Cass.Civ. - 1/26778/2019

From GDPRhub
Cass.Civ. - 1/26778/2019
Courts logo1.png
Court: Cass.Civ. (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 1418 Italian Civil Code
Decided: 26.06.2019
Published: 21.10.2019
Parties: Deutsche Bank Italia
National Case Number/Name: 1/26778/2019
European Case Law Identifier:
Appeal from: Court of Appeal of Genoa (Italy)
Appeal to:
Original Language(s): Italian
Original Source: Cass.Civ. (in Italian)
Initial Contributor: n/a

The Civil Division of the Court of Cassation (Corte Suprema di Cassazione - Cass.Civ.) ruled that the processing of customers' sensitive data by the Deutsche Bank S.p.A. for the conclusion of an account contract violated the principle of data minimisation under Article 5(1)(c) GDPR.

English Summary


Deutsche Bank S.p.A. asked a customer to provide his sensitive data in order to sign a contract for a bank account. The customer initially accepted the clause included in the contract, but then he withdrew his consent. As a result, the bank interrupted the service.


The Court had to assess whether this sensitive data was necessary for the Bank in order to conclude a contract for a bank account.


The Court found that the processing of the customer's sensitive data was not necessary for the execution of the relevant contract. Such a clause violates the principle of data minimization as provided for in Article 5(1)(c) GDPR. Consequently, according to Article 1418 of the Italian Civil Code, the contractual clause was declared invalid as contrary to mandatory rules.


Share you comment here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Italian original for more details.


Civil Order Section 1 Num. 26778 Year 2019
Data publication: 21/10/2019
on appeal No 25950/2015 brought by Epis Luca, residing in Rome, Piazza Cavour, before the Civil Registry of the Court of Cassation, represented and defended by Daniele Minotti, lawyer, just power of attorney at the end of the appeal; -applicant - 
Deutsche Bank Spa, in the person of its legal representative pro tempore, residing in Rome, Via Sabotino 2/A, at the offices of Paris Filippo, represented and defended by Gian Maria Volpe, attorney at the foot of the defense; -Contractoricorrente - 
against Judgment No 1298/2014 of the COURT OF APPLICATION of GENOA, lodged on 18 October 2014; having heard the report of the case brought in the Council Chamber on 26 June 2009 by Cons. FIDANZIA ANDREA
By a decision filed on October 18, 2014, the Genoa Court of Appeal upheld the decision of first instance by which the Court of Chiavari rejected all the requests made by Epis Luca for Deutsche Bank s.p.a. to be held liable. the contractual and/or non-contractual liability and/or violation of the law, with consequent sentence to pay compensation for financial and non-financial damages, for having "blocked" the operations of the bank account and the securities deposit, in the ownership of the customer, from the first days of March 2008 as a consequence of the fact that the latter had not intended to authorise the bank to process its sensitive data. The Court of Appeal of Genoa shared the legal approach of the judge of first instance according to which the bank, as owner of the data processing, within its managerial and contractual autonomy, not subject to particular limitations of law, had legitimately considered it necessary, for a complete and better management of relations with customers, to acquire also sensitive data. Neither the bank had breached the privacy law or breached the contract, having expressly informed Mr. Epis, pursuant to art. 13 of Legislative Decree no. 196/2003, at the time of signing the contract, that in the event of failure to authorize the processing of sensitive data, the bank could not carry out the transactions requested by the current account holder, and, despite this, these contractual conditions were freely signed by the customer. Epis Luca has appealed against this sentence, entrusting it to seven reasons. Deutsche Bank joined the proceedings with a counterclaim, contesting the generality of the appeal and the ineligibility of the same pursuant to art. 360 bis of the Italian Civil Code. Both parties filed their pleadings pursuant to Article 180 bis.1 of the Italian Civil Code. 


1. Before explaining the grounds of Mr Epis' appeal, the objections of inadmissibility of the appeal raised by the counter-current must be disregarded. First, the applicant does not propose a different reading of the procedural findings, concentrating his complaints mainly on infringements of the law (Article 1322 of the Civil Code and the Privacy Act). Moreover, this exception is clearly generic, not making any reference to the specific case for which it is a procedure. Moreover, the reference to Article 360a of the Civil Procedure Code is clearly inconclusive, since the judges on the merits have not examined any questions of law on which the case-law has decided in accordance with it. 

