GDPR Learning Hub

Processed personal data for an indefinite period

A company in Finland had to pay a fine of almost one million euros because, among other things, it processed personal data for an indefinite period. This is not allowed under the GDPR. In addition, individuals had to create an account on the company's website in order to make purchases. The Finnish data protection authority is called Tietosuoja.

The company processed personal data for an indefinite period in violation of GDPR 

The company stated that it is up to the data subjects themselves to determine the storage duration: when a data subject deletes his or her user account, the company deletes the personal data. However, if the data subject does not delete the user account, the company stores the personal data for a very long and indefinite time. Other companies usually state that they delete the user account if the person has not been active for, for example, two years. In such cases they have a predetermined storage period.

According to the investigation by the Finnish data protection authority, the company deliberately did not have a fixed retention period. It is not permitted to place the responsibility on the data subject, who would have to delete his or her user account in order for the retention period to end. In addition, a person could not simply visit the website and shop without first creating a user account.

Retention period according to GDPR

When a company processes personal data, the company must specify a retention period. The company shall delete personal data when it is no longer necessary to process it for the purpose for which it was collected. An unlimited storage period is not allowed. Please note that in some cases companies need to continue processing personal data because this is required by a law other than the GDPR; that is permitted.

Consequences for the company 

The company in the case was fined for the infringement of the GDPR. It appealed against that decision to the Administrative Court of Finland. In another, similar case, the Supreme Administrative Court of Finland did not grant the case. The amount of the fine in this case was EUR 856 000. The maximum fine that a company can receive for serious breaches of the GDPR is 4 percent of its total annual turnover or 20 million euros, whichever is higher.

Company had to pay a fine for not having stopped direct marketing on request 

An international company with its head office in Sweden had to pay a fine because it did not stop its direct marketing when data subjects requested it. Six (6) data subjects in three different countries complained about this. Those countries then transferred the case to Sweden, as the company has its headquarters there.
