Almost a year after the application of the General Data Protection Regulation (GDPR), the first sanctions begin to be imposed in Europe.
On the one hand, a few weeks ago the data protection authority of Denmark recommended the imposition of a fine of 1.2 million crowns (approximately 160,000 euros) to a taxi company for non-compliance of the GDPR.
The taxi company, while deleting the names and the addresses of all its data bases after two years, maintained other client´s information, such as their phone numbers, for a longer period and without a specific purpose. The authority considered that this attempt to anonymize by the company is not appropriate. Furthermore, the authority found that the data cannot be kept for longer than necessary to comply with the purposes of the processing.
On the other hand, the data protection authority of Poland imposed a fine of 220,000 euros to a digital marketing company for the violation of the right of information to the users, required in the GDPR.
Indeed, the article 14 of the GDPR imposes on data controllers the obligation to provide information to data subjects when this information has not been obtained from them. In this case, the company obtained the personal data from public records and other public databases, and instead of informing about the processing of their data to the data subjects, the company published a notice on its website. The authority considered it insufficient.
In effect, the company could have complied with the obligation to inform once it had the contact data of the affected.