easyGDPR

We make implementing General Data Protection Regulation Easy

by

First GDPR fine in Denmark

The Danish Data Protection Authority inspected the cab company Taxa 4×35, focusing on the deletion of personal data.

Upon inquiry with the company, the company explained that all information on routes will be anonymized after two years, i.e., the personal data will be deleted from the records.

The authority checked the company’s data and found that although the names of the persons concerned are deleted, the telephone number and pick-up and destination addresses are not. Since people can be easily identified via the telephone number, the required anonymization is no longer given. A total of 8,873,333 records were affected at the time of the inspection.

The reason given by the cab company was that the phone number is the key element in the database, therefore records cannot be saved without a phone number.

The authority clarified that this justification is unacceptable. Personal data must be deleted immediately after expiry of the period of use, even if the system used is not designed for this purpose.

Conclusion

The deletion of personal data is one of the sticking points of the General Data Protection Regulation. If a company fails to comply with its obligations, it will be subject to severe fines, as is readily apparent in this case. The creation of a procedure directory is also essential. If a company cannot provide a processing directory upon request, this is a serious breach of the GDPR. The documentation of all data processing procedures is complex and comprehensive. Only with the appropriate software can you record all processes efficiently. easyGDPR helps you do this – the online tool offers templates for all common data processing procedures and thus creates your processing directory in a short time.

Entscheidungsdatum:
25.03.2019

Land:
Denmark

Art des Verstoßes:
Illegal data processing

Betroffene Datensätze:
8873333

Waren sensible Daten betroffen?:
No

verhängte Geldstrafe:
€ 161,000,-

Quelle:
Communication from the Danish Data Protection Authority (Danish)

Category iconUncategorized