The DPA has now informed Danske Bank that it has filed a criminal complaint against the bank for violation of the General Data Protection Regulation (GDPR) and recommends that the Danish prosecution service impose a fine on Danske Bank.
“First and foremost, it is important for me to emphasise that our customers’ data is secure and has been secure all along. As we have previously communicated, identified instances of personal data have, unfortunately, been stored for a longer period than necessary, and that should obviously not have taken place,” says Bo Svejstrup, Executive Vice President and Chief Technology Officer at Danske Bank, adding:
“We have continuously focused on adjusting and implementing time limits for deleting data in our systems, and we have made good progress with our efforts. Throughout the process, we have had a productive dialogue with the DPA. However, we have also had to recognise that the task is very complex and that the implementation of time limits for deleting data in certain systems has proven time-consuming. We now take note of the DPA’s recommendation and continue the task of deleting the data that we no longer have any reason to store while we await the outcome of the matter.”
We are constantly working to ensure that we and our systems meet the requirements for the storage and erasure of personal data. We note that the DPA has attached importance to Danske Bank’s active participation in the clarification of the matter.