Hof Amsterdam - C/13/640898/HARK17-386

From GDPRhub

Hof Amsterdam - 200.247.727/01

CourtsNL.png
Court: Hof Amsterdam (Netherlands)
Country: Netherlands
Relevant Law: Article 6(1)(c) GDPR

Article 17 GDPR

Article 46 of the Dutch Personal Data Protection Act (Wbp)

Decided: 3. Sep. 2019
Published: 29. Oct. 2019
Parties: ABN AMRO BANK N.V.
National Case Number: 200.247.727/01
European Case Law Identifier: ECLI:NL:GHAMS:2019:3232
Appeal from: District Court of Amsterdam
Language: Dutch
Original Source: de Rechtspraak (in NL)

The Amsterdam Court of Appeal rejected request to remove applicant's personal data from bank's register.

English Summary[edit | edit source]

Facts[edit | edit source]

A customer and later employee of a bank was put in an Incidents Register, after alleged fraud during certain transaction. The data subject requested from the Bank to delete the personal data kept at the Incidents Register and the External Referral Register ("EVR") and refrain from any further processing. The request was based on Article 46 of the Dutch Data Protection Act (Wet bescherming persoonsgegevens - Wbp), implementing GDPR. The Bank rejected the request, but said the data will be deleted within three years. The District Court of Amsterdam also rejected the customer's application. The customer has appealed.

Dispute[edit | edit source]

The Court had to assess whether the bank lawfully rejected the customer's request and keep processing his personal data according to the applicable data protection framework.

Holding[edit | edit source]

The Court found that that the inclusion of the applicant’s personal data in the EVR was necessary for the compliance with national legal obligation. In addition, retaining the personal data was in line with the principle of proportionality. The court based its decision on the national data protection law prior to the GDPR’s entry into force because the facts at stake took place before May 2018.

Comment[edit | edit source]

Share your comment here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Dutch original for more details.

DECISION
ECLI:NL:GHAMS:2019:3232
Authority
Amsterdam Court of Appeal
Date of judgment
03-09-2019
Date of publication
29-10-2019 
Case number
200.247.727/01
Areas of law
Civil Justice
Special features
Appeal
Decision
Content indication
Personal Data Protection Act (Wbp). Rejection of the request to remove Appellant's personal data recorded by the Bank in the Incidents Register and the External Referral Register (EVR). The Appellant has requested, by means of a declaration form, that a sum of money from the building depot be transferred to it in order to pay an invoice for construction work. It is not apparent that this sum of money has been used for the payment of the aforementioned invoice. Inclusion in the Incidents Register and the EVR has taken place on proper grounds. The principle of proportionality has been complied with.
Locations
Jurisprudence.nl
JAR 2019/234
Enriched pronunciation 

Pronunciation
AMSTERDAM COURT OF APPEAL

civil and tax law department, team I

Case number : 200.247.727/01

Case number court Amsterdam : C/13/640898 / HA RK 17-386

Order of the Multiple Civil Chamber of 3 September 2019

in terms of

[Appellant] ,

residing at [domicile] ,

Appellant,

Attorney at law: Mr. K. Both at Vleuten,

at the rate of

ABN AMRO BANK N.V.,

established in Amsterdam,

Intimate,

Attorney at law: M.J.M.T. Keulaerds, The Hague.
1 Procedure

The parties are hereinafter referred to as [the Appellant] and ABN AMRO.

In an appeal with productions, received at the Court Registry on 11 October 2018, [the appellant] appealed against the decision of the District Court of Amsterdam of 12 July 2018, given under the above-mentioned case-number/rebate number. The purpose of the notice of appeal is that the Court of Appeal will annul the aforementioned decision and, enforceable on a provisional basis, will order ABN AMRO to remove and keep removed the personal data of [appellant] from the External Referral Register (hereinafter referred to as the 'External Referral Register'): EVR) and the Incidents Register and for the rest to refrain from any form of data processing from which it could be inferred that [appellant] would be or would be involved in any form of unlawful conduct whatsoever, with simultaneous written notification of the removal to already informed third parties, all this on pain of a penalty payment, with an order that ABN AMRO pay the costs of the proceedings in both instances.

