LfD (Lower Saxony) - Fine EUR 900,000 against bank

From GDPRhub
LfD - None
LogoDE-NI.jpg
Authority: LfD (Lower Saxony)
Jurisdiction: Germany
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 28.06.2022
Fine: 900.000 EUR
Parties: n/a
National Case Number/Name: None
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: LfD Niedersachsen (lower saxony) (in DE)
Initial Contributor: lacrosse

The DPA of Lower Saxony fined a bank €900,000 for creating customer profiles, enriched with third-party data, for advertising purposes, without consent. The DPA held that such processing cannot be based upon legitimate interest as per Article 6(1)(f).

English Summary

Facts

A commercial bank (controller) used personal data of current and former customers (data subjects) to identify customers with an affinity for digital media usage, in order to address them more intensely through electronic communication channels for further commercial communication (advertisement).

A service provider analyzed digital usage behavior on behalf of the controller, including the total amount of app-store purchases, the usage frequency of bank statement printers as well as the total amount of transfers in online banking system (in comparison to the offline usage in their local branch offices). The results were compared and further enriched with data from a commercial credit reporting agency. Most customers were informed in advance, but no consent under Article 6(1)(a) GDPR was obtained.

The controller based the data analysis, data enrichment and the subsequent creation of customer profiles on legitimate interest as per Article 6(1)(f) GDPR.

Holding

The DPA found that the analysis of large amounts of data to create customer profiles could not be based on Article 6(1)(f). It followed that processing based on a legitimate interest requires a balancing act between the interest of the controller and the fundamental rights and freedoms if the data subject. The controller had to consider the reasonable expectations of the data subjects.

The DPA argued that a data subject could not reasonably expect large amounts of its personal data to be analyzed by the controller to better target its advertising. Third-party data enrichment, like the use of commercial credit reporting agency data, further overrides the interest of the controller and tips the balancing test in favor of the data subject.

The DPA held that in addition, data enrichment from a third-party source and linking it to profiles could also not be based on legitimate interest. This could potentially link data from all areas of life to an accurate customer profile, which could also not be reasonably expected by a customer. Customer consent (see Article 6(1)(a)) is required.

The controller cooperated with the DPA throughout the process.

For the violation, the DPA fined the controller €900,000.

Comment

According to an article from IT Finanzmagazin, the bank is Hannoversche Volksbank and the other credit institution is Schufa, however the information in the article isn't confirmed by the authorities.

The DPA's press release states that the decsion was not yet legally binding, but no appeal was made within the appeal period (of two weeks) and the decision is as such final as per August 2022.

Further Resources

There are various news articles on this decision, which should be read with care as much of the information is unconfirmed.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

900,000 euros fine against bank for profiling for advertising purposes

The State Commissioner for Data Protection (LfD) Lower Saxony has imposed a fine of 900,000 euros on a bank. The fine is not yet final.

The company had evaluated data from active and former customers without their consent. To do this, it analyzed digital usage behavior and evaluated, among other things, the total volume of purchases in app stores, the frequency of use of account statement printers and the total amount of transfers in online banking in comparison to the use of the branch offer. For this it used a service provider. In addition, the results of the analysis were compared with a credit agency and enriched from there. The aim was to identify customers with an increased inclination for digital media and to use electronic communication channels more to address them for contract-related or advertising purposes. Information was sent to most customers in advance along with other documents. However, these do not replace the necessary consents.

The company is accused of not being compatible with Article 6(1)(f) of the General Data Protection Regulation (GDPR). According to this, a person responsible can process personal data on the basis of a balance of interests. The interests of the person concerned must not prevail. When setting the fine, it was taken into account that the company had not used the results of its evaluations. The company has also been cooperative throughout the process.

accumulation of similar cases

The LfD Lower Saxony is increasingly aware of cases in which those responsible evaluate data from customers that were initially lawfully processed for profiling purposes. To do this, they sometimes use external providers or compare their results with them.

"Those responsible for such evaluations often do not obtain the consent of customers," says state data protection officer Barbara Thiel. “Instead, they refer to a balancing of interests according to Article 6 paragraph 1 letter f DS-GVO. However, this legal basis does not allow profiles to be created for advertising purposes by evaluating large databases.”

It is true that advertising to (potential) customers is in the interests of those responsible. However, the legislator classifies this interest as less important by providing the data subjects with a simplified opportunity to object. The objection does not have to be justified. When weighing up the interests, the interests of the customers concerned also prevail.

Reasonable expectation prevails

When balancing interests, those responsible must take into account, among other things, the reasonable expectations of customers. "However, those affected usually do not expect that those responsible will use databases on a large scale to identify their inclination towards certain product categories or communication channels," says Barbara Thiel. In these cases, those responsible cannot therefore invoke a balancing of interests and must instead obtain consent.

If external bodies are also included (e.g. credit agencies), data from different areas of life can be linked and more precise profiles can be created. Customers do not have to expect this, which is why consent must be obtained for this as well.