Denmark: Datatilsynet recommends DKK 1.1M fine and reports Arp-Hansen to police for failure to delete personal data
The Danish Data Protection Authority ('Datatilsynet') announced, on 28 July 2020, that it had recommended Arp-Hansen Hotel Group A/S for a fine of DKK 1,100,000 (approx. €147,800) and reported it to the police for failure to delete the personal data of 500,000 customers in violation of Article 5(1)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Datatilsynet highlighted that during an inspection, it reviewed a number of systems with a view to examining whether Arp-Hansen had sufficient procedures to ensure that personal data were not stored for longer than was necessary for the purposes for which the data were processed. Furthermore, the Datatilsynet noted that, during the course of the inspection, it discovered that a booking system contained a lot of personal data that should have been deleted in accordance with Arp-Hansen's own set deletion deadlines and was also able to establish that there were so-called customer profiles, which, after Arp-Hansen's own deletion deadlines, should have been deleted several years earlier.
You can read the announcement, only available in Danish, here.