IDdesign A / S – €13,450 Fine (Denmark, 2021)

Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the deadline for the information had been reached. Also, the controller had not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts. Update: On February 12, 2021 the Aarhus District Court decided to impose a fine against IDdesign in the amount of EUR 13,450. With regard to the calculation of the fine, the court disagreed with the proposed amount of the fine. It concluded that the amount should be calculated on the basis of the company's own turnover and not that of the entire group. In addition, the court considered that the mitigating circumstances under Art. 83 (2) GDPR should be taken into account when calculating the fine. Such as that the company had not previously breached the GDPR, as well as that the breach concerned only general personal data. In addition, no data subject suffered damages as a result of the breach. Finally, the court considers that the negligent nature of the breach should be taken into account.