
Danske Bank Fined for GDPR Violations, Customer Data Held for Longer Than Legally Allowed

Danske Bank, the largest bank in Denmark and a former Fortune Global 500 member, is facing a fine of 10 million Danish kroner for General Data Protection Regulation (GDPR) violations pertaining to data storage. This comes just as the bank begins to recover from a €200 billion money laundering scandal that rocked its Estonia branch and halved its share price.

The bank was fined the equivalent of about $1.5 million by the Danish Data Protection Agency (Datatilsynet), for storing the personal data of customers for an excessive amount of time and failing to delete it as required by GDPR terms. The fine also comes with a recommendation to the Danish police to impose an additional penalty on the bank.

GDPR violations cost Denmark’s biggest bank millions, another fine may be coming

The fine ultimately stems from a 2020 self-report by the bank of potential GDPR violations. Danske Bank has struggled with GDPR compliance since the rules went into effect in 2018, arguing at the time that it would not be able to process the data of its five million retail customers properly until the end of 2021.

A statement from the bank indicates that the GDPR violations are tied to an inability to build data deletion functionality into its complex, interlocked IT systems, despite efforts that began in 2016 when it became clear the GDPR was imminent. The bank has worked on this functionality in phases over the years, with some customer data being retained for an excessive amount of time during this process.

Regulators say that Danske Bank failed to notify them of these plans, in spite of the organization’s internal data protection compliance team raising concerns about inappropriate data governance during inspections in both 2018 and 2019. The bank appears to have felt that notifying regulators was not necessary so long as customer data was safe and a data breach did not occur.

The GDPR requires all personal data to be deleted by service providers upon the end of services or the expiration of a legal agreement. Many organizations handle this by implementing automated deletion systems to avoid GDPR violations, something that Danske Bank appeared to be attempting but was unable to complete in a timely manner due to its presence in multiple locations throughout Europe, its IT system structure (some 400 systems in total) and its volume of customers.

There are some exceptions to this rule when there is a reason to hold data to satisfy a legal obligation, something that Danske Bank said was the case with some of the information that triggered the GDPR violations. It said that some data was being held for longer than usual due to the ongoing investigation into the money laundering scandal at its Estonia branch. However, executive vice president Bo Svejstrup acknowledged that other personal data was held for inappropriate amounts of time and that the company was continuing to work to delete it.
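The two preceding paragraphs describe the mechanism in the abstract: an automated sweep that deletes personal data once the retention period after the end of the customer relationship has elapsed, with an exception for records under a legal hold such as an ongoing investigation. The following is an added illustration of such a sweep, written for this article and not code from Danske Bank or from any regulator. The retention period of 1825 days, the record layout, the hold identifier and the sample customers are all constructed assumptions. The point a compliance or security engineer would want to see is that held records are not silently skipped: they are reported as overdue-but-held, so the backlog that regulators expect to be told about stays visible rather than disappearing into the systems.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed retention period after the relationship ends (constructed value,
# not a figure taken from the article or from any statute).
RETENTION_DAYS = 1825


@dataclass
class CustomerRecord:
    customer_id: str
    # None means the customer relationship is still active.
    relationship_ended: Optional[date]
    # Identifiers of legal holds (e.g. an investigation case reference)
    # that block deletion even after the retention period has expired.
    legal_holds: Set[str] = field(default_factory=set)


def classify(record: CustomerRecord, today: date) -> str:
    """Return the retention status of one record as of `today`."""
    if record.relationship_ended is None:
        return "active"
    expiry = record.relationship_ended + timedelta(days=RETENTION_DAYS)
    if today < expiry:
        return "within_retention"
    if record.legal_holds:
        # Past the retention period, but a legal obligation requires keeping it.
        return "held"
    return "overdue"


def run_deletion_sweep(records: List[CustomerRecord], today: date) -> Dict[str, list]:
    """Delete overdue records and report held ones, producing an audit trail.

    Deletion is represented by collecting the ids; a real system would call
    the deletion routine of each underlying store here.
    """
    deleted: List[str] = []
    held: List[str] = []
    audit: List[dict] = []
    for record in sorted(records, key=lambda r: r.customer_id):
        status = classify(record, today)
        if status == "overdue":
            deleted.append(record.customer_id)
            audit.append({"customer_id": record.customer_id, "action": "deleted",
                          "reason": "retention period expired"})
        elif status == "held":
            # Held records are reported, not hidden: the overdue backlog must
            # remain visible to the compliance function and to regulators.
            held.append(record.customer_id)
            audit.append({"customer_id": record.customer_id, "action": "retained",
                          "reason": "legal hold: " + ", ".join(sorted(record.legal_holds))})
    return {"deleted": deleted, "held": held, "audit": audit}


def sample_sweep() -> Dict[str, list]:
    """Run the sweep over constructed sample customers as of a fixed date."""
    today = date(2023, 1, 1)
    records = [
        CustomerRecord("C-0001", date(2016, 6, 30)),                      # overdue
        CustomerRecord("C-0002", date(2021, 3, 15)),                      # still within retention
        CustomerRecord("C-0003", date(2015, 1, 1), {"CASE-PLACEHOLDER"}), # overdue but on legal hold
        CustomerRecord("C-0004", None),                                   # active customer
    ]
    return run_deletion_sweep(records, today)


if __name__ == "__main__":
    for entry in sample_sweep()["audit"]:
        print(entry)
```

Running the block deletes only C-0001 and lists C-0003 as retained under its hold; the active customer and the one still inside the retention window are untouched. Because the sweep is driven by the relationship end date rather than by a one-off migration, it keeps working as customers leave, which is the property a phased build-out like the one described above has to reach before the backlog stops growing.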

Continuing troubles for Danske Bank

These are the first GDPR violations on record for Danske Bank, though it is something of an unusual case: the violations appear to have been ongoing since 2018 and simply were not uncovered until recently.

The company’s recent troubles have not involved GDPR violations, but have had much more serious and expensive consequences. They have also taken on new relevance given the Russian invasion of Ukraine and the sanctions and seizures of assets of Russian oligarchs throughout the world. The Estonian branch of the bank essentially went rogue for almost a decade (beginning in 2007), laundering money for sanctioned parties and criminals in countries throughout the world but with a particular focus on business in Estonia and Russia.

Whistleblowers began coming forward in 2013, with the first of them indicating that the bank was handling money for the Russian Federal Security Service and for a family member of Vladimir Putin. Others linked shell companies dealing with the branch to the Russian government. An investigation that the Estonian government began in 2014 eventually led to arrests in 2018 and the suicide of the executive that was in charge of the branch from 2007 to 2015 (who had been acting as a key witness in the case). The Estonian branch was closed permanently in 2019.


Danske Bank is now on the hook for billions of dollars in fines in both the United States and a variety of European countries due to that incident, and has only just begun to repair its reputational damage. It will have extra work to do to regain consumer trust now that GDPR violations are a part of the equation.


Senior Correspondent at CPO Magazine