Persónuvernd - 2020010532
Persónuvernd - 2020010532 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 6(1)(c) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 10.03.2021 |
Published: | 26.03.2021 |
Fine: | None |
Parties: | Landsbankinn |
National Case Number/Name: | 2020010532 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Icelandic |
Original Source: | Personunvernd (in IS) |
Initial Contributor: | n/a |
The Icelandic DPA ruled on the processing of personal information by a financial institution in connection with cash transactions. A complaint was made about the financial institution's request for information on the source of the funds requested to be audited. It was concluded that the processing was permitted on the basis of the Act on Measures against Money Laundering and Terrorist Financing.
English Summary
Facts
On January 8, 2020, the DPA received a complaint regarding the claim of Landsbankinn for information on the year-end balance of the complainant's account with Kvika banki in connection with the complainant's request for certain transactions with Landsbankinn.
The complainant had transferred approximately ISK 4 million from Kvika banki hf. to Landsbankinn in December 2019. In January 2020, the complainant requested Landsbankinn to withdraw ISK 3 million in cash. With reference to the Money Laundering Act, Landsbankinn demanded information on the origin of his funds and requested information on the complainant's account with Kvika banki from the last three years. The complainant considers that it would have been preferable, in order to ensure proportionality in processing, for him to be able to hand over to Landsbankinn, for example, confirmation of the legitimate origin of the capital from Kvika banki.
Dispute
Holding
The DPA concluded that Landsbankinn's processing of personal information about the complainant was permitted on the basis of point 3. Paragraph 1 Article 9 Act no. 90/2018, to the effect that the processing was necessary to fulfill the legal obligation that rests with the responsible party.
In view of the above, the conclusion of the Data Protection Authority is that Landsbankinn's processing of the complainant's personal information was in accordance with Act no. 90/2018, on personal protection and processing of personal information.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Processing of personal information by a financial institution in connection with cash transactions Case no. 2020010532 26.3.2021 The Data Protection Authority has ruled on the processing of personal information by a financial institution in connection with cash transactions. A complaint was made about the financial institution's request for information on the source of the funds requested to be audited. It was concluded that the processing was permitted on the basis of the Act on Measures against Money Laundering and Terrorist Financing. Ruling At a meeting of the Board of the Data Protection Authority on 10 March 2021, the following ruling was issued in case no. 2020010532. I. Procedure 1. Outline of case On January 8, 2020, the Data Protection Authority received a complaint from […] (hereinafter the complainant), regarding the claim of Landsbankinn hf. (hereinafter Landsbankinn) for information on the year-end balance of the complainant's account with Kvika banki in connection with the complainant's request for certain transactions with Landsbankinn By letter dated On 7 September 2020, Landsbankinn was notified of the above-mentioned complaint and given an opportunity to comment on it. Landsbankinn responded by letter dated 18. sm The handling of this case has been delayed due to significant concerns at the Data Protection Authority. 2. The complainant's views The complaint states that the complainant had transferred approximately ISK 4 million from Kvika banki hf. (hereafter Kvika banki) to Landsbankinn in December 2019. In January 2020, the complainant requested Landsbankinn to withdraw ISK 3 million in cash. The complaint states that with reference to the Money Laundering Act, Landsbankinn has demanded information on the origin of the funds and requested an annual settlement on the complainant's account with Kvika banki from the last three years. The complainant considers that it would have been preferable, in order to ensure proportionality in processing, for him to be able to hand over to Landsbankinn, for example, confirmation of the legitimate origin of the capital from Kvika banki. In the complainant's opinion, Landsbankinn's claim violates his right to privacy and he considers that information on the status of the complainant's account with Kvika banki cannot provide Landsbankinn with assurance that the funds are his legitimate assets and not badly received. The complainant also considers that proportionality was not observed as it would have been possible to request a simple confirmation from Kvika banki, or, as the case may be, the bank's compliance officer, to the effect that the funds were legally obtained. 3. The views of Landsbankinn hf. Landsbankinn's reply states that on 3 January 2020 […] came with the complainant to Landsbankinn's branch to assist him in withdrawing cash amounting to ISK 3 million from the complainant's account. It is stated that the funds had been transferred from the complainant's account at Kvika banki to Landsbankinn shortly before. It is also stated that Landsbankinn is a party subject to notification according to Act no. 140/2018 on measures against money laundering and terrorist financing and is therefore obliged to obtain information that confirms the origin of funds. The letter also refers to the risk assessment of the National Commissioner of Police regarding money laundering and terrorist financing, dated. April 5, 2019, as well as Landsbankinn's risk assessment, which states that the risk of cash transactions is in the highest risk category. It also states that in the case of individual transactions in excess of EUR 15,000, as well as cash transactions, the complainant was informed that the bank was obliged to confirm the origin of the funds and to carry out a due diligence, cf. paragraph 1 (b) Article 8 Act no. 140/2018, as well as an increased due diligence according to item c of the first paragraph. Article 13 the same law .This had been done by requesting a New Year's balance from the complainant's account at Kvika banki, from where the funds had been transferred to the complainant's account at Landsbankinn. It also states that the way in which the bank confirms the origin of funds depends on the circumstances at hand, e.g. á m. customer explanations of the origin of funds and the purpose of transactions. In the complainant's case, his explanation for the origin of the funds was that they were due to his savings. The bank also maintained proportionality by requesting only information on the New Year's balance sheet account, instead of requesting an overview of all transactions in the complainant's account over a certain period, as such a statement would have shown individual transactions, deposits and other movements that the New Year's balance sheet did not show. With reference to the above, Landsbankinn considers that the processing was permitted on the basis of point 3. Paragraph 1 Article 9 Act no. 90/2018, as the processing was necessary to fulfill the legal obligation according to Act no. 140/2018, and that proportionality was maintained by requesting only the year-end balance of the complainant's account with Kvika banki. 