Persónuvernd (Island) - 2021061295

The Icelandic DPA held that a bank requiring uniquely identifying information (i.e. a social security number) to avoid anonymous transactions did not violate the GDPR as the bank had a statutory obligation to do so.

English Summary

Facts

The data subject wanted to deposit cash in the amount of ISK 99,000 (approx. € 700) into their daughter’s bank account at Landsbankans hf. (the bank or the controller).

The bank requested for the data subject’s social security number due to the banking transaction in question. The data subject considered that to be unlawful and claimed, inter alia, that the law on actions against money laundering and the financing of terrorism 140/2018 (Law 140/2018) does not require financial institutions - such as the bank - to identify the customers when the amount of the transaction does not reach a certain threshold amount.

The bank argued that it has a statutory obligation to prohibit anonymous transactions. In addition, the bank highlighted that the collection of social security numbers is important for the sake of the security and traceability of transactions. In other words, it is to ensure the reliability of transactions, to be able to correct possible mistakes in processing and/or to inform about identity theft, fraud, money laundering or other criminal acts.

Holding

In its decision, the Icelandic DPA noted that processing of personal data must have a legal basis under Article 6 GDPR. For example, the DPA stated that, in the present case, personal data may be processed on the basis of a legal obligation pursuant to Article 6(1)(c) GDPR. Furthermore, the DPA noted that all processing operations must also comply with the general principles enshrined in Article 5 GDPR. The principles stipulate, inter alia, that personal data processed must be adequate, relevant and limited to what is necessary (Article(5)(1)(c) GDPR).

In the context of the present case, the DPA concluded that the collection of a social security number is subject to the fact that it has a practical purpose and is necessary to ensure secure personal identification. Furthermore, the DPA noted that the controller in quetion is a financial institution and, therefore, falls under the scope of the Law 140/2018, and that the controller is a so-called 'reporting party'. The Law 140/2018 requires to avoid anonymous transactions and obliges the reporting parties to know the identity of their customers.

The DPA considers that the data subject's name alone is not enough to ensure secure personal identification in banking transactions in accordance with the Law 140/2018. As a result, it was in practice necessary for the controller to obtain the additional information (social security number) for customer identification in order to fulfill its legal obligation(s).

As a conclusion, the Icelandic DPA found that it was necessary for the bank to collect the data subject's social security number in order to ensure their secure identification, in order to fulfill the requirements that rested on the bank according to the Law 140/2018. As a result no GDPR violation was found. The processing of the data subject’s personal data by the controller was permitted on the basis of Law 140/2018 to the effect that the processing was necessary to fulfill the legal obligation(s).

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Processing of personal information by Landsbankinn hf.

Case no. 2021061295

10.7.2023

The use of a social security number is permitted if it has an objective purpose and is necessary to ensure secure personal identification. In this case, the complainant wanted to deposit cash into a bank account and his name alone was not sufficient to ensure secure identification in banking transactions.

Personal Protection ruled in a case where there was a complaint about the registration of social security numbers during cash transactions in a branch of Landsbankinn hf. Specifically, the bank demanded the complainant's social security number when he deposited cash into his daughter's bank account at the bank's branch.

The conclusion of the Privacy Protection was that the processing of Landsbankinn hf. on personal information has been in accordance with the provisions of the Act on Personal Protection and Processing of Personal Information.

Ruling

about a complaint about the processing of personal information during cash transactions by Landsbankinn hf. in case no. 2021061295:

i
Procedure

On June 7, 2021, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about Landsbankin hf's claim. (hereafter Landsbankinn) regarding the registration of his social security number during cash transactions in the bank's branch.

Personal protection invited Landsbankin to comment on the complaint in a letter dated 28 July 2021, and the bank's responses were received in a letter dated 28 July 2021. August 13, 2021. The complainant was then given the opportunity to provide comments on Landsbankinn's answers by letter, dated August 26, 2021, and they were received by today's letter. September 27, 2021. When resolving the case, all of the above-mentioned documents have been taken into account, although not all of them are separately explained in the following decision.

The processing of the case has been delayed due to the heavy workload at Personal Protection.

___________________

There is a dispute as to whether Landsbanki was allowed to demand the complainant's social security number when he deposited cash in the amount of ISK 99,000 into his daughter's bank account with the bank.

The complainant believes that Landsbankin was not authorized to require his social security number during the transaction in question. He points out that Personal Protection has a ruling in case no. 583/2010 came to the conclusion that Landsbanki Íslands/NBI hf. it was not permitted to record a person's social security number when he intended to pay two payment slips for another person. The complainant also believes that the provisions of Act no. 140/2018, on actions against money laundering and the financing of terrorism, does not impose the requirements on financial companies to check the reliability of customers when the amounts of transactions do not reach the threshold amount according to the law. The provisions of the Act on the prohibition of anonymous transactions also do not apply where the complainant intends to deposit the cash into an account in the name of a specific person.

