Penalty for missing deletion deadlines
The Danish company IDdesign A/S was ordered by the data protection authority to pay a fine of 1.5 million kroner (approx. € 201,000).
In the course of an inspection visit by the authority to the company, it was admitted that an older IT system was still being used at three independent sites. This program stored the data of approximately 385,000 customers (name, home address, telephone number, e-mail address and customer history). However, when asked, the company was unable to specify the period after which data storage is no longer necessary and the data must therefore be deleted. Thus, principles in the processing of personal data were disregarded, which is why the authority issued the fine.
Conclusion
The creation of a procedure directory is one of the essential points of the GDPR. Companies must record all steps in which personal data is processed. Furthermore, the lawfulness and purpose of the processing must be stated. As soon as the data is no longer required, it must be deleted; this process must also be documented in the procedure directory.
Without appropriate software, such a document can neither be created nor meaningfully maintained. With easyGDPR , you can create the mandatory procedure directory at the click of a mouse. Thanks to templates for the most common data processing tasks (e-mail correspondence, contact forms, telephone system, etc.) you will save valuable time when creating them. Meet the requirements of the DSGVO today – with easyGDPR.
Entscheidungsdatum:
03.06.2019
Land:
Denmark
Art des Verstoßes:
Illegal data processing
Betroffene Datensätze:
385000
Waren sensible Daten betroffen?:
No
verhängte Geldstrafe:
€ 201,000,-
Violation of GDPR Paragraph:
5. Principles relating to personal data processing
Quelle:
Communication from the Danish Data Protection Authority (Danish)