Danish DPA €1.345m fine for Danske Bank
In November 2020, Danske Bank reported to the Danish Data Protection Agency (DDPA) that it had identified an internal problem with its data retention and deletion policies. A hoarding problem, you could say.
Danske Bank acknowledged that it had over four hundred systems for which it had not been able to determine whether data retention and deletion policies had been implemented, or whether personal data that Danske Bank no longer had a continued justification to process had in fact been deleted. These four hundred systems processed the personal data of millions of people.
The DDPA have reported Danske Bank to the police and proposed a fine of DKK 10 million (£1.12m) for the infringement of Article 5(2) of the GDPR, namely that the controller (Danske Bank) was in breach of Article 5(1)(e) "Personal data shall be…(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed", i.e. the retention principle.
Why did the DDPA not issue a fine themselves, you ask? Interestingly, the rules on issuing GDPR fines in Denmark are different from those in most European countries. In Denmark the procedure is that, after an investigation by the DDPA, they make a report to the police and recommend a fine. The Danish police will then launch their own investigation and determine whether there is a basis for a criminal charge. If Danske Bank is charged and the matter is taken forward, the level of the fine will be determined by the Danish courts. This is in contrast to most other Data Protection Agencies, which have the power to issue fines autonomously.
Spring cleaning takes on a whole new meaning for the Bank of Ireland
Danske Bank is not alone on the naughty step this April, however; the Bank of Ireland has also recently been fined €463,000 (approx. £385,000) by the Irish Data Protection Commission (IDPC) for data breaches affecting more than fifty thousand customers. The Bank of Ireland notified the IDPC of twenty-two breaches (which occurred between 9 November 2018 and 27 June 2019), and nineteen of those were found to have been GDPR breaches. One of these breaches affected forty-seven thousand customers. Other breaches were found to have affected customers' credit scores and their ability to secure loans.
Going to the various regulators with hands held up and admitting failures may demonstrate how seriously some banks are taking their regulatory and compliance obligations; it can buy some time to correct the failures, and earn leniency if proactive steps are being taken, as was the case with the Bank of Ireland. It can also, as we saw last year with the BA and Marriott fines, potentially reduce the fine significantly. However, Danske Bank's efforts over several years to ensure compliance, which had proved a more "complex [an] undertaking than they had anticipated," led to the DDPA becoming "dismayed with ongoing issues", and ultimately, by the looks of things, the DDPA decided to commence criminal proceedings against Danske Bank, having perhaps run out of patience.
Conclusion
It's important to remember that policies (especially retention policies) are not pretty pieces of paper to be filed away with a box ticked. They must be living, breathing strategies that are actually complied with. Often they are complex and take time, effort and money to implement and maintain. As with a lot of things, consistency seems to be key.
"One of the basic principles of GDPR is that you can only process information you need - and when you don't need it anymore, it must be deleted. When it comes to an organization of Danske Bank's size that has many and complex systems, it is particularly crucial that you can also document that the deletion actually happens."
https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/apr/danske-bank-indstilles-til-boede