Taxi firm fined heavily under GDPR for data retention
Published on Monday, April 1, 2019 - 15:18 by Peter Galdies
The Danish Data Protection Agency has reported taxi firm Taxa 4x35 to the police and has recommended a penalty fine of DKK 1.2 million (approximately £140,000) for violations of the GDPR, including for retaining personal data after it was no longer necessary for the purpose it was collected for.
The inspection focused on whether the taxi company had in place retention and deletion policies in accordance with article 5(1)(e) of the GDPR, and whether such policies were complied with internally in the company.
The inspectors found that the company had only implemented superficial procedures that did not even match the limited retention policies the company claimed were in place: anonymization of personal data after a 2 year retention period (accomplished by deleting only the names of data subjects), followed by deletion of telephone numbers after a period of 5 years. The company claimed that the telephone number served as a substitute reference. Unsurprisingly, the inspectors found both the anonymization process and the retention of telephone numbers to be ineffectual, and found the details of over 8 million taxi trips older than 2 years still available.
Article 5(1)(c) of the GDPR states that personal data must only be processed to the extent that it is adequate, relevant and limited to what is necessary to fulfill the purpose for which it is collected and the inspectors levied severe criticism on Taxa 4x35’s shortcomings in this regard.
They added that the company must be able to demonstrate, by extensive means beyond a manually updated deletion log, how and when personal data is deleted in systems and backup recovery files. A retention and deletion procedure must therefore provide for deletion logs in systems, and for processes that ensure deletion is carried out on the basis of those logs in accordance with the requirements set out in internal procedures. The Agency refers in this regard to the requirement set out in article 5(2), cf. 5(1)(e), from which it follows that the data controller must be able to demonstrate that it is not possible to identify the data subject beyond what is necessary for the purposes for which the personal data is processed. The company must therefore ensure effective deletion, including in backup recovery files, and be able to demonstrate that appropriate actions are carried out to ensure this.
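The two failings the Agency describes, name-only "anonymization" that leaves the telephone number in place, and deletion that cannot be demonstrated or does not reach backup copies, can be made concrete in code. The following is an added illustration written for this page, not code from Taxa 4x35 or the Danish Data Protection Agency; the trip schema, the sample records, the 730-day approximation of the 2 year period and the log format are all constructed assumptions. It runs a retention job over a handful of constructed trip records, records a structured deletion log entry per affected record, and then audits the result so that the controller can show which records older than the retention period are still identifiable.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample schema for illustration; not the company's real data model.
@dataclass(frozen=True)
class Trip:
    trip_id: int
    booked_on: date
    pickup: str
    dropoff: str
    customer_name: Optional[str]
    customer_phone: Optional[str]

# Direct identifiers: while any of these is present the record is still personal data.
IDENTIFIER_FIELDS = ("customer_name", "customer_phone")
RETENTION_DAYS = 2 * 365  # assumption: approximates the 2 year period in the article

def is_identifiable(trip: Trip) -> bool:
    """True while any direct identifier remains on the record."""
    return any(getattr(trip, f) is not None for f in IDENTIFIER_FIELDS)

def name_only_anonymise(trip: Trip) -> Trip:
    """The ineffective approach criticised by the inspectors: the phone number stays."""
    return replace(trip, customer_name=None)

def full_anonymise(trip: Trip) -> Trip:
    """Clear every direct identifier so the trip can no longer be tied to a person."""
    return replace(trip, customer_name=None, customer_phone=None)

def apply_retention(trips: List[Trip], today: date,
                    anonymise: Callable[[Trip], Trip] = full_anonymise,
                    retention_days: int = RETENTION_DAYS) -> Tuple[List[Trip], List[Dict]]:
    """Anonymise records past the retention cutoff and emit one log entry per record."""
    cutoff = today - timedelta(days=retention_days)
    processed, deletion_log = [], []
    for trip in trips:
        if trip.booked_on < cutoff and is_identifiable(trip):
            new_trip = anonymise(trip)
            cleared = [f for f in IDENTIFIER_FIELDS
                       if getattr(trip, f) is not None and getattr(new_trip, f) is None]
            # Machine-written log: which record, when, and exactly which fields were removed.
            deletion_log.append({"trip_id": trip.trip_id,
                                 "run_date": today.isoformat(),
                                 "fields_cleared": cleared})
            processed.append(new_trip)
        else:
            processed.append(trip)
    return processed, deletion_log

def audit_retention(trips: List[Trip], today: date,
                    retention_days: int = RETENTION_DAYS) -> List[int]:
    """Return ids of records older than the cutoff that are still identifiable (should be empty)."""
    cutoff = today - timedelta(days=retention_days)
    return [t.trip_id for t in trips if t.booked_on < cutoff and is_identifiable(t)]

def sample_trips() -> List[Trip]:
    """Constructed sample data; names, phone numbers and stops are placeholders."""
    return [
        Trip(1, date(2016, 5, 3), "Stop A", "Stop B", "A. Example", "+45 00 00 00 01"),
        Trip(2, date(2016, 11, 20), "Stop C", "Stop D", "B. Example", "+45 00 00 00 02"),
        Trip(3, date(2019, 3, 28), "Stop E", "Stop F", "C. Example", "+45 00 00 00 03"),
    ]

def demo(today: date = date(2019, 4, 1)) -> Dict:
    """Compare name-only deletion with full anonymisation, and check a pre-run backup copy."""
    trips = sample_trips()
    backup = list(trips)  # a backup snapshot taken before the retention run
    weak, _ = apply_retention(trips, today, anonymise=name_only_anonymise)
    strong, log = apply_retention(trips, today)
    return {
        "weak_still_identifiable": audit_retention(weak, today),      # [1, 2]: phones remain
        "strong_still_identifiable": audit_retention(strong, today),  # []: nothing identifiable
        "backup_still_identifiable": audit_retention(backup, today),  # [1, 2]: backups need the same job
        "log_entries": len(log),
        "first_log_fields": log[0]["fields_cleared"] if log else [],
    }

if __name__ == "__main__":
    print(demo())
```

The audit function is the part that answers the article's "demonstrate" requirement: run against the live system and against each restored backup, an empty result is evidence the policy is effective, while the non-empty result on the untouched backup shows why the Agency singled out backup recovery files.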
In Denmark the Data Protection Agency must issue a police report, after which the police investigate the claims and determine whether they constitute a sufficient basis for pressing charges against the company in question. The penalty fine, of up to DKK 1.2 million, will then be determined and imposed by court order in the Danish courts.
Data retention is often one of the hardest areas for organisations to implement: technical limitations and the natural desire of insight and analytics teams to "hoard" data often create resistance. This ruling clearly shows that a more "privacy first" approach to data retention is now required if organisations wish to avoid heavy penalties.