Data Protection Authority

Denmark’s Data Protection Authority Datatilsynet (DPA) recently recommended its first fine for a breach of the GDPR by the taxi company, Taxa 4×35 (Taxa), due to its over-retention of certain customer data.

Breach of the data minimisation principle

The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining personal data long after the envisaged retention limit for such data, thereby finding an affirmative duty to delete expired personal data. Taxa had deleted customers’ names and addresses after two years of retention but had retained customers’ telephone numbers for an additional three years. Taxa argued that telephone numbers were an essential part of its IT database and therefore could not be deleted in the same time span.

Plans for a single market have been delivered yet another blow, this time as a result of an ECJ preliminary ruling against a relatively unknown Slovakian company. The court ruled in Weltimmo SRO v. Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, that national data protection authorities (DPAs) may take action against businesses that target residents in their Member State, even if the businesses are not registered in that state.

The ruling is significant for the ‘one-stop-shop’ provisions currently being negotiated as part of the General Data Protection Regulation (‘GDPR’). In an earlier blog, we explained that the European Council endorsed the ‘one-stop-shop’ approach, so that in the future, an organisation will only need to deal with the DPA having jurisdiction over the location of its EU headquarters, or EU location with delegated data protection responsibility. The decision in Weltimmo says otherwise: an organisation will be subject to the authority of the DPA if it has an ‘establishment’ within the jurisdiction of the DPA. With the GDPR expected to be finalised later this year, it will be interesting to see how this ruling will be reconciled with the GDPR.

The Brazilian government’s proposal for Brazil’s first data protection framework (‘the Proposal’) hit a stumbling block after major concerns were raised in public comments.

After the public consultation period ended, those reviewing the comments made numerous suggestions for changes, such as tightening the definition of what constitutes personal data, clarifying the consent for processing rules,

The Article 29 Data Protection Working Party (Working Party) released a Working Document setting forth a co-operation procedure for issuing common opinions on “Contractual clauses” considered as compliant with the EC Model Clauses (Working Document). The aim of this Working Document is to facilitate the use of the EU model clauses across multiple jurisdictions in

On November 23, 2010, the data protection authority (the “DPA”) of the German federal state of Hamburg fined regional financial institution Hamburger Sparkasse AG (“Haspa”) €200,000 for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers and also granting the representatives access to such profiles. The bank cooperated with the DPA and immediately discontinued the illegal practices.

From the end of 2005 until August 2010, Haspa allowed its self-employed, external customer service representatives access to customer bank data, often without having first obtained the customers’ consent. According to the DPA, the number of bank accounts accessed is not clear. The bank was aware of this practice through reviews of log files that detailed the representatives’ access.