On 12 December 2018, a statement of defence of ABN AMRO was received at the registry of the Court of Appeal. It asked the Court of Appeal to declare the order under appeal inadmissible, or at least to uphold the order under appeal, and to order the appellant to pay the costs of the proceedings at first instance and on appeal (provisionally enforceable).

On 1 April 2019, further production was received at the Registry of the Court of Appeal on behalf of [Appellant].

The oral hearing of the appeal took place on 17 April 2019. On that occasion [appellant] appeared, assisted by Mr Both mentioned above, who explained the notice of appeal on the basis of notes of speech submitted to the Court of Appeal. On the side of ABN AMRO [X] , legal counsel employment affairs, and [Y] , intelligence specialist at the Security & Intelligence Management department (hereinafter: SIM) of ABN AMRO, assisted by Mr. Keulaerds aforesaid, have appeared, who has explained ABN AMRO's defence on the basis of speaking notes submitted to the Court of Appeal.

The decision has been further determined today.

2 Facts

2.1
In the contested decision under 2.1 up to and including 2.17, the court established the facts that it had taken as a starting point. The facts are not in dispute on appeal and therefore also serve as a starting point for the Court of Appeal. In this case - in so far as relevant for the assessment of the appeal - the following is at stake.

2.2
On 8 November 2006, [appellant] and its then partner, [A] (hereinafter: [A] ), concluded a mortgage loan of € 795,000 with AMEV Praktijkvoorziening, the legal predecessor of Direktbank N.V. and currently part of the ABN AMRO Hypothekengroep (hereinafter: AAHG), for the purchase of building land and the construction of a new house at [address 1].

2.3
The deed of loan stipulates, among other things, the following:

"Article 7

1. The debtor declares to give the creditor a share of € 154,810.73 in deposit of the principal amount of the loan. (…)

2. (…)

3. If and to the extent that the deposit is intended for payment of the construction period(s), payment shall only be made after the creditor has received a statement/original invoices signed by the architect/contractor in question, showing that the construction period/note in question is/are expired/due.".

2.4
On 14 August 2009 [the appellant] requested, by means of an invoice form signed by her, that an amount of € 32,368 be transferred to her by virtue of this money loan in order to pay an invoice from Trishul Bouw Service (hereinafter: Trishul). This request was accompanied by a quotation stating the work to be carried out and stating: "A first advance of 40% of the principal sum: € 32,368.00 of a total contract sum of € 80,920.00. In the accompanying letter from Trishul, the aforementioned advance amount was requested to be transferred by bank to the account number mentioned there in the name of [B] and it is stated that after receipt of the advance amount a start would be made within 48 hours with the activities mentioned in that letter.

2.5
The amount of € 32,368 was received by [appellant] on 24 August 2009 on her payment account at ING Bank.

2.6
Research by the SIM department has shown that the aforementioned amount was never transferred to Trishul or [B] by [appellant] by bank transfer. It also appeared that on 24 August 2009 [appellant] transferred an amount of € 34,000 to her savings account, that on 11 September 2009 she transferred an amount of € 16,500 to her payment account, that on the same date she withdrew an amount of € 6,000 in cash and transferred an amount of € 10,000 to [company 1], stating "auto mercedes benz CLK". On 20 November 2009, [appellant] repaid € 16,000.00 to its payment account, transferred an amount of € 2,677.50 to Aadler B.V. stating "roofing [address 2]" and transferred an amount of € 12,533.00 to [company 2] stating "Debiteurnr [number] Invoice no. [number] ".

2.7
On 1 June 2015, [Appellant] joined ABN AMRO.

2.8
In the context of ABN AMRO's investigation into a possible mortgage fraud, [appellant] was heard by employees of the SIM department on 1 June 2017. She was heard again on 17 July 2017.

2.9
As from 17 July 2017, [the appellant] was exempted from its activities.

2.10
On 1 August 2017, ABN AMRO had the data of [appellant] registered in the EVR and the Incidents Register for a period of three years.

2.11
On 7 August 2017, the SIM department issued an investigation report. The report includes the following as a summary:
"The account details of [appellant] provided by ING to AAB do not show that the building deposit declaration in the amount of €32,368 was spent on the invoices of Trishul Bouw Services used in support of the declaration. An analysis of the account mentioned on the invoice of Trishul Bouw Services did not result in any payments being received from [appellant] for the work as stated on the invoice."
2.12

ABN AMRO informed [appellant] on 13 November 2017 that it would have registered [appellant] in the EVR. The lawyer of [appellant] protested against the various forms of registration in e-mails, but ABN AMRO announced in writing on 13 November 2017 that the registration would not be undone.
2.13

By letter of 1 December 2017 to [appellant], ABN AMRO informed the following, among other things:

"We have included your details in our Incidents Register and in the External Referral Register (...).

