Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Denmark: Datatilsynet expresses criticism against Danske Bank for handling of DSARs

The Danish data protection authority ('Datatilsynet') published, on 30 September 2022, its decision in Case No. 2021-41-0121, in which it had expressed criticism against Danske Bank A/S, for violations of Articles 12 and 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an inspection carried out by the same.

Background to the decision

In particular, the Datatilsynet stated that, after completing a series of inspections focused on the handling of banks' data subject access requests ('DSARs'), it had issued decisions against the internal procedures of each of the five banks concerned. More specifically, the Datatilsynet noted that, with regard to its inspection of Danske Bank, it found that the bank adopted a layered approach to handling DSARs, whereby customers can gain insight/access into their information in the following three ways:

  • by accessing certain information about themselves via the bank's self-service solution;
  • by requesting a 'CDI report', which does not contain all the information that the bank processes about the person in question; and
  • by specifically requesting an 'in-depth report', which contains more information about the person concerned.

Findings of the Datatilsynet

Notably, the Datatilsynet found that, since data subjects had only been given access to reports that do not contain all the information to which they are entitled to under the GDPR, the bank had been in breach of Article 15 of the GDPR. Nonetheless, the Datatilsynet expressed that, to the extent that the data subject is directed to access certain information themselves, this is in compliance with Articles 12 and 15 of the GDPR, provided that it is simple and straightforward for the data subject to find the relevant information.

Outcomes

Ultimately, the Datatilsynet expressed criticism against Danske Bank for its handling of DSARs in violation of Articles 12 and 15 of the GDPR. However, the Datatilsynet noted that the bank has informed the same that it had conducted changes to its existing processes for handling DSARs.

You can read the press release here and the decisions here, both only available in Danish.