Danish bank fined for failure to delete the data it no longer needed

The Danish SA has proposed a fine and reported Danske Bank to the police after the bank reportedly neglected to delete data.


The Danish Supervisory Authority has filed a police report against Danske Bank and proposed a fine of €1.3 million on the bank, according to this report from the EDPB. This is the result of an investigation dating back to November 2020, when the Authority initiated a case of its own motion after the bank reported that it had identified a problem with the deletion of personal data for which there was no continued justification to process. A legal basis for the processing of personal data is necessary under the GDPR, and data must only be kept for as long as absolutely necessary.


The bank was unable to demonstrate compliance and was therefore found to have infringed Article 5(2) of the GDPR.


In connection with the Danish SA’s investigation, it was found that the bank had not been able to show that rules had been laid out dictating how the bank would handle the storage and deletion of personal data, nor was the bank able to prove that manual deletion of personal data was being carried out. Article 5(2) specifically states that the data controller shall be responsible for, and must be able to demonstrate compliance with, paragraph 1. Article 5(1)(e) specifically states that “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” According to Kenni Elm Olsen, specialist consultant at the Danish Data Protection Agency, “One of the basic principles of the GDPR is that you can only process information you need – and when you no longer need it, it must be deleted. When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place.” 


A total fine of €1.3 million has been proposed after the Danish SA considered several details of the case.


In determining what fine should be proposed, the Danish Supervisory Authority considered that the breach in question relates to a basic principle under the GDPR (Article 5) concerning the processing of personal data. The Authority also considered that the actions of the bank affected quite a large number of data subjects. The bank’s systems process the personal data of several million data subjects. The Danish Data Protection Agency has emphasized the nature and seriousness of the infringement and also the requirement that a fine must be effective, proportionate to the infringement, and have a deterrent effect. In addition, the Authority also considered that Danske Bank actively volunteered information during the case. The Authority believes that the bank has indeed tried to curb the potential damage to data subjects. As a result, a total fine of €1.3 million has been proposed.




Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Monitoring data processors: guidance from Danish DPA

The Danish DPA has published guidance for data controllers on monitoring data processors, with suggestions based on risk assessment.

Last month, the Danish DPA published guidance on how best to monitor data processors, aimed at any private company, public authority or institution that processes personal data or functions as a data controller. These data processors are essentially external bodies that process information on behalf of the data controllers, and are oftentimes in possession of personal data and other sensitive information. It is imperative that processors handle this information as they are supposed to, and data controllers can monitor their respective processors to ensure that this is the case. This is important, as ultimately data controllers are held responsible for the data.

Data controllers have a responsibility to ensure that their data processors are processing the information properly.

In the relationship between a data controller and a processor, the data controller decides why (for what purpose) and how (with what aids) the personal data is processed. A data processor, on the other hand, is the one who processes personal data on behalf of the data controller – i.e. following an instruction from the data controller. The data controller is oftentimes held responsible for the data and its use, as well as any mishaps which may occur regarding the data and its processing. As a result, it is imperative that data controllers monitor how their data processors handle the data of their clients, customers or other data subjects.

The Danish DPA has suggested six different approaches to monitoring data processors, based on the level of risk.

In light of the importance of data controllers supervising their respective data processors, the Danish DPA has provided guidance for controllers on how, and how much, they should supervise. The guide answers many questions on how much supervision is necessary and how it should be carried out. In addition, it offers a set of guiding supervisory concepts to help gauge the level of risk associated with the processing of certain data. Based on the level of risk, the guide from the Danish DPA suggests six different approaches to supervision, ranging from a very low risk supervisory approach to very high risk. These are outlined here:

Concept 1 (very low risk)

Do not do anything unless you become aware that something is wrong with the data processor.

Concept 2

The data processor confirms – preferably in writing – to you that all requirements in the data processor agreement are still complied with.

Concept 3

The data processor gives you annually – either directly or via its website – a written status of matters covered by the data processor agreement and other relevant areas (e.g. organizational or product changes).

Concept 4

The data processor has a relevant and updated certification or follows a so-called code of conduct that is relevant to your processing activities.

Concept 5

An independent third party has conducted documented supervision of the data processor in an area that also covers your processing activities.

Concept 6 (very high risk)

The data controller carries out a documented inspection of the data processor themselves – or together with others.

Deciding which approach is appropriate in each data controller’s situation is important, and depends on the level of risk associated with the data being handled by the processor. However, some level of supervision of one’s data processor is necessary in every case. It then becomes important to assess the level of supervision necessary and to conduct supervision as needed.