In the letters sent to you in mid-2012, it was announced that if you did not respond, your details would be included in the incident register as included in the Protocol Incidents Warning System for Financial Institutions. Because you did not respond to the letters in question, registration should have taken place at the time. As you know, registration did not take place by mistake. In August 2017, your details, as also mentioned in the letter of 29 June 2017, were still registered. (…)

Why are your data included in these registers?

We have established that you are or have been involved in an event that poses or may pose a risk to the interests, integrity or safety of ABN AMRO or its clients or employees, or to the financial sector as a whole.

What are the consequences of including your data in the Incidents Register?

(…)

Normally the term is 8 years. Because in your case the registration did not take place by mistake in 2012, it has been decided to only register for the remaining 3 years. (…)

What is the consequence of inclusion in the External Referral Register?

(…)

After 3 years (normally 8 years), your data will be deleted from the External Referral Register."

2.14
On 11 December 2017, [appellant] sent ABN AMRO a renewed demand for the deletion of the registrations in the EVR and the Incidents Register (hereinafter jointly: the registries) as well as any other form of registration. ABN AMRO has not complied with this requirement.

2.15
ABN AMRO submitted a petition to the Subdistrict Court for the dissolution of the employment contract on the grounds of allegations of fraud with the construction depot. The Subdistrict Court rejected the application by decision of 8 December 2017.

2.16
ABN AMRO appealed the decision referred to under 2.15 above. By order of this court of appeal of 18 December 2018, the employment contract between ABN AMRO and [appellant] was dissolved because of a disturbed employment relationship.

2.17
The Dutch Banking Association (NVB), in cooperation with other parties in the financial and insurance sector, has drawn up the Protocol to the Incident Warning System for Financial Institutions (the Protocol). In short, its purpose is to protect financial institutions against (legal) persons who wish to damage a financial institution or make improper use of the services of a financial institution, which poses a threat to the continuity and integrity of the financial sector. The Protocol also complies with the obligations arising from the Financial Supervision Act (Wft) and the Prevention of Money Laundering and Terrorist Financing Act (Wwft). Bearing in mind its objective, the Protocol provides for the recording of the conduct of legal entities that have led or may lead to the disadvantage of Financial Institutions. To this end, data will be included in an Incident Register. The EVR is linked to this.

The Protocol reads, in so far as relevant here, as follows:

"3.1 Incidents Register and External Referral Register
3.1.1
Each Participant has an Incident Register, in which the Participant concerned

data of (legal) persons will be recorded for the purpose of the

Protocol, in connection with or relating to a (possible)

Incident. (…)

4.1
Purpose of the Incident Register

4.1.1
In order to be able to participate in the Early Warning System, each Participant is obliged to have the following objective for recording data in the

Use the incident register:

"The purpose of all the processing operations in relation to the Incidents Register is to

supporting activities aimed at ensuring the safety and integrity of the financial sector, including (all) activities that are aimed at ensuring the safety and integrity of the financial sector:

to identify, prevent, investigate and combat conduct that can be

lead to a disadvantage for the branch of activity of which the financial institution is a part, of

the economic unit (group) to which the financial institution belongs, of the

financial institution itself, as well as its clients and employees;

on identifying, preventing, investigating and combating the improper use of

products, services and facilities and/or (attempted) punishable or reprehensible

conduct and/or violation of (statutory) regulations, aimed at the sector

to which the financial institution belongs, the economic unit (group) to which

the financial institution, the financial institution itself, as well as its customers, and

employees;

on the use of and participation in alert systems." (…)

5.2
Recording of data in the External Referral Register

5.2.1
The Participant must enter the Referral Data of (legal) persons who meet the criteria set out below under (a) and (b) and after application of the principle of proportionality set out under (c) in the External Referral Register.

a. a) The behaviour(s) of the person(s) or legal entity(ies) constituted, formed or may constitute a threat to (I) the (financial) interests of clients and/or employees of a Financial Institution, as well as the (Organisation of the) Financial Institution(s) themselves or (II) the continuity and/or integrity of the financial sector.

b) There is sufficient evidence that the (legal) person in question is involved in the conduct(s) referred to in point (a). This means that, in principle, criminal offences are reported or complained about to an investigating officer.

