Danske Bank was fined 10 million Danish kroner (US $1.47 million) by the Danish Data Protection Agency (Datatilsynet) for violating the European Union's General Data Protection Regulation (GDPR).
The Danish prosecution service should impose its own fine for the bank's failure to delete customers' personal data from its systems, according to the regulator. Danske Bank was unable to present proper procedures for deleting and storing personal data in more than 400 systems that hold millions of people's data, according to Datatilsynet on Tuesday.
In a translated statement, Kenni Elm Olsen, specialist consultant at Datatilsynet, said, "One of the basic principles of the GDPR is that you can only process information you need—and when you no longer need it, it must be deleted. When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place."
Danske Bank self-reported concerns that it was storing personal data for longer than necessary and that its systems were not fully GDPR compliant, prompting the regulator to launch an investigation in November 2020.
Despite making preparations in early 2016 for the GDPR to take effect in May 2018, the bank told Datatilsynet in December 2020 that the required compliance work would not be completed until the end of 2021—some 42 months after the legislation took effect—"mainly due to the volume of the task."
"It was not possible to build retention and deletion functionality in all systems at the same time due to the large number of IT systems and the high complexity and interconnectedness between the systems," Danske Bank added. To handle the work on retention and deletion in "manageable portions," the bank chose a phase-based approach.
Despite knowing it would miss the May 2018 deadline for GDPR compliance regarding data retention and deletion, the bank chose to wait more than two years to notify the regulator, possibly because it believed customer data was not at risk since no breach had occurred.
In 2018, Danske Bank's data protection compliance team discovered a lack of a group-wide information records management framework, as well as limited data governance, and raised concerns internally, highlighting the risks of being GDPR noncompliant. In October of this year, these concerns were raised once more.
"First and foremost, it is important for me to emphasize that our customers’ data is secure and has been secure all along," said Bo Svejstrup, executive vice president and chief technology officer of Danske Bank, in a statement released Tuesday. "As we have previously communicated, identified instances of personal data have, unfortunately, been stored for a longer period than necessary, and that should obviously not have taken place."
"We have also had to recognize that the task is very complex and that the implementation of time limits for deleting data in certain systems has proven time-consuming. We now take note of the DPA’s recommendation and continue the task of deleting the data that we no longer have any reason to store while we await the outcome of the matter."
Danske Bank also told Datatilsynet that it had to keep some personal information due to legal obligations stemming from ongoing investigations and litigation into the bank's failure to prevent widespread money laundering at its now-closed Estonian branch.
By fLEXI tEAM