Danske Bank – €1,340,000 Fine (Denmark, 2022)

€1,340,000Datatilsynet (Denmark)5 April 2022Denmark
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Danske Bank was fined €1.34 million by the Danish DPA for not having proper policies to delete personal data. The bank couldn't prove it had deleted data it no longer needed, affecting millions of people. This case shows the importance of having clear data deletion policies.

What happened

Danske Bank failed to have policies for deleting personal data in over 400 systems.

Who was affected

Millions of individuals whose personal data was stored without proper deletion policies.

What the authority found

The Danish DPA found that Danske Bank breached GDPR by not deleting personal data it no longer needed.

Why this matters

This case highlights the need for businesses to implement clear data retention and deletion policies. It serves as a reminder that failing to manage personal data properly can lead to significant fines.

GDPR Articles Cited

AI-verified

Art. 5(1)(a) GDPR
Art. 5(1)(e) GDPR
View original scraped data
Art. 5(1)(a) GDPR
Art. 5(1)(e) GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
articles corrected
Denmark enforcementDatatilsynet (Denmark) actionsAll Danske Bank actions
Full Legal Summary
Detailed

In 2020, Danish Bank reported an issue with personal data deletion to the Danish DPA. In its investigation, the DPA discovered that the bank lacked policies and procedures for storage and erasure of personal data in over 400 systems. The bank could not demonstrate that it had manually deleted personal data either. The systems contain the personal data of millions of data subjects. The Danish DPA Datatilsynet held that Danske Bank had breached a fundamental principle of the GDPR, where one is required to delete personal data one no longer needs (likely referring to Article 5(1)(e) GDPR). Due to this, the DPA has filed a police report against Danske Bank and proposed a fine of €1,345,000 (DKK 10 million). The police will investigate the case before a final decision is made in the courts.

Related Enforcement Actions (2)

Other enforcement actions involving Danske Bank in DK

Fine
Apr 2022· Datatilsynet (Denmark)

The Danish DPA has imposed a fine of EUR 1.3 million on Danske Bank. The DPA had opened an investigation against the bank after it informed the DPA th...

€1.3M
Current
Apr 2022

Fine

€1.3M

Violation Found
Jun 2022· Datatilsynet (Norway)

Danske Bank (controller) had developed an electronic registry database for invoices, which was connected to the controller's 'District platform' appli...

Details

Fine Date

5 April 2022

Authority

Datatilsynet (Denmark)

Fine Amount

€1,340,000

10,000,000 DKK

GDPRhub ID

gdprhub-4840

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Danske Bank - Denmark (2022). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: