Updated: Apr 14, 2020
The Danish data protection agency has proposed a fine of DKK 1,5 million for failure to delete data approximately 385.000 customers to danish fine furniture company IDDesign A/S
Read the full press release in Danish here
In autumn of 2018, the Danish data protection agency performed a supervisory visit to Danish furniture company IDDesign. One of the questions the visit focused on was whether the company had set deadlines for the deletion of customers’ PII and whether the deadlines had been complied with.
Before the inspection, IDdesign had provided an overview of the systems the company uses for the processing of PII. This overview revealed that some of the furniture stores used an older system, which had been replaced by a newer system in the other stores. Within the old system, information was gathered about the names, addresses, phone numbers, e-mail addresses and purchase history of about 385.000 customers. During the inspection, IDdesign also stated that PII in the old system had never been deleted.
IDdesign did not indicate when personal data in the old system are no longer necessary for processing purposes and therefore, did not specify the deadlines applicable to the erasure of the personal data processed within the system.
The data protection agency, therefore, considers that IDdesign has not complied with the data protection requirements of the data protection regulation by having processed the personal data for a longer time than necessary