It is hard to avoid the topic of third country transfers and deletion of data: a Danish IT solutions company, KOMBIT, contacted the Danish Data Protection Authority with a specific question related to the disclosure of information to authorities in third countries (countries outside the EEA).
KOMBIT delivers computer systems which process personal data to the Danish municipalities. KOMBIT uses a subcontractor, Netcompany A/S, to deliver the services. Netcompany A/S in turn has a subcontracting agreement with Amazon Web Services ("AWS"). In principle, the relevant personal data is only processed within the EU/EEA, but the subcontracting agreement between Netcompany A/S and AWS states that this can be deviated from if AWS is required to disclose the data to public authorities.
In its response to KOMBIT's question, the Danish Data Protection Authority stated that invoking the deviation provision in this subcontracting agreement between Netcompany A/S and AWS would amount to an intentional transfer to a third country. This means that a provision that is common in most cloud service agreements, namely that the supplier will give surveillance authorities in third countries access to data if so required, is problematic.
This has broad consequences as it will probably be difficult for suppliers to change this type of clause in their contracts. It remains to be seen how authorities will view this issue going forward. Read more here https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/apr/staar-det-i-databehandleraftalen-er-det-ikke-utilsigtet
In another case, the Danish Data Protection Authority notified a fine of DKK 10 million to Danske Bank because the bank did not have sufficient measures in place for deletion of personal data from its systems. The bank itself had contacted the Data Protection Authority and reported that it had problems deleting personal data that it no longer had any legitimate reason to keep. It was eventually revealed that there were almost 400 different computer systems in which required deletion could not be carried out. Together, these systems processed the personal data of several million people.
In connection with the notified fine, the Data Protection Authority stated the following:
"One of the basic principles of the GDPR is that you can only process data you need – and when you no longer need it, it must be deleted. With regard to an organisation of Danske Bank's size, which has many and complex systems, it is particularly crucial that it can also be documented that the deletion actually takes place."
This is not the first time that the Danish Data Protection Authority has been strict regarding the deletion of personal data. We have so far not had any similar cases in Norway, but there probably will be. Rules for the deletion of personal data are without a doubt a fundamental principle of the GDPR. Read more here https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/apr/danske-bank-indstilles-til-boede