I’ve previously posted about data retention being one of the hardest data privacy compliance tasks for organizations to complete. This holds true for organizations large and small in all sectors. Finding your data, cataloging it, deciding on retention periods, and implementing those retention periods is one of the hardest operational tasks organizations face.

And it’s only getting more important.

The Finnish Data Protection Commissioner recently fined a local online retailer 856,000 Euros (nearly $928,000) for 1) never deleting personal data of its customers and 2) requiring customers to create an account to make a purchase. The retailer claimed that it did have a data retention period – one that was set by customers themselves. Customers could close their account and delete their data at any time. But this wasn’t enough. More specifically:

A penalty fee was imposed on Verkkokauppa.com, because the company had completely left the retention period for the personal data collected on customer accounts undefined. Data retention cannot be justified by the fact that the customer can later request the deletion of their data. Based on the investigation, Verkkokauppa.com had consciously decided that no retention period was defined for the data collected in the customer account and left the limitation of the data retention period to the responsibility of the customer.

[You may need to use a translation tool to read the above press release.]

The decision is not yet binding and the retailer has indicated it will appeal.

The takeaways from cases like this are:

  1. Know what data you have and all the places it lives.
  2. Create a data retention policy and accompanying retention schedule with relevant retention periods for certain kinds of data and records.
  3. Implement those retention periods and delete data at the appropriate times.

This is easier said than done and often requires significant investigation and planning. Data retention limitations aren’t just required by European laws – they’re also required under US laws. For assistance with your data retention program, please reach out to us at info@fullstacklaw.com.