Denmark: Datatilsynet proposes fine of DKK 1.5M against IDdesign
The Danish data protection authority ('Datatilsynet') announced, on 11 June 2019, that it had proposed, on 3 June 2019, a fine of DKK 1.5 million (approx. €200,800) against IDdesign A/S for its failure to set adequate timeframes for deletion of customer information under Article 5(1)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, Datatilsynet highlighted that, following an investigation into companies' customer data deletion deadline practices, it had analysed whether IDdesign had set deadlines for deleting customer information and whether those deadlines had been met.
Datatilsynet noted that some IDdesign stores had moved to a new system to process data, whereas some were still using the old system. As part of the investigation, Datatilsynet noted that information about approximately 385,000 customers' names, addresses, telephone numbers, email addresses and purchase histories had been retained on the old system and no deletion deadlines had been set; therefore, this personal data had never been deleted.
Datatilsynet highlighted that it had notified the national police of the proposed fine to be imposed by a court against IDdesign.