Updated: Apr 15, 2020
The Danish data protection agency has issued a declaration declaring that it proposes to fine Taxi company, Taxa 4×35 for a total of DKK 1.2 million for a breach of the GDPR.
Read the full press release in Danish here
The source of the article can be found here
Taxa 4×35 will be fined for failure to delete customers’ data. this is the first time that the Danish data protection agency proposed a fine following the guidelines of the GDPR.
Within the autumn of 2018, the Danish data protection agency inspected the Danish taxi organisation Taxa 4×35. According to Taxa 4×35, personal data used for booking and settlement of the taxi service are made anonymous after two years, since there is no longer a need to identify the client.
However, only the client’s name is deleted after these two years, but not the phone number. Therefore, information on the client’s taxi ride (including addresses) can still be traced to the client via the phone number, which is not deleted until five years have passed. At the time of the inspection, 8.873.333 personal data records were found for taxi journeys older than two years.
The reason why the phone number is not deleted is, according to the taxi organisation, that the number is fundamental to the system’s database and is, therefore, necessary for relation to the organisation’s product a0nd business development.
According to the Danish data protection authority, however, it is not acceptable to store personal data three years longer than necessary, only due to the fact the organisation’s system makes compliance with the GDPR burdensome.
“We have opted for a fine in this case. This is due to the fact that there are very large amounts of personal data which have been stored without an objective purpose. One of the basic principles in the field of data protection is that you only store the information you need — and when you do not need it anymore, it must be deleted immediately,” says the Danish DPA’s director Cristina Angela Gulisano.
In most European nations, national data supervisors themselves can issue administrative fines, but the rules are different in Estonia and Denmark. After having examined and assessed the case, the DPA transfers the case to the police. The police will then examine whether there’s a basis for a charge etc. and, subsequently, any financial penalty will be settled before a court.