Danish bank fined for failure to delete the data it no longer needed

The Danish SA has proposed a fine and reported Danske Bank to the police after the bank reportedly neglected to delete data it no longer needed.


The Danish Supervisory Authority has filed a police report against Danske Bank and proposed a fine of €1.3 million, according to this report from the EDPB. This is the result of an investigation dating back to November 2020, when the Authority opened a case of its own motion after the bank had reported that it had identified a problem with the deletion of personal data for which there was no longer any justification to process. Under the GDPR, processing of personal data requires a legal basis, and data must only be kept for as long as absolutely necessary.


The bank was unable to demonstrate compliance and was therefore found to have infringed on Article 5(2) of the GDPR. 


In connection with the Danish SA’s investigation, it was found that the bank had not been able to show that rules had been laid down governing how the bank would handle the storage and deletion of personal data, nor was the bank able to prove that manual deletion of personal data was actually being carried out. Article 5(2) states that the data controller shall be responsible for, and must be able to demonstrate compliance with, paragraph 1. Article 5(1)(e) states that “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” According to Kenni Elm Olsen, specialist consultant at the Danish Data Protection Agency, “One of the basic principles of the GDPR is that you can only process information you need – and when you no longer need it, it must be deleted. When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place.”


A total fine of €1.3 million has been proposed after the Danish SA considered the various details of this case.


In determining what fine should be proposed, the Danish Supervisory Authority considered that the breach in question relates to a basic principle of the GDPR (Article 5) governing the processing of personal data. The Authority also considered that the bank’s failure affected a very large number of data subjects: the bank’s systems process the personal data of several million people. The Danish Data Protection Agency emphasized the nature and seriousness of the infringement, as well as the requirement that a fine must be effective, proportionate to the infringement and have a deterrent effect. In addition, the Authority considered that Danske Bank actively volunteered information during the case, and it believes that the bank has genuinely tried to limit the potential damage to data subjects. As a result, a total fine of €1.3 million has been proposed.


Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Violation of data minimisation leads to administrative fine

The Finnish DPA has fined the Finnish Motor Insurers’ Centre, after this controller was found to be in violation of data minimisation. 

The Finnish DPA has fined the Finnish Motor Insurers’ Centre over their inability to adhere to the principle of data minimisation. The company was fined late last year, for collecting an unnecessary amount of data from patients for health insurance claims, according to this report by the EDPB. The Finnish Motor Insurers’ Centre’s practices in requesting patient records from health care providers for claims handling purposes were investigated by the Office of the Data Protection Ombudsman. The Finnish DPA found that this controller systematically requested more information than necessary. The controller was fined €52,000 as a result. 

The Finnish Motor Insurers’ Centre requested unredacted patient records, which contained more information than is considered necessary for insurance claims.

The Finnish Motor Insurers’ Centre requested unredacted patient records from health care providers in order to settle claims, as the controller believed it had the right to collect extensive patient information. This information included details of patients’ health care appointments, used to determine whether the health care provider had charged for visits unrelated to the examination or treatment of injuries sustained in the relevant traffic incident. The controller also requested additional information in case the health care provider had omitted anything pertinent.

The Data Protection Ombudsman determined that the practice of requesting this extensive information was a violation of the GDPR. 

The Data Protection Ombudsman determined that the controller’s systematic requests for claimants’ full patient records, instead of limiting its requests to the information necessary for handling the claims, were a violation of the GDPR. According to the EDPS, the principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specific purpose. The information collected must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The data controller in this case was therefore found to be in violation of the GDPR. The Data Protection Ombudsman stated that the Traffic Insurance Act does not give direct access to all patient records; the information requested must be only that which is necessary for the settlement of the claim. In addition, according to the Finnish Medical Association, any information on an individual’s state of health should be disclosed to insurance companies in the form of a statement.

A fine of €52,000 has been imposed, although the decision is not yet final because the Finnish Motor Insurers’ Centre has appealed it in the administrative court. The controller was also ordered to bring its practices into compliance.


How subcontractors can reuse data: CNIL outlines specific conditions

Subcontractors may reuse data only under specific conditions, which CNIL has outlined in detail.


