The Danish SA has proposed a fine and reported Danske Bank to the police after the bank reportedly neglected to have data deleted.
The Danish Supervisory Authority has filed a police report against Danske Bank and proposed a fine of €1.3 million on the bank, according to this report from the EDPB. This is the result of an investigation dating back to November 2020, when the Authority initiated a case of its own motion after the bank had reported that it had identified a problem with the deletion of personal data for which there was no continued justification for processing. A legal basis for the processing of personal data is necessary under the GDPR, and data must only be kept for as long as absolutely necessary.
The bank was unable to demonstrate compliance and was therefore found to have infringed Article 5(2) of the GDPR.
In connection with the Danish SA’s investigation, it was found that the bank had not been able to show that rules had been laid out dictating how the bank would handle the storage and deletion of personal data, nor was the bank able to prove that manual deletion of personal data was being carried out. Article 5(2) specifically states that the data controller shall be responsible for, and must be able to demonstrate compliance with, paragraph 1. Article 5(1)(e) specifically states that “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” According to Kenni Elm Olsen, specialist consultant at the Danish Data Protection Agency, “One of the basic principles of the GDPR is that you can only process information you need – and when you no longer need it, it must be deleted. When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place.”
A total fine of €1.3 million has been proposed after the Danish SA considered several details of this case.
In determining what fine should be proposed, the Danish Supervisory Authority considered that the breach in question relates to a basic principle under the GDPR (Article 5) concerning the processing of personal data. The Authority also considered that the actions of the bank affected quite a large number of data subjects. The bank’s systems process the personal data of several million data subjects. The Danish Data Protection Agency has emphasized the nature and seriousness of the infringement and also the requirement that a fine must be effective, proportionate to the infringement, and have a deterrent effect. In addition, the Authority also considered that Danske Bank actively volunteered information during the case. The Authority believes that the bank has indeed tried to curb the potential damage to data subjects. As a result, a total fine of €1.3 million has been proposed.