Denmark's first GDPR fine to date

19.03.2021

On February 12th 2021, the City Court in Aarhus handed down the first verdict in Denmark to result in a fine based on the GDPR. The Court imposed a fine of DKK 100,000 (approx. EUR 13,500) on the Danish furniture chain ILVA, which is part of the Danish multibillion concern Jysk Group. ILVA was found guilty of having unnecessarily stored the personal data of around 350,000 customers. It was the Danish Data Protection Agency (DDPA) that had forwarded the case to the prosecution, with the proposal that ILVA should be fined DKK 1.5 million (approx. EUR 201,700). The prosecution agreed with the DDPA's proposal.

The imposition of fines in Denmark

Before turning to the facts of this case, it should be noted that in Denmark fines are imposed through court verdicts.

Accordingly, a fine set by the DDPA is solely a proposal for resolving the issue out of court, rather than a binding fine. If an out-of-court settlement fails, the DDPA fine forms the basis for potential litigation. The DDPA will start by reporting the breach to the police, which will investigate the matter further. If the police deem it necessary, they will hand the case over to the prosecutor's office, which in turn will initiate a criminal court case. Only if the court finds the charged person(s) or company guilty will a binding fine be imposed.

The breaches in particular

The DDPA carried out a monitoring visit at ILVA in the fall of 2018. Before the visit, ILVA informed the DDPA about the data processing systems in use. Almost all ILVA shops were equipped with a new system, AX 2012, whilst three of them were still using the previous data processing system, AX 2.5. During the DDPA's verification visit, the authority became aware of four breaches of the GDPR, all relating to GDPR art. 5 sec. (1) and (2).

The first and most serious breach related to the storage of customer information on the AX 2.5 system. The data recorded included names, addresses, telephone numbers, e-mail addresses and shopping history of 350,000 customers. As ILVA had not defined any retention periods, it was found that ILVA had stored the personal data for longer than its processing purpose required.

The second breach was related to the first: the DDPA saw a violation in the lack of a deletion period for the personal data contained in the AX 2.5 system.

The third breach affected the newer data processing system, AX 2012. For this system, ILVA had set its own date for deletion of its customers' personal data in accordance with the GDPR. Nevertheless, ILVA had not deleted the personal data in accordance with its own deadlines.

The last breach pertained to the systems for processing the personal data of ILVA's employees. The data had been deleted in accordance with the deletion period, yet the process had not been written down or documented.

The Court's decision

The specific focus of this case was the reassessment of the level of the fine. While the Court acknowledged the breaches, it did not agree with the size of the fine. The Court's reasoning rested on the essential premise that the fine should be based on ILVA's revenue only and not on the turnover of the whole Jysk Group, of which ILVA is a part. As ILVA's turnover is significantly less than that of the Jysk Group, the fine was reduced accordingly.

Furthermore, the Court found that the DDPA and the prosecution office had not taken the following mitigating circumstances into account:   

  • a first-time offence,
  • the stored data was not sensitive information,
  • the information was stored in an older system with less access activity,
  • no data subject had suffered any damage, and
  • the DDPA itself characterized the breaches as being formal breaches.

On the grounds of this multitude of mitigating circumstances, the Court even considered not imposing a fine at all. In the end, the large amount of customer information, and thus the large group of data subjects, weighed in favour of imposing one. However, the fine was significantly reduced from the initial proposal of DKK 1.5 million to DKK 100,000, due to the Court's reasoning above.

The prosecutor has appealed the verdict, and it will therefore be interesting to see whether the decision is confirmed.

Article provided by: Claas Thöle (NJORD Law Firm, Denmark)

 

 


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.