Retten i Aarhus - J.nr. SS 3662/2020

From GDPRhub
Retten i Aarhus - J.nr. SS 3662/2020
Courts logo1.png
Court: Retten i Aarhus (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(e) GDPR
§10 of the Danish Consolidated Bookkeeping Act
Decided: 12.02.2021
Published:
Parties: IDdesign A/S (now ILVA A/S)
National Case Number/Name: J.nr. SS 3662/2020
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): Danish
Original Source: The district court in Aarhus (in Danish)
Initial Contributor: Tetyana Porokhonko

The district court in Aarhus (Retten i Aarhus) decided that the company IDdesign A/S (now ILVA A/S) breached Article (5)(1)(e) GDPR by keeping the data of around 350,000 customers for longer than is necessary for the purposes for which it was collected.

English Summary[edit | edit source]

Facts[edit | edit source]

In June 2019, the Danish Data Protection Agency (DPA) expressed severe criticism of IDdesign A/S for the violation of the Article 5(1)(e) of the GDPR, namely, the failure to delete personal information of approx. 350,000 customers in its old IT-system. The personal data included the customers´ names, addresses, telephone numbers, email addresses and order history. The company was reported to the police.

The Prosecution Service decided to pursue the case further in a court. The DPA and the Prosecution Service recommended a fine of DKK 1.5 million, which was calculated based on the entire group turnover and by taking into consideration the company´s intentional failure to delete the data.


Dispute[edit | edit source]

The court considered whether the company violated the Article 5(1)(e) of the GDPR (storage limitation principle) and determined the amount of fine for the violation.

Holding[edit | edit source]

The court found that the company, in breach of the Article 5(1)(e) of the GDPR, kept the data of around 350,000 customers for longer than is necessary for the purposes for which it was collected. According to the Danish Consolidated Bookkeeping Act (in Danish - Bogføringsloven) the data must be deleted after 5 years. However, the court concluded that the violation has been committed through negligence.

With respect to the calculation of the fine, the court disagreed with the proposed charges and concluded that amount should be calculated based on the company´s own turnover, and not on the entire group.

Moreover, while calculating the fine amount, the mitigating circumstances under the Article 83(2) should be taken into consideration, such as:

  • the company has not breached the GDPR before,
  • the breach involved only general personal information,
  • any data subjects suffered damage as a result of the infringement,
  • negligent character of the infringement,
  • the company has taken considerable steps to ensure compliance with the GDPR.

The court imposed a fine of DKK 100,000.


Comment[edit | edit source]

The case has gained much attention as it is for the first time the Danish district court had to decide on violation of the GDPR rules and determine severity of penalty. The decision is also of major importance for the future development of legal practice in the field. There is a high probability that the decision will be appealed to a higher court.

Here is a link to the DPA decision from 03.06.2019 (case Nr. 2018-41-0015) https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/jun/tilsyn-med-iddesigns-behandling-af-personoplysninger

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

12 FEB 2021

THE COURT IN AARHUS

Company fined DKK 100,000.
Company fined DKK 100,000 for violation of the Data Protection Ordinance
The case in short

In June 2019, the Danish Data Protection Agency notified the company IDdesign A / S (now Ilva A / S) of a breach of the nature of the Data Protection Ordinance. 5 pieces. 1, letter e, by having stored approx. 350,000 personal data longer than was necessary in an older and partly phased-out customer data system. The Danish Data Protection Agency recommended to the prosecution that the case be decided with a fine of DKK 1.5 million. DKK, which the prosecution has since agreed to.

In January 2019, the personal data had been deleted by the defendant himself, and it was disputed during the case how much personal data it had actually been about and whether the data protection regulation had been violated.

It was also disputed whether there were grounds for imposing a fine - or, depending on the circumstances, only a warning - and how large the fine should be.

In the estimate of the size of the fine, the Public Prosecutor's Office and the Danish Data Protection Agency had taken the entire group's turnover as a basis and had also assessed that the defendant had intentionally failed to delete the information.

The result of the judgment

The court found it proved that there had been approx. 350,000 personal data and that they should have been deleted after the 5 year deadline of the Accounting Act. There was therefore an infringement of the nature of the Data Protection Regulation. 5 pieces. 1, letter e. But the court only found evidence that the violation had been committed negligently. The court here assumed that the defendant had not had the information deleted due to an oversight due to a too one-sided focus on the company's active IT systems.

The court also found that only the defendant's own turnover should be used as a basis for calculating the fine, just as it should be taken into account that the infringement had been committed negligently. The Court stated in this connection that the Public Prosecutor's Office and the Danish Data Protection Agency had not taken due account of the mitigating circumstances arising from the nature of the Data Protection Regulation. 83, para. 2, including that it was a first-time infringement of the Data Protection Regulation, that the information in question was of a general and not personally sensitive nature, that it was in an older and partly phased-out system that was only accessed occasionally, that no data subject had suffered any damage, and that the violation - also in the Data Inspectorate's own opinion - was only of a formal nature.

In addition, the court stated that it should be included with considerable weight in the assessment that it had been proven that the defendant had made quite significant efforts to ensure that many of the company's 57 computer systems had been both technically and legally compliant with the Data Protection Regulation. not uncomplicated sets of rules.

On that basis, the court considered whether the infringement exceeded the threshold between expressing criticism - which in the legal context would have the character of a warning under section 900 of the Administration of Justice Act - or whether, depending on the circumstances, it was necessary to impose a fine on the defendant. However, in view of the overriding principle of sentencing in the Data Protection Regulation to ensure that infringements of the Regulation are met with sanctions that are effective, proportionate and dissuasive, the court found - in particular in view of the significant amount of data anonymised or deleted - that the defendant should be fined.

As the preparatory work for the Data Protection Act provides for a "significant increase" in the level of fines for violations of the provisions of the Data Protection Ordinance compared with previous practice, which in the preparatory work is stated at a level of between DKK 2,000 and 25,000, depending on the nature of the violation. after an overall assessment the fine to DKK 100,000.

Decision date

The judgment was handed down on 12 February 2021 (court j.nr. SS 3662/2020).