4. The Central Bank of Iceland's exchange rate Landsbankinn's reply letter refers, among other things, to item b of the first paragraph. Article 8 Act no. 140/2018, which states that parties subject to notification must check the reliability of their customers for individual transactions in the amount of EUR 15,000 or more based on the official reference exchange rate as recorded at any given time, but the explanatory notes to the provision state that the exchange rate on the day trading takes place. According to the Central Bank of Iceland's website, the official exchange rate of the euro on 3 January 2020, when the complainant requested an appraisal of ISK 3 million at Landsbanki's branch, was ISK 136.9, and the transaction therefore amounted to EUR 21,913. II. Assumptions and conclusion 1. Scope - Responsible party Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file. Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation. Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation. This case concerns Landsbankinn's request for information on the year - end balance on the complainant's account with Kvika banki in connection with the complainant's request for certain transactions with Landsbankinn. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority. The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Landsbankinn is considered to be responsible for the processing in question. 2. Legality of processing All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018. It may be mentioned that personal information may be processed if it is necessary to fulfill a legal obligation that rests with the responsible party, cf. 3. tölul. of that article. In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph. Article 11 of the Act. The case that is being resolved here concerns a complaint regarding the processing of financial information, but such information is not classified as sensitive personal information according to point 3. Article 3 Act no. 90/2018 and there is an authorization according to Article 11. of the Act therefore not for consideration. In assessing the authorization for the processing of personal data, the provisions of other applicable laws must also be taken into account at any given time. Landsbankinn is a financial company within the meaning of Act no. 161/2002 on financial undertakings, cf. 1. tölul. Paragraph 1 Article 1 a. of the law. Such companies fall within the scope of Act no. 140/2018, on measures against money laundering and terrorist financing, cf. point a of the first paragraph. Article 2 of them, and are notifiable parties according to that law, cf. 17. Paragraph 1 Article 3 the same law. According to Art. Act no. 140/2018, parties subject to notification are required to make a risk assessment of their operations and transactions. According to the first paragraph. of the provision, the assessment shall include a written analysis and assessment of the risk of money laundering and terrorist financing, and shall take into account, among other things, risk factors related to customers, products, services, trade, technology and distribution channels. When preparing a risk assessment, parties subject to notification must also take into account the risk assessment of the National Commissioner of Police, cf. Article 4 the same law. According to the National Commissioner of Police's risk assessment, dated April 2019, due to money laundering and terrorist financing, which is referred to in Landsbankinn's response, the risk due to cash transactions is considered high. Parties subject to notification pursuant to the first paragraph. Article 8 Act no. 140/2018 to carry out a due diligence on its customers in certain cases, such as for individual transactions in the amount of EUR 15,000 or more based on the official reference exchange rate as recorded at any given time, cf. paragraph 1 (b) of the provision. As stated in section I.4 above, the amount of the transaction in question was in excess of EUR 15,000. Parties subject to notification are also obliged, cf. Article 13 of the same Act, to apply an increased due diligence in the case of a risk assessment, according to the aforementioned Article 5. Act no. 140/2018, indicates that it involves a great deal of risk, but as stated above, the risk due to trading in cash is considered high according to the risk assessment of the National Commissioner of Police. With regard to the above provisions of Act no. 140/2018, it is the opinion of the Data Protection Authority that Landsbankinn's processing of personal information about the complainant was permitted on the basis of point 3. Paragraph 1 Article 9 Act no. 90/2018, to the effect that the processing was necessary to fulfill the legal obligation that rests with the responsible party. In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be sufficient, relevant and not in excess of what is necessary in view of the purpose of the processing (cf. point 3 of the provision). In the complaint, the complainant states, among other things, that he believes that proportionality was not observed as it would have been possible to request a simple confirmation from Kvika banki, or, as the case may be, the bank's compliance officer, to the effect that the funds were legally obtained. Landsbankinn has stated that the bank believes that proportionality has been maintained by not requesting more extensive information than was needed to verify the origin of the funds. Objectives of Act no. 140/2018 is to prevent money laundering and terrorist financing by obliging parties engaged in activities that may be used for money laundering or terrorist financing to identify the identities of their customers and their activities and notify the competent authorities of this. about or will they be warned of such illegal activities, cf. Article 1 of the Act. According to this, an independent obligation rests on those who fall within the scope of Act no. 140/2018 to identify the identity of its customers, e.g. á m. to confirm, as appropriate, the origin of the funds used in the transaction. In view of all the above, it will not be considered that the processing of personal information at Landsbankinn has violated the proportionality requirement of point 3. Paragraph 1 Article 8 Act no. 90/2018, Coll. paragraph 1 (c) Article 5 Regulation (EU) 2016/679. In view of the above, the conclusion of the Data Protection Authority is that Landsbankinn's processing of the complainant's personal information was in accordance with Act no. 90/2018, on personal protection and processing of personal information. Ú r s k u r ð a r o r ð: The processing of Landsbankinn hf. on personal information on […] due to a due diligence in connection with the bank's cash transactions was in accordance with Act no. 90/2018, on personal protection and processing of personal information. In Privacy, March 10, 2021 Ólafur Garðarsson acting chairman Björn Geirsson Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson