In Ireland and Denmark the relevant local data protection authorities have proposed large General Data Protection Regulation (GDPR) fines in relations to alleged data breaches.
In Ireland the Data Protection Commission (DPC) has sanctioned a fine of €463,000 ($502,980) against Bank of Ireland in relation to a range of data breaches that took place from November 2018 to June 2019, that impacted the personal data of over 50,000 customers, and also for not complying with the legal time parameters related to make those impacted by the breach aware of it via breach notification letters.
The DPC discovered 19 incidents at Bank of Ireland that could be classified as personal data breaches, additionally it was found that there had been unauthorized sharing of personal data with the CCR. When data breaches are discovered, impacted individuals must be made aware of the exposure/theft/impermissible sharing of their personal data without unnecessary delay. On one occasion, which included the inaccurate reporting of the credit card data of 236 of its customers to the CCR in June 2019, breach alerts were not issued until November/December 2019.
Bank of Ireland said in a statement related to the breach: “Bank of Ireland fully acknowledges, and sincerely apologises for, these breaches. The bank takes its regulatory and compliance obligations very seriously and regrets that it has fallen short in this way.”
It was also confirmed that every impacted customer had been notified if they were impacted by the data breaches. The inaccurate details shared with the CCR has now been amended for all but 20 customers, with the corrections for the outstanding customers to be made in the next short while. The group also revealed that a review has taken place and new measures have been implemented to enhance CCR reporting.
Meanwhile in Denmark, the Danish Data Protection Agency (DPA) is in the process of imposing a GDPR penalty of 10 million Danish Kroner – around $1.48m – on the country’s largest lending group, Danske Bank, for not putting in place GDPR-compliant processes related to the storage and erasure of the personal data of its clients. The DPA has also submitted a criminal complaint against the bank and has made the police aware of the failure to delete customers’ personal data from its databases.
According to the DPA, Danske bank was not in a position to provide procedure details related to the storage and deletion of the data of millions of people held in more than 400 of the bank’s databases.
Bo Svejstrup, EVP and CIO core banking and data, Danske Bank said: “Unfortunately, the process has taken longer than we would have wished for. This is mainly because of the volume of the task, but also because it is our clear aim to make the implementation as hassle-free as possible for our customers. We have continuously focused on adjusting and implementing time limits for deleting data in our systems, and we have made good progress with our efforts. We now take note of the DPA’s recommendation and continue the task of deleting the data that we no longer have any reason to store while we await the outcome of the matter.”