DSB (Austria) - 2020-0.280.699
Authority: DSB (Austrian Data Protection Authority)
National Case Number/Name: DSB-D124.720
Decision date: May 28, 2020
Parties: Richard A*** (data subject/complainant); N*** Bank (controller/respondent)
Relevant national law: Austrian Financial Market Money Laundering Act (FM-GwG)
European Case Law Identifier: n/a
Original Source: RIS (in DE)
The Austrian DPA ordered a bank to delete a copy of the data subject's driver's license that it had retained, citing the Austrian Financial Market Money Laundering Act (FM-GwG); the €100 currency exchange at issue was far below the Act's thresholds, so the bank was under no legal obligation to verify the data subject's identity.
English Summary
Facts
The data subject, a former customer of the controller (a bank), went to one of its branches to exchange €100 in cash into Turkish lira (TRY). The bank required him to produce photo ID for the exchange; he initially refused but, when the branch manager insisted that the exchange would otherwise be aborted, presented his driver's license, which the bank copied and stored. The data subject complained to the Austrian DPA that this violated his right to secrecy under § 1 DSG.
The bank argued that the processing (copying and storing the driver's license) was necessary to comply with legal obligations under the Financial Market Money Laundering Act (FM-GwG). It cited § 5 Z 4 (due diligence required whenever there is a suspicion of money laundering or terrorist financing, regardless of the amount), § 6(1) Z 1 (identification by official photo ID), § 2 Z 6 in conjunction with § 11 (checks for politically exposed persons, since the branch manager recalled the data subject working for a "higher federal authority") and § 21(1) (five-year retention of copies). It also claimed that identity data were needed to allocate the cash deposit in its collective customer account.
Holding
The DPA noted that § 5 Z 2 FM-GwG (Application of due diligence) requires due diligence for occasional transactions only from €15,000 upwards (or for transfers of funds within the meaning of Regulation (EU) 2015/847 above €1,000). The €100 exchange was well below these thresholds, so § 5 Z 2 did not trigger identification under § 6(1) FM-GwG (Scope of due diligence). Nor did § 5 Z 4 apply: merely refusing to show ID is not, without further indications, a suspicion of money laundering or terrorist financing. The PEP argument also failed, since an employee of a "higher federal authority" is not a politically exposed person under § 2 Z 6 FM-GwG, and simply asking the data subject would have been a less intrusive way to check.
Because the FM-GwG imposed no obligation on the controller to verify the data subject's identity, there was no qualified legal basis for the processing (assessed under § 1(2) DSG, read in light of Art. 6(1)(c) GDPR). The DPA also rejected consent as a basis: the data subject only produced his license because the exchange would otherwise have been refused, so consent was not freely given (Art. 4 Z 11 and Art. 7(4) GDPR). The data subject was therefore entitled to erasure under Article 17(1)(d) GDPR, which applies where personal data have been unlawfully processed.
The DPA accordingly ordered the controller to delete the copy it had retained of the data subject's driver's license within four weeks.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2020-0.280.699 of May 28, 2020 (case number: DSB-D124.720)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations, may have been abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected.]

DECISION

RULING

The data protection authority decides on the data protection complaint of Richard A*** (complainant) of April 29, 2019 against N*** Bank AG (respondent) for violation of the right to secrecy as follows:

1. The complaint is upheld, and it is found that the respondent violated the complainant's right to secrecy in that an employee of the respondent made a copy of the complainant's driver's license in the course of a currency exchange of 100 euros into Turkish lira and the respondent retained and stored this copy.

2. The respondent is instructed to delete the data specified in point 1 within a period of four weeks.

Legal basis: Art. 4 Z 1, Z 2 and Z 11, Art. 6(1)(c), Art. 7(4), Art. 9, Art. 51(1), Art. 57(1)(f), Art. 58(2)(g) and Art. 77(1) GDPR; §§ 1(1) and (2), 18(1) and 24(1) and (5) Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; §§ 2 Z 1, Z 6 and Z 15, 5 Z 4, 6(1) and (2), 11(1) and 21(1) Z 1 Financial Market Money Laundering Act (FM-GwG), Federal Law Gazette I No. 118/2016 as amended.

