Gerechtshof Amsterdam - 200.258.200/01

From GDPRhub
GHAMS - 200.258.200/01
Court: GHAMS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 6(1)(f) GDPR
Decided: 07.07.2020
Published: 31.07.2020
Parties: ING Bank N.V.
National Case Number/Name: 200.258.200/01
European Case Law Identifier: ECLI:NL:GHAMS:2020:1984
Appeal from: Rb. Amsterdam (Netherlands)
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtspraak (in Dutch)
Initial Contributor: n/a

The Amsterdam Court of Appeal rejected request to remove appellant's personal data from the internal register.

English Summary


Appellant is a customer of ING who had his personal data registered in ING's Internal Referral Register ("IVR") in 2013 for the period of 8 years. In 2017 appellant's credit card request was rejected by ING because of the record in IVR. Before 2013 the appellant had opened and closed 15 business accounts on behalf of different companies, two of which were closed with a negative balance.


Appellant claims that ING has no legal basis for registering his personal data in the IVR.


The Court upheld the decision of the Court of First instance: 1) registering appellant's personal data in the IVR was necessary to protect legitimate interest of ING and to protect integrity and security of the bank sector. The Court took into account ING's adherence to the Code of Conduct for the Processing of Personal Data by Financial Institutions ("Gedragscode Verwerking Persoonsgegevens Financiële Instellingen"); 2) IVR is an internal register of ING, appellant failed to demonstrate that the record in the IVR has prevented him from getting financial services at other institutions; 3) the fact that appellant was added to the register in 2013, but noticed this only in 2017 was quite significant, according to the Court. ING has added appellant's personal data to its internal register on good grounds and in compliance with the Code of Conduct and the GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Amsterdam Court of Appeal
Date of pronunciation
Date of publication
Case number
Civil Justice
Special features
Content indication
Processing of personal data by the Bank; registration in the Internal Referral Register; no conflict with the Code of Conduct for the Processing of Personal Data by Financial Institutions or the General Data Protection Regulation.
Enriched pronunciation 
Department of Civil and Tax Law, Team I
Case number : 200.258.200/01
case number court : 68233560 CV EXPL 18-8294
judgment of the multiple civil chamber of 7 July 2020 
[appellant] ,
living at [residence] ,
Attorney at law: Mr. J.M. Molkenboer in Tilburg,
based in Amsterdam,
Attorney at law: Mr. I.M.C.A. Reinders Folmer, Amsterdam.
1 The appeal proceedings
The parties are hereinafter referred to as [Appellant] and ING.
By writ of summons dated 17 January 2019, [the appellant] appealed against the judgment of 22 October 2018 of the Subdistrict Court of the District Court of Amsterdam (referred to below as 'the Subdistrict Court') between [the appellant] as plaintiff and ING as defendant.
The parties subsequently submitted the following documents:
- memorial of grievances, with productions;
- memorandum of reply, with production. 
The parties had the case argued on 25 May 2020, [appellant] by M.C.A.M. Van der Meer, attorney at law in Tilburg, and ING by A.L. de Vogel, attorney at law in Amsterdam, each on the basis of pleading notes submitted. An additional production was brought into dispute by [the appellant].
Finally, judgment has been sought.
The [Appellant] has concluded that the Court of Appeal will set aside the contested judgment and will grant the claims brought, with ING being ordered, enforceable provisionally, to pay the costs of the proceedings in both instances.
ING concluded that the contested judgment should be dismissed and upheld and, provisionally enforceable, the [Appellant] ordered to pay the costs of the proceedings.
Both parties offered evidence of their claims on appeal.
2 Facts
In the judgment under appeal, the Subdistrict Court established the facts on which it based its decision. These facts are not in dispute on appeal and therefore also serve as a starting point for the Court of Appeal. In summary, the facts boil down to the following.
[appellant] has been a private customer of ING for some time now. In addition, he has opened business accounts with ING for fifteen different limited partnerships, foundations and private limited companies. 
On 19 November 2013, ING entered the [Appellant's] personal details in ING's internal referral register (IVR) for a period of eight years. 
In June 2017 [appellant] applied for a credit card. ING refused this request without justification. After [the appellant] contacted an employee of the Bureau Krediet Registratie (BKR), he was informed that he was registered in ING's IVR. 
[Appellant] subsequently asked ING on several occasions to remove its data from the IVR. ING did not comply with these requests. 
