Rb. Den Haag - C/09/662309 / HA RK 24-104
Rb. Den Haag - C/09/662309 / HA RK 24-104 | |
---|---|
Court: | Rb. Den Haag (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 15 GDPR, Article 22(1) GDPR, Article 41(1)(d) UAVG |
Decided: | 09.09.2024 |
Published: | 12.09.2024 |
Parties: | Bunq BV |
National Case Number/Name: | C/09/662309 / HA RK 24-104 |
European Case Law Identifier: | ECLI:NL:RBDHA:2024:14477 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | fb |
A court ruled that national law allowed a bank to restrict the data subject's right to access regarding the logic involved in flagging suspicious transactions.
English Summary
Facts
The data subject has multiple bank accounts with the controller, a bank.
On 13 November 2023, the controller asked the data subject to provide documents concerning their source of income. Since the data subject did not reply to this request, the controller closed their bank account.
On 29 November 2023, the data subject filed an access request to the controller according to Article 15 GDPR.
On 2 January 2024, the controller replied to the data subject, providing various data it had processed.
However, the data subject considered it implausible that the controller does not process any data about the blocking of the account and that the logic behind the decision-making cannot be explained. Therefore, the data subject informed the controller about this and requested the latter not to delete their data pursuant to Article 18(1) GDPR since they intended to file a lawsuit.
On 5 February 2024, the data subject initiated legal proceedings against the controller before the District Court of The Hague (Rechtbank Den Haag – Rb. Den Haag). More specifically, the data subject sought more information about the decision-making process behind the blocking of their bank account and about whether this decision had been taken by automated means.
The controller argued that it had already sufficiently acted on the access request and pointed out that there was no automated decision-making (ADM). The controller explained that, even though an alert about a suspicious transaction is triggered automatically, human intervention is then required to decide whether to take further action.
Furthermore, it noted that in the case at hand Article 41(1)(d) of the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming – UAVG) applies, since the purpose of this processing is preventing criminal offences pursuant to the Prevention of Money Laundering and Financing of Terrorism Act (Wet ter voorkoming van witwassen en financieren van terrorisme – Wwft).
Holding
First, the court assessed whether there had been automated decision-making by the controller.
The court upheld the controller’s argument, ruling that there was no ADM since the subsequent investigation and the final decision were carried out by employees of the controller.
Secondly, the court noted that providing more information about how the transaction monitoring system works could have the effect of providing insight into how the controller's process, designed to prevent criminal offences, operates. According to the court, disclosing this information could result in malicious persons gaining knowledge that could undermine the operation of the system.
Thus, the court found that the controller rightfully relied on Article 41(1)(d) UAVG in order to partially restrict the data subject’s right of access.
On these grounds, the court rejected the data subject’s claims.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Order
THE HAGUE DISTRICT COURT
Trade team
case number / application number: C/09/662309 / HA RK 24-104
Order of 9 September 2024
in the case of
[applicant], in [place of residence], applicant, appeared in person,
against
BUNQ B.V., in Amsterdam, respondent, attorneys Mr. I.J. de Laat and Mr. R.A. Siebelink in Amsterdam.
The parties will hereinafter be referred to as [applicant] and Bunq.
1 The procedure
1.1. The course of the procedure is apparent from:
- the application received on 5 February 2024, with appendices A to D;
- the letter dated 27 March 2024 from Bunq;
- the letter of 10 April 2024 from Bunq;
- the email of 28 May 2024 from [applicant];
- the email of 30 May 2024 from [applicant];
- the email of 10 June 2024 from [applicant];
- the statement of defence received on 3 July 2024, with exhibits.
1.2. On 11 July 2024, the case was discussed during the oral hearing. The following were present:
- [applicant] in person;
- on behalf of Bunq: Ms [name] (legal counsel at Bunq), together with Mr De Laat, aforementioned.
Both parties submitted speaking notes. During the oral hearing, the registrar took notes of what was discussed during the hearing.
1.3. The parties have been informed that a decision will be made no later than 9 September 2024.
2 The facts
2.1. [Applicant] is a Bunq customer and has multiple bank accounts with Bunq.
2.2. On 13 November 2023, Bunq asked [Applicant] via WhatsApp to send documents to Bunq no later than 27 November 2023. This message states:
[…] In the interest of your account’s safety, we regularly monitor the activity and transactions on bunq accounts. That’s why we kindly ask you to provide documents about your source(s) of income before 2023-11-27.
Accepted documents are:
- recent salary payslip
- employment contract
- tax declaration
- bank statement of another account of yours no older than 3 months
- another document clarifying the source of the money received on your bunq account, not older than 3 months
Once you provide the requested documents, our team will review your response and get back to you in 2-4 business days. […]
2.3. On November 17, 2023 and November 21, 2023, Bunq sent a reminder to [applicant] via WhatsApp to send the requested documents. [Applicant] did not respond to these messages.
