European DPAs in Action: Periodic Penalties and Deletion of Personal Data
The Dutch Data Protection Authority (Dutch DPA) has issued fixed and periodic fines to a government ministry over its lack of security measures and transparency about who it shares personal data with, while the Danish Data Protection Agency (Danish DPA) has issued fines to a national bank for its lack of documentation on the deletion of personal data.
Periodic penalties, in addition to fixed fines, could be a new modus operandi for data protection authorities to encourage organisations to move fast and fix things
The Dutch DPA has issued two periodic penalties to encourage the Dutch Ministry of Foreign Affairs to fix its lack of security measures and information provisions regarding its visa system and to comply with Articles 13(1)(e) and 32(1) GDPR as quickly as possible.
The Ministry had handled 530,000 visa applications on average each year since 2019. The Dutch DPA found that the applicants’ personal data were insufficiently secured: there was no security plan, physical security for and access controls to the visa system were lacking, and the reporting procedure for security incidents was deficient. Additionally, the Ministry’s privacy statement gave visa applicants insufficient information about all third-party recipients of their personal data.
As a result, the Dutch DPA has issued a fixed EUR 565,000 fine and ordered the Ministry to fix these issues. To encourage the Ministry to rectify and improve its measures as soon as possible, the DPA has issued two periodic penalties: EUR 50,000 for every two weeks of delay in improving its security measures, and EUR 10,000 for each week of delay in improving its information provisions.
Deletion and destruction of data counts as processing of personal data, even when there may be no perceived risk to customer data
Danske Bank has been reported to the Danish prosecution service by the Danish DPA and fined EUR 1.3 million (DKK 10,000) for failing to implement proper procedures for the deletion and storage of personal data.
In addition to storage, the bank’s deletion of personal data – or rather its failure to delete the data with the right procedures and within the correct timeframe – still falls under the ‘processing’ definition of Article 4(2) GDPR:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
The fine was issued after the Danish DPA started investigating Danske Bank’s GDPR compliance, following the bank’s self-report of its non-compliance in November 2020. The bank’s stated reasons for remaining non-compliant after the 2018 deadline were the size and complexity of the task, which had taken longer than anticipated, as the bank has over 400 IT systems and holds the personal data of millions of people.
Additionally, Danske Bank did not have a group-wide information records management framework and had only limited data governance, which had previously been flagged internally. While Danske Bank has issued a statement reassuring customers that their data has been and remains secure, this did not negate the fact that customer data had been stored for longer than necessary and that, if and when it was deleted, the deletion was not documented correctly.
Hannah-Mei Grisley also contributed to this article