>After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency.

So maybe if his backup regime were precisely specified in his privacy policy. But even a conflicting legal requirement is no defense, here.

Regarding minimization, 4 other cases:

>During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller.

>Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

> The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller.

> The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance

"Of course if he stores the data in a personally identifying way..." GDPR cares not for identifying but for identifiable. It's GPS data. If someone uploads data pertaining to their home, workplace, frequent travel routes, etc. then it is definitely identifiable.

Regarding FUD, it seems FUD is exactly what the DPAs intend, since they are punishing rather than helping when asked for advice!

>Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Auhtority then fined Kolibri Image as controller for not having a processing agreement with the service provider.