Furniture Retail Chain Fined in GDPR Ruling

Key Takeaways

• Fine: Denmark’s Western High Court fined ILVA A/S, a furniture retail chain, $216,000 (DKK 1.5 million) for GDPR violations.
• Group Turnover Standard: The ruling confirmed that fines should be based on the entire corporate group’s global revenue, not just the subsidiary’s.
• CJEU Precedent: The Court of Justice of the EU clarified that “undertaking” under GDPR must align with competition law concepts.
• Effective Enforcement: The judgment ensures fines remain effective, proportionate, and dissuasive, raising exposure for multinationals.
• Case Origins: The breach stemmed from outdated IT systems without deletion deadlines or procedures for personal data.

Deep Dive

The Western High Court in Denmark has imposed a fine of $216,000 (DKK 1.5 million) on ILVA, a Danish furniture retail chain known for its Scandinavian-style home furnishings, for violating the General Data Protection Regulation (GDPR). The ruling establishes an important precedent for how fines against companies are calculated.

The case centered on ILVA’s failure to set deletion deadlines and procedures in an older IT system containing customer information, breaching GDPR’s requirement to delete personal data that is no longer necessary. ILVA operates as part of IDdesign, which owns several furniture and lifestyle brands, giving the case broader implications for group-based liability under European data protection law.

The case first went before the Court in Aarhus in 2021, which fined the company $14,000 (DKK 100,000). That ruling calculated the penalty based on ILVA’s own net revenue rather than the group’s overall turnover. Dissatisfied with the narrow interpretation, prosecutors appealed.

The matter escalated to the Court of Justice of the European Union (CJEU), which in February 2025 clarified that the term “undertaking” in GDPR must be interpreted consistently with EU competition law. This means fines should be calculated on the basis of a group’s total worldwide turnover, ensuring they are “effective, proportionate, and dissuasive.”

High Court’s Decision

Following the CJEU’s guidance, the Western High Court raised the penalty to $216,000 (DKK 1.5 million), in line with the Danish Data Protection Authority’s original recommendation.

“This is a very important judgment because it helps to determine the practice for the level of fines for private companies,” said Cristina Angela Gulisano, Director of the Danish Data Protection Authority. “The judgment is also important because it establishes that management’s knowledge of actual circumstances—about processing that is in breach of data protection rules—makes it an intentional violation of the rules.”

The ruling underscores that GDPR fines in Denmark, and across the EU, will not be limited to the revenues of individual subsidiaries but can be pegged to the financial capacity of the entire corporate group. For businesses, this decision raises the stakes significantly in cases of intentional or negligent data protection violations.

The case began in 2018 when the Danish Data Protection Authority inspected ILVA. By June 2019, the regulator had filed a police report citing breaches of storage limitation rules. With the High Court’s ruling now finalized, ILVA may only seek permission from the Danish Court of Appeal to bring the matter before the Supreme Court.

The ruling carries weight well beyond ILVA. By confirming that fines can be calculated against a group’s global revenue rather than a single subsidiary’s turnover, the case broadens the enforcement risk landscape for multinationals operating under the GDPR. It further demonstrates the importance of robust data governance practices at both subsidiary and group levels, making clear that outdated systems or lax deletion procedures can expose entire corporate groups to significant financial penalties.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.