The Danish and Polish data protection authorities issued their first GDPR fines last month. The cases serve as indicators of the kinds of technical violations enforcement officials are looking to deter as they police the EU’s new privacy regulation.
In Denmark, Datatilsynet recommended fining the taxi company Taxa 4×35 nearly $180,000 for failing to delete records on 9 million taxi rides after they were no longer needed. Article 5 of the GDPR discourages companies from holding on to data that they no longer need: “personal data shall be … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’); …” and “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed … (‘storage limitation’).”
In Taxa 4×35’s case, the company allegedly sought to comply with Article 5 by anonymizing its data after two years. In practice, the company only removed customer names from its database, keeping other data points such as customer phone numbers and ride histories for five years for purposes of business analytics.
The Datatilsynet said this procedure was insufficient. The data protection authority found that phone numbers still permit identification of a data subject, meaning that Taxa 4×35 did not properly anonymize its records. Furthermore, the Datatilsynet rejected Taxa 4×35’s explanation that its technical systems did not allow preservation of ride history data without an associated phone number. “One cannot set a deletion deadline, which is three years longer than necessary, simply because the company’s system makes it difficult to comply with the rules in the Data Protection Regulation,” the data protection authority wrote.
Meanwhile, Poland’s Personal Data Protection Office (UODO) fined digital marketing company Bisnode €220,000 for failing to notify 6 million people about its data scraping activities. The UODO said that Bisnode was required to notify data subjects that it was pulling their publicly-available personal data from public sources in accordance with Article 14 of the GDPR, which mandates notice to data subjects where personal data was not obtained from the data subject.
UODO noted that of the data subjects Bisnode did notify, 13 percent objected to the data processing. “This shows how important it is to properly fulfill the information obligations in order to exercise the rights we are entitled to in accordance with the GDPR,” UODO wrote.
In response to UODO’s inquiries, Bisnode pointed to a notice it had posted on its website, apparently explaining to UODO it would be far too costly to notify data subjects directly. UODO rejected such an approach: “[w]hile having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them,” UODO wrote in a press release.
These actions by the Danish and Polish authorities are just the latest in an increasing number of GDPR-related enforcement actions so far in 2019.