Denmark’s Data Protection Authority (DPA) has recommended fining a taxi company 1.2 million kroner ($180,000) for not deleting customers’ telephone numbers, the first Danish penalty imposed under GDPR.
The DPA found the taxi company did not adhere to the GDPR’s data-minimization principle.
While Taxa deleted the names from all its records after two years, the rest of the ride records remained intact.
The DPA recommended the fine after it was discovered the taxi company continued to hold onto individuals’ phone numbers after their names were removed from the records.
The removal of a name does not constitute anonymization because taxi ride information (e.g., pick-up and drop-off addresses) could still be linked to a person through the phone number.
The five-year retention for the phone number was longer than necessary for the purpose.
You cannot set a deletion deadline, three years longer than necessary, simply because your database or system makes it difficult to comply with the rules. Rather, you need to fix your system, e.g., by replacing phone numbers with random identifiers.
You must adequately document your procedures for data deletion including: follow-up on the deletion of the systems correctly; handling reloading of previously deleted personal data when putting in backup; and logging deletions in the system.
> leroux (Community Champion) posted a new topic in GDPR on 04-01-2019 04:13 AM
> Denmark Recommends First Fine Under GDPR
Oooh! This is so exciting!
> The DPA recommended the fine after it was discovered the taxi company continued to hold onto individuals’ phone numbers after their names were removed from the records.
Wait, what? I don't know that I'd see this as a privacy breach. What this really is is rank stupidity on the part of the taxi company, and they certainly deserve a fine for that. Why on earth do you delete names, but leave the phone numbers (which are pretty useless without the names ...)?
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of http://www.noticebored.com/html/cisspforumfaq.html#Friday or https://blogs.securiteam.com/index.php/archives/1468