The Danish Data Protection Agency recommends a €160,000 fine for a taxi company that did not delete personal data in time, while Norway's DPA, Datatilsynet, fines a municipality €170,000 for having one file saved in the wrong location. In France, CNIL imposes a significant €400,000 fine on a property management company.
Following an inspection by the Danish Data Protection Agency in October 2018, the taxi company Taxa 4×35 has been reported to the police by the Agency, which has recommended a fine of €160,000 for violations of the GDPR.
In most jurisdictions the Data Protection Authority can issue fines on its own, but in Denmark the DPA must report the matter to the police and the fine is determined by the courts.
The conclusions are interesting, as they expose several mistakes made by Taxa.
Article 5 of the EU General Data Protection Regulation sets out the principles that govern the processing of personal data. The recent Danish recommendation gives some guidance on how these Article 5 principles may be enforced going forward. The Danish DPA found that Taxa had violated Article 5 in three ways: purpose limitation, data minimisation and storage limitation (retention).
Article 5(1)(b) requires that data be collected for specified, legitimate purposes and not be further processed in a manner incompatible with those purposes. Taxa fell foul of this principle when it used customers' phone numbers as "anonymous" account numbers. Taxa admitted that the phone number itself was not necessary; only an account number associated with the taxi-ride data was needed. Taxa did not treat the phone number as personal data and apparently had no intention of using it to contact or identify the individual customer; it was meant as an anonymous way to track ride data for a business purpose. The Danish DPA made clear that a phone number remains personal data and must be processed in compliance with the GDPR, regardless of how the company intends to treat it.
Article 5(1)(c) requires that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Taxa argued that it had met the minimisation requirement by removing the names associated with the phone numbers, and that its systems were not capable of moving the ride data from a phone-number key to a unique ID. The Danish DPA was not persuaded that the difficulty of creating new account numbers in the existing systems mattered, and stated in no uncertain terms that the cost of migrating personal data to a new anonymised data structure does not justify continued use of the phone number beyond the retention period.
Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Taxa had a retention policy stating that data collected during a taxi ride is only needed for two years. However, at the end of those two years Taxa deleted only the name associated with the ride and kept all the other ride data (date, GPS coordinates of the start and end locations, distance, payment), still linked to the customer's phone number, for a further three years.
Retention schedules are only as good as their enforcement. Privacy professionals need to ensure that the retention period is no longer than necessary and that, once it has expired, all personal data is removed, not just the most obvious field. Read more about the Danish case here.
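As an added illustration (not taken from the article, and not Taxa's own code), the Python sketch below contrasts the two retention sweeps the Danish decision describes: one that deletes only the name and leaves phone number, GPS trace and payment linked, and one that applies storage limitation by folding expired rides into aggregates and deleting the identifiable rows. Customers are keyed by a random surrogate token rather than the phone number, which is the kind of unique-ID structure the DPA said Taxa should have migrated to. The schema, the sample rides and the two-year window are constructed for the example; the `overdue_identified_rides` audit query is a hypothetical check, not anything the DPA prescribed.

```python
"""Added example: random account keys plus a retention sweep that removes every
identifier at expiry, contrasted with a 'delete the name only' sweep.
Schema, data and the two-year window are constructed for illustration."""
import secrets
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 2 * 365  # the two-year period stated in Taxa's own policy


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers (
            account_id TEXT PRIMARY KEY,  -- random surrogate key, not the phone number
            name TEXT, phone TEXT);
        CREATE TABLE rides (
            ride_id INTEGER PRIMARY KEY,
            account_id TEXT REFERENCES customers(account_id),
            ride_date TEXT, start_lat REAL, start_lon REAL,
            end_lat REAL, end_lon REAL, distance_km REAL, amount REAL);
        CREATE TABLE daily_stats (
            ride_date TEXT PRIMARY KEY, rides INTEGER, distance_km REAL, revenue REAL);
    """)
    return con


def register_customer(con, name, phone):
    # The key is a random token: nothing about the customer can be recovered
    # from it, unlike a phone number used as the 'anonymous' account number.
    account_id = secrets.token_urlsafe(16)
    con.execute("INSERT INTO customers VALUES (?, ?, ?)", (account_id, name, phone))
    return account_id


def record_ride(con, account_id, ride_date, start, end, km, amount):
    con.execute(
        "INSERT INTO rides (account_id, ride_date, start_lat, start_lon, "
        "end_lat, end_lon, distance_km, amount) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (account_id, ride_date.isoformat(), start[0], start[1], end[0], end[1], km, amount))


def sweep_name_only(con, today):
    """The pattern the Danish DPA rejected: the name goes, but the phone number,
    GPS trace and payment stay linked to each other for years afterwards."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    con.execute("""UPDATE customers SET name = NULL WHERE account_id IN
                   (SELECT account_id FROM rides WHERE ride_date < ?)""", (cutoff,))


def sweep_storage_limited(con, today):
    """Storage limitation applied: expired rides are folded into per-day
    aggregates (no identifiers, no coordinates) and deleted; customers with no
    live rides left are deleted too. Returns the number of ride rows removed."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    expired = con.execute("""SELECT ride_date, COUNT(*), SUM(distance_km), SUM(amount)
                             FROM rides WHERE ride_date < ? GROUP BY ride_date""",
                          (cutoff,)).fetchall()
    for day, n, km, rev in expired:
        con.execute("INSERT OR IGNORE INTO daily_stats VALUES (?, 0, 0, 0)", (day,))
        con.execute("""UPDATE daily_stats SET rides = rides + ?, distance_km = distance_km + ?,
                       revenue = revenue + ? WHERE ride_date = ?""", (n, km, rev, day))
    removed = con.execute("DELETE FROM rides WHERE ride_date < ?", (cutoff,)).rowcount
    con.execute("DELETE FROM customers WHERE account_id NOT IN (SELECT account_id FROM rides)")
    return removed


def overdue_identified_rides(con, today):
    """Hypothetical retention audit: rides past the retention date that are still
    joined to a name or phone number. Should be zero after every sweep."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    return con.execute("""SELECT COUNT(*) FROM rides r JOIN customers c USING (account_id)
                          WHERE r.ride_date < ? AND (c.phone IS NOT NULL OR c.name IS NOT NULL)""",
                       (cutoff,)).fetchone()[0]


def demo(sweep):
    """Constructed data: one customer with a three-year-old ride and one from last week.
    Returns (overdue identified rides, ride rows remaining) after the given sweep."""
    con = open_db()
    today = date(2019, 3, 1)
    acct = register_customer(con, "Jane Doe", "+4512345678")
    record_ride(con, acct, today - timedelta(days=3 * 365), (55.67, 12.57), (55.68, 12.59), 3.1, 95.0)
    record_ride(con, acct, today - timedelta(days=7), (55.70, 12.55), (55.66, 12.58), 5.4, 140.0)
    sweep(con, today)
    remaining = con.execute("SELECT COUNT(*) FROM rides").fetchone()[0]
    return overdue_identified_rides(con, today), remaining


if __name__ == "__main__":
    print("name-only sweep:", demo(sweep_name_only))            # (1, 2): old ride still identifiable
    print("storage-limited sweep:", demo(sweep_storage_limited))  # (0, 1): old ride gone, stats kept
```

Two design points follow from the case. First, the audit only works because the identifiers live in labelled columns; had the phone number itself been the account key, as in Taxa's design, a query looking for a non-null `phone` column would find nothing to flag, which is one more reason to key on a random surrogate from the start. Second, the expired GPS coordinates are deleted with the ride rather than merely unlinked, since precise start and end locations can identify a person on their own.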
In the example from Norway, the Municipality of Bergen has been fined €170,000 for having one file saved in the wrong location and for not knowing where the personal data they are processing is actually stored.
The breach came to the DPA's attention through a report from one of the students at a public school administered by the Municipality, who found a file containing login credentials for 35,000 students and employees in a public storage area.
The fine is for having one file saved in the wrong location and, more fundamentally, for not knowing where the personal data being processed is stored at all. An organisation that does not know where its data is cannot apply appropriate measures to protect it. Datatilsynet found that the Municipality's lack of appropriate measures to protect the personal data in its computer file systems constituted violations of both Article 5(1)(f) and Article 32 GDPR.
The fact that the breach involved the personal data of over 35,000 individuals, the majority of them children, was considered an aggravating factor.
The Norwegian decision highlights the need to perform a personal data inventory. The Municipality of Bergen had carried out a number of projects relating to information security and access management. However, security measures and access management deliver little until one knows where personal data resides within the data sources; controls cannot be applied to files nobody knows exist. Read more about the Norwegian case here.
Meanwhile France’s CNIL imposed a hefty €400,000 fine on a property management company following a complaint from an individual. The company was found to have inadequate protection for the data of users of its website. More about CNIL’s decision can be read here.
Closer to home, Ireland's DPC has said it will have increased staff capacity for investigations and audits this year. With fines like those we are seeing in Denmark and Norway, are you confident that your organisation would stand up to an investigation?