REASONING

A. Submissions of the parties and course of the proceedings

1. In a submission dated April 29, 2019, improved by a submission dated June 11, 2019, the complainant submitted, in summary, that the respondent had violated his right to secrecy. The respondent's branch manager had asked him to present a photo ID because he wanted to exchange the sum of EUR 100 for Turkish lira (TRY). The complainant, who was a former customer of the respondent, initially refused, but finally presented his driver's license. The respondent then copied and stored the complainant's driver's license and retained the copy. The respondent's demand for an identity check was excessive and had no legal basis. The complainant pointed out that the respondent had referred to the FM-GwG in a letter sent to him on May 3, 2019, and that both the respondent's branch manager and the respondent itself had improperly collected and used his personal data. The complainant also alleged a violation of Art. 9 GDPR.

2. By order (GZ: DSB-D124.720/0003-DSB-2019) of June 28, 2019, the data protection authority requested the respondent to comment.

3. In a letter dated July 26, 2019 (received on July 31, 2019), the respondent stated that exchanging EUR for TRY, or ordering a foreign currency, required the collection of identity data so that the necessary cash deposit could be credited to the collective customer account. In addition, the respondent was legally obliged to establish the complainant's identity under the FM-GwG, which implements the 4th EU Anti-Money Laundering Directive (Directive (EU) 2015/849). On this basis, the respondent must apply due diligence measures regardless of the amount paid in or out if there is even a suspicion of money laundering or terrorist financing pursuant to § 5 Z 4 FM-GwG and, in case of doubt, request identity documents pursuant to § 6(1) Z 1 FM-GwG. The complainant's refusal to produce an identification document had been interpreted as conspicuous customer behaviour.

The branch manager who was called in recognised the complainant as a former customer, remembered that the complainant was an employee of a higher federal authority, and repeated the request to present an ID card in order to be able to carry out a check for politically exposed persons (PEP) within the meaning of § 2 Z 6 in conjunction with § 11 FM-GwG. A customer who wants to carry out an occasional transaction within the meaning of § 2 Z 15 FM-GwG also poses an increased risk from a know-your-customer perspective, since in such a case the respondent knows neither the customer nor his behaviour. Furthermore, pursuant to § 21(1) FM-GwG, the respondent is obliged to keep copies of the documents and information received that are necessary for fulfilling its due diligence obligations towards customers for a period of five years.

4. By order (GZ: DSB-D124.720/0004-DSB/2019) of July 31, 2019, the data protection authority granted the complainant the right to be heard.

5. In a submission dated August 21, 2019, the complainant replied that it was incomprehensible that the respondent based the collection of identity data on the allocation of the credit balance, since he had received a receipt from the bank for the deposit of 100 euros for the currency exchange and anyone holding this receipt could have the Turkish lira amount paid out, so that an identity check was not necessary. Furthermore, the respondent and the branch manager were wrong to assume that the complainant was an employee of a higher federal authority, since he had been a customs officer during his customer relationship with the respondent; his current position is also described as "legal employee". It follows that § 2 Z 6 in conjunction with § 11 FM-GwG is not applicable to him. The respondent's legal argument based on the FM-GwG was incorrect.
The complainant cites the circular of the Financial Market Authority of December 18, 2018 on the "duty of care to prevent money laundering and terrorist financing" and the guidelines of H***-Bank, according to which EUR 100 does not fall under the FM-GwG, since the thresholds of EUR 1,000 and EUR 15,000 were not exceeded. It follows that the respondent had requested the complainant's identity data without any legal basis.

6. By order (GZ: DSB-D124.720/0006-DSB/2019) of November 15, 2019, the data protection authority again asked the respondent to comment.

7. In a statement submitted electronically and by post, dated December 4, 2019 (received on December 9, 2019), the respondent stated that withdrawals of ordered foreign currencies could lead to overlaps in the collective customer account. An identification document is required to prevent the foreign currency amount from being paid out to another customer. The complainant misjudged the legal situation, since the threshold of EUR 1,000 refers only to the case of § 5 Z 2 lit. b FM-GwG. § 5 Z 4 FM-GwG, on the other hand, lays down a case based on subjective criteria. Bank employees therefore have to assess a priori whether there is conspicuous customer behaviour in this sense and, in case of doubt, request identity documents pursuant to § 6(1) Z 1 FM-GwG. The branch manager had to decide without investigation and was not in a position to check whether the complainant was in fact a politically exposed person.