(c) The principle of proportionality shall be observed. This means that Security Matters determines that the importance of inclusion in the External Referral Register takes precedence over the possible adverse consequences for the Complainant as a result of the inclusion of his/her Personal Data in the External Referral Register. (…)”

3 Review
3.1
In an introductory application pursuant to Article 46 of the Personal Data Protection Act (Wbp), [appellant] requested the court to order ABN AMRO to remove the personal data of [appellant] from the registers and to refrain for the rest from any form of processing or registration of personal data from which it could be deduced that [appellant] would have been involved in any form of unlawful conduct whatsoever, on pain of a penalty payment. The court rejected the application and compensated for the costs of the proceedings. The Appellant contests this decision with five pleas in law.

3.2
In summary, the complaints, which lend themselves to joint processing, challenge the Court's consideration that there is a serious suspicion (to be qualified as fraud within the meaning of Article 326 of the Penal Code (Sr)) that [the appellant] deliberately, by means of an invoice, induced ABN AMRO to hand over money from the construction depot and did not use it for the intended purpose. Furthermore, [the appellant] argues that the judgment of the Court and of this Court of Appeal in the dissolution proceedings should be taken as a starting point, that - in short - on the basis of the facts and circumstances it cannot be said that it was guilty of mortgage fraud. Finally, [the appellant] argues that ABN AMRO has failed to report any criminal offence in violation of the Protocol. ABN AMRO contested the complaints.

The Court of Appeal considered as follows.

3.3.
Since 25 May 2018 the General Data Protection Ordinance (AVG) has been applicable and the Data Protection Act has expired. Pursuant to the transitional law, Article 48 paragraph 10 of the General Data Protection Implementing Act (AVG Implementation Act), written requests as referred to in Article 46 of the Personal Data Protection Act (Wbp), which were already pending at the time the AVG Implementation Act came into force, are subject to the law as it applied prior to the AVG Implementation Act coming into force. Since this transitional provision applies in the present case, the application will be assessed on the basis of the Wbp.

3.4.
The inclusion of (legal) persons in the Incidents Register and the associated EHR can have far-reaching consequences for the person concerned. Therefore, high requirements must be set for this and the procedure for inclusion in the registers must be accompanied by sufficient guarantees. The Dutch Data Protection Authority (CBP) ruled at the time that the processing of personal data is lawful in accordance with the Protocol. The Protocol must therefore be regarded as a regulation that satisfies the guarantees prescribed for the processing of personal data by the Personal Data Protection Act (Wbp).

3.5
It has been established that [the appellant] submitted the declaration form signed by her and the offer of € 32,368 on which it is based to ABN AMRO in order to pay the advance on the activities offered by Trishul. The bank account analysis carried out by the SIM department has shown that [appellant] has not paid the amount of € 32,368 received from the building depot in the manner described in the offer, namely by bank transfer to [B], and that this amount has not been transferred either to the bank account held by Trishul at ING Bank. It would have been up to [the appellant] to prove that she nevertheless used the sum of money for the payment of the advance invoice. On the occasion of the oral hearing on appeal [appellant] stated that at the request of [A] she withdrew a down payment of € 6,000 and subsequently an amount of € 54,000 in cash from her bank account, that she handed over these amounts to [A] for this purpose and that she did not know what happened to these amounts afterwards, since the contact with Trishul only took place via [A] and her relationship with [A] was seriously disrupted. Apart from the fact that [the appellant] has insufficiently substantiated this assertion, the Court of Appeal does not consider this assertion plausible since the withdrawn amounts of € 6,000 and € 54,000 do not correspond with the advance charged by Trishul. Moreover, it did not withdraw the amount of € 54,000 until 22 April 2010, i.e. eight months after the date of the advance invoice and after receipt of the money from the construction deposit. In agreement with ABN AMRO, the Court of Appeal is of the opinion that it is evident that funds from the building depot should only be used for payment of invoiced invoices and that the invoice should be paid in the manner described therein. Since [the appellant] failed to do so and, as considered, payment of the aforementioned invoice has not turned out to be the case in any other way, it must be assumed that it did not use the amount invoiced from the building depot for the payment of Trishul's advance invoice.

