Denmark’s Data Protection Authority (DPA) has recommended fining a taxi company 1.2 million kroner ($180,000) for not deleting customers’ telephone numbers, the first Danish penalty imposed under GDPR

The DPA found the taxi company did not adhere to the GDPR’s data-minimization principle.

While Taxa deleted the names from all its records after two years, the rest of the ride records remained intact.

The DPA recommended the fine after it was discovered the taxi company continued to hold onto individuals’ phone numbers after their names were removed from the records.

Key points:

• The removal of a name does not constitute anonymization because taxi ride information (e.g pick up and drop off addresses) could still be linked to a person through the phone number.
• The five year retention for the phone number was longer than necessary for the purpose
• You cannot set a deletion deadline, three years longer than necessary, simply because your database or system makes it difficult to comply with the rules. Rather you need to fix your system, e.g by replacing phone numbers with random identifiers.
• You must adequately document your procedures for data deletion including: follow-up on the deletion of the systems correctly; handling reloading of previously deleted personal data when putting in backup; and logging deletions in the system