On 12 February 2021, the city court in Aarhus fined a company DKK 100,000 for violation of the Data Protection Regulation. The company was fined for violating the storage limitation principle. The court found that the company had held the personal data of over 350,000 customers for longer than was necessary in an old and partly phased-out customer data system. This is the first time that a fine has been imposed for violation of the Data Protection Regulation in Denmark.
Article 5 of the Data Protection Regulation lays down the general principles for the processing of personal data. One of these "general principles", in accordance with Article 5(1)(e), is that personal data must be "stored in such a way that it is not possible to identify the data subjects for a longer period of time than is necessary for the purposes for which the personal data in question is processed (…)". In other words, personal information should only be stored for as long as necessary.
The data held by the company should have been deleted in accordance with section 10 of the Accounting Act, which provides that accounting material must be held in a secure manner for 5 years from the end of the financial year to which the material relates. Therefore, in principle, there will be a valid reason for retaining accounting material for 5 years from the end of the financial year to which the material relates, but not for a longer period, unless the data controller has another valid reason to store the information. In the specific case, the company had deleted the personal data of over 350,000 people in January 2019; however, the deletion took place after the 5 years from the end of the financial year to which the material related had expired.
In June 2019, the Danish Data Protection Agency recommended to the prosecution that the company in question be fined DKK 1.5 million for the violation. The Public Prosecutor's Office agreed with the Danish Data Protection Agency's recommendation. In estimating the size of the fine, the prosecution and the Danish Data Protection Agency had taken the entire group's turnover as the basis for the fine, and had also assumed that the company had deliberately failed to delete the information.
The court found that the personal data in question should have been deleted after the 5-year period pursuant to the Accounting Act, and therefore there was a breach of Article 5(1)(e) of the Data Protection Regulation.
However, the court held that the failure to delete the personal data was an oversight, caused by a one-sided focus on the company's active IT systems rather than on the historic customer data system. The court held that this omission had not been an intentional violation of the company's obligations but a negligent act. In addition, in assessing the infringement the court gave considerable weight to the fact that the company was able to evidence that it had done much to ensure that many of its 57 computer systems were both technically and legally compliant with the Data Protection Regulation. Further, the court found that there were several other mitigating factors, in particular (i) that this was a first-time infringement of the Data Protection Regulation, (ii) that the information in question was of a general and non-sensitive nature, (iii) that the personal data was in an older and partly phased-out system that was only accessed occasionally, (iv) that no data subject had suffered any damage, and (v) that the infringement was of a formal nature only. Taking all the above factors into account, the court set the fine at DKK 100,000.
Prior to the Data Protection Regulation, the level of fines for breaches of the Personal Data Act was between DKK 2,000 and 25,000, depending upon the nature of the offence. Despite the court's thorough assessment of the mitigating factors, this case demonstrates the scope for considerably larger fines under the Data Protection Regulation.