Datatilsynet - Datatilsynet - Arp-Hansen Hotel Group A/S indstilles til bøde

From GDPRhub
Datatilsynet - Datatilsynet - Arp-Hansen Hotel Group A/S indstilles til bøde
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published: 28.08.2020
Fine: 1100000 DKK
Parties: Arp-Hansen Hotel Group A / S
National Case Number/Name: Datatilsynet - Arp-Hansen Hotel Group A/S indstilles til bøde
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA has fined the Arp-Hansen Hotel Group DKK 1,100,000 (approximately 148,000 Euros) and reported them to the police for failing to delete 500,000 customer profiles.

English Summary[edit | edit source]

Facts[edit | edit source]

During an audit visit to Arp-Hansen Hotel Group A / S (hereinafter Arp-Hansen), the Danish DPA became aware of a number of systems contained a lot of personal data that should have been deleted in accordance with Arp-Hansen's own set deletion deadlines. The DPA also found customer profiles which should have been deleted several years earlier. In summation, about 500,000 profiles were found that should have been deleted.

Dispute[edit | edit source]

Whether Arp-Hansen was in violation of the storage limitation principle under GDPR Article 5(1)(e)?

Holding[edit | edit source]

The Danish DPA held that Arp-Hansen was indeed in violation of Article 5(1)(e), noting in particular Arp-Hansen's lack of an objective reason for the extensive storage of information. Therefore, the DPA fined the hotel chain DKK 1,100,000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Danish Data Protection Agency became aware of the situation in connection with an inspection visit to Arp-Hansen Hotel Group A / S (hereinafter Arp-Hansen), where the audit reviewed a number of systems with a view to examining whether Arp-Hansen had sufficient procedures to ensure that personal data were not stored for longer than was necessary for the purposes for which the data were processed.

During the process, the Danish Data Protection Agency found that a booking system in particular contained a lot of personal data that should have been deleted in accordance with Arp-Hansen's own set deletion deadlines. The Authority was also able to establish that there were so-called customer profiles, which - after Arp-Hansen's own deletion deadlines - should have been deleted several years earlier. In this connection, the Authority's view is that approx. 500,000 customer profiles should have been deleted at the time of the audit visit.

"In a society where our personal data is increasingly being recorded and exploited, it is crucial that we as citizens can have confidence that our personal data is processed for objective purposes and that it is only stored for as long as is necessary. ”Says Frederik Viksøe Siegumfeldt, office manager for the supervisory unit in the Danish Data Protection Agency, who adds:

"We choose to take a police report in a case like the one in question, because in our opinion Arp-Hansen has not been able to come up with objective reasons for the extensive storage of information."

The Danish Data Protection Agency has therefore recommended Arp-Hansen a fine of DKK 1,100,000 for not having complied with the regulation's requirement for deletion (storage restriction) in Article 5 (1). 1, letter e.