
Danish Bank Fined $1.5 million for Self-Reported GDPR Violation


Why This Privacy Law is Important:

On April 6, 2022, the Danish data protection authority fined Danske Bank 10m DKK, approximately $1.5 million, for violations of the General Data Protection Regulation (GDPR). The fine was levied not for a privacy breach, but for the bank's inability to provide documentation regarding the storage and deletion of personal data across hundreds of systems storing data on millions of people.

Overview:

Datatilsynet, the Danish data protection authority, fined Danske Bank 10m Danish kroner and reported it to the police for violations of GDPR, with recommendations that the public prosecutors also levy their own fine for the bank’s failure to delete customers’ data from its many internal systems. Notably, Datatilsynet explained the basis for the fine as a failure to “present proper procedures for deleting and storing personal data” in its internal systems.

The investigation began in November 2020 as a result of Danske Bank’s self-reported concerns that its data retention policies might not be fully GDPR compliant. In a public statement from December 2020, the bank explained that despite its efforts beginning in 2016 to become compliant with GDPR, “we currently expect our systems to be compliant by the end of 2021,” three and a half years after the law came into effect.

Danske Bank’s compliance team identified the lack of an organization-wide information records management framework and insufficient data governance as causes of its inability to reach GDPR compliance in a timely manner.
