Not deleting personal data in time. Price: 160 000€

Not deleting personal data in time. Price: 160 000€

Following an inspection by the Danish Data Protection Agency in October 2018, the taxi company, Taxa 4×35, have been reported by the Danish Data Protection Agency to the police and the Agency has recommend a fine of 160 000€ for violation of the GDPR. 

In most jurisdictions, the Data Protection Authority can issue fines by their own but in Denmark a police report must be issued, and the fine will be determined by the courts of Denmark.

The conclusions are interesting, as they expose several interesting mistakes conducted by Taxa 4×35.

Anonymization

Taxa 4×35 actually had a retention process in place, but only deleted the names of the data subjects. This would probably have been sufficient according to previous legislation, but as GDPR defines personal data as “any information, in combination with other information, that can be used to identify an individual”, it is not enough under GDPR. All information, that theoretically can be used to identify an individual, should have been deleted. This included geolocation data.

Data minimization

Taxa 4×35 has used the phone numbers of clients as internal identifiers. This, concludes the Danish Data Protection Agency, is a breach of data minimization. A unique identifier, that was not personal data, could have been assigned for internal processes.

Legal basis

Taxa 4×35 further argues that they have a legitimate interest processing phone numbers are up to five years, for the purpose of “conducting its business and for business development purposes”. The DPA expresses severe criticism, as this purpose is neither enough specified nor explicit.

Deletion and retention procedures

The DPA also express severe criticism for the lack of processes and procedures for retention and deletion.

The Agency refers in this regard to the requirement set out in article 5(2), cf. 5(1)(e), from which is follows that the data controller must be able to demonstrate that it is not possible to identify the data subject beyond what is necessary in accordance with the purposes for which the personal data is processed. The company must therefore ensure effective deletion, including in backup recovery files, and be able to demonstrate that appropriate actions are carried out to ensure this. 

Conclusions

The severe criticism from the DPA only concerns one system, DDS Pathfinder. However, it clearly displays the challenges of retention, and the severity of not complying to the rules set out in GDPR.

As this now is a proven challenge in one system, running on one database, companies should really start thinking about how retention procedures will be implemented and executed in their unstructured data.

Thanks to Gorrissen Federspiel for an excellent article:

https://gorrissenfederspiel.com/en/knowledge/news/recommended-fine-of-dkk-12-million-to-taxa-4×35-for-violation-of-the-gdpr