Penalty for missing deletion deadlines
The Danish company IDdesign A / S was convicted by the DPA of a fine of 1.5 million krone (approximately € 201,000).
As part of an audit visit to the company, the company admitted that an older IT system was still being used at three independent locations. In this program, the data of about 385,000 customers were stored (name, address, phone number, e-mail address and customer history). Upon request, however, the company could not name the period from which the data storage is no longer necessary and thus the data has to be deleted. As a result, principles in the processing of personal data were disregarded, which is why the Authority fined the company.
Conclusion
The creation of a record of processing activities is one of the essential points of the GDPR. Companies have to record all steps in which personal data is processed. Furthermore, the lawfulness and purpose of the processing must be stated. As soon as the data is no longer needed, these must be deleted, and this process must also be documented in the record of processing activities.
Without a software, such a document can neither be created nor reasonably maintained. With easyGDPR you can create the obligatory record of processing activities with a mouse click. Thanks to templates for the most common data processes (e-mail correspondence, contact forms, telephone system, etc.) you save valuable time in the creation. Fulfill the requirements of the GDPR today – with easyGDPR.
Decision data:
03.06.2019
Country:
Denmark
Type of Issue:
Illegal data processing
Number of involved data records:
385000
Special category of data involved:
No
Fine:
€ 201,000,-
Violation of GDPR Paragraph:
5. Principles relating to personal data processing
Reference: