Danish hotel group fined for failing to delete customers’ details

The Arp-Hansen Hotel Group in Denmark has been fined 1.1m Danish crowns (US$170,000, €148,000) and referred to the police by the country’s data protection authority (Datatilsynet) for storing information on clients longer than necessary. 

In an audit visit, the DPA found there were customer profiles which should have been deleted several years earlier. The authority considers 500,000 entries ought to have been erased from the group’s systems.

There was also a booking system containing a lot of personal data which should have been deleted in accordance with Arp-Hansen’s own deletion deadlines, Datatilsynet said.

“In a society where our personal data is increasingly being recorded and exploited, it is crucial that we as citizens can have confidence that our personal data is processed for objective purposes and that it is only stored for as long as is necessary,” said Frederik Viksoe Siegumfeldt, office manager for the DPA’s supervisory unit.

He added the authority choose to report the matter to the police because in its opinion Arp-Hansen had not offered objective reasons for the extensive storage of information.

The group runs ten up-market hotels in Copenhagen and Aarhus.


The largest data protection, privacy and security event of 2020, now available on-demand!

Featuring four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths, PrivSec Global is now available to watch on-demand.

You can access the content from all four days, by registering for access to our PrivSec Global platform below.

Learn More and Register

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.