€ 200.000 GDPR fine: the importance of retention periods under the GDPR

Author info
Geert Somers

The Danish supervisory authority proposes to impose a fine of DKK 1.5 million (approximately € 200,000) on a Danish furniture manufacturer (IDDesign) for failing to comply with the obligations regarding the retention periods of personal data.

What happened?

In October 2018, a Danish furniture manufacturer received a questionnaire from the supervisory authority regarding the ERP (Enterprise Resource Planning) software used by the manufacturer. Due to, inter alia, the fact that in this questionnaire the furniture manufacturer declared to be a processor (instead of a controller) of the personal data of its customers, the Danish supervisory authority initiated an investigation.

During the investigation it turned out that the furniture manufacturer had not implemented retention periods in the ERP software. The personal data, including the name, telephone number, e-mail address and purchase history of approximately 800,000 customers of the manufacturer were therefore kept for an unlimited period of time.

The principle of storage restriction

According to the GDPR, Article 5.1.e, personal data must be:

kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed [...]

In other words, retaining personal data longer than necessary is a violation of the GDPR's storage restriction principle.

It also follows from the accountability principle that the data controller must be able to demonstrate that the storage restriction is respected. In this case, however, the furniture manufacturer had failed to document the retention periods and compliance with such periods by means of an appropriate internal policy.

The continuation of the investigation

Following the investigation by the Danish supervisory authority, the furniture manufacturer had removed about half of the approximately 800,000 customers from the system. The other half had to be kept longer in order to comply with an accounting obligation.

In the meantime, the furniture manufacturer had also purchased new ERP software which would keep the personal data of the 'customers' category for 912 days. According to the manufacturer, this time limit corresponded to the period during which a complaint could be lodged. After the expiry of 912 days, the personal data would be rendered anonymous, despite the fact that some products were covered by a 25-year guarantee period.

However, a follow-up investigation by the Danish supervisory authority showed that this retention period was also not implemented in the manufacturer's new ERP software, as a result of which the personal data was kept for more than 912 days. This was another breach of the principle of storage restriction.

In addition to the infringements found when using the ERP software, similar infringements were also found in two HR systems used by the furniture manufacturer. For all these infringements, the Danish supervisory authority proposes an administrative fine of about €200,000 (converted).

Provisional lessons from this case

  • Also so-called classic companies where the processing of personal data is not a core business can be fined if they do not comply with the GDPR basic principles (e.g. a furniture manufacturer in this case).
  • Avoid errors or inaccuracies in a supervisory authority questionnaire to reduce the risk of an investigation (For example, do not declare to be a processor of personal data if you are clearly a controller, for example for data of customers processed in ERP software).
  • Process personal data only for a period necessary to fulfil the purpose.
  • Ensure that these retention periods are legally substantiated.
  • Document the retention periods and their compliance in writing.
  • Implement the retention periods in all IT systems (e.g. ERP software).