2. With the first plea Epis Luca deduced the violation and misapplication of art. 360, paragraph 1, no. 3 of the Italian Civil Code in relation to articles 1322 of the Italian Civil Code and 41 of the Italian Civil Code. The complainant complains that the contractual autonomy cannot be exercised without limits, such as that provided for by art. 23 of Legislative Decree no. 196/2003, according to which consent to the processing of personal data is validly given only if expressed freely. Obliging the customer to give consent to the processing of sensitive data with the prospect of blocking, otherwise, the current account or securities deposit, falls within the forms of pressure not allowed by contractual autonomy, affecting the free discernment, and this also in contrast with various provisions of the Constitution, including Articles 2, 41 and 47. 

3. With the second plea, the violation and the false application of Art. 13, 23, para 3 and 24 of Legislative Decree no. 196/2003 was deduced. The plaintiff reiterates that it does not comply with the law on privacy to oblige the other party to give consent to sensitive data, without this corresponds to any need, suggesting, otherwise, the failure to perform banking operations. The guidelines on the processing of personal data of customers in the banking sector issued by the Guarantor of Privacy reaffirm the principles of relevance and not exceeding expressed in art. 11 of paragraph 1 letter. d) of Legislative Decree no. 196/2003. 

4. With the third plea, the false application of clause 8.1 of the contract was deduced. The complainant complains that chapter 5, clause 8.1. of the uniform contract indicated as necessary only the consent relating to personal data. 

5. The fourth plea alleges that the judgment and the proceedings are null and void for breach of the principle of the right to a fair hearing, as set out in Article 101(2) of the Code of Civil Procedure and Articles 24 and 111 of the Italian Civil Code. The appellant complains that the appellate court based its decision on three exceptions of its own motion, such as those relating to the principle of specificity of the grounds, the incorrect application of Article 115 of the Code of Civil Procedure and the grievance over the settlement of the costs of the proceedings at first instance. 

6. The fifth plea alleges infringement of the principle of specificity, in accordance with the wording of Article 342(1) of the Code of Civil Procedure. The appellant complains that he put forward in detail and in detail all the reasons for the error of the judgment at first instance, noting that, in any event, Article 342(1) of the Code of Civil Procedure in force did not require a rigorous and formalistic statement of the reasons relied on in support of the appeal. 

7. The sixth plea alleges infringement of the law in relation to Articles 113 of the Civil Code, 24.54, 101 and 111 of the Constitution. The applicant complains that it never supported the subordination of regulatory sources to contractual ones. 

8. Seventh plea in law, alleging that the judgment on appeal has been contested in so far as it declared inadmissible, on grounds of lack of specificity, the grievance concerning the settlement of costs. The appellant complains that the court of first instance had ordered an all-inclusive order without the possibility of analytically checking the correctness of the settlement with the tables in force at the time. 

9. The first three pleas, which must be examined together in the light of the close connection between the questions dealt with, are well-founded. It should be noted that it is not disputed between the parties that the counter-current bank, at the time of the conclusion of the current account contract, with the relative opening of the securities deposit, brought to the attention of the customer, with notice countersigned by the latter, the clause that, in the absence of consent to the processing of sensitive data, the credit institution would not have been able to carry out the transactions and services requested. Precisely because of the circumstance that the customer, with the above information, had been fully informed of the consequences provided by the bank in case of refusal to give consent to the processing of sensitive data (and despite this, the customer had still signed the contract), both courts considered that the bank has not incurred any breach of contract, nor in violation of the privacy law, having the bank established such a regulation in the exercise of its contractual and managerial autonomy, not subject to particular limitations of law, for the purpose of a complete and better management of relations with customers. 

