Faulty deletion of data makes the Danish Data Protection Agency fine publishing house

Legal news
25 August 2022
Denmark

The largest publishing house in Denmark had been saving the data of hundreds of thousands of members in a passive database for over a decade after the members had unsubscribed. The company had no procedures or guidelines for erasure for the database. It was such a fundamental breach of the data protection rules that the Danish Data Protection Agency filed a police report with a recommendation to issue a DKK 1 million fine.

During an inspection at a large publishing house, the Danish Data Protection Agency discovered that data on around 685,000 unsubscribed members of the company’s book clubs were kept in a database. Most of the data had been in the database for more than 10 years after the members had unsubscribed from the book club.

The Danish Data Protection Agency also found that no internal procedures or guidelines on how the data should be deleted from the passive database were in place.

Data cleaning is a fundamental principle

Personal data must be deleted on an ongoing basis to avoid storing it for longer than necessary. To achieve this, companies must have established procedures to ensure that the data is either deleted or anonymized when there is no longer a legal basis for processing it.

The DKK 1 million fine reflected that the company had breached some of the most fundamental data processing principles on storage limitation and accountability. The fine also reflected that the data concerned a large number of members. Also, the error was not a single occurrence but a substantial internal issue as the data had been retained intentionally.

At the same time, the fine was limited to DKK 1 million because the Danish Data Protection Agency considered that the company had been cooperative and that only two employees had access to the passive database.

IUNO’s opinion

The Danish Data Protection Agency’s fine is among the highest fines yet. However, this is in line with the fact that the company’s breach of the rules concerned two fundamental processing principles. The Danish Data Protection Agency’s reasoning therefore clearly confirms how important it is to have procedures on data retention.

IUNO recommends that companies continuously check that retention deadlines are complied with and that the process for deleting data is documented. It is also a good idea to make sure that employees who process the data are familiar with the guidelines, so that the rules are adhered to as part of the day-to-day business.

[The Danish Data Protection Agency’s police report of Gyldendal A/S of 22 June 2022]

Anders Etgen Reitz, Partner

Kirsten Astrup, Senior associate
