The Danish data protection authority has issued a fine of DKK 1.5 million (£180,000) to furniture company IDdesign for storing personal information of approximately 385,000 customers without having any valid basis to do so.
The fine was issued after the data protection authority found that a certain number of IDdesign furniture stores were using an old system that contained personal information of some 385,000 customers. Such information included names, addresses, telephone numbers, e-mail addresses and purchase history.
Storing personal information indefinitely in an old system violated the GDPR, which requires companies to process personal data in such a way that data subjects cannot be identified for longer than is necessary for the purposes for which the personal data are processed.
The Danish data protection authority found that even though IDdesign had introduced a new system in some of its furniture shops for the processing of personal data, a large number of its shops continued to store vast amounts of customer data that included names, addresses, and telephone numbers.
IDdesign did not follow GDPR rules on storage of customer data
IDdesign admitted that information stored in the old systems had not been deleted and that it had not set any deadlines for the information to be deleted. At the same time, the company did not indicate whether customer data stored in the old system were necessary for processing purposes.
"The GDPR establishes that personal data must be stored in such a way that data subjects cannot be identified for longer than is necessary for the purposes for which the personal data are processed. IDdesign did not indicate when personal data in the old system are no longer necessary for processing purposes, and thus did not specify the deadlines applicable to erasure of the personal data processed in the system.
"The Data Protection Agency therefore considers that IDdesign has not complied with the data protection requirements of the data protection regulation by having processed the personal data for a longer time than necessary," it added.
The fine issued under the GDPR to IDdesign should serve as a wake-up call for companies that store large amounts of customer data but have no plan in place to delete data that is no longer necessary for processing purposes or that has been held for longer than necessary.
The GDPR also requires companies to obtain explicit consent from people before collecting or storing their personal data for any purpose. Besides personal information such as names, addresses, email addresses, phone numbers and government ID numbers, personal data also includes IP addresses, DNA, and cookies.
At the same time, companies are required to respect any customer's request to have his data amended or deleted from their servers. Consent will not be permanent and citizens will be able to withdraw their consent anytime they wish to do so.
If your company sends out marketing emails or offers discounts or add-ons to customers via email or text, you will need to ensure that only customers who have expressly opted in and consented to receive such emails and texts are contacted.