Danish Data Protection Authority Dings Cab Company for Data Minimization Violations

GDPR Data minimization in action. Danish Data Protection Authority (Datatilsynet) finds cab company Taxa 4×35’s records retention practices in violation of the GDPR data minimization principle. The cab company removed names from records after two years. For another three years, all ride records remained, together with the person’s phone number. Key points: The removal of a name does not constitute anonymization because taxi ride information (e.g pick up and drop off addresses) could still be linked to a person through the phone number. The five year retention for the phone number was longer than necessary for the purpose You cannot set a deletion deadline, three years longer than necessary, simply because your database or system makes it difficult to comply with the rules. Rather you need to fix your system, e.g by replacing phone numbers with random identifiers. You must adequately document your procedures for data deletion including: follow-up on the…

Read more detail on Recent Business Law posts –

This entry was posted in Business law and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply