Latest GDPR Enforcements in the EU

The Polish Data Protection Authority (UODO) has fined the digital marketing company Bisnode EUR 220,000 for not informing 6 million people about its data-scratching activities.  The UODO said that Bisnode is obliged to inform the data subjects that they have obtained their publicly accessible personal data from public sources, in accordance with Article 14 of the EU DSVGO, when the personal data were not collected from the data subjects directly.

UODO believes that Bisnode has failed to fulfill its obligation to inform individuals of the fact that it processes their data. According to Bisnode, the cost of providing such information was so high that it could be considered an excessive burden, exempting them from the obligation. The cost of sending so many letters amounted to EUR 8 million in registered mail.

UODO noticed that Bisnode had been informed only a certain part of the data subjects and that 13 % of them objected to the data processing. “This shows how important it is to fulfill the information obligations properly in order to exercise the privacy rights to which we are entitled under the EU GDPR,” wrote UODO.

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR and local privacy regulations. But how to inform them? There are several best practice to inform the individuals as below:

• Privacy Policy on websites – Cookies Statement
• Privacy Policies in different Landing Pages, social media and other lead generation channels
• Letter and on time Privacy Notices

Data Controller must provide individuals with information including the kind of personal data you collect from them, your purposes for processing their personal data, the retention periods, who it will be shared with and which rights the individual has with regards to the processing. The Privacy Notice must be provided to individuals at the time you collect their personal data from them. If you obtain personal data from other sources, inform the individual about the collection at the latest within one month. The Privacy Notice you provide to individuals must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

The Danish Data Protection Authority, Datatilsynet recommended a fine for a Taxi company on March 18, 2019.

In Denmark, Datatilsynet recommended a fine of almost €160,200 to the taxi company Taxa 4×35 for failing to delete records of 9 million taxi rides after they were no longer needed. Article 5 of the GDPR prevents companies from keeping data they no longer need.

In the case of Taxa 4×35, the company allegedly tried to comply with Article 5 by anonymising its data after two years. In practice, the company has only removed customer names from its database and kept other data points such as customer numbers and driving histories for five years for business analysis purposes.

Datatilsynet said that was not enough. The data protection authority found that telephone numbers still allow identification of a data subject, which means that Taxa 4×35 did not properly anonymise its records.  In addition, Datatilsynet rejected Taxa 4×35’s statement that its technical systems did not allow the storage of driving history data without an associated telephone number.  “You cannot set a deletion period that is three years longer than necessary just because the company’s system makes it difficult to comply with the rules of the Data Protection Regulation” wrote the data protection authority.

Data Minimisation: “Personal data must be adequate, relevant and limited to the extent necessary for the purposes for which they are processed”

Storage Limitation: “Kept in a form that does not require the identification of data subjects for longer than for the purposes for which the personal data are processed”.

Since the GDPR is less than a year old, even greater enforcement is still lacking. But there are signs that regulators are preparing to take the same firm line on this front.

In the event of violations of the GDPR, the responsible DPA can prescribe certain regulatory measures:

• Issue warnings or referrals
• Temporary or permanent restrictions on data processing
• A ban on data processing
• fines of up to 4% of the world’s annual turnover or 20 million euros

These actions by the Danish and Polish authorities are only the latest of a growing number of enforcement actions related to the GDPR in 2019.