The Danish Data Protection Agency (DPA) has initiated a criminal complaint against Danske Bank for breaches of General Data Protection Regulations (GDPR).
In 2020, Danske Bank notified the DPA of issues with the handling of personal customer data, which had been stored across various systems for longer than necessary. The bank acknowledged that its efforts to ensure compliance with GDPR regulations proved to be more complex and time-consuming than expected.
Bo Svejstrup, EVP and CIO of core banking and data at Danske Bank, commented, “Unfortunately, the process has taken longer than we would have wished for. This is mainly because of the volume of the task, but also because it is our clear aim to make the implementation as hassle-free as possible for our customers.”
In light of the ongoing difficulties, the DPA has begun criminal proceedings and advised the Danish prosecution service to impose a fine on the bank.
Svejstrup reassured that customer data remains secure, stating, “We have continuously focused on adjusting and implementing time limits for deleting data in our systems, and we have made good progress with our efforts. However, we have also had to recognise that the task is very complex and that the implementation of time limits for deleting data in certain systems has proven time-consuming. We now take note of the DPA’s recommendation and continue the task of deleting the data that we no longer have any reason to store while we await the outcome of the matter.”