“It is a very important judgment because it helps to determine the practice for the level of fines for private companies. This case will be looked to when deciding similar cases in the future. And we are satisfied that the Eastern High Court broadly agrees with our original assessment of the level back in 2020.”
The quote comes from Cristina Angela Gulisano, director of Datatilsynet. And that is quite understandable. Back then, when the fine was set at DKK 1,1 million, a number of voices said that it was far too much. In light of the other fine cases we are seeing around the EU today, the size of the fine, whether you like it or not, seems to be in line with developments.
In the district court, a majority had voted to let the penalty lapse, while a minority had voted to punish the hotel chain with a fine of DKK 175.000. The DKK 1,1 million had become a warning. Thus, the GDPR obviously lost some of its importance in the boardrooms.
The High Court had to decide partly whether there was an infringement, and partly what the amount of the fine should be and, by extension, which annual accounts should be used as the starting point when a fine is set.
The violation
On the type of violation, the High Court writes:
"The hotel chain was thus [..] aware that the company did not comply with the regulation's art. 5, subsection 1, letter e, and accepted this, as a manual deletion procedure was only initiated in the fall of 2018. The manual deletion that was initiated in September 2018 was, according to witness 1's explanation, insufficient, which the company was aware of, and it was mostly established to show that something was being done about the problem. The manual deletion was only intensified in November 2018, after it was established at Datatilsynet's inspection visit on 1 October 2018 that there were problems with compliance with the erasure deadline. There is therefore an intentional violation in the period from 25 May 2018 until December 2018, where in particular in November 2018 around 500.000 customer profiles were deleted that had been stored in violation of the company's own deletion deadlines."
The natural conclusion is:
"The hotel chain is therefore found guilty to the same extent as determined by the district court [..]."
Which account?
The next question was: the breach was closed in December 2018. Datatilsynet set the fine in 2020 on the basis of the most recently completed accounts, from 2018, but the High Court sets the fine in 2023, so which accounts should the fine be calculated from?
The High Court writes:
"It appears from the regulation's art. 83, subsection 4 and 5, that when determining the amount of the fine, account must be taken of the total global turnover in the previous financial year, and it appears from the decision of 28 July 2021 from the European Data Protection Board that "the previous financial year" is based on the latest audited and published accounts when the supervisory authority makes a final decision on the amount of the fine."
The High Court further writes:
"The provisions in the regulation's art. 83, subsection 4 and 5, according to which the fine must take its starting point in "the previous financial year", are drafted on the premise that an administrative fine is imposed, which in most cases must be expected to mean that there will be a close temporal connection between the period of the offense and the financial year which must form the basis for the determination of the administrative fine. The provision is thus not drafted with a view to the system in force in Denmark, according to which fines are imposed by the courts."
As is well known, the scheme in Denmark is that Datatilsynet imposes the fine while the courts determine it. This means that it may take some time before the fine is finally determined. And then, as a starting point, the close temporal connection between the period of the offense and the financial year that must form the basis for the determination of the administrative fine is lost.
The conclusion was that the High Court follows Datatilsynet:
"The High Court finds that the setting of the fine must be done taking into account the company's financial conditions based on the annual accounts for 2018, which reflect the company's financial situation in the period in which the infringement took place, and which were the most recently audited and published accounts when the supervisory authority, Datatilsynet, completed the case processing and reported the hotel chain to the police."
Determination of fines
On the determination of the fine, the High Court writes, regrettably and somewhat surprisingly, about Datatilsynet's penalty setting:
"Datatilsynet has not explained in detail the calculations that led to a fine of DKK 1.100.000 originally being claimed based on the hotel chain's annual accounts for 2018. Thus it is not possible to assess which starting point for setting the fine Datatilsynet has used and subsequently corrected, taking into account the aggravating or extenuating circumstances of the case. The amended penalty calculations, which Datatilsynet has made based on later financial years, do not cover this either."
It seems that the High Court was irritated by this and therefore ended up deducting a little from the DKK 1,1 million:
"The High Court finds, against this background, after an overall assessment of the circumstances of the case and taking as its starting point the fine set by Datatilsynet, as well as taking into account the hotel chain's net turnover in 2018, that the fine can appropriately be set at DKK 1.000.000."
It is surprising that the case did not tell us more about how, more precisely, Datatilsynet's own model must be used. If Datatilsynet had wanted an even stronger case to work from, that might have been wise. But now the full freedom of determination is at least preserved and possibly approved, which presumably corresponds less well with the EDPB's guidance in the area:
"These Guidelines can be seen as following a step-by-step approach, although supervisory authorities are not obliged to follow all steps if they are not applicable in a given case, nor to provide reasoning surrounding aspects of the Guidelines that are not applicable. Although, reasoning should at least include the factors which led to determining the level of seriousness, the turnover which is applied, and the aggravating and mitigating factors which were applied."
Further developments
Recently, we have seen a large number of decisions from Datatilsynet which, regardless of whether the violation was committed by a private company or a public authority, have resulted in criticism or serious criticism. It is to be expected that Datatilsynet will now again increase the level of fines, and that the courts can determine them somewhat more quickly.