Danish SA: fine proposed for Danske Bank

Seen at the European Data Protection Board:

Background information

Date of final decision: 4 April 2022
Cross-border case or national case: National
Controller: Danske Bank
Legal Reference: Article 5 (2)
Decision: Infringement of the GDPR
Key words: Deletion

Summary of the Decision

Origin of the case

The Danish Data Supervisory Authority (SA) has reported Danske Bank to the Danish police and proposed a fine of DKK 10 million (app.1.3 million EUR). This concludes a case that the SA opened in November 2020 after the bank itself had stated that they had identified a problem with the deletion of personal data in which there was not necessarily a commercial justification for continuing to process.

Key Findings

During the Danish SA’s investigation, it has become clear that the bank in more than 400 systems has not been able to document whether rules have been laid down for deletion and storage of personal data, or whether manual deletion of personal data has been carried out. These systems process personal data of millions of people. The Danish Supervisory Authority has reported Danske Bank to the police and proposed a fine of DKK 10 million (app.1.3 million EUR) for the infringement of Article 5 (2) of the GDPR.

Decision

The Danish Supervisory Authority has reported Danske Bank to the police and proposed a fine of DKK 10 million (1.3 million EUR) for the infringement of Article 5 (2) of the GDPR.

For further information: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/apr/danske-bank-indstilles-til-boede (DA)

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.