As regulators announce multiple data protection fines across the EU, many financial institutions across the continent may be wondering, could we be next?
A slew of enforcement actions have been unveiled in recent days across the EU, including Denmark, Ireland and Sweden.
The Danish Data Protection Authority (Datatilsynet - DPA) has recommended that Danske Bank, Denmark’s largest financial institution, be hit with a fine of DKK10m (€134,466).
This decision has been under consideration since November 2020, when the authority initiated a case after the bank admitted that it had identified a problem with the deletion of personal data, which the bank had no commercial justification for continuing to process.
“One of the basic principles of the GDPR is that you can only process the information you need, and when you no longer need it, it must be deleted,” said Kenni Elm Olsen, a specialist consultant at the regulator.
When it comes to an organisation the size of Danske Bank, which has many complex systems, it is particularly crucial that you can also document that the deletion actually takes place, the regulator warned.
In connection with the investigation, it has emerged that the bank has not been able to document that the relevant rules have been adhered to for deletion and storage of personal data, or that manual deletion of personal data has been carried out in more than 400 of the bank's systems.
These systems process the personal data of some of the 5m personal customers that Danske Bank caters for.
The ruling will now be referred to Denmark’s police, who have the powers to administer the fine. This is a legal difference that Denmark has with the majority of other EU countries, so the details of the decision, as well as the final decision regarding the fine, will come from the courts.
Commenting on the ruling, Bo Svejstrup, vice president at Danske Bank, said: “First and foremost, it is important for me to emphasise that our customers’ data is secure and has been secure all along.”
Identified instances of personal data have, unfortunately, been stored for a longer period than necessary, and that should obviously not have taken place, Svejstrup continued.
“We have continuously focused on adjusting and implementing time limits for deleting data in our systems, and we have made good progress with our efforts. Throughout the process, we have had a productive dialogue with the DPA,” he said. “However, we have also had to recognise that the task is very complex and that the implementation of time limits for deleting data in certain systems has proven time-consuming.”
According to Svejstrup, the bank accepts the DPA’s recommendation and continues the task of deleting the data that it no longer has any reason to store while awaiting the outcome of the matter.
“This sector is used to strict regulations, so perhaps there is an expectation that they should do better,” said Rie Aleksandra Walle, a data protection consultant, commenting on the development.
It should worry other banks in Europe, she continued. “But not only other banks; everyone who doesn't regularly delete personal data or follow the other rules.”
Ireland and Sweden fines
Meanwhile, Ireland’s Data Protection Commissioner has hit the Bank of Ireland with a €463,000 fine for data breaches that affected more than 50,000 customers.
It follows an inquiry into 22 personal data breach notifications that the Bank of Ireland made to the commissioner between November 2018 and June 2019.
In a statement on its website, the Bank of Ireland said that it fully acknowledges and sincerely apologises for these breaches. “The bank takes its regulatory and compliance obligations very seriously and regrets that it has fallen short in this way.”
The bank has notified all affected customers, the statement continued, adding that it has rectified the inaccurate information reported to the Central Bank of Ireland’s credit register in all but 20 cases, which will be corrected shortly. “It has also taken measures to improve its ongoing CCR reporting, including error management procedures and a process that enables faster correction of errors.”
According to the Bank of Ireland, the Data Protection Commissioner has mandated further measures and work has already begun to put these in place. “The bank has engaged fully and proactively with the commission during its inquiry and will continue to do so as it implements these additional measures as quickly as possible.”
It is not just established financial institutions that are facing the music from General Data Protection Regulation (GDPR) enforcement either.
On March 31, the Swedish Authority for Privacy Protection (IMY) announced that it had fined buy now, pay later (BNPL) firm Klarna SEK7.5m (€728,240).
The regulator found that the company, one of Europe’s largest fintechs, had not complied with several of the GDPR rules.
“During the investigation, Klarna has continuously changed the information provided on how the company handles personal data,” said Hans Kärnlöf, the lawyer responsible for the investigation.
The IMY's decision concerns the information provided in Spring 2020. In its decision, the supervisor states that Klarna failed to provide information on the purpose for which and on the basis of which legal basis personal data was processed in one of the company's services.
The company also provided incomplete and misleading information about who were the recipients of different categories of personal data when data was shared with Swedish and foreign credit information companies.
According to the IMY, Klarna also did not state which countries outside the EU and European Economic Area personal data were transferred to, or where and how individuals could obtain information on the safeguards that applied to those third-country transfers.
The Swedish authority also found that the company provided incomplete information about the data subjects' rights, including the right to delete data, the right to data portability and the right to object to how one's personal data is processed.