The Danish Data Protection Agency (DPA) has recently reported the Danish taxi company Taxa 4x35 to the Police for infringing the basic GDPR principles of storage limitation and data minimisation. The notification follows an inspection visit last year, during which the DPA found that the taxi company stored its customers’ phone numbers for 5 years, which in the opinion of the DPA was longer than necessary.
According to the GDPR, companies must erase personal data once there is no longer a fair necessity for storing it. Taxa 4x35 argued that it needed the phone numbers for product and business development, since the numbers were the key to the company’s system database containing information about the taxi rides. The system therefore made it difficult to erase the phone numbers; however, in the opinion of the DPA, such a circumstance does not constitute any fair need for the data.
Against this background, the DPA has recommended that Taxa 4x35 be fined DKK 1.2 million, in the light of the fact that the phone numbers, during the extended period of storage, made it possible to trace about 9 million taxi rides back to the persons who ordered them.
In Denmark it is the courts, not the DPA, that issue fines. The amount of the final fine is therefore not yet known; however, as the courts ought, according to the GDPR, to take the DPA’s recommendation into consideration, the final fine is expected to be of a corresponding level.
The Polish Data Protection Office (UODO) has imposed a fine on a Warsaw company, whereby Poland now joins the list of countries that have imposed fines on companies pursuant to the new GDPR. The Warsaw company had collected data on 6 million existing and former business owners from various public sources for use in the company’s own database, which is accessed, inter alia, by banks in order to verify creditworthiness.
Although personal data may be publicly available, processing it is still subject to the GDPR, and accordingly companies must, as a general rule, inform the persons concerned about the collection and the further processing. However, only 90,000 of the 6 million business owners were informed. The company justified this by arguing that it did not have an e-mail address or similar for the remaining business owners, and that it would be excessively expensive to inform them by registered letter.
In the opinion of the UODO, the information obligation does not imply that correspondence must be sent by registered mail. The company had access to both postal addresses and phone numbers and could therefore either send the information by ordinary mail or ring the persons in question. Hence, the company could not be exempted from the information requirement, and was consequently issued with a fine of PLN 943,000, corresponding to DKK 1.6 million.
According to the GDPR, fines shall be effective, proportionate and act as a deterrent. It costs the equivalent of DKK 5.60 to send a domestic letter in Poland, meaning that the company avoided potential costs of DKK 33 million by not informing the remaining 5.9 million business owners by letter. Hence, it may be questioned whether the fine is effective as well as deterrent.
On 22 March 2019, the ICO issued Grove Pension Solutions with a monetary penalty of GBP 40,000 for having transmitted 2,108,924 emails through a third party without having obtained the required consent. Four days earlier, the ICO had imposed a fine of the same amount on the campaign group Vote Leave, which had sent out 212,355 unsolicited text messages.
The ICO justified the relatively low fine issued to the pension company by noting that the company had not previously been involved in unlawful marketing, that the company had cooperated with the ICO, that the number of complaints received was minimal, and that the company had engaged in extensive consultation with a recognised specialist data protection consultancy in order to avoid any unlawful marketing.
The decision against the pension company emphasises that a company cannot pass on its obligation to obtain consent by outsourcing the transmission of emails, including the collection of email addresses, to a third party.