Denmark’s Data Protection Authority Datatilsynet (DPA) issued their first GDPR fine to the taxi company Taxa 4×35 (Taxa) for violating GDPR data retention periods.
Taxa weren’t adhering to the data minimisation principle of the GDPR because they were retaining personal data long after the provided retention periods. While they had deleted customers’ names and addresses after two years of retention, they still kept customers’ telephone numbers for an additional three years, arguing that telephone numbers were an essential part of their IT database and that they weren’t able to delete them at that time. The Danish DPA disputed this, arguing that this explanation didn’t justify the serious breach of data privacy laws.
Taxa’s attempts at anonymisation were also found to be inadequate. Anonymisation optimally makes certain information impossible to connect to the person it belongs to, but in Taxa’s case the information could still be linked to their customers through their phone numbers.
The DPA recommended a fine of 1.2 million kroner, approx. €160,754, which amounts to approx. 2.8% of the company’s annual turnover. While this still doesn’t match the GDPR’s standard for such a fine (4% of annual global turnover), it shows that DPAs are taking matters seriously. While this fine is only a recommendation, the DPA noted that Denmark’s police and courts “generally tend to be in line” with regulators’ proposed penalties.