ING informed (the representative of) [Appellant] by letter dated 2 January 2018 of the following: 
(...) Your customer has been transferred to an ING referral register since 19 November 2013. This means that when extending financial services within ING, a separate assessment is made as to whether the extension is permitted or not. 
This report therefore does not apply to other financial institutions in the Netherlands and this internal report does not need to be actively fed back. In the e-mail from Bureau Krediet Registratie dated 4 October 2017, your client also received a confirmation that this was not an external notification. 
Incidentally, the relationship was already aware of the notification as of 2014 and your relationship has since spoken threatening and threatening language to ING employees on several occasions. 
In view of the historical telephone contacts with Mr [appellant] and the involvement in various business accounts in which ING had suffered financial loss, we will maintain the internal registration. Finally, we would reject the credit card application on the basis of risk perspective and our freedom of contract. (…) 
3 Assessment
In the first instance, the [Appellant] requested that ING be ordered to remove his personal data from the IVR and that ING be ordered to pay the costs of the proceedings. 
The Subdistrict Court rejected [the appellant's] claim, considering - in brief - that [the appellant] did not have a sufficient interest in his claim being allowed because it had not been established that, because of his registration in the IVR, he was actually experiencing, or would experience, problems in banking with other banks. Needless to say, the Subdistrict Court considered that ING did have a valid reason for the registration, because [the appellant] had opened several business accounts with ING that were not settled correctly and with a negative balance, as a result of which ING suffered loss. 
This decision and the grounds on which it was based are contested by [the appellant]. 
The Court of Appeal will first jointly discuss grievances 1, 2 and 4 with which [the appellant] challenges the opinion of the Subdistrict Court that there were sufficient grounds for ING to register [the appellant] in the IVR. 
ING registered the personal details of the [Appellant] in the IVR on 19 November 2013. The [Appellant] claims that this was done incorrectly because there were insufficient grounds for doing so. ING claims that it registered [appellant] as a result of an internal investigation in which it was found that [appellant] had opened business accounts with ING on behalf of various companies, which were subsequently not used or hardly used at all, and were then, sometimes after a short time and with a negative balance, closed again by ING. 
The relationship between ING as a banking institution and [Appellant] as an account holder and representative of the various limited partnerships, foundations and private limited companies for which a business account has been opened is governed by the Code of Conduct for the Processing of Personal Data by Financial Institutions (hereinafter: the Code of Conduct). In so far as relevant, the code of conduct includes the following:
Personal data will only be processed if and insofar as at least one of the following legitimate principles is met: 
f. the Processing of Personal Data is necessary to protect the legitimate interest of the Financial Institution or of a Third Party to whom the Personal Data are provided, unless the interest or the fundamental rights and freedoms of the Complainant, in particular the right to privacy, prevail. 
Processing of Personal Data by Financial Institutions shall take place in accordance with the Principles for Processing Personal Data for the purpose of efficient and effective business operations, in particular in the context of carrying out the following activities: 
d. guaranteeing the security and integrity of the financial sector, including recognising, preventing, investigating and combating (attempted) (punishable or reprehensible) conduct directed against the sector to which a Financial Institution belongs, the Group to which a Financial Institution belongs, the Financial Institution itself, its Clients and employees, as well as the use of and participation in warning systems; 
For the purposes of the security and integrity of the Financial Sector, data, including Personal Data, relating to: (i) events which, in view of the special nature of the Financial sector, require the care and attention of the Financial institution; (ii) (potential) claims, including in respect of an agreement concluded with the Financial institution; (iii) the non-fulfilment of contractual obligations or other (attributable) shortcomings; or (iv) acts of Financial institutions, including investigations as referred to in Article 5.6.1 Code of Conduct, may be included in an Events Records kept by Security Matters or a department designated for this purpose by the Financial institution concerned. The Code of Conduct applies to this Event record. 
