Faulty deletion of data makes the Danish Data Protection Agency fine publishing house
The largest publishing house in Denmark had been saving the data of hundreds of thousands of members in a passive database for over a decade after the members had unsubscribed. The company had no procedures or guidelines for erasure for the database. It was such a fundamental breach of the data protection rules that the Danish Data Protection Agency filed a police report with a recommendation to issue a DKK 1 million fine.
During an inspection at a large publishing house, the Danish Data Protection Agency discovered that data on around 685,000 unsubscribed members of the company’s book clubs were kept in a database. Most of the data had been in the database for more than 10 years after the members had unsubscribed from the book club.
The Danish Data Protection Agency also found that no internal procedures or guidelines on how the data should be deleted from the passive database were in place.
Data cleaning is a fundamental principle
Personal data must be deleted on an ongoing basis to avoid storing it for longer than necessary. To achieve this, companies must have established procedures to ensure that the data is either deleted or anonymized when there is no longer a legal basis for processing it.
The DKK 1 million fine reflected that the company had breached some of the most fundamental data processing principles on storage limitation and accountability. The fine also reflected that the data concerned a large number of members. Also, the error was not a single occurrence but a substantial internal issue as the data had been retained intentionally.
However, at the same time, the fine had also only been limited to DKK 1 million as the Danish Data Protection Agency considered that the company had been cooperative and that only two employees had access to the passive database.
IUNO’s opinion
The Danish Data Protection Agency’s fine is in the category of the highest fines yet. However, this is in line with the fact that the company’s breach of the rules concerned two fundamental processing principles. Therefore, the Danish Data Protection Agency’s reasoning also clearly confirms how important it is to have procedures on data retention.
IUNO recommends that companies continuously control that retention deadlines are complied with and that the process for when data is being deleted is documented. It is also a good idea that employees who process the data are familiar with the guidelines to ensure that the rules are adhered to as part of the day-to-day business.
[The Danish Data Protection Agency’s police report of Gyldendal A/S of 22 June 2022]
During an inspection at a large publishing house, the Danish Data Protection Agency discovered that data on around 685,000 unsubscribed members of the company’s book clubs were kept in a database. Most of the data had been in the database for more than 10 years after the members had unsubscribed from the book club.
The Danish Data Protection Agency also found that no internal procedures or guidelines on how the data should be deleted from the passive database were in place.
Data cleaning is a fundamental principle
Personal data must be deleted on an ongoing basis to avoid storing it for longer than necessary. To achieve this, companies must have established procedures to ensure that the data is either deleted or anonymized when there is no longer a legal basis for processing it.
The DKK 1 million fine reflected that the company had breached some of the most fundamental data processing principles on storage limitation and accountability. The fine also reflected that the data concerned a large number of members. Also, the error was not a single occurrence but a substantial internal issue as the data had been retained intentionally.
However, at the same time, the fine had also only been limited to DKK 1 million as the Danish Data Protection Agency considered that the company had been cooperative and that only two employees had access to the passive database.
IUNO’s opinion
The Danish Data Protection Agency’s fine is in the category of the highest fines yet. However, this is in line with the fact that the company’s breach of the rules concerned two fundamental processing principles. Therefore, the Danish Data Protection Agency’s reasoning also clearly confirms how important it is to have procedures on data retention.
IUNO recommends that companies continuously control that retention deadlines are complied with and that the process for when data is being deleted is documented. It is also a good idea that employees who process the data are familiar with the guidelines to ensure that the rules are adhered to as part of the day-to-day business.
[The Danish Data Protection Agency’s police report of Gyldendal A/S of 22 June 2022]
Similar
Poor handling of access requests triggered criticism and police reports
New guidelines on prohibited AI practices
Managing transfer impact assessments in practice
Secret audio recordings of conversations led to serious criticism
Updated guidelines regarding breaches of data security
New rules on CCTV monitoring