On 21 December 2020, Danske Bank responded, detailing in its letter to the DPA our ongoing efforts to become compliant with GDPR requirements on retention and deletion of data in all of our systems.
“Our customers’ data is secure. We have, however, identified instances of data having been stored for longer than necessary. That should obviously not have happened, and we are working to solve this issue,” says Bo Svejstrup, Executive Vice President at CIO Core Banking & Data at Danske Bank.
Since 2016, Danske Bank has worked to become compliant with the requirements on retention and deletion of data in all systems, and we have completed many aspects. Regrettably, however, we have not yet completed the required work, but we currently expect our systems to be compliant by the end of 2021.
“Unfortunately, the process has taken longer than we would have wished for. This is mainly because of the volume of the task, but also because it is our clear aim to make the implementation as hassle-free as possible for our customers,” says Bo Svejstrup.
Finally, Danske Bank has informed the DPA that we are currently retaining personal data due to legal obligations related to ongoing investigations and litigation concerning the Estonia case. Danske Bank does not, however, see this as part of the identified GDPR compliance issue.
Danske Bank has also notified the Danish FSA of this matter.
Read Danske Bank’s response to the Danish Data Protection Agency here.