8. By order (GZ: DSB-D124.720/0007-DSB/2019) of December 10, 2019, the data protection authority again granted the complainant the right to be heard.

9. The complainant made no further submissions.

B. Subject of complaint

The subject of the complaint is the question of whether the respondent violated the complainant's right to secrecy in that an employee of the respondent copied the complainant's driver's license in the course of a currency exchange of 100 euros into TRY and the respondent retained and stored the copy.

C. Findings of fact

The respondent is N*** Bank AG, which is registered with the Regional Court O*** under FN *3*80*1a and which, as a credit institution, carries on domestic activities through branches. The branch N*** Bank E***Stadt and the manager of this branch are attributable to the respondent.

Assessment of evidence: The findings are based on the information on the respondent's website (www.n***bank.at/de/privatkunden/Standorte/filiale-e***stadt.html, accessed on May 20, 2020) and on a query of the company register by the data protection authority.

On April 23, 2019, the complainant entered the respondent's branch N*** Bank E***Stadt to have the cash amount of 100 euros exchanged into Turkish lira (TRY). The complainant was asked to produce a photo ID for the currency exchange. The complainant refused. The branch manager was then called in, who recognised the complainant as a former customer and remembered that he was an employee of a higher federal authority. The branch manager repeated the request to present a photo ID (passport) for identification, failing which the currency exchange would be aborted. The complainant then presented his driver's license, which was copied. The copy has been retained and stored. The complainant received a receipt for the payment.

Assessment of evidence: The findings result from the undisputed submissions of the parties to the data protection authority, in particular from the complainant's submission of April 29, 2019, improved by the submission of June 11, 2019.

D. In legal terms it follows that:

Regarding point 1:

D1. Introductory remarks

Although the complainant names both the branch manager and the respondent as responsible, it should be noted that the branch manager, as an employee of the respondent, is attributable to the respondent and does not qualify as a separate controller within the meaning of Art. 4 GDPR, since he did not decide on the purposes and means of the relevant data processing but acted in accordance with his employer's instructions.

It should also be noted at the outset that in the present case a violation of the right to secrecy under § 1(1) DSG must be examined, and that restrictions of this right follow from § 1(2) DSG, not from Art. 6(1) or Art. 9(2) GDPR. However, the GDPR, and in particular the principles enshrined in it, must be taken into account when interpreting the right to secrecy (cf. the decision of the DSB of October 31, 2018, GZ DSB-D123.076/0003-DSB/2018).

Under § 1(1) DSG, everyone has the right to confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in this. This means protection of the data subject against their data being ascertained and against disclosure of the data ascertained about them. Conceptually, this therefore presupposes the processing of personal data by the controller. Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (cf. Art. 4 Z 2 GDPR). The collection and copying of the complainant's driver's license and the retention and storage of the copy indisputably constitute the processing of personal data.
Contrary to the complainant's original submission, however, the data concerned are not special categories of personal data within the meaning of Art. 9(1) GDPR (cf. most recently the decision of January 21, 2020, GZ 2020-0013649).

D2. On the restriction of the right to secrecy

Under § 1(2) DSG, restrictions on the right to secrecy are permissible only if the use of personal data is in the vital interests of the data subject or takes place with his consent, if there are overriding legitimate interests of another person, or if there is a qualified legal basis. In the present case, no vital interests of the complainant can be identified, and there was no consent to the data processing either. It must therefore first be examined whether a legal basis exists that would permit the processing.

On the legal basis:

In the present case, the respondent argued that under the FM-GwG it was legally obliged to establish the complainant's identity and to keep copies for a period of five years after the end of the business relationship with the customer or after the date of an occasional transaction.