Under the GDPR, several conditions need to be met before a subcontractor may reuse data provided to it by the data controller. The French regulator, CNIL, has outlined the context in which such reuse by a subcontractor is allowed. A data processor is normally meant to process data only at the request of the controller, and never for its own purposes. However, in some cases a subcontractor may wish to reuse that data for a specific purpose, such as improving its products or services. In these cases, a controller may authorize a subcontractor to reuse the data for its own purposes, but only if several conditions are met. CNIL has outlined these conditions in a recent article. It is important to note that once authorised to reuse the data for its own purposes, the processor becomes responsible for this new processing.


Before processing by a subcontractor can begin, a compatibility test must be run.


Before any “subsequent processing”, meaning processing which follows the collection operation and serves purposes other than those of the initial collection, can take place, the data controller must run a compatibility test. The purpose of this test is to determine whether the further processing is compatible with the purpose for which the data was initially collected. In the test, the data controller considers whether there is a link between the purposes for which the personal data was collected and the purposes of the intended subsequent processing. Other relevant factors include the context in which the personal data was collected and the nature of the personal data. It is also necessary to consider the use of appropriate safeguards, which may include encryption or pseudonymization. The compatibility test must be carried out for each specific processing operation, taking into account the purposes and characteristics of every operation for which the subcontractor wishes to reuse the data. The data controller may then decide whether or not to give its consent, and may do so only if the results of the test were satisfactory.


Authorization for the reuse of data must be in writing, and the data subjects must be informed by the controller.


The GDPR requires that a contract or other written legal act be drawn up to govern the processing carried out by a subcontractor; this may be in electronic form. In addition, the controller must ensure that data subjects are adequately informed of the reuse of their data for new purposes, and in particular must indicate whether it is possible to object to it. In practice, it is recommended that the initial data controller provide, if possible, all the information on the processing. The controller may delegate this task if the subcontractor already has the contact details of the persons concerned.


The responsibility of ensuring the compliance of the subsequent processing rests on the subcontractor. 


The subcontractor is responsible for ensuring that the new processing complies with the GDPR; if it fails to do so, it may be sanctioned by CNIL. It must ensure that the data is processed in accordance with the regulation, and only for the intended, compatible purposes for which written consent was given. As the controller of the further processing, it must ensure that the processing serves a well-defined purpose and rests on a legal basis suited specifically to that purpose.


CNIL’s article specifically mentions defining an adequate retention period and ensuring that data subjects are provided with information on any indirect collection that has not already been provided by the initial controller (subject to applicable exceptions). Particular attention also needs to be paid to ensuring appropriate security measures, data minimisation and, overall, the protection of data subjects’ rights.


Employee right of access: how does it work?

The CNIL of France has released an article explaining the employee right of access under the EU GDPR.


Article 15 of the GDPR gives individuals the right to request a copy of their personal data from a data controller. This also applies when the data controller is the individual’s employer. CNIL has recently outlined in this article how employers should go about fulfilling requests from current and former employees for their personal data. The organization must be sure of the identity of the applicant. Where there is reasonable doubt about the identity of the person making the request, the organisation may ask for proof of identity. This is not necessary where the employee makes the request via their professional email or the company’s intranet. Similarly, identity can be proven by providing a current or former professional identifier.


Employees should receive their data, and have the right to have this data corrected or deleted free of charge in most cases.


Employees or former employees may request a copy of all the personal data that their employer holds concerning them and must receive this information in an understandable format, making it easy for them to check the accuracy of the information. The individual is also entitled to information such as the purpose for which the data is used, the categories of data processed, the other organizations to which the data may have been communicated, and so on. They may also request that the data be corrected or erased. These requests should be handled free of charge; however, where they are unfounded or excessive, for example where additional copies are requested, reasonable costs may be charged for fulfilling the request. The right of access relates to personal data rather than to documents, but the organization is not prohibited from releasing documents rather than just the data if doing so would be more practical.


Employers must protect the rights of third parties when it comes to fulfilling requests for copies of professional emails.


Employees may request access to professional emails in which they were either the sender or the recipient, or in which they were mentioned. Where the employee was the sender or recipient, it is assumed that the individual already had knowledge of the information contained in the requested messages, so fulfilling those requests is presumed to respect the rights of third parties. However, where the applicant is merely mentioned in the content of the emails, the employer must protect the rights and identities of any third parties. It is suggested that the employer first attempt to delete, anonymize or pseudonymize the third-party data. If this is insufficient, the employer would need to refuse the request for access and give the applicant reasons justifying the refusal.
