On April 5, The Danish Data Protection Agency (Datatilsynet) reported Danske Bank to the police and issued a €1.3 million (DKK 10 million) fine for not being able to demonstrate a compliant data deletion process along with the violation of Art. 5 (2) GDPR.
In November 2020, Datatilsynet initiated the investigation after the Bank itself stated that they have identified a problem with personal data deletion and processing of personal data that was no longer necessary for the business purposes of the Bank.
The Datatilsynet’s investigation
The investigation uncovered that the Danske Bank did not document rules set up for storage and deletion of personal data, and could not demonstrate that manual deletion of personal data has been carried out in more than 400 Banks systems that process personal data of millions of individuals.
As Kenni Elm Olsen, specialist consultant at the Datatilsynet stated;
“One of the basic principles of the GDPR is that you can only process information you need – and when you no longer need it, it must be deleted. When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place.”
The reason behind high fine
The Danish Data Protection Authority justified the high amount of the fine by the seriousness of the case, stating that Danske Bank has violated one of the basic principles of the General Data Protection Regulation as well as the number of people that were affected by the violation.
Compliant data removal
Each personal data collected by the company goes through a personal data lifecycle. Data is collected through different channels, and processed for everyday business operations. After the lawful basis for processing expires, personal data has to be archived for legal and documentation purposes and eventually removed.
Privacy solutions, like Data Privacy Manager, facilitate automatic instructions to a different system when data deletion needs to be executed and enables you to define data retention and data removal operationalization on different data categories.
Data Privacy Manager’s automated services answer two key questions:
- WHICH data subject’s data needs to be removed?
- WHEN does this data need to be removed?