First GDPR penalty in Denmark
The Danish data protection authority audited the taxi company Taxa 4×35, focusing on the deletion of personal data.
When asked, the company stated that all information about the routes would be anonymised after two years, meaning that the personal data is deleted from the records.
The agency checked the information provided by the company and found that, although the names of those affected are deleted, the phone number and the pickup and destination addresses are not. Since persons can easily be identified via the telephone number, the required anonymisation is not achieved. Overall, 8,873,333 records were affected at the time of the audit.
The reason given by the taxi office was that the telephone number is the key element in the database, so records cannot be stored without a telephone number.
The Authority clarified that this justification is unacceptable. Personal data must be deleted immediately after expiry of the period of use, even if the system used is not designed accordingly.
Conclusion
The deletion of personal data is one of the sticking points of the General Data Protection Regulation. If a company fails to comply with its obligations, it will be fined severely, as can easily be seen in this case. Creating a directory of procedures is also essential. If a company cannot produce a processing list on request, this is a serious violation of the GDPR. The documentation of all data processing processes is complex and comprehensive. Only with suitable software can you efficiently record all processes. easyGDPR helps you with this: the online tool provides templates for all common data processing processes and creates your processing directory in a short time.
Decision date: 25.03.2019
Country: Denmark
Type of Issue: Illegal data processing
Number of involved data records: 8,873,333
Special category of data involved: No
Fine: € 161,000,-
Violation of GDPR Paragraph: 5. Principles relating to personal data processing
Reference: