The Danish data protection authority, Datatilsynet, has filed a criminal complaint against Danske Bank and at the same time requested that a fine equivalent to CHF 1.37 million be imposed. The reason was that, for more than 400 systems, the bank had not documented that rules for the deletion and storage of personal data existed, or that deletion was carried out manually. The amount of the fine was based on the consideration that the obligation to erase is an essential principle of the GDPR and that several million individuals were affected (media release of the authority, in Danish).
The proceedings were preceded by an investigation by the data protection authority, in the course of which Danske Bank discovered that its problems with data deletion were more extensive than originally assumed. It disclosed this fact in 2020 in response to queries from the authority itself (this response is available here). No fine was imposed at the time, but the bank apparently made no significant progress with its data erasure project since then. In a response to the criminal complaint filed by the data protection authority, the bank commented as follows:
We have continuously focused on adjusting and implementing time limits for deleting data in our systems, and we have made good progress with our efforts. Throughout the process, we have had a productive dialogue with the DPA. However, we have also had to recognise that the task is very complex and that the implementation of time limits for deleting data in certain systems has proven time-consuming. We now take note of the DPA’s recommendation and continue the task of deleting the data that we no longer have any reason to store while we await the outcome of the matter.
Lessons learned: It is perfectly acceptable to disclose non-compliance to an authority, but you then have to make a serious effort to solve the problem. Data erasure is very demanding and time-consuming in a complex system landscape, but this does not (any longer) prevent authorities from imposing sanctions.
Under the revised DPA, by contrast, insufficient deletion is not punishable, but it is a violation of privacy and can lead to unpleasant situations when information is requested (and, in the case of regulated institutions, it can raise supervisory issues).