Applicable provisions of the FM-GwG:

§ 2 Z 1, Z 6 and Z 15 FM-GwG, Federal Law Gazette I No. 118/2016 as amended, reads as follows, including the heading:

Definitions
§ 2. For the purposes of this federal act:
1. Credit institution: a credit institution pursuant to § 1(1) BWG and a CRR credit institution pursuant to § 9 BWG that carries on domestic activities through a branch.
[...]
6. Politically exposed person: a natural person who holds or has held a prominent public function; this includes in particular:
a) heads of state, heads of government, ministers, deputy ministers and state secretaries; in Austria this applies in particular to the Federal President, the Federal Chancellor and the members of the federal and state governments;
b) members of parliament or of comparable legislative bodies; in Austria this applies in particular to members of the National Council and the Federal Council;
c) members of the governing bodies of political parties; in Austria this applies in particular to members of the executive bodies of political parties represented in the National Council;
d) members of supreme courts, constitutional courts or other high-level judicial bodies whose decisions are not subject to further appeal, except in exceptional circumstances; in Austria this applies in particular to judges of the Supreme Court, the Constitutional Court and the Administrative Court;
e) members of courts of auditors or of the governing bodies of central banks; in Austria this applies in particular to the president of the Federal Court of Audit, the directors of the state courts of audit and the members of the governing board of the Oesterreichische Nationalbank;
f) ambassadors, chargés d'affaires and high-ranking officers in the armed forces; in Austria, high-ranking officers of the armed forces are in particular military personnel from the rank of lieutenant general upwards;
g) members of the administrative, management or supervisory bodies of state-owned enterprises; in Austria this applies in particular to companies in which the federal government holds at least 50% of the share capital, nominal capital or equity, or which the federal government operates alone, or which the federal government actually controls through financial or other economic or organisational measures; for companies in which a state (Land) holds at least 50% of the share capital, nominal capital or equity, or which a state operates alone, or which a state actually controls through financial or other economic or organisational measures, the management board or managing directors, provided that the company's total annual turnover exceeds 1,000,000 euros. Total annual turnover is determined according to the annual turnover in the last approved annual financial statements;
h) directors, deputy directors and members of the governing body or holders of a comparable function in an international organisation.
None of the public functions referred to in lit. a to h include middle-ranking or more junior officials.
[...]
15. Customer: any person who has established or intends to establish a business relationship with the obliged entity, as well as any person for whom the obliged entity carries out or is to carry out a transaction outside the framework of a business relationship (occasional transaction).

§ 5 FM-GwG, Federal Law Gazette I No. 118/2016 as amended, reads as follows, including the heading:

Application of due diligence obligations
§ 5. Obliged entities must apply the due diligence obligations towards customers pursuant to § 6 in the following cases:
1. when establishing a business relationship; savings deposit transactions pursuant to § 31(1) BWG and transactions pursuant to § 12 Depotgesetz (Securities Deposit Act) always count as a business relationship;
2. when carrying out any transaction outside the framework of a business relationship (occasional transaction)
a) amounting to at least 15,000 euros or the equivalent in euros, whether the transaction is carried out in a single operation or in several operations which appear to be linked, or
b) which constitutes a transfer of funds within the meaning of Art. 3 Z 9 of Regulation (EU) 2015/847 exceeding 1,000 euros;
if the amount in the cases of lit. a is not known before the transaction begins, the due diligence obligations apply as soon as the amount is known and it is established that it is at least 15,000 euros or the equivalent in euros;
3. for each deposit to and each withdrawal from savings deposits, if the amount to be deposited or withdrawn is at least 15,000 euros or the equivalent in euros;
4. if there is a suspicion or reasonable grounds to assume that the customer belongs to a terrorist organisation (§ 278b StGB) or that the customer is objectively involved in transactions connected with money laundering (§ 165 StGB, including assets deriving from a criminal act of the perpetrator himself) or serving to finance terrorism (§ 278d StGB);
5. if there are doubts about the veracity or adequacy of previously obtained customer identification data.

