Legacy IT meets GDPR: Denmark’s fine expands corporate liability

In September 2025, the Danish furniture chain ILVA found itself at the centre of a landmark GDPR ruling. What began as a forgotten IT system tucked away in a few stores turned into a courtroom battle that reached the EU’s highest court, and ended with a fine of DKK 1.5 million (£174,000).

 

The forgotten database

Back in 2018, inspectors from Denmark’s Data Protection Authority, Datatilsynet, visited ILVA’s sister brand, IDEmøbler. What they found was unsettling: an older IT system still running quietly in the background, containing the details of nearly 385,000 customers.

 

Names, addresses, phone numbers, emails, and purchase histories were all stored without any deletion process. There were no deadlines, no retention rules, no mechanism for erasure. When asked, IDdesign (the company running IDEmøbler and ILVA before a merger) admitted plainly: “We don’t delete this data.”

 

Under GDPR, that’s a clear breach of the storage limitation principle. Personal data must not be kept longer than necessary, and yet here it was, sitting indefinitely in a dusty system no one had got around to cleaning up.

 

From police report to courtroom drama

Datatilsynet filed a police report in 2019. The case landed before the District Court in Aarhus in 2021, where ILVA was found guilty, but the fine was just DKK 100,000 (£11,500). The court saw the breach as negligent rather than intentional and based the penalty on ILVA’s own turnover, not the wider group’s.

 

That ruling didn’t sit well with regulators. The Danish DPA had pushed for DKK 1.5 million, arguing the fine should be calculated on the group’s entire turnover. The case was appealed, and soon the High Court of Western Denmark was asking the EU Court of Justice (CJEU) to weigh in on a fundamental question:

 

When calculating GDPR fines, should regulators look only at the infringing company, or at the turnover of the entire corporate group?

 

 

The EU steps in

In February 2025, the CJEU delivered a decisive answer. Fines under GDPR must be calculated using the concept of an “undertaking”, the same standard applied in EU competition law. That means regulators can take into account the entire global turnover of a corporate group, not just the revenue of one subsidiary.

 

The Court’s reasoning was clear: fines need to be effective, proportionate and dissuasive. If large groups could shield themselves behind small subsidiaries, penalties would become meaningless.

 

For ILVA, that meant the stakes rose sharply. The Western High Court, applying the CJEU’s guidance, overturned the lower court’s ruling and imposed the full DKK 1.5 million fine.

 

Management knowledge makes it worse

The judgment didn’t just rest on numbers. It also stressed management’s role. ILVA’s leadership knew there was no deletion process. They knew the system existed and still allowed data to sit there.

 

That knowledge meant the violation wasn’t just a careless oversight; it was closer to an intentional breach. Cristina Angela Gulisano, Director of Datatilsynet, underlined this point: managers’ awareness of unlawful processing can escalate a case from negligence to intentional non-compliance.

 

 

Why this case matters across Europe

For compliance teams and data protection officers, ILVA’s fine marks a clear precedent.

 

Legacy systems are liabilities. It’s not enough to implement retention policies in shiny new platforms. If old databases or software still contain personal data without deletion schedules, you are exposed.

 

Management accountability is real. If leadership is aware of unlawful practices, regulators will treat violations as intentional, raising both reputational and financial stakes.

 

Group-level fines are here to stay. The CJEU’s ruling means that regulators across Europe can base fines on global group turnover, not just local subsidiary accounts. For multinational groups, even a relatively minor GDPR slip can now carry expensive consequences.
