Denmark's first GDPR fine to date
The imposition of fines in Denmark
Before turning to the facts of this case, it should be noted that fines in Denmark are imposed through court verdicts.
For this reason, the fines the DDPA imposes are solely a proposal for solving the issue outside of court, rather than a binding fine. If an out-of-court settlement fails, the DDPA fine forms the basis for potential litigation. The DDPA will start by reporting the breach to the police, which will investigate the matter further. If the police deem it necessary, they will hand over the case to the prosecutor's office, which in turn will initiate a criminal court case. Only if the court finds the charged person(s) or company guilty will a binding fine be imposed.
The breaches in particular
The DDPA was on a monitoring visit at ILVA in the fall of 2018. Before the visit, ILVA informed the DDPA about the data processing systems being used. Almost all ILVA shops were equipped with a new system, AX 2012, whilst three of them were still using the previous data processing system, AX 2.5. During the DDPA's verification visit, the authority became aware of 4 breaches of the GDPR, all relating to GDPR art. 5 sec. (1) and (2).
The first and most serious breach related to the storage of customer information on the AX 2.5 system. The data recorded included names, addresses, telephone numbers, e-mail addresses and shopping history of 350.000 customers. As ILVA had not outlined the retention periods, it was found that ILVA had stored the personal data for longer than its processing purpose warranted.
The second breach related to the first, as the DDPA saw a violation in the lack of a deletion period for the personal data contained in the AX 2.5 system.
The third breach affected the newer data processing system, AX 2012. For this system, ILVA had set its own date for deletion of the personal data of its customers in accordance with the GDPR. Notwithstanding, ILVA had not deleted the personal data in accordance with its own deadlines.
The last breach pertained to the systems for processing the personal data of ILVA's employees. The data had been deleted in accordance with the deletion period, yet the process had not been written down or documented.
The Court's decision
The specific focus of this case concerned the reassessment of the level of the fine. While the Court acknowledged the breaches, it did not agree with the size of the fine. The Court's reasoning related to the essential prerequisite that the fine should be based on ILVA's revenue only and not on the whole turnover of the Jysk Group, which ILVA is a part of. As the turnover of ILVA is significantly less than that of the Jysk Group, the fine was reduced accordingly.
Furthermore, the Court found that the DDPA and the prosecution office had not taken the following mitigating circumstances into account:
- a first-time offence,
- the stored data was not sensitive information,
- the information was stored in an older system with less access activity,
- no data subject had suffered any damage, and
- the DDPA itself characterized the breaches as being formal breaches.
On the grounds of a multitude of mitigating circumstances, the Court even considered not imposing a fine at all. In the end, the large amount of customer information, and thus the large group of data subjects, weighed in favour of imposing one. However, the fine was significantly reduced from the initial proposal of DKK 1.5 mio to DKK 100.000, due to the Court's reasoning above.
The prosecutor has appealed the verdict and it will therefore be interesting to follow whether the decision will be confirmed.
Article provided by: Claas Thöle (NJORD Law Firm, Denmark)
Dr. Tobias Höllwarth (Managing Director INPLP)