§ 6(1) and (2) FM-GwG, Federal Law Gazette I No. 118/2016 as amended, reads as follows, including the heading:

Scope of due diligence obligations
§ 6. (1) The due diligence obligations towards customers comprise:
1. identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source, including electronic identification means and relevant trust services pursuant to Regulation (EU) No 910/2014 and other secure procedures for remote or electronic identification pursuant to paragraph 4;
2. identifying the beneficial owner and taking reasonable measures to verify that person's identity so that the obliged entity is satisfied that it knows who the beneficial owner is; in the case of legal persons, trusts, companies, foundations and similar legal arrangements, this includes taking reasonable measures to understand the ownership and control structure of the customer. If the identified beneficial owner is a senior managing official pursuant to § 2 Z 1 lit. b BORA (Beneficial Owners Register Act), the obliged entity shall take the necessary reasonable measures to verify the identity of the natural persons who are senior managing officials and shall keep records of the actions taken and of any difficulties encountered during the verification process. An appropriate measure is to inspect the register of beneficial owners pursuant to § 11 BORA;
3. assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
4. collecting and verifying information on the origin of the funds used; such information may include, in particular, the occupation, business, income or operating results, or the general financial circumstances of the customer and its beneficial owners;
5. identifying and verifying the identity of the trustor and the trustee pursuant to paragraph 3;
6. ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of the business relationship to ensure that they are consistent with the obliged entity's knowledge of the customer, its business and risk profile, including, where necessary, the source of funds;
7. regularly verifying that all information, data and documents required under this federal act are present and keeping this information, data and documents up to date.
The identity of every person who states that they wish to act on behalf of the customer (authorised representative) must be identified and verified in accordance with Z 1. The authority to represent must be verified in a suitable manner. The customer must immediately notify the obliged entity of any changes in the authority to represent during the ongoing business relationship.
(2) The verification of identity pursuant to paragraph 1 Z 1 shall be carried out
1. in the case of a natural person, by the personal presentation of an official photo ID. An official photo ID for this purpose is a document issued by a state authority which bears a non-replaceable, recognisable head photograph of the person concerned and contains the person's name, date of birth and signature and the issuing authority; in the case of travel documents of foreign nationals, the signature and the full date of birth need not be contained in the travel document if this is in accordance with the law of the issuing state. Individual criteria of the official photo ID may be omitted if, as a result of technical progress, other equivalent criteria, such as biometric data, are introduced that are at least equivalent in their identifying effect to the criteria omitted. However, the criterion of issuance by a state authority must always be met;
2. in the case of a legal person, on the basis of probative documents that are available in accordance with the legal standard customary in the state in which the legal person is domiciled. In any case, the valid existence, the name, the legal form, the power of representation and the registered office of the legal person must be verified.

§ 11(1) FM-GwG, Federal Law Gazette I No. 118/2016 as amended, reads as follows, including the heading:

Transactions and business relationships with politically exposed persons
§ 11. (1) In addition to the due diligence obligations under § 6, obliged entities must
1. have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer, the customer's beneficial owner or the customer's trustor is a politically exposed person, and apply these procedures before establishing the business relationship and at appropriate regular intervals during an ongoing business relationship;
2. in the case of business relationships with politically exposed persons,
a) obtain senior management approval before establishing or continuing business relationships with such persons,
b) take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons, and
c) subject the business relationship to enhanced ongoing monitoring.
If the customer's beneficial owners were determined pursuant to § 2 Z 1 lit. b sublit. cc BORA, Z 2 need not be applied in the case of domestic politically exposed persons if there are no risk factors indicating an increased risk.

In general terms, the FM-GwG aims to prevent money laundering and terrorist financing and therefore imposes certain due diligence obligations on, among others, banks. However, not every transaction serves the purposes proscribed above.

As established, the respondent is N*** Bank AG and, as a credit institution within the meaning of § 2 Z 1 FM-GwG, is subject to the provisions of the FM-GwG. The respondent's legal due diligence obligation results from § 6(1) Z 1 FM-GwG and comprises "identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source". Pursuant to § 6(2) Z 1 leg. cit., in the case of a natural person this is done by the personal presentation of an official photo ID. The complainant was both a former customer and a new customer who wanted to carry out an occasional transaction within the meaning of § 2 Z 15 leg. cit.
§ 5 Z 2 FM-GwG provides that the due diligence obligations of § 6 FM-GwG are to be applied to occasional transactions under the following conditions: a) the amount is at least 15,000 euros or the equivalent in euros, whether the transaction is carried out in a single operation or in several operations which appear to be linked, or b) the transaction is a transfer of funds within the meaning of Art. 3 Z 9 of Regulation (EU) 2015/847 exceeding 1,000 euros.