This Board does not agree with the legal approach of the contested judgment. First, it should be noted that the clause with which the bank has subordinated the execution of its operations to the release of consent to the processing of sensitive data undoubtedly contrasts with the guiding principles of the law on privacy, which is normally imperative, containing such rules precepts that can not be derogated from the private autonomy as placed to protect general interests, moral values and social pregnant in our system, aimed at the respect of fundamental rights and freedoms, such as dignity, confidentiality, personal identity, the protection of personal data. Among the principles that regulate the protection of the so-called privacy is the minimization of the use of personal data, since only the data that is indispensable, pertinent and limited to what is necessary for the pursuit of the purposes for which it is collected and processed must be used. In particular, this principle is well expressed by art. 3 of Legislative Decree no. 196/2003, entitled "principle of necessity in the processing of data", by art. 11 letter. d) law cit. This law requires the relevance, completeness and not excess of the data with respect to the purposes for which they are collected and processed and has recently been reaffirmed with the entry into force of art. 5 letter. c) of the European regulation on the protection of personal data 2016/679. The principle in question must be, a fortiori, respected also in the treatment of sensitive data, meaning by such, pursuant to art. 4, paragraph 10, letter d) of Legislative Decree no. 196/2003, those personal data disclosing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, unions, associations or organizations of a religious, philosophical, political or trade union, as well as personal data disclosing health and sex life. In the present case, the bank has apodictically justified the necessity of a compulsory consent of the client to the release of the authorization to the treatment of the sensitive data with its own company "policy", for the purpose of an unspecified complete and better management of the relationships with the clientele, specifying, also according to the reconstruction of the judges of merit, to consider it necessary to acquire the sensitive data, not in the sense "that the bank needs to have available the data c.d. sensitive data in order to operate, but in the sense that, since such data can come to the knowledge of the Credit Institution, as a precautionary measure, the bank wants to obtain the consent to their treatment" (page 6 of the contested judgment). This statement has no plausible justification. The same bank has acknowledged - and could not do otherwise in consideration of the precise notion of sensitive data, evincible of art. 4, paragraph 1, letter d) of Legislative Decree no. 196/2003 - that it does not need such data to operate. It is therefore evident that the foundation, as a precautionary measure, of the obligatory request to the client for the release of the authorization to process sensitive data on the eventual (rather remote) possibility that the Bank becomes aware of it in the course of its activity assumes the connotation of a mere pretext. The Bank has therefore compulsorily requested - otherwise suggesting the impossibility of being able to carry out the operations and services requested - the consent to the processing of sensitive data not relevant, not indispensable (such are those relating to the racial or ethnic origin of the customer, his health, sexual life, etc.) clearly exceeding the purposes for which such data are processed and collected. Nor could the illegitimate request for authorization to process sensitive data be justified by the fact that in the notion of "processing", in accordance with art. 4, paragraph 1, of the law cited above, the data are processed in a manner that is not in keeping with the purposes for which they are processed and collected, The processing of sensitive data includes any operation or set of operations, carried out even without the aid of electronic instruments, and therefore not only the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination of data, even if not recorded in a database, but also the cancellation and destruction of the same. In this regard, it is clear that if the Bank had really been moved by the sole intention of providing for the mere cancellation and destruction of sensitive data of which it had become aware by pure chance, it would not have been necessary to impose the prior and general consent to their "treatment" (which includes all the operations of use mentioned above), being able to request one-off consent to the destruction and cancellation of such data, once the need had arisen. In conclusion, the clause with which the bank has subordinated the execution of the operations requested by the client to the consent to the processing of sensitive data is affected by nullity as contrary to mandatory rules, pursuant to art. 1418 of the Italian Civil Code. It follows that the conduct with which the same credit institution has subsequently "blocked" the current account and the securities deposit, precisely because it finds its title in a clause inserted void, does not exonerate it from liability for breach of contract. Moreover, the Bank, having submitted the information mentioned several times, to the attention of the customer at the time of signing the bank account contract, in the face of the refusal of the customer to sign consent to the processing of sensitive data, should have, if it had wanted to be consistent, refused to establish the contractual relationship and not instead, as actually happened, allow the customer to open the account and to operate on it for a certain period of time, and then "block" it for a cause of which it was already fully aware at the time of opening the current account (and securities account). Therefore, the contested sentence must be quashed and referred to the Court of Appeal of Genoa, in a different composition, for further examination and to provide for the costs of the lawsuit. 9. The fourth to seventh pleas in law are hereby absorbed. P.Q.M. Accepts the first three pleas, absorbs the others and refers the matter back to the Court of Appeal of Genoa, in a different composition, for further examination and to rule on the costs of the lawsuit. Roma , so decided on 26.6.2019