In Perspective: Danish bank issued significant fine in relation to records management


Security

Danish bank fined €1.3 million for noncompliance with the GDPR’s storage limitation principle

What happened

  • The Danish data protection regulator recently fined Danske Bank €1.3 million for not being able to demonstrate a compliant data deletion process.
  • It was found that Danske Bank did not properly document the rules around the storage and deletion of personal data.
  • This resulted in the continued processing of personal data that was not strictly necessary (and therefore noncompliant with the ‘storage limitation’ principle of the GDPR).

Why it matters

  • Even if personal data is collected and used fairly and lawfully, it cannot be stored for longer than it is needed.
  • The GDPR does not specify time limits for different types of data – instead, the business must determine how long it needs the data for its defined purposes.
  • This can also be influenced by retention periods set out in laws and statutes.
  • It is therefore a good idea for organisations to maintain a retention policy and schedule that lists the types of information that are held, how long for and the deletion processes involved.

Security

Romanian data protection regulator fines a data controller for not implementing appropriate security measures

What happened

  • The Romanian data protection regulator recently fined a data controller €2,000 for not implementing appropriate security measures to prevent unauthorised access to the personal data of its employees.
  • This data included the full name, salary, bank account details and personal identification number of current and former employees.
  • It was also found that staff were not properly trained on the importance of protecting personal data.

Why it matters

  • This case serves as an important reminder of the significance not just of technical measures to boost an organisation’s digital security, but also of organisational measures to raise staff awareness of particular policies and practices.
  • All training programmes should detail data protection and why it is important. They should also capture requirements related to records management, data sharing, information security and breach management.

Catalan Department of Health

Catalan Department of Health is reprimanded for not maintaining adequate security measures

What happened

  • A complaint was made to the Catalan data protection regulator in relation to the technical security of its Covid-19 vaccination website.
  • It was found that the website allowed unauthorised third parties to access a data subject’s personal data simply by entering that person’s personal ID number – no further verification was required.
  • The personal data included full name, health card number, contact number, email address, vaccine type and appointment.
  • The Catalan data protection regulator issued a reprimand and ordered the Department of Health to resolve the issues it had identified within one month.

Why it matters

  • It was also found that the Department of Health had not carried out a Data Protection Impact Assessment (DPIA) that looked at the risks contained within the website.
  • The completion of a DPIA is a useful way to identify the risks associated with a particular processing activity and the methods to ensure these are remediated.
  • Had one been completed in advance, the Department of Health would quickly have recognised the importance of authentication and verification when personal data is accessed online (for example, requiring a password or a unique code issued to the user before their details can be retrieved).

We’d love to hear from you

Lindsey has a strong track record in providing risk advisory services with a focus on governance, regulatory compliance, conduct and culture, data protection, and third-party assurance. He helps organisations successfully address governance, risk management and compliance challenges.

To discuss how the areas highlighted in this post, or any other aspect of risk management, information governance or compliance impact your business, speak with our team, tell us what matters to you and find out how we can help you navigate complex issues to help you deliver long term value.

If you have any questions or comments, or if there’s anything you would like to see covered, please get in touch by emailing Xcina Consulting at info@xcinaconsulting.com. We’d love to hear from you.

Lindsey Domingo

Senior Director
