The Danish Data Protection Agency (Datatilsynet) has reported Danske Bank to the police and fined it 10 million Danish kroner (U.S. $1.47 million) for violations of the European Union’s General Data Protection Regulation (GDPR).

The regulator recommended the Danish prosecution service impose its own separate fine over the bank’s failure to erase customers’ personal data in its systems. The Datatilsynet said Tuesday that Danske Bank had not been able to present proper procedures for deleting and storing personal data in more than 400 systems that hold millions of people’s data.

“One of the basic principles of the GDPR is that you can only process information you need—and when you no longer need it, it must be deleted,” said Kenni Elm Olsen, specialist consultant at the Datatilsynet, in a translated statement. “When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place.”

The regulator began its investigation in November 2020 after Danske Bank self-reported concerns it was storing personal data longer than necessary and that its systems were not fully GDPR compliant.

In December 2020, the bank told the Datatilsynet that despite making preparations in early 2016 for the GDPR to come into force in May 2018, the required compliance work would not be completed until the end of 2021—some 42 months after the legislation took effect—“mainly because of the volume of the task.”

Danske Bank added, “Due to the large number of IT systems and the high complexity and interconnectedness between the systems, it was not possible to build retention and deletion functionality in all systems at the same time.” The bank chose a phase-based approach to handle the work on retention and deletion in “manageable portions.”

Even though the bank knew it could not meet the May 2018 deadline for GDPR compliance regarding data retention and deletion, it chose not to notify the regulator until more than two years later, possibly because it felt there was no risk to customer data since no breach had taken place.

Danske Bank’s data protection compliance team identified the lack of a group-wide information records management framework, as well as limited data governance, in 2018 and raised concerns internally highlighting the associated risks of being noncompliant with the GDPR. These concerns were raised again in October 2019.

“First and foremost, it is important for me to emphasize that our customers’ data is secure and has been secure all along,” said Bo Svejstrup, Danske Bank’s executive vice president and chief technology officer, in a statement Tuesday. “As we have previously communicated, identified instances of personal data have, unfortunately, been stored for a longer period than necessary, and that should obviously not have taken place.”

He added, “[W]e have also had to recognize that the task is very complex and that the implementation of time limits for deleting data in certain systems has proven time-consuming. We now take note of the DPA’s recommendation and continue the task of deleting the data that we no longer have any reason to store while we await the outcome of the matter.”

Danske Bank also told the Datatilsynet it retained some personal data due to legal obligations related to ongoing investigations and litigation concerning the bank’s failure to prevent widespread money laundering at its now closed branch in Estonia.