Penalty for missing deletion deadlines

Penalty for missing deletion deadlines

The Danish company IDdesign A / S was convicted by the DPA of a fine of 1.5 million krone (approximately € 201,000).

As part of an audit visit to the company, the company admitted that an older IT system was still being used at three independent locations. In this program, the data of about 385,000 customers were stored (name, address, phone number, e-mail address and customer history). Upon request, however, the company could not name the period from which the data storage is no longer necessary and thus the data has to be deleted. As a result, principles in the processing of personal data were disregarded, which is why the Authority fined the company.

Conclusion

The creation of a record of processing activities is one of the essential points of the GDPR. Companies have to record all steps in which personal data is processed. Furthermore, the lawfulness and purpose of the processing must be stated. As soon as the data is no longer needed, these must be deleted, and this process must also be documented in the record of processing activities.

Without a software, such a document can neither be created nor reasonably maintained. With easyGDPR you can create the obligatory record of processing activities with a mouse click. Thanks to templates for the most common data processes (e-mail correspondence, contact forms, telephone system, etc.) you save valuable time in the creation. Fulfill the requirements of the GDPR today – with easyGDPR.

Entscheidungsdatum:
03.06.2019

Land:
Denmark

Art des Verstoßes:
Illegal data processing

Betroffene Datensätze:
385000

Waren sensible Daten betroffen?:
No

verhängte Geldstrafe:
€ 201,000,-

Quelle: