On 2 September 2025, the furniture company ILVA A/S, part of the Jysk Group, was fined DKK 1.5 million by the Danish High Court for storing personal data about customers in violation of the rules of the General Data Protection Regulation (GDPR).
ILVA A/S stored customers' personal data for too long
During an inspection in the fall of 2018, the Danish Data Protection Agency found that ILVA A/S had not set deletion deadlines for an older IT system nor introduced other procedures for deletion. Thus, ILVA A/S stored information about approximately 350,000 customers, including their names, telephone numbers, addresses, email addresses, and purchase histories.
According to the Data Protection Regulation personal data must be deleted when it is no longer necessary to store it. Based on this principle, the Danish Data Protection Agency filed a police report for violation of the rules of the GDPR.
The District Court's fine and preliminary questions referred to the Court of Justice of the European Union
The District Court found that ILVA A/S violated the storage limitation rules and imposed a fine of DKK 100,000. The District Court determined the fine based on ILVA A/S's turnover, rather than the turnover of the entire group, as the Danish Data Protection Agency had proposed.
The case was appealed to the High Court, which referred two preliminary questions to the Court of Justice of the European Union (CJEU). These questions concerned the interpretation of the concept of an undertaking in the GDPR, including whether a fine should be based on an undertaking's individual turnover or the total turnover of a group of companies.
On February 13, 2025, the CJEU ruled that, when a data controller or an entity thereof is fined for violating the GDPR, the fine must be calculated as a percentage of the undertaking's (the group's) total global turnover in the previous financial year.
Accordingly, the High Court ruled and increased the fine from DKK 100,000 to DKK 1.5 million.
Littler notes
The decision emphasizes the importance of companies complying with data protection rules, including the rule on storage limitation, and also establishes how fines should be determined in the event of a breach of data protection rules.
Disclaimer: This article is not and cannot replace legal advice.
