The data processing and storage activities of “taxa 4×35” may result in significant financial penalties for the Danish taxi service company, with the Danish Data Protection Agency (Datatilsynet) recommending a fine of DKK 1.2 million. This is the first public recommendation for a fine that Datatilsynet has made under the 2018 Danish Data Protection Act since the new legislation came into force.
Since the introduction of the GDPR in May 2018, much attention has been paid to the first fines issued by national data protection agencies in this time of heightened personal data protection. Whilst some countries issued fines relatively shortly afterwards, it was in March 2019 that Datatilsynet issued its first recommendation for a fine. Notably, Denmark and Estonia are the two countries in the EU that currently cannot issue administrative fines of their own accord. Instead, Datatilsynet recommends fines to the police for follow-up.
Following investigations by Datatilsynet in Autumn 2018, it has been determined that the taxi company is storing customers’ personal data for longer than the maximum time period. The taxi company had implemented data security measures in order to comply with the new data protection rules that came into force in 2018; however, these were not sufficient. Part of the company’s data policy involved deleting customers’ names after two years so as to “anonymise” their records, whilst retaining various other information, including phone numbers and addresses.
However, anonymisation of a record under the GDPR requires that identifying information be removed such that it is no longer possible to identify the person to whom the data relates. Accordingly, it was viewed that taxa 4×35 had in fact not properly anonymised its records and was retaining customer data for years past the applicable time limits.
The purpose of this data retention was so that the company could still apply data analytics to the collected data, which taxa 4×35 viewed as critical. Whilst personal information such as phone numbers was not necessary to retain in itself, taxa 4×35 explained that the phone number was the key to its records system. However, Datatilsynet has emphasised that the fact that a database has historically required personal information to operate is not sufficient justification for the continued storage of such data.
A core GDPR principle is that of data minimisation whereby data is limited to what is necessary for its legitimate use, alongside the principle of storage limitation whereby identifying personal information is not retained for longer than necessary.
It is therefore important for companies and organisations to continually reflect on whether their internal data protection measures are sufficient for compliance with national and EU-level data protection standards. A critical part of this is considering whether the existing justifications for data retention truly are legitimate, or whether it is time to re-evaluate the company’s data structure and systems.
At MKLaw, we have experience in assessing and implementing data protection measures as well as advising on specific instances regarding data protection law. If your organization may require assistance in this area, please get in contact with us.