The Danish Data Protection Agency (DPA) has filed a criminal complaint against Danske Bank for violation of General Data Protection Regulations.
In 2020, Danske Bank informed the DPA that it had identified instances where personal customer data had been stored across multiple systems for a longer period than necessary. The bank said that a multi-year effort to ensure all of its systems were compliant with GDPR rules had been a more complex undertaking than anticipated.
Bo Svejstrup, EVP and CIO core banking and data at Danske Bank says: “Unfortunately, the process has taken longer than we would have wished for. This is mainly because of the volume of the task, but also because it is our clear aim to make the implementation as hassle-free as possible for our customers.”
Dismayed by the ongoing issues, the country's data protection rule maker has commenced criminal proceedings and recommended that the Danish prosecution service impose a fine on the bank.
Svejstrup emphasises that customer data remains secure, but concedes: “We have continuously focused on adjusting and implementing time limits for deleting data in our systems, and we have made good progress with our efforts. However, we have also had to recognise that the task is very complex and that the implementation of time limits for deleting data in certain systems has proven time-consuming. We now take note of the DPA’s recommendation and continue the task of deleting the data that we no longer have any reason to store while we await the outcome of the matter.”