3.6
Contrary to what [the appellant] states, all this in itself is sufficient ground for registration of her personal data in the registers. After all, the actions of [appellant] described above can be qualified as an incident as referred to in Article 3.1.1 of the Protocol. ABN AMRO has made it sufficiently plausible that not using the funds declared from the building depot for the agreed construction work on the immovable property can, after all, lead to a decrease in the value of the collateral of the mortgage loan. The fact that there may not have been such a reduction in value, now that third parties have carried out work on the immovable property, does not detract from this. In the opinion of the Court of Appeal, the conduct of [appellant] can be qualified as an event that has resulted, could have resulted or has resulted in the interests of the financial institution being or could have been at stake. In addition, the actions of [appellant] meet the requirements for registration in the ECC as referred to in Article 5.2.1 of the Protocol. In view of the above, in the opinion of the Court of Appeal it is after all sufficiently plausible that [appellant's] conduct constituted or could constitute a threat to the (financial) interests of ABN AMRO, and it is sufficiently certain that [appellant] was involved in this conduct. The fact that ABN AMRO did not report a criminal offence does not in itself stand in the way of recording the personal data of [appellant] in the EVR, since Article 5.2.1 under b of the Protocol only stipulates that in principle a report or complaint is made to an investigating officer. Nor is a conviction by the criminal court required for the processing of personal data under criminal law (cf. HR 25 May 2009, ECLI:NL:HR:2009:BH4720).

3.7
The above under 3.5 also leads to the conclusion that there is a heavier suspicion than a reasonable suspicion of guilt with regard to (involvement in) fraud within the meaning of Article 326 of the Criminal Code. After all, the Court of Appeal agrees with the Court of Appeal that on the basis of the facts that have not been (sufficiently) contradicted, it is sufficiently plausible that [the appellant] deliberately moved ABN AMRO to deliver a sum of money from the construction depot by means of an invoice and did not use it for the intended purpose, and that these facts can bear a certificate of proof as referred to in Article 350 of the Code of Criminal Procedure. The fact that in the decision of 18 December 2018 between parties rendered in connection with the appeal against a request of ABN AMRO to dissolve the employment contract that was rejected by the Subdistrict Court of Amsterdam, the Court of Appeal considered that it cannot be said that [the appellant] was guilty of mortgage fraud does not affect what has been considered above, since the legal questions and the assessment framework in both proceedings differ.

3.8
Furthermore, the question must be answered as to whether the registration in the EVR complies with the principle of proportionality within the meaning of Article 5.2.1(c) of the Protocol. In view of the considerations set out in point 3.4 above, high requirements must be placed on the ground(s) for inclusion in the registers. In the case of the land referred to in point 3.5, it has been decided that such land should be included in the registers. The appellant has argued that maintaining the registrations in the registers means that she no longer has a chance of employment in the financial sector. ABN AMRO has argued that the registrations are not disproportionate because [appellant] is not dependent on the financial sector for its income provision, ABN AMRO has included [appellant's] personal data in the EVR for a relatively limited period of three years and because [appellant] does not currently apply. Although the registration of the personal data of [appellant] in the registers in the present case may have negative consequences for her career prospects in the financial sector, the Court of Appeal considers the registration - also in view of the fact that ABN AMRO has used a limited registration period of three years, which will end on 1 August 2020 - not disproportionate.

Since registration in both the Incidents Register and the EVR took place on the right grounds and since there is no mention of any of the situations referred to in Articles 4.3.1 and 5.3.1 of the Protocol, in which case the registration must be removed from the Incidents Register and the EVR respectively, the District Court has rejected the request on the right grounds.

3.9
The conclusion is that the grievances fail. The contested decision will be upheld. The appellant, as the unsuccessful party, is ordered to pay the costs of the appeal.

4 Decision
The court:

- upholds the contested order;

- orders [appellant] to pay the costs of the appeal proceedings and estimates those costs, in so far as they have been incurred by ABN AMRO to date, at € 726 in disbursements and € 2,148 for lawyer's salary.

This decision was made by J.C. Toorman, E.W. de Groot and A. van Zanten-Baris and by the role counsellor pronounced in public on 3 September 2019.