Denmark: Datatilsynet expresses criticism against Danske Bank for handling of DSARs
The Danish data protection authority ('Datatilsynet') published, on 30 September 2022, its decision in Case No. 2021-41-0121, in which it had expressed criticism against Danske Bank A/S, for violations of Articles 12 and 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an inspection carried out by the same.
Background to the decision
In particular, the Datatilsynet stated that, after completing a series of inspections focused on the handling of banks' data subject access requests ('DSARs'), it had issued decisions against the internal procedures of each of the five banks concerned. More specifically, the Datatilsynet noted that, with regard to its inspection of Danske Bank, it found that the bank adopted a layered approach to handling DSARs, whereby customers can gain insight/access into their information in the following three ways:
- by accessing certain information about themselves via the bank's self-service solution;
- by requesting a 'CDI report', which does not contain all the information that the bank processes about the person in question; and
- by specifically requesting an 'in-depth report', which contains more information about the person concerned.
Findings of the Datatilsynet
Notably, the Datatilsynet found that, since data subjects had only been given access to reports that do not contain all the information to which they are entitled to under the GDPR, the bank had been in breach of Article 15 of the GDPR. Nonetheless, the Datatilsynet expressed that, to the extent that the data subject is directed to access certain information themselves, this is in compliance with Articles 12 and 15 of the GDPR, provided that it is simple and straightforward for the data subject to find the relevant information.
Ultimately, the Datatilsynet expressed criticism against Danske Bank for its handling of DSARs in violation of Articles 12 and 15 of the GDPR. However, the Datatilsynet noted that the bank has informed the same that it had conducted changes to its existing processes for handling DSARs.