Penalty for missing deletion deadlines

Penalty for missing deletion deadlines

The Danish company IDdesign A / S was convicted by the DPA of a fine of 1.5 million krone (approximately € 201,000).

As part of an audit visit to the company, the company admitted that an older IT system was still being used at three independent locations. In this program, the data of about 385,000 customers were stored (name, address, phone number, e-mail address and customer history). Upon request, however, the company could not name the period from which the data storage is no longer necessary and thus the data has to be deleted. As a result, principles in the processing of personal data were disregarded, which is why the Authority fined the company.

Conclusion

The creation of a record of processing activities is one of the essential points of the GDPR. Companies have to record all steps in which personal data is processed. Furthermore, the lawfulness and purpose of the processing must be stated. As soon as the data is no longer needed, these must be deleted, and this process must also be documented in the record of processing activities.

Without a software, such a document can neither be created nor reasonably maintained. With easyGDPR you can create the obligatory record of processing activities with a mouse click. Thanks to templates for the most common data processes (e-mail correspondence, contact forms, telephone system, etc.) you save valuable time in the creation. Fulfill the requirements of the GDPR today – with easyGDPR.

Decision data:
03.06.2019

Country:
Denmark

Type of Issue:
Illegal data processing

Number of involved data records:
385000

Special category of data involved:
No

Fine:
€ 201,000,-

Reference: