Datatilsynet (Denmark) - Danske Bank

From GDPRhub
Datatilsynet (Denmark) - Danske Bank
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 05.04.2022
Fine: 10,000,000 DKK
Parties: Danske Bank
National Case Number/Name: Danske Bank
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet Denmark (in DA)
Initial Contributor: Rie Aleksandra Walle

The Danish DPA proposed that Danske Bank should be fined €1,345,000 for lack of storage and erasure procedures in over 400 systems containing the personal data of millions of data subjects. The police will investigate the case before a final decision is made in the courts.

English Summary[edit | edit source]

Facts[edit | edit source]

In 2020, Danish Bank reported an issue with personal data deletion to the Danish DPA. In its investigation, the DPA discovered that the bank lacked policies and procedures for storage and erasure of personal data in over 400 systems. The bank could not demonstrate that it had manually deleted personal data either. The systems contain the personal data of millions of data subjects.

Holding[edit | edit source]

The Danish DPA Datatilsynet held that Danske Bank had breached a fundamental principle of the GDPR, where one is required to delete personal data one no longer needs (likely referring to Article 5(1)(e) GDPR).

Due to this, the DPA has filed a police report against Danske Bank and proposed a fine of €1,345,000 (DKK 10 million). The police will investigate the case before a final decision is made in the courts.

Comment[edit | edit source]

The process for GDPR fines in Denmark is different from most other EEA countries: after the DPA has filed their report, the police will investigate and determine if there are grounds to raise a formal charge. If so, the case is then referred to the courts, who will assess the case and determine the level of the fine - if any. In addition, whenever a case is referred to the police, the only information the DPA will publish is the press release.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Police report

Danske Bank is fined

Date: 05-04-2022


The Danish Data Protection Agency assesses that Danske Bank has not been able to document that they have deleted personal data in accordance with the data protection rules, and the Authority has therefore set the bank a fine of DKK 10 million. kr.

The Danish Data Protection Agency has reported Danske Bank to the police and fined the bank DKK 10 million. This follows on from the fact that in November 2020 the Authority initiated a case of its own motion, after the bank itself had stated that they had identified a problem with the deletion of personal data, which there was not necessarily a commercial justification for continuing to process. .

In connection with the Danish Data Protection Agency's investigation, it has emerged that the bank in more than 400 systems has not been able to document that rules have been laid down for deletion and storage of personal data, or that manual deletion of personal data has been carried out. These systems process personal data of millions of people.

"One of the basic principles of the GDPR is that you can only process information you need - and when you no longer need it, it must be deleted. When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place, ”says Kenni Elm Olsen, specialist consultant at the Danish Data Protection Agency.

Why police report?

The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83 (1) of the Data Protection Regulation. 2, in assessing which sanction is, in the opinion of the Authority, the correct one.

In assessing that a fine should be imposed, the Danish Data Protection Agency has emphasized that the breach in question relates to a basic principle for the processing of personal data and affects a very large number of data subjects.

In its recommendation on the size of the fine, the Danish Data Protection Agency has, among other things, emphasized the nature and seriousness of the infringement and the regulation's requirement that a fine in each individual case must be effective, proportionate to the infringement and have a deterrent effect.

Furthermore, it has been concluded that Danske Bank has continuously worked to be able to document that the bank lives up to its obligations, ie. have tried to limit the damage that the data subjects potentially suffer. At the same time, the Danish Data Protection Agency has emphasized Danske Bank's active participation in the information of the case.

Do you want to know more?

Read more about deletion.

Press inquiries can be directed to communications consultant Anders Due on tel. +45 29 49 32 83.