The district court in Aarhus has rendered its decision in the first case before the Danish courts on violation of the General Data Protection Regulation (GDPR). The case relates to an enterprise that was reported to the police by the Danish Data Protection Agency for failure to delete customer information. The court reduced the prosecution service’s claim for a fine by more than 90% (from the original DKK 1.5m to DKK 100,000). Bech-Bruun has assisted the enterprise in question in this case of general public importance for the past couple of years.
On the basis of an inspection at the enterprise conducted in the autumn of 2018 regarding deletion of personal data, the Danish Data Protection Agency in June 2019 decided to file a report against the enterprise to the police. The reported issue related to the enterprise’s storage of the customers’ personal data in an old ERP system. The system stored information such as the customers’ names, addresses, telephone numbers, email addresses and purchase history. The data had not been misused and there had been no breaches of security. The case related solely to the question of storage limitation and the potential sanction for violation of the GDPR.
This is the first time that a Danish court has considered the question of guilt, the standard of proof and potential sanctions under the EU’s data protection rules. Because of the general public importance of the case and its considerable significance to society, the Court granted Bech-Bruun’s request to have the case heard by a court sitting with lay judges.
Failure to delete personal data
The Court found that the GDPR violation had been proved, as a valid processing purpose no longer existed for approx. 350,000 customers, and that the personal data of these customers was accordingly being processed contrary to the storage limitation. In the assessment of the Court, the personal data should have been deleted according to the five-year rule in the Danish Consolidated Bookkeeping Act (bogføringsloven). The Court thus agreed with the prosecution service and the Data Protection Agency on the question of guilt. On the question of sanctions, however, the Court agreed with Bech-Bruun.
As the only mitigating circumstance, the Data Protection Agency and the prosecution service had pointed to the fact that this solely concerned general personal data and not sensitive personal data or data of a special nature.
The Court accepted Bech-Bruun’s arguments that the following mitigating circumstances should be taken into account in the assessment of the sanction:
- The enterprise had not previously violated the General Data Protection Regulation.
- The data was stored in an older and partly phased-out system, which was only accessed occasionally.
- No data subjects had suffered any harm.
- The violation was of a formal nature.
- The enterprise had taken quite considerable steps to ensure compliance with the rules.
- The enterprise had displayed only negligence and not intent.
Calculation of the fine
With respect to the calculation of the fine, the Court accepted Bech-Bruun’s argument that the focus should be only on the revenues of the enterprise itself and not on group revenues. This was one of the key disputes in the case.
Furthermore, the Court rejected the argument, made by the prosecution service during the proceedings, that a separate legal basis existed according to Article 5(2) of the General Data Protection Regulation in respect of the charge raised.
Comments by Bech-Bruun
“The decision of the Court is a clear defeat for the prosecution service and the Data Protection Agency’s criminal prosecution of GDPR violations. Furthermore, the decision creates considerable uncertainty with respect to the level of fines in cases concerning alleged violation of the GDPR. The prosecution service attempted to have the fine determined using the Data Protection Service’s guidelines on fines, published on 29 January 2021. The decision of the District Court does not follow the guidelines on fines of the Data Protection Agency, even though this was a crucial point for the prosecution service”, says partner Dan B. Geary.
He goes on: “It must be expected that the decision in this case will be of major importance to the strategy adopted in future cases on GDPR violation to be heard by the courts.”
The case was conducted by Dan B. Geary, Partner, and by Poul Gade, Senior Associate, with the assistance of Bech-Bruun’s GDPR team.