The Danish Data Protection Agency has issued a statement declaring that it proposes to fine Taxa 4x35 for a total of DKK 1. 2 million for a breach of the GDPR.
Taxa 4x35 could be fined for failure to delete customers’ data. This is the first time that the Danish Data Protection Agency proposes a fine in accordance with the rules of the GDPR.
8.873.333 taxi trips
In the autumn of 2018, the Danish Data Protection Agency inspected the Danish taxi company Taxa35. According to Taxa 4x35, personal data used for booking and settlement of the taxi service are made anonymous after two years, since there is no longer a need to identify the customer.
However, only the customer’s name is deleted after these two years, but not the phone number. Therefore, information on the customer’s taxi trip (including addresses) can still be traced to the customer via the phone number, which is not deleted until five years have passed. At the time of the inspection, 8.873.333 personal data records were found for taxi trips older than two years.
Assessment by the Danish Data Protection Authority
The reason why the phone number is not deleted is, according to the taxi company, that the number is key to the system’s database and is therefore necessary in relation to the company’s product and business development.
According to the Danish Data Protection Authority, however, it is not acceptable to store personal data three years longer than necessary, only because the company’s system makes compliance with the GDPR burdensome.
“We have opted for a fine in this case. This is due to the fact that there are very large amounts of personal data which have been stored without an objective purpose. One of the basic principles in the field of data protection is that you only store the information you need — and when you do not need it anymore, it must be deleted immediately,” says the Danish DPA’s director Cristina Angela Gulisano.
Next steps
In most European countries, national data supervisors themselves can issue administrative fines, but the rules are different in Estonia and Denmark. After having examined and assessed the case, the DPA transfers the case to the police. The police will then examine whether there is a basis for a charge etc. and, finally, any financial penalty will be settled before a court.
Read the full press release in Danish here
For further information, please contact the Danish DPA: dt@datatilsynet.dk