.png)
The Dutch Data Protection Authority (AP) recently made headlines by imposing a GDPR fine of 30,000 euros on the municipality of Voorschoten. The reason for the fine was that the municipality had been retaining household waste data for an excessive period of time and had failed to adequately inform residents about it.
The investigation by the privacy watchdog was triggered by a complaint from a concerned resident. In 2018 and 2019, the municipality of Voorschoten had taken the initiative to replace wheelie bins and underground containers. These new bins and containers were equipped with a chip that bore a unique number linked to each home address. The purpose of this was to encourage residents to separate their waste more effectively by restricting the amount of residual waste they could dispose of. Residents were allowed to deposit residual waste in the underground containers and bins up to five times a day.
Any additional waste that was discarded after the two-week period would be rejected by the garbage trucks, and this information was meticulously recorded in the municipality's systems. "While the collection of this data aligns with the municipality's public duty, the issue arose from the prolonged retention period of the data. The municipality had been holding onto data from the wheelie bins for as long as they were in use, and the tokens for the underground containers were stored for a period of five years.
This retention period far exceeded what was necessary to monitor if a household was exceeding the specified waste limits," explained the AP. In addition to the extended retention period, the municipality had also fallen short in informing residents about the usage of their personal data.
Letters had been sent out regarding the distribution of the new wheelie bins and tokens, but there was no mention of how their personal data would be utilized. In response to the AP's findings, the municipality promptly reduced the retention period to a more reasonable timeframe of 14 days.
While the fine has been issued, the municipality of Voorschoten still has the option to contest the decision. It remains to be seen how they will choose to proceed in light of the AP's concerns. Overall, this case serves as a reminder of the importance of transparency and accountability when handling personal data. As the GDPR continues to shape data protection regulations across Europe, it is crucial for organizations, including local municipalities, to prioritize privacy and data security in their practices. Failure to do so can result in costly fines and damage to reputation, as seen in the case of Voorschoten.
English (US)