Data Minimization: Summary of Recent Rulings
Regulatory bodies and courts around the world have discussed Data Minimization in various matters related to security and data breaches. We intend to maintain a summary of these rulings and our key takeaways as a reference for Data Privacy and Information Governance professionals.
1. InfoTrax Systems, L.C. | FTC | January 2020
InfoTrax failed to prevent unauthorized access to the personal information of its consumers.
Summary: The technology company InfoTrax failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. The FTC alleged that the company had no systematic process for inventorying and deleting the consumers’ personal information stored on its network. Data inventory and deletion were identified as critical, low-cost protections for ensuring security.
Outcome: The company and its CEO were prohibited from collecting, selling, sharing, or storing personal information unless they implemented an information security program addressing the failures identified in the complaint. They were also required to obtain third-party assessments of their information security programs every two years.
Key takeaways: The Director of the FTC’s Bureau of Consumer Protection stated, “Providers don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers.”
Link to full ruling: InfoTrax Systems, L.C. | Federal Trade Commission (ftc.gov)
2. Mister Tango | VDAI | May 2019
The Lithuanian data protection authority (VDAI) fined UAB ‘Mister Tango’ for collecting excessive data and storing it for longer than necessary
Summary: The electronic payment company UAB ‘Mister Tango’ was found to be collecting excessive data and storing it for longer than necessary. To execute a payment, only the payer’s name, surname and (if the payer wishes) identification code, bank account number, currency, balance and purpose of payment or payment code are needed. In addition to these, the company also collected: the dates, sender names and amounts of unreviewed electronic invoices; the dates, subjects and partial text of unread notifications; the purposes, types and amounts of loans; the names of pension funds, accumulated units, their value and accumulated amounts; types of credit (e.g., mortgage credit), outstanding balances, and the amounts and dates of other payments; and the numbers of issued payment cards and the amounts held on them. Most of this data was not needed for the purpose for which it was collected and is superfluous. The company also stored the data far longer than the period it had itself defined as necessary: 216 days instead of 10 minutes.
Outcome: The VDAI concluded that Mister Tango did not have the technical and organizational security measures needed to ensure the required level of security, including protection against unauthorized processing or disclosure. It imposed the first administrative fine in Lithuania for a GDPR violation.
Key Takeaways: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (GDPR Article 5(1)(f)). Data that was never collected, or that was deleted when the stated retention period expired, cannot be exposed by a later compromise.
Link to full ruling: First GDPR fine issued in Lithuania | GDPR Register
3. IDdesign | Danish DPA | June 2019
The Danish Data Protection Agency imposed a fine for failing to set a retention schedule and delete data accordingly
Summary: IDdesign provided an overview of the systems it uses to process personal data. The overview revealed that some of its furniture stores still used an older system that had been replaced by a newer one in the other stores. The old system held the names, addresses, telephone numbers, e-mail addresses and purchase histories of around 385,000 customers, and IDdesign had never deleted any of it. The company had neither assessed whether the personal data was still necessary nor set any deadlines for deleting the data stored in the system.
Outcome: The Danish DPA concluded that IDdesign relied on a legacy system in some of its stores for storing customer information and had no retention policy in place for deleting it.
Key Takeaways: Personal data should be held only for as long as necessary in relation to the purposes for which it is being processed.
4. Polish City Mayor | Polish DPA (PUODO) | October 2019
The City was fined by the Data Protection Authority for not maintaining a retention schedule and not deleting data once it was no longer needed
Summary: The Polish Data Protection Authority (PUODO) fined the city mayor because the City had transferred personal data to other entities without a data processing agreement in place. In addition, some data whose retention is regulated by law was stored for longer than the statutory period, and no retention schedule had been defined for data not regulated by any law. The controller was found to have violated the principle of storage limitation in Article 5(1)(e) of the GDPR. The City had also violated the principle of accountability: its register of processing activities did not record all data recipients and did not define the deletion date for certain processing activities. In other words, neither the data map nor the retention schedule was in place or adequate.
Outcome: The entity had shared personal data without a legal basis, in violation of the GDPR principles of lawfulness of processing, confidentiality and storage limitation. Apart from the monetary fine, the controller was ordered to remedy the infringements within 60 days.
Key Takeaways: Where the storage period for data is not regulated by law, the controller must determine it themselves, appropriate to the purposes for which the data is processed.
5. Taxa 4X35 | Danish DPA | March 2019
Danish Data Protection Agency fined Taxa 4X35 for failing to delete customers’ data
Summary: The Danish Data Protection Agency imposed a fine on Taxa 4x35 for failing to delete customer data in accordance with the GDPR. The company claimed that the personal data used for bookings was anonymized after two years. In practice, only the customer’s name was deleted; the phone number was kept. Since the phone number alone still traced each booking back to the customer, the records remained personal data, and they were not deleted until five years had passed.
Outcome: The DPA found that the company had failed to delete data when it was no longer needed.
Key Takeaways: Storing personal data for longer than necessary is not acceptable. Removing one identifier while keeping another that still links the record to a person is not anonymization.
6. Spartoo | French DPA | August 2020
CNIL found Spartoo’s data minimization practices inconsistent and inadequate
Summary: The French data protection authority, the CNIL, imposed a penalty on the online retailer Spartoo for deficiencies concerning the data of customers, prospects and employees. The company recorded and kept telephone conversations with customers for training and evaluation. The CNIL found this excessive and unjustified, because the person in charge of training listened to only one recording per week per employee. The company had also not set any retention period for customer and prospect data and was holding data on a substantial number of former customers (more than 3 million who had been inactive for five years or more).
The CNIL also found contradictory or inconsistent practices. For example, the company had set a retention period of five years from a person’s last activity (such as opening a newsletter), yet it stopped prospecting people who had shown no interest in its products or services for two years. Even after the five-year period, customers’ email addresses and passwords were retained in pseudonymized, not anonymized, form.
Outcome: Spartoo was found to have violated the GDPR’s data minimization principle, failed to comply with the obligation to inform individuals, retained data for longer than necessary, and failed to ensure data security.
Key Takeaways: Personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)."
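The Taxa 4x35 and Spartoo decisions above turn on the same engineering mistake: a retention job that blanks one field, or hashes an identifier, and then reports the record as anonymized. The following Python is an added example written for this page, not code from any of the companies or authorities discussed. It runs a retention pass over constructed booking records (no real customers; the field names, phone numbers and the two-year period are assumptions for illustration), shows why stripping only the name leaves a linkable travel history behind, contrasts that with deleting the expired record and keeping only an identifier-free aggregate, and demonstrates that a hashed e-mail address can be re-linked by anyone holding a candidate list, which is why hashing is pseudonymization rather than anonymization.

```python
"""Retention enforcement and the pseudonymization-vs-anonymization trap.

Added example for this page; not taken from any ruling or company system.
Sample data, field names and retention periods are constructed assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Fixed reference date so the example is deterministic.
TODAY = date(2024, 1, 1)

# Direct identifiers: any one of them alone links a record to a person.
# The Taxa 4x35 decision turned on the phone number remaining in place.
DIRECT_IDENTIFIERS = ("name", "phone", "email")


@dataclass(frozen=True)
class Booking:
    booking_id: int
    name: str | None
    phone: str | None
    email: str | None
    pickup: str
    booked_on: date


def sample_bookings(today: date = TODAY) -> list[Booking]:
    """Constructed sample data; no real customers. Rides 2 and 3 belong to one person."""
    return [
        Booking(1, "A. Example", "+45 20 00 00 01", "a@example.test", "Airport", today - timedelta(days=30)),
        Booking(2, "B. Example", "+45 20 00 00 02", "b@example.test", "Tivoli", today - timedelta(days=3 * 365)),
        Booking(3, "B. Example", "+45 20 00 00 02", "b@example.test", "Norreport", today - timedelta(days=4 * 365)),
    ]


def expired(b: Booking, today: date, retention_days: int) -> bool:
    return (today - b.booked_on).days > retention_days


def strip_name_only(bookings: list[Booking], today: date = TODAY, retention_days: int = 2 * 365) -> list[Booking]:
    """The failure mode: blank the name after the retention period but keep the phone.
    Mirrors what the Danish DPA found at Taxa 4x35."""
    return [replace(b, name=None) if expired(b, today, retention_days) else b for b in bookings]


def still_personal(b: Booking) -> bool:
    """A record remains personal data while any direct identifier is present."""
    return any(getattr(b, f) is not None for f in DIRECT_IDENTIFIERS)


def linkable_histories(bookings: list[Booking]) -> dict[str, list[int]]:
    """Re-identification check: 'anonymized' records that share a phone number
    still form one person's travel history."""
    by_phone: dict[str, list[int]] = {}
    for b in bookings:
        if b.name is None and b.phone is not None:
            by_phone.setdefault(b.phone, []).append(b.booking_id)
    return {phone: ids for phone, ids in by_phone.items() if len(ids) > 1}


def enforce_retention(bookings: list[Booking], today: date = TODAY,
                      retention_days: int = 2 * 365) -> tuple[list[Booking], dict[str, int]]:
    """The compliant path: delete expired records outright and keep only an
    aggregate that carries no identifier (rides per pickup point)."""
    kept: list[Booking] = []
    aggregate: dict[str, int] = {}
    for b in bookings:
        if expired(b, today, retention_days):
            aggregate[b.pickup] = aggregate.get(b.pickup, 0) + 1
        else:
            kept.append(b)
    return kept, aggregate


def pseudonymize_email(email: str) -> str:
    """Hashing replaces the address with a token but keeps it unique per person:
    pseudonymization, not anonymization (the Spartoo finding)."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def reidentify(pseudonym: str, candidates: list[str]) -> str | None:
    """Anyone holding a candidate list (a marketing export, a breach dump) can
    re-link a hashed address simply by hashing the candidates."""
    return next((c for c in candidates if pseudonymize_email(c) == pseudonym), None)


if __name__ == "__main__":
    rows = sample_bookings()
    wrong = strip_name_only(rows)
    print("still personal after name strip:", [b.booking_id for b in wrong if still_personal(b)])
    print("linkable histories:", linkable_histories(wrong))
    kept, agg = enforce_retention(rows)
    print("kept:", [b.booking_id for b in kept], "aggregate:", agg)
    token = pseudonymize_email("b@example.test")
    print("re-identified:", reidentify(token, ["x@example.test", "b@example.test"]))
```

The aggregate kept by `enforce_retention` is what a taxi operator can legitimately retain for statistics once the booking itself has served its purpose; anything that still carries a phone number, e-mail hash or other stable token belongs on the retention schedule and must be deleted when the period runs out.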
7. Deutsche Wohnen | Berlin DPA | November 2019
The Berlin data protection authority fined Deutsche Wohnen for storing tenant data in an archive system with no deletion capability
Summary: The German real estate company Deutsche Wohnen was fined by the Berlin DPA for failing to implement measures enabling the regular deletion of tenant data that was no longer required. The company used an archive system to store tenants’ personal data, but the system offered no way to delete data once it was no longer needed.
Outcome: Deutsche Wohnen had failed to establish a GDPR-compliant retention and deletion procedure for tenants’ personal data.
Key Takeaways: Look into the detail of records management and the data deletion lifecycle, and establish formal records management policies. A storage system that cannot delete records cannot support any retention schedule placed on top of it.
8. Car Dealership | Office of the Data Protection Ombudsman | July 2019
The car dealership was found to be violating the GDPR by sharing a customer’s personal data online.
Summary: A car dealership in Finland posted, as part of a sale listing, an image of the car’s maintenance certificate containing the customer’s personal data. The customer asked for the personal data to be removed from the images, but the controller maintained that displaying it did not harm data subjects.
Outcome: The dealership had failed to comply with the GDPR’s data minimization principle and the obligation of data protection by design and by default. The controller was required to revise its process in accordance with the GDPR.
Key Takeaways: Publishing a customer’s personal data online discloses it to an unspecified group of recipients, which the controller cannot later restrict.
Link to full ruling: Data Protection Ombudsman 26.7.2021 - FINLEX ®
9. Cosmote and OTE | Hellenic Data Protection Authority (HDPA) | January 2022
Cosmote failed to justify the retention of all traffic data for a period of three months.
Summary: The telecom operator Cosmote retained all customer call data for 90 days and then kept it, supposedly anonymized, for a further year in order to improve its services. The HDPA’s investigation found that the data analytics purpose could have been fulfilled with anonymized data, and that the data Cosmote described as anonymized was in fact only pseudonymized. The company was not transparent about why it retained the data or about the purpose of processing, and it lacked sufficient measures to protect the data.
In addition, Cosmote and OTE were found to have implemented security measures jointly without any specific data processing agreement between the two companies.
Outcome: The HDPA ruled that Cosmote’s processing violated the GDPR’s data minimization and storage limitation principles and Article 6 of the Greek e-Privacy Law 3471/2006. Cosmote and its parent OTE were fined a total of €9.25 million, the largest fine issued in Greece. Cosmote was also ordered to stop the unlawful processing and destroy the data it had collected.
Key Takeaways: Personal data should be held only for as long as necessary in relation to the purposes for which it is being processed and shall be processed in a manner that ensures appropriate security of the personal data.
10. Den Blå Avis | Danish DPA | January 2022
The Danish DPA ruled that Den Blå Avis’ (DBA) refusal of a request to delete a user profile and associated information was justified under the GDPR.
Summary: The complainant had asked DBA to delete their user profile and other information. The company rejected the request, stating that it had received three independent complaints from buyers about the complainant and that it needed to retain the complainant’s data in order to block their access to DBA’s platform.
DBA also stated that the complainant had previously tried to circumvent the block by creating new profiles under different email addresses, and that retaining the complainant’s information had made it possible to identify and close all such profiles. The company specified that the profile and related personal data would not be deleted on request, but would be expunged after 24 months of inactivity.
Outcome: The Danish DPA found that processing the complainant’s personal data was necessary for DBA to pursue a legitimate interest that overrides the interests of the data subject. It ruled that the processing did not conflict with the storage limitation principle in Article 5(1)(e) of the GDPR, since the information would be deleted automatically by DBA after 24 months of inactivity.
Key takeaways: Where the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or where the processing is necessary for the establishment, exercise or defense of legal claims, the processing may continue despite an erasure request.
11. CafePress | FTC | March 2022
CafePress failed to safeguard the sensitive personal data of its consumers and covered up a breach.
Summary: CafePress suffered a data breach in February 2019 that exposed email addresses and passwords, unencrypted names, physical addresses, security questions and answers, unencrypted Social Security numbers, and partial payment card numbers with their expiration dates. After being notified of the vulnerability and the breach, the company patched the vulnerability but did not investigate the incident for some time, despite further warnings. In April 2019 a foreign government warned it of a breach and asked it to notify the affected customers. CafePress did not inform affected customers of the breach until September 2019.
In addition, it used consumer email addresses for marketing without appropriate disclosure, contrary to purpose limitation.
Outcome: The FTC found that CafePress had failed to employ the security controls needed to protect the sensitive information of buyers and sellers stored on its network. The company stored Social Security numbers and password reset answers in clear, readable text and retained the data for longer than necessary. It also did not apply readily available protections and patches for well-known vulnerabilities. These practices led to multiple data breaches.
Key Takeaways:
- Personal data should be deleted once the purpose for which it was collected has been fulfilled
- Notify affected customers of a data breach in a timely manner
- Store personal data in encrypted form in line with current encryption standards
- Have an incident response plan in place
- Address security vulnerabilities on a regular basis
12. Danske Bank | Danish DPA | April 2022
Danske Bank failed to document the storage and deletion of personal data in compliance with the GDPR’s data protection rules.
Summary: An investigation by the Danish DPA found that Danske Bank could not document its rules for the deletion and storage of personal data, or the manual deletion of personal data, across some 400 systems processing the personal data of millions of individuals. The investigation was opened after the bank itself informed the DPA of a problem with the deletion of personal data. Following the inquiry, the bank was found to have failed to comply with the GDPR’s data protection rules.
Outcome: The DPA filed a police complaint against Danske Bank and recommended a fine of DKK 10 million (about $1.48 million). The DPA’s special consultant stated, “One of the basic principles of the GDPR is that you can only process information you need - and when you don't need it anymore, it must be deleted. When it comes to an organization of Danske Bank's size that has many and complex systems, it is particularly crucial that you can also document that the deletion actually happens”.
Key Takeaways: Personal data should be held only for as long as necessary in relation to the purposes for which it is being processed. It is also important to document the processes in order to demonstrate compliance.
Link to the full ruling: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/apr/danske-bank-indstilles-til-boede
13. Gyldendal | Danish DPA | June 2022
Danish publishing house, Gyldendal, failed to delete the personal data of unsubscribed book club members
Summary: The Danish DPA found that the personal data of around 685,000 former members of Gyldendal’s book clubs had been kept for longer than necessary. Some of it had been stored for more than ten years, and the publisher had no procedures or guidelines for deleting the data of members who had unsubscribed.
Outcome: Gyldendal was found in violation of the principles of storage limitation and accountability. The controller was reported to the police with a recommended fine of DKK 1,000,000 (about €134,427).
Key Takeaways: Personal data should not be held for longer than necessary and data controllers should implement an effective retention policy.
14. Ubeeqo International | CNIL | July 2022
The vehicle rental service provider Ubeeqo International was found to be collecting customers’ geolocation data and storing it for an excessive period.
Summary: Ubeeqo could not justify collecting the rented vehicle’s geolocation every 500 meters while it was in motion, each time the engine was turned on or off, and each time the doors were opened or closed. It kept the data for the duration of the commercial relationship and for three years after the service ended. The company also kept the personal data of users who had been inactive for more than eight years in its databases.
Outcome: The CNIL fined Ubeeqo International €175,000 for infringing its customers’ privacy by geolocating them almost permanently.
The CNIL observed that the company had breached the data minimization principle and could have offered an identical service without near-permanent geolocation. It also found the retention period excessive for the stated purposes.
Key Takeaways: Data must be adequate, relevant and not excessive in relation to the purpose for which it is collected and used.
15. Clearview AI Inc | ICO | 2022
The UK’s independent data protection authority, the Information Commissioner’s Office (ICO), fined the American facial recognition company Clearview AI Inc for failing to comply with the UK’s data protection laws.
Summary: The facial recognition company collected images of people’s faces, together with publicly available information, from the internet and social media platforms to build its online database. This was done without the knowledge or consent of the individuals concerned.
Outcome: The ICO found that Clearview AI:
- Did not use data in ways that were fair or transparent;
- Could not provide a lawful basis for collecting people’s data;
- Had no process in place to stop the information being retained indefinitely;
- Failed to meet the higher data protection standards required by the UK GDPR for biometric data.
The company was fined more than £7.5 million and was ordered to stop obtaining and using the publicly available personal data of UK residents and to delete the data of UK residents from its systems.
Key Takeaways: Personal data cannot be collected unlawfully, and may be retained only for the period that is regulatorily compliant. Special category data such as biometric data must be handled and protected in accordance with the regulations.
16. INFOGREFFE | CNIL | 2022
The French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), fined the economic interest group INFOGREFFE for non-compliance with the GDPR in relation to the retention and security of data.
Summary: The INFOGREFFE website stated that personal information collected would be kept for 36 months from the last order for a service and/or document. On investigation, this was found not to be the case for 25% of users. Manual anonymization, carried out on individual request, concerned only a small number of accounts. Further, sufficient measures were not in place to guarantee the security of members’ data.
Outcome: Following a complaint and an investigation by the CNIL, the authority fined INFOGREFFE 250,000 euros for:
- Failing to comply with the obligation to keep data for a period proportionate to the purpose of the processing;
- Failing to comply with the obligation to ensure the security of personal data.
Key Takeaways: Data should be retained only for a period proportionate to the purpose of processing, and appropriate measures must be in place to ensure the security of personal data.
Link to resource: INFOGREFFE fined 250,000 euros | CNIL