Denmark’s Data Protection Authority, Datatilsynet (DPA), recently recommended its first fine for a breach of the GDPR, against the taxi company Taxa 4×35 (Taxa), due to its over-retention of certain customer data.
Breach of the data minimisation principle
The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining personal data long after the envisaged retention limit for such data, thereby finding an affirmative duty to delete expired personal data. Taxa had deleted customers’ names and addresses after two years of retention but had retained customers’ telephone numbers for an additional three years. Taxa argued that telephone numbers were an essential part of its IT database and therefore could not be deleted in the same time span.
The Danish DPA did not agree that a difficulty within a company’s IT system can justify such a serious breach of data privacy. Additionally, Taxa’s attempts at anonymisation were inadequate. Anonymisation of data requires companies to make it impossible for certain information to be connected to a person. Despite Taxa’s deletion of customer names, information on its system could still be linked to persons through telephone numbers.
How is this fine significant?
The DPA recommended a fine of 1.2 million kroner, which is approximately €160,754. This amounts to approximately 2.8 per cent of the company’s annual turnover, which essentially shows the readiness of EU supervisory authorities to get closer to the 4 per cent annual global turnover cap imposed by the GDPR. Pre-GDPR, such a fine in Denmark would have not exceeded 25,000 kroner (approximately €3,350). The hefty fine this time round mirrors the large amount of customer data that the company did not need but retained for too long – namely personal telephone numbers connected to nine million taxi rides. This DPA recommendation also sets a precedent that organisational IT limitations may not be recognised as a legitimate reason to over-retain personal data. Companies facing such limitations are wise to explore other solutions to mitigate risk, for instance replacing such telephone numbers and information with random identifiers to effectively anonymise older personal data.
Even though this fine is only a recommendation, the DPA noted that Denmark’s police and courts “generally tend to be in line” with regulators’ proposed penalties. As this is the first GDPR penalty notice in Denmark, it remains to be seen if the Danish courts will agree with this new level of fining imposed by the DPA.
Regardless, organisations should critically examine their personal data retention practices in a changed data privacy landscape. Depending on the jurisdictional requirements that apply to items containing personal data, records should be deleted in a timely manner according to a records retention schedule that sets out retention periods based on regulatory, operational, legal and tax concerns. Deletion of records must be permanent (that is, no copies may survive in backups elsewhere) and preferably documented.
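The two measures discussed above, a retention schedule that deletes expired records and the replacement of telephone numbers with random identifiers for records that must be kept longer, can be combined in a single retention sweep. The following is an added illustration, not Taxa’s or the DPA’s code; the two-year and five-year periods, the record layout and the sample rides are assumed. The phone-to-identifier mapping lives only for the duration of the sweep, so older rides can still be grouped per customer but can no longer be linked back to a real telephone number (a keyed hash would not achieve this, since anyone holding the key could re-link the data).

```python
"""Retention sweep for ride records (constructed example, not a real system)."""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed retention schedule: identity fields go after 2 years,
# the whole record after 5 years.
ANONYMISE_AFTER = timedelta(days=2 * 365)
DELETE_AFTER = timedelta(days=5 * 365)


@dataclass
class Ride:
    ride_id: int
    ride_date: date
    name: Optional[str]
    address: Optional[str]
    phone: Optional[str]                # direct identifier: links rides to a person
    customer_ref: Optional[str] = None  # random, unlinkable replacement for phone


def sweep(rides: List[Ride], today: date) -> List[Ride]:
    """Apply the retention schedule and return the surviving records.

    Records past DELETE_AFTER are dropped. Records past ANONYMISE_AFTER lose
    name, address and phone; the phone is replaced by a random identifier that
    is consistent within this run only. The mapping is discarded on return,
    so the replacement cannot be reversed later.
    """
    tokens: Dict[str, str] = {}  # exists only while the sweep runs
    kept: List[Ride] = []
    for r in rides:
        age = today - r.ride_date
        if age >= DELETE_AFTER:
            continue  # expired: delete the record entirely
        if age >= ANONYMISE_AFTER and r.phone is not None:
            token = tokens.setdefault(r.phone, secrets.token_hex(8))
            kept.append(Ride(r.ride_id, r.ride_date, None, None, None, token))
        else:
            kept.append(r)  # still within the retention period
    return kept


# Constructed sample data: ride 1 is older than 5 years, rides 2, 3 and 5 are
# older than 2 years (2 and 5 share a customer), ride 4 is recent.
SAMPLE = [
    Ride(1, date(2013, 5, 1), "A. Hansen", "Vestergade 1", "+4512345678"),
    Ride(2, date(2016, 6, 1), "A. Hansen", "Vestergade 1", "+4512345678"),
    Ride(3, date(2016, 7, 1), "B. Jensen", "Nørregade 2", "+4587654321"),
    Ride(4, date(2019, 3, 1), "B. Jensen", "Nørregade 2", "+4587654321"),
    Ride(5, date(2016, 9, 1), "A. Hansen", "Vestergade 1", "+4512345678"),
]
```

Running `sweep(SAMPLE, date(2019, 4, 1))` drops ride 1, strips the identity fields from rides 2, 3 and 5 (giving 2 and 5 the same opaque identifier) and leaves ride 4 untouched.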
The fine endorsed by Denmark’s DPA is among the emerging ‘firsts’ that European regulators are starting to recommend or impose for non-compliance with the GDPR. We have reported recently that the Polish supervisory authority has enforced its first fine for a violation of Article 14 of the GDPR – nearly €220,000 for a company’s failure to inform data subjects of how it processes their personal data. Concurrently, the Dutch data protection authority has issued its GDPR fining policy, becoming the first EU supervisory authority to set out a structure for computing administrative fines for violations of obligations under the GDPR.
We expect this list of ‘firsts’ to grow, as EU regulators will no doubt draw on recent practice as a building block for their future findings. Stakeholders should keep an eye on penalties springing up across the EU to appreciate the consequences of breaching the GDPR, and begin to take protective and proactive technical and organisational measures.