Authored by Attorney-at-law Mathias Bartholdy.
The case arose from a site inspection by the Danish Data Protection Agency, at which the agency found that the business had been processing personal data in violation of the General Data Protection Regulation (GDPR) by storing the data for too long. Consequently, the agency reported the business to the police.
More specifically, the Data Protection Agency found that the business had been processing data about some 350,000 customers without a legitimate purpose. The data had been kept longer than necessary in an old and partially phased-out customer data system.
In calculating the fine, the prosecution and the Data Protection Agency took account of the consolidated revenue of the entire group, and they considered the business to have acted wilfully.
The City Court, however, was only satisfied that the business had acted negligently. The City Court noted that the failure to erase data was due to an oversight resulting from a one-sided focus on the business’ new IT system – a circumstance emphasised by the Court when determining the fine.
The City Court also took into consideration the following mitigating circumstances:
- It was the first time the business had acted in contravention of the GDPR.
- The data concerned were ordinary personal data and not sensitive personal data.
- The data were stored in an old and partially phased-out system, which was accessed only occasionally.
- None of the data subjects had suffered any loss.
- It was an offence in name only.
Finally, the City Court noted that significant weight should be given to the fact that the business “had expended quite considerable efforts to ensure that many of its 57 database systems were in compliance with the complex GDPR rules, from both an IT technical and legal perspective”.
It is not yet known if the judgment will be appealed.
Our comments
The fine was fixed based on the business’ own revenue and not the consolidated revenue of the entire group, as had been requested by the prosecution and the Data Protection Agency. Some might be puzzled by this as many people believe that the fine is invariably fixed based on consolidated revenue. However, under article 83 of the GDPR, governing fines, the fine must be fixed based on the revenue of the undertaking. That may not always be the group of undertakings – in fact the opposite is generally the case. For the purpose of EU law, an ‘undertaking’ means an economic entity engaged in commercial/economic activities. In this case, the City Court found that only the undertaking had engaged in the commercial/economic activity forming the basis of the violation, and not the group of undertakings as a whole.
It is also worth noting that the City Court’s downward adjustment of the fine is consistent with the guidance notes on fines issued by the Data Protection Agency in January 2021, bødevejledning af januar 2021 (in Danish only).
Another important point in the judgment is that the ability to demonstrate active efforts to comply with the GDPR rules is considered a mitigating circumstance. All businesses should therefore consider the judgment an incentive to either initiate or continue their active compliance efforts.
If you have any GDPR-related questions or you want to fast-track your GDPR compliance efforts, you are welcome to contact two of our GDPR specialists, Attorney Mikkel Kleis or Attorney Mathias Bartholdy.
UPDATE: The judgment has now been appealed.