Danske Bank, the largest bank in Denmark, is facing a fine of 10 million Danish kroner (1.3 million euros) for violating the General Data Protection Regulation (GDPR) by holding customer data for longer than legally allowed. Across more than 400 systems covering millions of people, Danske Bank had not been able to present proper procedures for storing and deleting personal data.
GDPR violations
An investigation of Danske Bank began back in November 2020, after the bank reported itself to the Danish Data Protection Authority for possible data protection violations, more specifically storing its customers' personal data for longer than necessary and not ensuring its systems' compliance with the GDPR.
Danske Bank claimed that it had been trying to properly implement data deletion functionality in its systems since 2016, but had failed to do so by May 2018, the deadline for GDPR compliance regarding data deletion and storage, because of its multiple locations throughout Europe, its large number of customers and its complex IT system structure.
Moreover, despite having an internal data protection compliance team, which raised concerns about the inability to properly store and discard personal data, Danske Bank felt there was no need to inform the Data Protection Authority as long as no data breaches had occurred and all customer data was safe. As a result, the Data Protection Authority was only informed about these violations two years after the GDPR came into effect.
DPA decision
Despite the bank's active efforts to limit the damage to data subjects and its active cooperation in providing information about its struggles back in 2020, the Data Protection Authority's investigation found that Danske Bank had not documented the rules it set up for data storage and deletion, and had failed to ensure the deletion of personal data in more than 400 systems holding large amounts of personal data of the bank's customers.
The nature and seriousness of the violations, which could affect a very large number of data subjects, together with the greater responsibility placed on organisations processing large amounts of personal data, such as banks, led to the Data Protection Authority's decision to impose on Danske Bank a whopping fine of EUR 1.3 million.
What should be learned from this?
Regardless of its size, every organisation processing personal data should comply with the basic principles of the GDPR. In the light of this case, compliance with the following principles should be ensured:
- "Data minimisation", meaning that only the information necessary to fulfil the stated purposes should be processed; and
- "Storage limitation", meaning that once the processed information is no longer needed for the stated purposes, it must be deleted.
In order to avoid potential data breaches and violations of data subjects' rights, these and the other principles set out in Article 5 of the GDPR should be ensured before you start processing personal data. It is also highly recommended to ensure that the process for storing and deleting personal data is properly documented. Imperfections in an organisation's IT systems or a lack of time to comply with the GDPR do not justify data protection breaches and do not exempt the organisation from liability.
If your organisation is struggling to adapt to data protection changes or to comply with the GDPR requirements, do not hesitate to contact the data protection experts at ECOVIS for more information or help.
Prepared by Brigida Bacienė, Data Protection Expert of ECOVIS ProventusLaw, and Gabija Bacevičiūtė, junior lawyer of ECOVIS ProventusLaw