Danish hotel group fined for failing to delete customers’ details

The Arp-Hansen Hotel Group in Denmark has been fined 1.1m Danish crowns (US$170,000, €148,000) and referred to the police by the country’s data protection authority (Datatilsynet) for storing information on clients longer than necessary. 

In an audit visit, the DPA found there were customer profiles which should have been deleted several years earlier. The authority considers 500,000 entries ought to have been erased from the group’s systems.

There was also a booking system containing a lot of personal data which should have been deleted in accordance with Arp-Hansen’s own deletion deadlines, Datatilsynet said.

“In a society where our personal data is increasingly being recorded and exploited, it is crucial that we as citizens can have confidence that our personal data is processed for objective purposes and that it is only stored for as long as is necessary,” said Frederik Viksoe Siegumfeldt, office manager for the DPA’s supervisory unit.

He added the authority choose to report the matter to the police because in its opinion Arp-Hansen had not offered objective reasons for the extensive storage of information.

The group runs ten up-market hotels in Copenhagen and Aarhus.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.