Hoge Raad - 24/02161
| Hoge Raad - 24/02161 | |
|---|---|
 | |
| Court: | Hoge Raad (Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 4(14) GDPR Article 9(1) GDPR Directive (EU) 2015/849 |
| Decided: | 21.02.2025 |
| Published: | 27.02.2025 |
| Parties: | |
| National Case Number/Name: | 24/02161 |
| European Case Law Identifier: | ECLI:NL:PHR:2025:260, |
| Appeal from: | |
| Appeal to: | Not appealed |
| Original Language(s): | Dutch |
| Original Source: | de Rechtspraak (in Dutch) |
| Initial Contributor: | cwa |
The Public Prosecutor (Parket) advised the Supreme Court that a bank’s identification process should not constitute processing of biometric data since it did not result from specific technical processing because the identification was performed by an employee and not by a software.
English Summary
Facts
The data subject applied for a credit card in 2008 and was granted it.
In July 2020, the bank (controller) requested that the data subject identify themselves online by providing a copy of their ID and a digital selfie. A bank employee would then compare the two images and approve it. The data subject was informed that this was necessary to comply with the provisions of the Fourth Anti-Money Laundering Directive (AMLD) and failure to do this would result in their card being terminated.
In late July and early August, the controller contacted the data subject, again requesting that they verify their identity through the online portal. On 17 August 2020, the data subject was informed that their credit card agreement would be cancelled in November 2020, unless they verified their identity before then.
In September 2020, the data subject sued the controller in the Subdistrict Court of Amsterdam, which declared some of her claims as inadmissible and dismissed others.
In August 2021, the data subject appealed to the Amsterdam Court of Appeal. The data subject sought, inter alia, the restoration of their credit card, the payment of compensation, and a declaration that the bank’s proposed method of identification is unlawful.
In March 2024, the Amsterdam Court of Appeal upheld the decision of the lower Court.
The data subject then appealed to the Supreme Court. The data subject argued that the processing of biometric data in the identity verification procedure is unlawful under Article 9(1) GDPR and that the appellate court had erred in finding that the controller could retain copies of their ID after the verification had been performed.
Holding
The Parket opined that the verification of the data subject’s identity in this method did not constitute biometric processing, falling under Article 9 GDPR. The Parket reasoned that the identification of the individual in this process is performed by an employee of the controller, not by software. The processing operation was therefore not performed by “technical means” as required in the definition of biometric data. The court noted that this was sufficiently clear so as to not require any questions to be referred to the Court of Justice.
In relation to the question of the legitimacy of the retention of the ID by the bank, the Parket ruled that this practice was lawful. The Parket referenced the obligation to perform customer due diligence under the ALMD and to store the documents and data used to comply with this provision “in a retrievable manner”. The Parket therefore ruled that a directive-compliant interpretation of this provision means that institutions are obliged to retain copies of IDs used for verification.
Accordingly, the Parket recommended that the Supreme Court dismiss the applicant’s appeal.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
