Background of the criminal case
In the fall of 2018, the Danish Data Protection Authority (Datatilsynet) audited the company IDdesign A/S. The main objective was to investigate whether retention periods regarding the deletion of personal data were complied with.
The Danish Data Protection Authority concluded that IDdesign had not complied with the requirements of Article 5(1)(e) of the GDPR (storage limitation), as the company:
- had processed personal data of approximately 385,000 customers for a longer period than what was necessary for the purposes for which they were processed;
- had not documented retention periods for the deletion of personal data in one of the company’s systems;
- had continued to process personal data of customers in another of the company’s systems, also after expiration of the company's own retention periods;
- had not sufficiently documented its procedures for deleting personal data in its recruitment and HR system.
The Danish Data Protection Authority therefore filed a claim against IDdesign A/S and claimed a fine of DKK 1.500.000 (approx. EUR 202.000).
Decision of the City Court of Aarhus
According to the City Court of Aarhus’ decision, IDdesign was found guilty of all charges. However, because the violations were found not to have been intentional but a consequence of negligent behavior, the fine was reduced to DKK 100.000 (approx. EUR 13.500). The Court’s main reasons for reducing the fine were:
- That it was only IDdesign A/S’s revenue that was relevant when calculating the amount of the fine and not the entire Group’s revenue.
- That this was the company’s first-time violation of the GDPR.
- That the personal data was not of sensitive character and was only available in an old system that was no longer in use by the company.
- That none of the data subjects had incurred any loss and the violation was more a matter of principle, to which the Danish Data Protection Authority agreed.
Furthermore, the court emphasized that the company had taken significant measures to ensure that the company’s other systems and their processing of personal data were in compliance with the GDPR.
This judgment is of great importance for other cases currently being processed by the Danish courts and will likely be referred to in any future case with regard to the determination of fines.
The Danish Data Protection Authority’s guide on GDPR fines
Because the determination of fines can be particularly complex in cases of violation of the data protection rules, given the companies’ different sizes and the wide range of violations, the Danish Data Protection Authority issued a guide in this regard in January 2021.
The amount of the fine must first be determined according to the basic principles set out in Article 83(4) of the GDPR. Depending on the extent of the violation, the fine may thus amount to up to EUR 10 million, or in the case of an undertaking 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; or to up to EUR 20 million, or in the case of an undertaking 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
However, the basic principles are calibrated, on the basis of an overall proportionality assessment, to large companies, defined as those with a turnover of up to and including DKK 500 million. The fine can thus be adjusted if the company is a micro, small or medium-sized company.
After determining the amount of the fine in accordance with the principles set out above, the fine can be adjusted according to the nature and duration of the violation. The fine can thus be increased if there are aggravating circumstances, such as multiple offenses, or reduced if there are mitigating circumstances, such as the company having implemented procedures in line with best practice for the area or profession in question. However, the fine can never exceed the maximum amounts stated above.
As a final point, the Danish Data Protection Authority has emphasized that a company’s claim that a large fine will have serious financial consequences for the data controller should be taken into account. A large fine that causes a company to go bankrupt must be assumed to be both effective and dissuasive, but it must also be proportionate, and it should therefore always be considered whether the goal can be achieved with a smaller fine.
The team of experts at LEAD I Rödl & Partner advises companies on data protection issues and is ready to assist in updating procedures and policies so that the requirements of the Danish Data Protection Act and the General Data Protection Regulation are met.
For further information, please contact LEAD I Rödl & Partner’s Privacy Team at +45 44 45 50 00, or send an email to Alexandra Huber, E firstname.lastname@example.org or Camilla Schack, E email@example.com