If you retain personal data indefinitely, or have not given thought to your retention schedule – now may be the time to take another look.
The Danish Data Protection Authority has fined a furniture store 200,000 EUR for failure to delete personal data, not having a data retention schedule and not adequately documenting its personal data deletion procedures in violation of GDPR requirements for deleting data no longer necessary for the purpose.
The inquiry revealed that in certain of of the chain’s furniture stores, an older system retained information about approximately 385,000 customers’ names, addresses, telephone numbers, e-mails and purchase histories , with no planned schedule for deletion. The Danish authority held that “Determining when the collected and registered personal data are no longer needed for the purposes for which they are processed, and thus when the information is to be deleted from the systems, is the first and most basic step towards establishing correct and functioning personal data deletion procedures.”