Denmark’s Data Protection Authority Datatilsynet (DPA) recently recommended its first fine for a breach of the GDPR by the taxi company, Taxa 4×35 (Taxa), due to its over-retention of certain customer data.

Breach of the data minimisation principle

The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining personal data long after the envisaged retention limit for such data, thereby finding an affirmative duty to delete expired personal data. Taxa had deleted customers’ names and addresses after two years of retention but had retained customers’ telephone numbers for an additional three years. Taxa argued that telephone numbers were an essential part of its IT database and therefore could not be deleted in the same time span.

Continue Reading Danish DPA issues its first GDPR fine for late deletion of customer telephone numbers

In the midst of discussions on Google’s revised privacy policy and its compliance with EU legislation, Spain’s highest court, the Audiencia Nacional de España, has referred a case up to the European Court of Justice (ECJ) to decide on whether Spanish citizens can lawfully demand that Google delete information about them from its search engine,