Denmark’s Data Protection Authority, Datatilsynet, has recommended that taxi company Taxa 4×35 be fined for violating the General Data Protection Regulation (GDPR).
The DPA approved a fine of 2.8% of the company’s revenue, amounting to €160,754, for the violation. The maximum fine that can be levied against an organisation for a GDPR violation is 4.5%. While the fine issued was less than this maximum (which would have equated to approximately €258,000), it is still hefty enough to show that the DPA takes these types of violations seriously.
The DPA stated that the fine was due to Taxa 4×35’s failure to comply with the data minimisation principle of the GDPR. It was discovered that the company was keeping copies of personal data in its system for longer than GDPR’s permissible data retention periods allowed. The company had erased customers’ identities and addresses after two years of retention but maintained records of its customers’ telephone contact details for another three years. It justified this retention by claiming that these details were an ‘essential’ part of its IT database.
The DPA determined that this was not sufficient justification for retaining the records and breaching GDPR.
Taxa 4×35 did make attempts to anonymise some of the data. Anonymisation is the process of removing certain information from data so that it cannot be used to identify the individual to whom it pertains. However, the DPA deemed Taxa’s attempts to anonymise data inadequate, as the information could still be linked to its customers through their phone contact details.
This fine is only a recommendation from the DPA. The DPA noted that Denmark’s police and courts ‘generally tend to be in line’ with regulators’ recommended penalties. However, as this is the first GDPR penalty notice in Denmark, questions still surround how the Danish legal system will enforce this new level of fine.
Denmark is the latest EU member state to apply its first GDPR fine. In January, the French Data Protection Agency, CNIL, sanctioned Google with a €50m GDPR penalty concerning the methods it employed for displaying data consent policies. In the UK, the first GDPR penalty was sanctioned against a Canadian law firm that was linked to the Cambridge Analytica GDPR breach.