As part of its GDPR compliance obligations, a major European bank sought to clean up and gain full control over the entire lifecycle of personal data contained in its customer claims management system.

This system, historically fed by multiple channels (branches, calls, emails, customer interface), posed a significant risk of non-compliance with European regulations.

The project covered the following environments:
• the production database
• its “legal” copy for group reporting purposes
• as well as several lower-tier environments (testing, integration, pre-production), where real data had previously been used for testing purposes

 

Identified Business Issue

The lifecycle of customer claims exposes personal and sensitive data: identities, addresses, account information, exchange histories, and sometimes health or financial status details.

In practice, data were:

  • Retained for too long in the production database and its copy
  • Duplicated without any processing in test environments
  • Not automatically purged according to retention periods defined by the DPO: 5 years for standard claims, 10 years for legal disputes

As a result, the bank was exposed to:

  • Risks of sanctions
  • An expanded attack surface in case of data breaches
  • Group reporting errors based on obsolete or non-pseudonymized data
  • Loss of trust from customers and partners

 

Our intervention: approach and methodology

We supported the bank with a three-pillar approach:

  1. Inventory and mapping of sensitive data
    • Automated scanning of databases (production, legal copy, testing) with detection of sensitive fields (PII, potential health or banking data)
    • Validation of the scope of sensitive data through business/technical workshops, to ensure consistent labeling and the application of appropriate management rules
  2. Automated remediation with our deepeo software
    • Implementation of differentiated automatic purging based on claim type and status (open, closed, in dispute)
    • Adapted anonymization/pseudonymization according to the target environment (e.g., pseudonymization for group reporting, strong anonymization for lower-tier environments)
    • Maintenance of data consistency (relationships, foreign keys) to ensure test cases remain usable
  3. Traceability & compliance reporting
    • Generation of processing logs (exportable GDPR logs)
    • Dashboard for the DPO showing data purged, data pseudonymized, and data still to be processed
    • Integration with group reporting tools
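
As an added illustration of pillar 2 (this is not deepeo's implementation, and not code from the project), the sketch below applies the DPO's retention periods (5 years for standard claims, 10 years for legal disputes) and then pseudonymizes customer keys so that joins between tables still work. The table layout, the sample rows, counting retention from the closure date, and the use of HMAC-SHA256 as the pseudonymization function are all assumptions.

```python
import hashlib
import hmac
import sqlite3
from datetime import date

# Retention periods from the case study; counting from closure date is an assumption.
RETENTION_YEARS = {"standard": 5, "legal_dispute": 10}
KEY = b"constructed-demo-key"  # placeholder; a real key belongs in a secrets manager

def pseudonym(value: str) -> str:
    """Keyed, deterministic token: same input gives same token, so joins survive."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical schema, not the bank's)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (customer_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE claims (claim_id INTEGER PRIMARY KEY, customer_id TEXT,
                             kind TEXT, status TEXT, closed_on TEXT);
        INSERT INTO customers VALUES ('C1','Alice Martin'), ('C2','Bruno Keller');
        INSERT INTO claims VALUES
            (1,'C1','standard','closed','2015-03-01'),
            (2,'C1','legal_dispute','closed','2015-03-01'),
            (3,'C2','standard','open',NULL),
            (4,'C2','standard','closed','2023-06-30');
    """)
    return db

def purge_expired(db: sqlite3.Connection, today: date) -> int:
    """Delete closed claims past their retention period; open claims are kept."""
    purged = 0
    for kind, years in RETENTION_YEARS.items():
        # ISO strings compare lexicographically, so this also works on 29 February.
        cutoff = f"{today.year - years:04d}-{today:%m-%d}"
        cur = db.execute("DELETE FROM claims WHERE kind=? AND status='closed' "
                         "AND closed_on < ?", (kind, cutoff))
        purged += cur.rowcount
    return purged

def pseudonymize(db: sqlite3.Connection) -> None:
    """Rewrite the key in parent and child tables with the same token."""
    ids = [r[0] for r in db.execute("SELECT customer_id FROM customers")]
    for cid in ids:
        tok = pseudonym(cid)
        db.execute("UPDATE claims SET customer_id=? WHERE customer_id=?", (tok, cid))
        db.execute("UPDATE customers SET customer_id=?, name=? WHERE customer_id=?",
                   (tok, "SUBJECT-" + tok[:6], cid))
```

Because the token is keyed and repeatable, the output is still personal data for anyone holding the key; it suits a reporting copy, while lower-tier environments call for irreversible anonymization as described above.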

 

Over 420 million data entries have been processed in 18 months. For each data family and associated database, the project timeline is about 6 months, including the deployment of remediation and anonymization agents.

A relationship of trust quickly developed between the client and the Infotel team, based on listening, responsiveness, and the quality of deliverables. This smooth collaboration enabled efficient progress at every stage of the project, in a climate of transparency and co-construction.

 

Results Achieved within 6 months of go-live

The implementation of deepeo quickly delivered measurable benefits in compliance, performance, and cross-team collaboration:

  • Over 14 million records were purged or pseudonymized according to their status
  • Zero real data remained in test environments by the end of the third month
  • 70% reduction in GDPR-related anomalies identified during the initial audit
  • Improved database performance, in terms of both size and indexing efficiency
  • Restored trust among compliance, business, and IT teams

 

This use case demonstrates how coordinated action between compliance, data governance, and technical automation can not only reduce regulatory risk but also enhance the efficiency of a bank’s testing and reporting processes. It’s also a concrete illustration of deepeo’s added value in a complex, multi-source architecture.

Thanks to deepeo, the company was able to save hundreds of hours of manual labor while ensuring rigorous compliance with data protection regulations and avoiding the risk of fines. The tool was warmly embraced by teams, who could refocus their efforts on higher-value tasks. deepeo is now perceived as a true trusted partner, serving both their operational effectiveness and regulatory peace of mind.

To go further, find out how our deepeo software solution can help you with the following features:

Data Deletion

Deletes all data for any data subject you no longer have a business or legal reason to hold.

Data Anonymiser

Performs the same operations as Data Deletion, but anonymises a data subject’s data instead of deleting it.

 
