Data Protection Authorities in Ireland and Denmark have proposed sizeable financial penalties for Bank of Ireland and Danske Bank to resolve alleged violations of the General Data Protection Regulation (GDPR).
Danish Data Protection Agency Proposes 10 Million Kr GDPR Penalty for Danske Bank
The Danish Data Protection Agency (DPA) has proposed a fine of 10 million Danish Kroner – around $1.48 million – on the country’s largest lender, Danske Bank, for failing to implement GDPR-compliant procedures concerning the storage and deletion of the personal data of its customers. The DPA has also filed a criminal complaint against the bank and has reported it to the police over the failure to delete customers’ personal data from its systems.
The case against Danske Bank was opened in November 2020, when the DPA became aware that customer data was being stored in the bank's systems for longer than the GDPR permits. According to the DPA, Danske Bank was unable to produce procedures governing the storage and deletion of the data of millions of individuals held across more than 400 of the bank's systems.
The underlying issue was the complexity of deleting data to comply with the GDPR's requirements, which Danske Bank had underestimated. The process of deleting data once the reason for collecting it has expired has spanned several years and is ongoing. “Unfortunately, the process has taken longer than we would have wished for. This is mainly because of the volume of the task, but also because it is our clear aim to make the implementation as hassle-free as possible for our customers,” said Bo Svejstrup, EVP and CIO core banking and data, Danske Bank. “We have continuously focused on adjusting and implementing time limits for deleting data in our systems, and we have made good progress with our efforts. We now take note of the DPA’s recommendation and continue the task of deleting the data that we no longer have any reason to store while we await the outcome of the matter.”
Irish Data Protection Commission Fines Bank of Ireland €463,000 for String of Data Breaches
The Data Protection Commission (DPC) in Ireland has fined Bank of Ireland €463,000 ($502,980) over a string of data breaches between November 2018 and June 2019 that involved the personal information of more than 50,000 of its customers, and for unnecessarily delaying the issuing of breach notification letters.
One of the data breaches affected around 47,000 of its customers and resulted in the corruption of customer data in the Central Credit Register (CCR) data feed. The data was altered in a way that could have negatively impacted customers’ credit histories, with some customers having incorrect data added to their credit histories that indicated they were in financial distress.
The DPC found 19 incidents that qualified as personal data breaches, including unauthorized disclosures of personal data to the CCR. Under the GDPR, affected individuals must be notified of the exposure, theft, or impermissible disclosure of their personal data without undue delay. In one instance, which involved the inaccurate reporting of the credit card information of 236 of its customers to the CCR in June 2019, notifications were not sent until November/December 2019.
“Bank of Ireland fully acknowledges, and sincerely apologises for, these breaches. The bank takes its regulatory and compliance obligations very seriously and regrets that it has fallen short in this way,” explained Bank of Ireland in a statement. The bank also confirmed that all customers affected by the data breaches have been notified, and that the inaccurate information sent to the CCR has been corrected for all but 20 customers, with the remaining corrections to be made shortly. It further confirmed that steps have been taken to improve CCR reporting and that new error-management procedures and processes have been implemented so that any errors can be corrected more quickly.