Since 25 May 2018, the processing of personal data has been subject to the General Data Protection Regulation (AVG). Article 6.1 of the AVG states that: 
Processing is only lawful if and insofar as at least one of the following conditions is met: 
(f) processing is necessary for the purposes of pursuing the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. 
There is no dispute between the parties that [Appellant] opened business accounts with ING for the following companies before 19 November 2013: 
1) Artiflex Recreatiebouw BV,
2) Stichting Garantiegelden OXXIO Vastgoed & Invest, 
3) Stichting Administratiekantoor OXXIO Holding BV,
4) Stichting Derdengelden Recht-Net,
5) Stichting Derdengelden Credial,
6) Home Port Yachts International CV,
7) Sytisus Nedhold CV,
8) Cerxnet CV,
9) Sytisus CV,
10) StraightNet CV,
11) Credial CV, 
12) Arm-proof CV,
13) Verzion Foundation,
14) Verzitel Foundation,
15) OXXIO Vastgoed & Invest BV i.o.
ING has undisputedly stated that there was little or no payment traffic through these accounts. It has also been established that before 19 November 2013 the companies Artiflex Recreatiebouw B.V., Stichting Garantiegelden OXXIO Vastgoed & Invest, Stichting Administratiekantoor OXXIO Holding BV, Recht-Net CV, Credial CV, Armvast CV, Stichting Verzion, Stichting Verzitel were deregistered, dissolved or liquidated by the Chamber of Commerce. The bank accounts opened by [Appellant] on behalf of these companies have all been terminated by ING before 19 November 2013, whereby, according to ING's records, a negative balance of respectively € 262.19 and € 267.39 remained on the accounts of Recht-Net CV and Credial CV. ING has undisputedly stated that for reasons of cost efficiency it has waived recourse. 
With regard to the negative balances, [Appellant] stated that ING offered business accounts free of charge for six months in the relevant period and that therefore no negative balance could have arisen. ING has in turn stated that the accounts of Recht-Net CV and Credial CV were opened on 6 May 2011 and terminated in 2012 and therefore existed for more than six months. Although [the appellant] has argued in general terms that he would have instructed ING by telephone to terminate business accounts opened with ING, he has not stated that and when he specifically terminated the accounts of Recht-Net CV and Credial CV. Moreover, it is undisputed that ING's records, which, pursuant to Article 11 of the General Banking Conditions, provide full evidence to the relevant companies, show that both accounts with a negative balance have been terminated. 
The Court of Appeal is of the opinion that it follows from the foregoing that on 19 November 2013 a series of events took place that required ING's care and attention with respect to the [Appellant's] actions towards ING. In particular in view of the number of business bank accounts opened, the lack of payment transactions and the premature termination of the relevant companies in each case, in conjunction with the fact that in any event two accounts remained negative for ING after termination, ING was able to reasonably consider on 19 November 2013 that registration of [Appellant's] personal data was necessary in order to safeguard its legitimate interests and to safeguard the security and integrity of the financial sector, as referred to in the Code of Conduct. In this case, this interest must outweigh [the appellant's] interest in remaining exempt from registration in the IVR. In particular, the fact that ING's registration in the IVR is not transparent to third parties and that [the appellant] has not stated sufficiently that and to what extent he is actually hindered from purchasing financial services from financial institutions other than ING as a result of his registration in ING's IVR is of major importance. In that respect, it is significant that [Appellant] only noticed in June 2017 that ING had registered him in the IVR in 2013. This means that ING has registered the personal data of [Appellant] in IVR on good grounds and in accordance with the provisions of the Code of Conduct and the AVG. The claim of [Appellant] is therefore not imputable. 
In this state of affairs, ground 3, by which [the appellant] challenges the Subdistrict Court's opinion that he does not have a sufficient interest in his claim, can remain unanswered. 
The grievances don't work. The judgment of which appeal will be upheld. As the unsuccessful party, the [appellant] shall be ordered to pay the costs of the appeal proceedings. 
4 Decision
The court:
ratifies the judgment of which appeal;
orders [the appellant] to pay the costs of the proceedings on appeal on the part of ING estimated at € 741 in out-of-pocket expenses and € 2,148 in salary;
declares the cost order enforceable in stock.
This judgment was delivered by A.W.H. Vink, W.A.H. Melissen and J.M. de Jongh and publicly pronounced by the court on 7 July 2020.