Data Minimization: Summary of Recent Rulings

Regulatory bodies and courts around the world have discussed Data Minimization in various matters related to security and data breaches. We intend to maintain a summary of these rulings and our key takeaways as a reference for Data Privacy and Information Governance professionals.

1. InfoTrax Systems, L.C. | FTC | January 2020

InfoTrax failed to prevent unauthorized access to the personal information of its consumers.

Summary: The technology company InfoTrax failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information it maintained on behalf of its clients. The FTC alleged that the company had no systematic process for inventorying and deleting the consumers’ personal information stored on its network. Data inventory and deletion are identified as critical and low-cost protections for ensuring security.

Outcome: The company and its CEO were prohibited from collecting, selling, sharing, or storing personal information unless they implemented an information security program that addresses the security failures identified in the complaint. They were also required to obtain third-party assessments of their companies’ information security programs every two years.

Key takeaways: The Director of the FTC’s Bureau of Consumer Protection Service stated, “Providers don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers.”

Link to full ruling: InfoTrax Systems, L.C. | Federal Trade Commission (ftc.gov)

2. Mister Tango | VDAI | May 2019

Data processing fine on UAB ‘Mister Tango’ for excessive collection of data and for storing it longer than necessary.

Summary: The electronic payment company UAB ‘Mister Tango’ was found to be collecting excessive data and storing it for longer than necessary. The company collected more personal data than the payment required (in this case, only the name, surname and, if the payer wishes, his/her identification code, bank account number, currency and balance, and the purpose of the payment/payment code are necessary for effecting the payment). In addition to that data, the company also collected the dates, sender names and amounts of unreviewed electronic invoices; the dates and subjects of unread notifications together with part of the notification text; the purposes, types and amounts of loans; the names of pension funds, the accumulated units, their value and the accumulated amounts; the types of credits (e.g., mortgage credit), due balances, and the amounts and dates of other payments; and the numbers of issued payment cards and the amounts on those cards. Most of this data was not needed for the purpose for which it was collected and would be deemed superfluous. The company also stored this data for longer than the retention period it had itself established and indicated as necessary (data was stored for 216 days instead of 10 minutes).

Outcome: The VDAI concluded that Mister Tango did not have the necessary technical and organizational security measures in place to ensure the required level of security, including protection against unauthorized processing or disclosure. It imposed the first administrative fine on the company for violating the GDPR.

Key takeaways: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

Link to full ruling: First GDPR fine issued in Lithuania | GDPR Register

3. IDdesign | Danish DPA | June 2019

The Danish Data Protection Agency imposed a fine for failing to maintain a retention schedule and to adhere to it.

Summary: IDdesign had provided an overview of the systems the company uses for the processing of personal data. This overview revealed that some of its furniture stores still used an older system, which had been replaced by a newer system in the other stores. The old system held the names, addresses, telephone numbers, e-mail addresses, and purchase histories of around 385,000 customers. IDdesign had never deleted the data of these customers from the old system. The company had neither assessed whether the personal information was still necessary nor established any deadlines for deleting the personal data stored in the system.