Datatilsynet (Denmark) - Gyldendal A/S

From GDPRhub
Datatilsynet - Gyldendal A/S
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(e) GDPR
Article 5(2) GDPR
Type: Investigation
Outcome: Violation Found
Published: 22.06.2022
Fine: 1,000,000 DKK
Parties: Gyldendal A/S
National Case Number/Name: Gyldendal A/S
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The DPA recommended a €134,427 (DKK 1,000,000) fine against the Danish publisher Gyldendal for not deleting the personal data of its unsubscribed book club members.

English Summary


During an inspection visit to Gyldendal A/S (controller), the Danish DPA found that information about approximately 685,000 unsubscribed members of Gyldendal's book clubs was kept for longer than needed. The controller stored data in a so-called "passive database" and had no procedures or guidelines for deleting it. Some of this information was kept for longer than ten years.


The DPA held that the controller violated the principles of storage limitation and accountability by keeping the personal data of a large number of data subjects for longer than necessary. Therefore, it reported the controller to the police and recommended a fine of €134,427 (DKK 1,000,000).


The DPA in Denmark does not impose fines directly but refers such cases to the police. The police then investigate whether there are grounds for raising a charge, and finally, a possible fine will be decided by a court.


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Gyldendal is fined

Date: 22-06-2022


The Danish Data Protection Agency reports Gyldendal to the police and recommends a fine of DKK 1,000,000 for storing information about 685,000 book club members for longer than necessary.

On the basis of an inspection visit to Gyldendal A/S, the Danish Data Protection Agency has reported the company to the police and recommended a fine of DKK 1,000,000. During the inspection visit, it emerged that information about approx. 685,000 resigned members of Gyldendal's book clubs was kept for longer than needed.

Instead of deleting information about unsubscribed members of the book clubs, Gyldendal stored the information in a so-called "passive database". Information about approx. 395,000 of the former members had been retained for more than 10 years after they had opted out of the book clubs. Gyldendal had no procedures or guidelines for deleting information in the passive database.

After the inspection visit, Gyldendal deleted all the information in the passive database and informed the Danish Data Protection Agency that, in the company's assessment, it would in future be necessary to store information about resigned members for up to six years.

“One of the very basic principles is that you should not keep people's information longer than necessary. In this case, we believe that a fine is appropriate, because it concerns a great deal of Danes' information that has been stored without any objective purpose for a very long time,” explains Ditte Yde Amsnæs, office manager at the Danish Data Protection Agency.

Why a police report?

The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83(2) of the Regulation when assessing which sanction is, in the Authority's opinion, the most appropriate.

In assessing that a fine should be imposed, the Danish Data Protection Agency has emphasized that the violation concerns two basic principles for the processing of personal data - the principles of "storage limitation" and "accountability" - and affects a very large number of data subjects. The Danish Data Protection Agency has also emphasized that this is not an isolated error, but a fundamental problem. As an aggravating factor, the Danish Data Protection Agency has also emphasized that, in the Authority's assessment, the violation was committed intentionally.

As mitigating factors, the Danish Data Protection Agency has, among other things, emphasized that Gyldendal has acted extremely cooperatively, and that according to Gyldendal, only two employees had access to the passive database.


Press inquiries about the case can be directed to communications consultant Anders Due on tel. 29 49 32 83.