Taxa 4x35 is the first company reported to the police by the Data Protection Agency for violation of the GDPR. In October 2018, the Data Protection Agency carried out an inspection at the company and observed that Taxa 4x35 did not comply with the GDPR rules in several respects.
The taxi company stated that information about the customer which was used for booking and performing taxi rides was depersonalised after two years as it was thereafter no longer considered necessary to identify the customer. However, the Agency found that the customer’s telephone number was stored for five years, and that the taxi ride could be traced to a natural person by means of the telephone number. At the time of the inspection, information was registered about approx. 9 million taxi rides which could be traced to natural persons.
The company justified the storage of telephone numbers by the fact that they were necessary for the purpose of product and business development, and that the customer’s telephone number was used as key and joint reference in the system DDS Pathfinder. In this connection, the Agency stated that the taxi company could not fix a deletion deadline which was three years longer than necessary merely because the company’s system made it difficult to comply with the rules of the GDPR. The Agency found that Taxa 4x35 had failed to observe the principle of data minimisation in article 5(1), paragraph c in the GDPR.
Violation of the fundamental GDPR principles
In addition to a failure to observe the principle of data minimisation, the Agency found that Taxa 4x35’s procedure for depersonalisation of data was insufficient, and that the requirement for storage limitation in article 5(1), paragraph e of the GDPR had thus not been observed. The Data Protection Agency has reported Taxa 4x35 for a failure to observe the principles of data minimisation and storage limitation.
In addition, the Agency criticised the fact that the company had not determined on what authority the customers’ telephone numbers were stored in the five-year period after a ride, and the fact that the company had not been sufficiently able to substantiate the deletions made in the system and the procedures in this connection.
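The deficiency the Agency described, a depersonalisation routine that left the phone number in place because it served as the join key, can be avoided by issuing an opaque surrogate id at booking and deleting only the phone-to-id link once it is no longer needed. The following is an added illustration, not Taxa 4x35's system or DDS Pathfinder; the two-year window, the in-memory store and the ride records are assumptions.

```python
"""Retention job that keeps an analytics join key but drops the phone number.

Assumed model (not the taxi company's real system): rides carry only a random
surrogate customer id; the single phone -> id mapping is the only link to a
natural person and is deleted once the customer's last ride is older than the
retention window. Rides stay joinable per customer for product development,
but can no longer be traced to a phone number.
"""
import uuid
from datetime import date, timedelta

RETENTION = timedelta(days=2 * 365)  # assumed two-year necessity window


class BookingStore:
    def __init__(self):
        self.customer_ids = {}  # phone -> surrogate id (the only identifying link)
        self.rides = []         # ride records hold the surrogate id, never the phone

    def book(self, phone, ride_date):
        """Register a ride; reuse the customer's surrogate id if one exists."""
        if phone not in self.customer_ids:
            self.customer_ids[phone] = uuid.uuid4().hex
        cid = self.customer_ids[phone]
        self.rides.append({"customer": cid, "date": ride_date})
        return cid

    def depersonalise(self, today):
        """Delete phone -> id links for customers with no ride inside RETENTION.

        Returns the number of links removed so the job's effect can be logged
        and substantiated later."""
        last_ride = {}
        for r in self.rides:
            cid = r["customer"]
            last_ride[cid] = max(last_ride.get(cid, r["date"]), r["date"])
        expired = [p for p, cid in self.customer_ids.items()
                   if today - last_ride[cid] > RETENTION]
        for p in expired:
            del self.customer_ids[p]
        return len(expired)

    def traceable_rides(self):
        """Count rides still linkable to a natural person via a stored phone number."""
        linked = set(self.customer_ids.values())
        return sum(1 for r in self.rides if r["customer"] in linked)

    def rides_per_customer(self):
        """Analytics join on the surrogate id; works after depersonalisation too."""
        counts = {}
        for r in self.rides:
            counts[r["customer"]] = counts.get(r["customer"], 0) + 1
        return counts
```

The count returned by `depersonalise` is the kind of record the Agency found missing: evidence of which deletions actually ran and when.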
The first GDPR fine in Denmark
Unlike many of the other European supervisory authorities, the Danish Data Protection Agency is not able to issue administrative fines to companies failing to observe the GDPR rules. Therefore, the police must decide whether there are grounds for bringing charges based on the recommendation from the Data Protection Agency; and, ultimately, the courts will have to decide whether to impose a fine.