IDdesign A/S (now ILVA A/S) – Court Ruling (Denmark, 2021)

In June 2019, the Danish Data Protection Agency (DPA) expressed severe criticism of IDdesign A/S for the violation of the Article 5(1)(e) of the GDPR, namely, the failure to delete personal information of approx. 350,000 customers in its old IT-system. The personal data included the customers´ names, addresses, telephone numbers, email addresses and order history. The company was reported to the police. The Prosecution Service decided to pursue the case further in a court. The DPA and the Prosecution Service recommended a fine of DKK 1.5 million, which was calculated based on the entire group turnover and by taking into consideration the company´s intentional failure to delete the data. The court considered whether the company violated the Article 5(1)(e) of the GDPR (storage limitation principle) and determined the amount of fine for the violation. The court found that the company, in breach of the Article 5(1)(e) of the GDPR, kept the data of around 350,000 customers for longer than is necessary for the purposes for which it was collected. According to the Danish Consolidated Bookkeeping Act (in Danish - Bogføringsloven) the data must be deleted after 5 years. However, the court concluded that the violation has been committed through negligence. With respect to the calculation of the fine, the court disagreed with the proposed charges and concluded that amount should be calculated based on the company´s own turnover, and not on the entire group. Moreover, while calculating the fine amount, the mitigating circumstances under the Article 83(2) should be taken into consideration, such as: *the company has not breached the GDPR before, *the breach involved only general personal information, *any data subjects suffered damage as a result of the infringement, *negligent character of the infringement, *the company has taken considerable steps to ensure compliance with the GDPR. The court imposed a fine of DKK 100,000.