Under the GDPR, the Danish supervisory authority, the Data Protection Agency (DPA), has issued a DKK 1.5m (£180,000) fine in relation to a furniture company’s failure to delete data held on around 385,000 customers.

The DPA carried out a visit to the furniture company, IDDesign, in autumn 2018 and asked whether the company had retention policies in place that set deadlines for deletion of customer information (which included names, addresses, telephone numbers, email addresses and purchase history). As the company still relied on an old technology system in some of its stores for storing information, it transpired that none of the personal data in the older system had ever been deleted. One of the principles of the GDPR is that personal data should be held only for as long as necessary in relation to the purposes for which it is being processed. IDDesign should have had a clear policy in place to address the legal bases for which it held the personal data and the periods for which it would be justifiably retained. The Danish DPA therefore found IDDesign to be in breach of the GDPR, by having processed customer data for longer than necessary.

The ICO, the UK’s supervisory authority, has yet to levy any fines under the new data protection regime, and although this fine does not get anywhere close to the £17 million maximum fine European supervisory authorities can impose, it is a stark reminder that non-compliance with the new data protection legislation can be pretty costly.

Whilst this decision has no direct influence on UK data controllers, it may indicate the likely approach to those who have not reviewed how long they are holding data for.  If there is no legitimate basis for retaining data, if should be deleted.  For more advice on data retention policies or other GDPR compliance issues, please get in touch with one of our information law experts.  

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.