Danske Bank, Denmark’s largest bank, faces a fine of approximately $1.5 million from the Danish Data Protection Agency (DPA) for failing to comply with the GDPR’s data deletion requirements. The GDPR requires service providers to delete all personal data upon the end of services or the expiration of a legal agreement. Here, Danske Bank retained customer data beyond that point. Interestingly, this fine stems from Danske Bank self-reporting the violation to the DPA back in 2020. Danske Bank believes that these violations arose from the difficulty of deleting data across its complex, interlocked IT systems.
This latest enforcement action from a DPA shows that businesses won’t necessarily receive a free pass on the GDPR’s stringent data deletion requirements when faced with technically complex problems such as ensuring data deletion across multiple IT systems. That holds even when a business self-reports the problem to a DPA. Stay tuned for further significant developments in DPA GDPR enforcement.