Landsbankinn believes that the processing is based on a legal obligation that stipulates that financial companies are prohibited from offering anonymous transactions. It is also important that the bank can assess whether individual transactions or transactions can be related to each other and thus reach the standard set by law no. 140/2018 make an unconditional demand that due diligence is carried out. Registration of social security numbers is also necessary to ensure safe identification, but cash transactions involve risky transactions, as stated in the current risk assessment of the National Police Commissioner for money laundering and terrorist financing. Also, the use of social security numbers is necessary for the sake of security and traceability of transactions, i.a. in order to take the necessary precautions to ensure the reliability of transactions, can correct possible mistakes in processing and/or inform about identity theft, fraud, money laundering or other types of criminal acts in the bank's operations.

II.
Conclusion
1.
Lawfulness of processing

This case concerns Landsbankin's registration of the complainant's social security number during cash transactions in the bank's branch. It concerns the processing of personal data that falls under the scope of Act no. 90/2018 and regulation (EU) 2016/679 and thus the authority of the Data Protection Authority. Landsbankinn is considered to be the responsible party for the processing in question according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679.

All processing of personal information must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. For example, it is possible to work with personal data if it is necessary to fulfill a legal obligation that rests on the responsible party, cf. Number 3. of the legal provision and point c of the regulatory provision.

In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Article 5 of regulation (EU) 2016/679. The principles stipulate, among other things, that personal data must be sufficient, relevant and not beyond what is necessary based on the purpose of the processing (item 3 of the legal provision).

Finally, the use of a social security number is subject to the fact that it has a practical purpose and is necessary to ensure secure personal identification, cf. Article 13 Act no. 90/2018.

When assessing the legality of processing according to the above-mentioned provisions, provisions in other laws that apply in each case must be taken into account. Landsbankinn is a financial company and falls under the scope of Act no. 140/2018, on actions against money laundering and terrorist financing, cf. a.-item 1. paragraph Article 2 of them, and is a reporting party according to the same law, cf. Number 17. Article 3 of the law.

The objective of Act no. 140/2018 is to prevent money laundering and terrorist financing by obliging entities that engage in activities that may be used for money laundering or terrorist financing to know the identity of their customers and their activities and to report this to the competent authorities if they suspect or become aware of such illegal activities, cf. Article 1 of the law.

Notifiable parties are also prohibited from offering anonymous transactions, cf. Paragraph 1 Article 7 Act no. 140/2018. This prohibition applies regardless of whether the reporting party must carry out due diligence according to Article 8. of the law. In the comments to Article 7 in the bill that became law no. 140/2018 says that the provision removes all doubt that notifiable parties are not allowed to offer anonymous transactions. The provision covers all transactions, by whatever name they are called, such as deposit accounts, trust accounts, safe deposit boxes, asset management, company creation, digital wallets, etc. A similar provision was not found in law no. 64/2006 on measures against money laundering and terrorist financing, which were in force when the ruling of the Personal Protection Authority in case no. no. 583/2010 was pronounced.

In the opinion of the Personal Protection Authority, the provisions of paragraph 1 should be clarified. Article 7 Act no. 140/2018 taking into account the objective of the law, as determined in Article 1. them, and the aforementioned comments in the bill that became the law. It must be aimed at banning anonymous transactions according to paragraph 1. Article 7 the law also requires reporting parties to know the identity of their customers. This obligation applies equally to account owners as well as those who intend to deposit cash into accounts with financial institutions that they do not own.

Personal protection believes that it can be agreed that the customer's name alone is not enough to ensure secure personal identification in banking transactions. As a result, it is in practice necessary for the notifying party to obtain additional information for personal identification of customers in order to fulfill the legal obligation that rests on him according to paragraph 1. Article 7 Act no. 140/2018, as the provision is explained above.

In light of this, the Data Protection Authority considers that it was necessary for Landsbanki to record the complainant's social security number in order to ensure his secure identification, in order to fulfill the requirements that rested on the bank according to Act no. 140/2018.

Taking into account all of the above, it is the opinion of the Personal Protection Authority that Landsbankin's processing of the complainant's personal information was permitted on the basis of item 3. Paragraph 1 Article 9 Act no. 90/2018, to the effect that the processing was necessary to fulfill the legal obligation that rested on the bank according to paragraph 1. Article 7 Act no. 140/2018. In addition, it will not be considered that the processing of personal information by Landsbankin has violated the principle of proportionality, item 3. Paragraph 1 Article 8 Act no. 90/2018, cf. c-point 1. paragraph Article 5 of Regulation (EU) 2016/679, or other principles of the legislation. Finally, the processing is compatible with the provisions of Article 13. Act no. 90/2018 concerning the use of social security numbers. The processing therefore complied with Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

Ruling:

The processing of Landsbankinn hf. on personal information about [A] conformed to the provisions of Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679.

Privacy, 10 July 2023

Helga Sigríður Þórhallsdóttir              Bjarni Freyr Rúnarsson