The Danish privacy authority issued a fine of approximately € 148K against a hotel chain for breaching the data retention principle with respect to its customers' data.
The fine issued by the Danish privacy authority for breach of the data retention principle
The Danish data protection authority, Datatilsynet, issued a fine of DKK 1,100,000.00 (equal to € 147,708.63) against a hotel chain for having stored its customers’ personal data beyond the data retention period necessary to achieve the pursued purposes, in breach of the principle set out by Article 5(1)(e) of EU Regulation 2016/679 (the GDPR).
The sanction was the result of an inspection carried out by the Danish privacy authority at the premises of the hotel chain, where it was found that:
- Although the company had a data retention policy, in several cases personal data was stored beyond the period set out in that policy; and
- About 500,000 customer profiles remained in the internal systems, even though they should have been deleted several years before the inspection.
In this regard, the head of Datatilsynet’s inspection unit pointed out that “[i]n a company where personal data are increasingly being recorded and exploited, it is essential that we, as citizens, can be sure that our personal data is being processed for objective purposes and that it is only kept for as long as necessary”.
My view on how companies are dealing with data retention obligations
Compliance with data retention obligations is one of the most challenging tasks for companies. Not only does it require a very detailed data mapping exercise, but also technical and organizational measures capable of deleting data at the end of the retention period. No company can realistically expect to manually delete or anonymize all the data it processes. But, at the same time, without the cooperation of employees, it is impossible to track all processed data and ensure that it is deleted on time.
Besides, there is a cultural problem tied to the “feeling of potential loss”. Companies are still concerned about losing something that might be useful at a later stage for a dispute, for a business decision, or to support their employees. And they believe that such a potential (and sometimes remote) risk justifies retaining data for an indefinite period, even though the risk of GDPR fines is much higher.
There are cases when, for instance, data relating to employees who perform work that is potentially harmful to their health could justify a longer retention period. But retention of personal data can never last for an indefinite period; it needs to be justified and has to be supplemented by technical and legal measures ensuring that the data does not remain available to the company for longer than necessary.
The sanction from the Danish data protection authority follows the much higher fine of € 14.5 million issued by a German data protection authority (read on the topic “€ 14.5 million GDPR fine in Germany for breach of data retention obligations”), which shows how privacy authorities are cracking down on breaches of this principle. Based on my experience, during inspections or dawn raids, authorities are often supported by technical experts who access the systems and can verify compliance with retention obligations.
On the topic, you may find useful the tips and recommendations I gave in my previous article “Data retention period, an intrigued rebus under the GDPR”.