Danish DPA fines a company €134,415 (DKK 1 million) for retaining, and failing to delete, data on 685,000 former book club members.
The Danish DPA reported Gyldendal A/S to the police and suggested a fine of DKK 1,000,000 based on an inspection visit.
The company had kept the information of 685,000 people who had opted out of the book club.
Failing to delete data
Instead of deleting the data when the individuals left, Gyldendal stored it in a so-called passive database. In 395,000 cases, former book club members’ data had been stored there for more than ten years.
There were no guidelines or procedures in place for deleting data from the passive database.
During the examination, Gyldendal erased all data from the passive database and declared that, in the future, former members’ data would be stored for six years.
Fundamental principles
One of the DPA’s fundamental principles is that you should not keep people’s information any longer than required. The DPA considers a fine warranted in this case because it involves a large amount of Danes’ information that was held for an extended period of time without any objective purpose.
In determining whether a penalty should be imposed, the Danish Data Protection Authority underlined that the breach involves two fundamental criteria for the processing of personal data, “storage limits” and “accountability”, and affects a considerable number of data subjects.