Danish Regulator Orders Aalborg Municipality to Address Data Deletion Failures

Key Takeaways
  • Regulatory Action Triggered by DPO Findings: The Danish Data Protection Agency launched its investigation into Aalborg Municipality after press coverage of issues identified in the municipality’s data protection officer’s annual report, particularly around failures to delete personal data.
  • GDPR Violations Identified: The regulator found the municipality in breach of core obligations under the General Data Protection Regulation, specifically around storage limitation and accountability, with personal data being retained longer than necessary.
  • Mandatory Remediation Measures: Aalborg must map all systems processing personal data, delete data that has exceeded retention deadlines, and develop a structured plan with system suppliers to address remaining data that should be erased.
  • Compliance Deadline and Enforcement Risk: The municipality has until October 2, 2026 to comply, with potential penalties including fines or imprisonment for non-compliance under Danish law.
  • Persistent Governance Gaps: Despite repeated internal reviews in 2022, 2023, and 2025, deletion routines remained inadequate, highlighting a broader issue of implementation failures rather than lack of guidance.
Deep Dive

The Danish Data Protection Agency has ordered Aalborg Municipality to bring its handling of personal data into compliance with data protection rules, after an investigation found the municipality had failed to delete information it no longer had a legal basis to retain.

The case began on April 10, 2026, when the authority launched an inquiry following press coverage of issues outlined in the municipality’s data protection officer’s annual report. That report pointed to ongoing weaknesses in deletion practices across the organization.

Less than a month later, on May 4, the regulator issued a formal order requiring Aalborg to correct those deficiencies. The decision followed a review of the annual report and the municipality’s response.

The case turns on one of the most basic obligations under the General Data Protection Regulation. Personal data must not be kept longer than necessary, and organizations must be able to demonstrate that they comply with that principle. The Danish authority concluded that Aalborg Municipality had not met either requirement.

According to the decision, the municipality has been processing personal data that should already have been deleted. In some systems, deletion must be carried out manually and has not been done. In others, technical limitations prevent automatic deletion. The regulator also found that Aalborg lacks a complete overview of the systems holding personal data subject to deletion rules.

The order lays out a set of corrective steps designed to bring the municipality back into compliance. Aalborg must compile a comprehensive list of all systems that process personal data, including details on whether and how deletion is possible and what deadlines apply. It must also immediately remove data that has exceeded those deadlines where deletion can be carried out, and develop a broader plan, in coordination with system suppliers, to eliminate remaining data that is no longer needed.

The authority has set a deadline of October 2, 2026 for compliance, requiring the municipality to confirm by that date that the order has been fulfilled.

Failure to comply could carry legal consequences. Under Denmark’s data protection law, non-compliance with such an order can result in fines or imprisonment for up to six months, and public authorities are also subject to penalties.

In comments accompanying the decision, IT security specialist and lawyer Allan Frank described the shortcomings as “extremely serious,” noting that rules on data deletion have been established for more than 25 years and have been clarified repeatedly by the authority. He added that when a data protection officer identifies unlawful practices, it should lead to documented reflection by management and the development of a clear remediation plan.

The authority also emphasized that the order is intended to address the current situation, but it has reserved the right to take further corrective action if necessary.

The findings mirror concerns raised internally within the municipality. The data protection officer’s 2025 report noted that deletion routines had been reviewed multiple times in recent years, including in 2022, 2023, and 2025, yet remained insufficient. According to the report, none of the municipality’s administrations had completed the required work, with several having not started at all.

For the Danish regulator, the case highlights a persistent gap between policy and practice. Even where expectations are clearly defined, the absence of system-wide implementation and oversight can leave fundamental compliance obligations unmet.
