The Arp-Hansen Hotel Group in Denmark has been fined 1.1m Danish crowns (US$170,000, €148,000) and referred to the police by the country’s data protection authority (Datatilsynet) for storing information on clients longer than necessary.
In an audit visit, the DPA found there were customer profiles which should have been deleted several years earlier. The authority considers 500,000 entries ought to have been erased from the group’s systems.
There was also a booking system containing a lot of personal data which should have been deleted in accordance with Arp-Hansen’s own deletion deadlines, Datatilsynet said.
“In a society where our personal data is increasingly being recorded and exploited, it is crucial that we as citizens can have confidence that our personal data is processed for objective purposes and that it is only stored for as long as is necessary,” said Frederik Viksoe Siegumfeldt, office manager for the DPA’s supervisory unit.
He added that the authority chose to report the matter to the police because, in its opinion, Arp-Hansen had not offered objective reasons for the extensive storage of information.
The group runs ten up-market hotels in Copenhagen and Aarhus.