A Danish taxi company, Taxa 4×35 (Taxa), has been issued with a General Data Protection Regulation (GDPR) penalty by Denmark’s Data Protection Authority, Datatilsynet (DPA), for breaching GDPR data retention periods.
The DPA approved a fine of approximately €160,754, which makes up around 2.8% of the company’s annual global revenue. The amount is lower than the highest possible amount, 4% of annual global revenue, but is still high enough to indicate that the DPA is not taking GDPR violations lightly.
The fine was applied following the discovery that Taxa were not complying with the data minimisation principle of the GDPR. The company were keeping copies of personal data for far longer than the permissible retention periods under GDPR. Even though they had erased customers’ identities and addresses after two years of retention, they still held customers’ telephone contact details for another three years, stating that these details were an essential part of their IT database and that they were therefore not in a position to delete the records. The DPA rejected this argument, stating that it was not sufficient justification for such a serious breach of GDPR.
Taxa did attempt to anonymise some of the data. Anonymisation is a process of ensuring that certain information cannot be connected to the individual it belongs to. However, Taxa’s attempts to achieve this were deemed inadequate by the DPA, as the information could still be linked to their customers through their phone contact details.
It should be remembered that this fine is only a recommendation from the DPA. However, the agency, in announcing the fine, noted that Denmark’s police and courts ‘generally tend to be in line’ with regulators’ recommended penalties. It should also be noted, however, that this is the first GDPR penalty notice in Denmark, so it remains to be seen whether the Danish legal system will enforce this new level of fining.
Denmark is the latest European Union Member State to apply its first GDPR fine. In January the French Data Protection Agency, CNIL, sanctioned Google with a €50m GDPR penalty in relation to the methods it employed for displaying data consent policies. In the UK the first GDPR penalty was sanctioned against a Canadian law firm that was linked to the Cambridge Analytica Facebook GDPR breach.