The complainant's exchange of the equivalent of 100 euros was an amount below the thresholds of § 5 Z 2 FM-GwG, so the due diligence obligations under § 5 Z 2 FM-GwG did not apply to the complainant.

Pursuant to § 5 Z 4 FM-GwG, the obliged entity must apply the due diligence measures already where there is a suspicion of money laundering or terrorist financing. The respondent's argument that a suspicion of money laundering or terrorist financing arose a priori or from the complainant's refusal to present a photo ID cannot be followed: neither the established facts nor the parties' submissions contain any indication that the complainant behaved in a conspicuous manner that would justify establishing his identity pursuant to § 5 Z 4 FM-GwG. Merely questioning, or refusing, a request to present an identity document cannot, without further evidence, give rise to reasonable grounds to assume that a data subject belongs to a terrorist organisation within the meaning of § 278b StGB, or is objectively involved in transactions connected with money laundering pursuant to § 165 StGB (including assets deriving from a criminal act of the perpetrator himself) or serving to finance terrorism pursuant to § 278d StGB.

The respondent also argued that establishing identity under § 6 FM-GwG was justified because it had to check whether the complainant was a politically exposed person (PEP) (§ 2 Z 6 in conjunction with § 11 FM-GwG). As established, the branch manager knew from the previous business relationship with the complainant that he was an employee of a "higher federal authority". However, being an employee of a "higher federal authority" is not equivalent to being a PEP under § 2 Z 6 FM-GwG, which names, for example, heads of state, members of parliament or judges of the Constitutional Court. It is clear that the complainant, even on the rudimentary knowledge the respondent had of his position, does not fall under any of the functions listed there. Moreover, as regards checking whether the complainant was a PEP, a less intrusive means within the meaning of the last sentence of § 1(2) DSG would have been simply to ask him. In the opinion of the data protection authority, the respondent's establishment of the complainant's identity was therefore not covered by § 1(2) DSG and was thus unlawful.

On consent:

Art. 4 Z 11 GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". Under Art. 7(4) GDPR, and taking into account Art. 4 Z 11 and Recital 43 GDPR, consent must be given voluntarily and must not be made conditional on the performance of a contract where the consent is not necessary for the performance of that contract. Consent is not voluntary if a disadvantage is to be expected in the event that consent is withheld (cf. the decision of the data protection authority of April 16, 2019, GZ DSB-D213.679/0003-DSB/2018).

In the present case, the question arises whether the complainant consented to the processing of his personal data (driver's license) and whether such consent was valid and met the requirements of the GDPR. As the findings show, the complainant makes it clear in his submissions that he did not voluntarily agree to the processing of his driver's license, since otherwise the requested currency exchange would not have been carried out; he therefore had to expect a disadvantage if he did not present his driver's license. Nor was consent to the processing of the complainant's personal data necessary for the currency exchange into Turkish lira (TRY), since the complainant received a receipt for the deposit of 100 euros for the currency exchange and the transaction was therefore attributable via the receipt. The processing of the driver's license was not necessary for this. The data processing at issue therefore proves to be unlawful.

D3. Result

The data protection authority therefore concludes, on the basis of its examination of the requirements of the FM-GwG, that the due diligence obligations were not applicable to the transaction in question. The processing of the driver's license at issue therefore took place without a qualified legal basis. Nor was there consent or any other permissible restriction of the right to secrecy within the meaning of § 1(2) DSG, which is why there is a violation of the right to secrecy. It was therefore to be decided accordingly.

Regarding point 2:

Since the requirements for processing the data at issue were not met, the data were processed unlawfully from the outset and are therefore to be deleted pursuant to Art. 17(1)(d) GDPR. The data protection authority therefore makes ex officio use of its power under Art. 58(2)(g) GDPR (on the admissibility of an ex officio order, see the decision of the Federal Administrative Court of June 4, 2019, GZ W214 2213623-1).