In Perspective: Danish bank issued significant fine in relation to records management

Danish bank fined €1.3 million for noncompliance of the GDPR’s storage limitation principle
What happened
- The Danish data protection regulator recently fined Danske Bank €1.3 million for not being able to demonstrate a compliant data deletion process.
- It was found that Danske Bank did not properly document the rules around the storage and deletion of personal data.
- This resulted in the continued processing of personal data that was not strictly necessary (and therefore noncompliant with the ‘storage limitation’ principle of the GDPR).
Why it matters
- Even if personal data is collected and used fairly and lawfully, it cannot be stored for longer than it is needed.
- The GDPR does not set specify time limits for different types of data – instead, the business must determine how long it needs the data for its defined purposes.
- This can also be influenced by guidelines set out in laws and statutes
- It is therefore a good idea for organisations to maintain a retention policy and schedule that lists the types of information that are held, how long for and the deletion processes involved.
Romanian data protection regulator fines a data controller for not implementing appropriate security measures
What happened
- The Romanian data protection regulator recently fined a data controller €2,000 for not implementing appropriate security measures to prevent unauthorised access to the personal data of its employees.
- This data included the full name, salary, bank account details and personal identification number of current and former employees.
- It was also found that staff were not properly trained on the importance of protecting personal data.
Why it matters
- This case serves as important reminder of not just the significance of technical measures to boost an organisation’s digital security, but also organisational measures to raise staff awareness of particular policies and practices.
- All training programmes should detail data protection and why it is important. They should also capture requirements related to records management, data sharing, information security and breach management.
Catalan Department of Health is reprimanded for not maintaining adequate security measures
What happened
- A complaint was made to the Catalan data protection regulator in relation to the technical security of its Covid-19 vaccination website.
- It was found that the website allowed unauthorised third parties to get access to a data subject’s personal data just by simply entering their personal ID number – verification was not required.
- The personal data included full name, health card number, contact number, email address, vaccine type and appointment.
- The Catalan data protection regulator issued a reprimand and ordered the Department of Health the resolve the issues it had identified within one month.
Why it matters
- It was also found that the Department of Health had not carried out a Data Protection Impact Assessment (DPIA) that looked at the risks contained within the website.
- The completion of a DPIA is a useful way to identify the risks associated with a particular processing activity and the methods to ensure these are remediated.
- Had one been completed in advance, then the Department of Health would have quickly recognised the importance of authorisation and verification processes when accessing personal data online (this can be via a password or a unique code issued to users when retrieving their details).