Violation of Data Protection – €900,000 Fine

Violation of Obligations to Delete Personal Data

 

Violations of data protection laws or the General Data Protection Regulation (GDPR) can result in significant fines. For instance, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) imposed a fine of €900,000 on a company in the debt management sector for failing to delete personal data in a timely manner.

With the introduction of the GDPR, the requirements for data protection in companies have increased significantly. Companies must take appropriate measures to protect personal data when processing it. Moreover, individuals have the right to have their data deleted within specified timeframes. Violations of data protection laws or the GDPR can result in substantial penalties, according to the law firm MTR Legal Rechtsanwälte, which also provides advice on IT law.

 

Review of Companies in Debt Management

 

The storage of personal data can be a significant burden for individuals, particularly for delinquent debtors. Their data is often shared with credit agencies, which can, for example, make it significantly harder to enter into contracts. It is therefore crucial for debtors that their data is deleted promptly after the relevant retention periods have expired.

Hamburg is an important hub for the debt management sector. As part of a focused review, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) examined leading companies in this industry.

 

Generally Positive Findings

 

The review primarily focused on how personal data is stored and processed within the companies. The data protection team conducted on-site visits to several companies’ premises. The findings were generally positive. Notably, the companies have improved their transparency toward affected individuals, as stated in a press release by the Hamburg Commissioner for Data Protection on November 12, 2024.

 

Data Retained for Too Long

 

However, there were exceptions. During the audit, it was discovered that one company retained datasets beyond their legal retention periods. This included personal data affecting a six-figure number of individuals, stored without legal justification. This constitutes a violation of Article 5(1)(a) and Article 6(1) of the GDPR. While the data was not shared with third parties, it remained in the company’s database for up to five years beyond the legal retention periods, as the Hamburg Commissioner further noted.

For this violation, the data protection authority imposed a fine of €900,000, which the company has accepted. The company’s cooperation with the supervisory authority during the investigation was taken into account when determining the fine. Similar violations were found at another company, but investigations in that case are still ongoing.

When a client relationship ends, stored data must be deleted immediately or after the expiration of legal retention periods. As the example of the Hamburg-based company shows, violations of these obligations can be costly. To prevent such violations, companies should implement efficient data protection compliance measures.

 

Timely Deletion of Data

 

To handle sensitive personal data in compliance with the law, companies should develop systematic deletion strategies to ensure data is not stored unlawfully, thus avoiding GDPR violations. From the point of collection, it should be clear whether, for how long, and for what purposes the data will be stored and processed. This approach can help companies avoid fines for data protection violations and enhance trust among their clients.

It is essential to remember that data protection plays a crucial role not only in client relationships but also internally, in relationships with employees. Employees also have the right under the GDPR to request information from their employers about the use of their personal data.

MTR Legal Rechtsanwälte provides guidance on data protection law and other IT law matters.
