Home

Internal

Global

Contatto

Rödl & Partner ha prestato la propria consulenza per il perfezionamento dell'acquisizione del Gruppo italiano FGV da parte di Hettich |

In tutto il mondo

Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.

Deleting data has never been more important

Two Danish companies have been reported to the police by the Danish Data Protection Authority for not complying with the GDPR. The Danish Data Protection Authority has suggested fines of up to DKK 1,5 million for failing to delete personal data pursuant to paragraph 1 (e) of article 5 of the GDPR.

Within the past year, the Danish Data Protection Authority has paid particular attention to companies' deletion habits. Although companies established in Denmark yet remain to receive fines after the GDPR, the Danish Data Protection Authority has reported both the Danish taxi company Taxa 4x35, and the Danish design and furniture chain IDdesign A/S to the police. Fines of DKK 1,2 million and DKK 1,5 million for not deleting personal data pursuant to the GDPR have been suggested to be appropriate.

Taxa 4x35 failed to deleted personal data of 9 million customers. According to the Danish Data Protection Authority, such personal data was stored without being necessary for the purpose of what it was collected for. Taxa 4x35 did deleted the customer's name after 2 years, however, the customers phone number and start- and end coordinates were stored for another 3 years. The company claimed, that it was using it's customers' personal data to develop its product- and business. Keeping such information for 5 years, simply because keeping it on file made it easier for Taxa 4x35's system to enhance the company's product- and business development, was however not proven to be necessary.

IDdesign A/S failed to deleted personal data of 385.000 customers which was stored in an old company system. While auditing IDdesign, the Danish Data Protection Authority paid special attention to whether IDdesign had a policy on retention and the compliance hereof. Because IDdesign had not considered for how long data was stored in this old system, it was never deleted.

What is particullarly interesting is thus, that IDdesign was not only criticized for not deleting personal data from the old system, but in particular for not having a retention policy in place which documented that IDdesign had taken a position on whether data had to be deleted or not.

Based on the criticism of IDdesign A/S, it is important to consider whether one's company has all the formal requirements in place. Especially because deleting data is not only a prerequisite to comply with the GDPR it may also become extremely expensive if you don't ensure that your company only retains personal data which is necessary. Hence, we recommend that you check your deletion routine and have policies in place – especially in regard to "older" data.

The Danish Data Protection Authorities guidelines on deleting personal data can be consulted here (Danish version only).

Contacts

Contact Person Picture

Assistant Attorney Camilla Bjerning Schack

+45 20 123738

Invia richiesta

Rödl & Partner Denmark

Discover more about our offices in Denmark. Read more »

Data Protection Bites

Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, with a special focus on the GDPR. Read all releases »