2.4. On November 24, 2023, Bunq blocked [applicant]'s bank accounts. Bunq informed [applicant] of this via WhatsApp. [Applicant] sent the documents requested by Bunq on 13 November 2023 to Bunq on the same day, whereupon Bunq lifted the block on [Applicant]'s bank accounts.
2.5. On 29 November 2023, [Applicant] requested Bunq in writing (pursuant to Article 12 and 15, first paragraph, of the General Data Protection Regulation, hereinafter: GDPR) for access to data about him in general and data processed about him in the context of the blocking of his accounts.
2.6. On 2 January 2024, in response to [Applicant]'s request for access, Bunq provided [Applicant] with various data that Bunq had processed from [Applicant].
2.7. On 5 January 2024, [Applicant] approached Bunq's data protection officer by e-mail. This message states:
[…] Your response shows that Bunq states that no personal data is currently being processed by Bunq in relation to the blocking of my account and that any logic behind the decision-making cannot be explained. Because I do not find it credible that Bunq does not keep any accounting or logs on such drastic actions, I intend to go to court to have the defective access resolved. I therefore request Bunq under Article 18 of the GDPR to secure all my personal data that are relevant to my request for access and to prevent them from being deleted. If you have accidentally forgotten to include an attachment with the requested information, I request that you provide it to me before 10 January 2024. […]
2.8. On 31 January 2024, Bunq informed [applicant] that it had received his request and that it would not delete his data.
2.9. On 5 February 2024, [applicant] filed this petition.
2.10. On 10 April 2024, Bunq provided [applicant] with additional information that Bunq processed in relation to [applicant]. This concerns the name, contact details, nationality, number of payments and risk score of [applicant] and the documentation that [applicant] himself provided to determine (the origin of) his income. Bunq also stated which online public sources about [applicant] were consulted by Bunq.
2.11. On 23 April 2024, Bunq provided [applicant] with further explanation regarding the blocking of his accounts. Bunq explained that the reason that a client investigation was initiated against him was a hit from the Transaction Monitoring System on a specific payment transaction of [applicant].
2.12. Bunq did not include [applicant] in any (reference) register.
3 The request and the defence
3.1. [Applicant] requests that Bunq be ordered to provide him with full access to his personal data, including all information specified in Article 15 GDPR. Without limiting the request to these specific elements, [Applicant] specifically requests the following information:
1. a copy of all personal data relating to the following aspects:
a. information about [Applicant] that led to the check and the subsequent blocking and lifting of the block;
b. information processed about [Applicant] as part of the decision-making process surrounding the blocking and lifting thereof, including employee comments about [Applicant], risk profiles drawn up and information exchanged with third parties;
2. if [Applicant]'s personal data have been received by third parties, access to this data, as well as access to the recipients within Bunq, where the job description or name of the department of the recipient is sufficient information;
3. if personal data of [applicant] has been received from external sources, insight into what those sources are, also if they are public sources;
4. if automated decision-making or related processing has been used, such as the allocation of risk profiles, [applicant] wants meaningful insight into the logic of the processing and the anticipated consequences of this processing.
Finally, [applicant] requests that Bunq be ordered to pay the costs of these proceedings.
3.2. To this end, [applicant] argues in summary as follows. Bunq has conducted a customer investigation. In doing so, Bunq acted carelessly; three days before the expiry of the period within which [applicant] had to provide documents, all of his accounts were blocked by Bunq. [applicant] wants to know why he was subjected to the investigation. Bunq has indeed provided some information about the data it has processed about [applicant] and about the blocking, but that information is not complete or not specific enough. [applicant] still does not know why his accounts were blocked. There has been automated decision-making. Under the GDPR, Bunq must provide [applicant] with an explanation of the underlying logic of the system that Bunq uses for this purpose.
3.3. Bunq defends itself against [applicant]'s request. Firstly, Bunq states that it has sufficiently complied with [applicant]'s request for access and that it is not at liberty to provide more information about the client investigation, in particular its design, than it has done so far. Secondly, it states that there has been no automated decision-making, so that there are also no grounds for providing [applicant] with access to the underlying logic of the Transaction Monitoring System. Finally, Bunq states that, relying on the grounds for exception in Article 41 of the General Data Protection Regulation Implementation Act (hereinafter: UAVG), it does not have to provide further access with a view to preventing criminal offences and protecting trade secrets. Bunq must comply with the obligations arising from the Money Laundering and Terrorist Financing (Prevention) Act (hereinafter: Wwft) and uses its Transaction Monitoring System for this purpose, among other things. Disclosing the operation of that system and the decision-making process in this regard poses a risk that malicious persons will circumvent the system.
4 The assessment
Preliminary
4.1. Before the period that it had granted [applicant] to provide information and without any specific prior warning, Bunq blocked [applicant]'s accounts. [Applicant] was uncertain when his accounts would be accessible again and when he would be able to pay important term-related payments (such as his mortgage obligation) on time. [Applicant] wanted to file a complaint about this, but he could not find any information about an internal complaints procedure at Bunq. During the oral hearing, Bunq was also unable to specify where [applicant] could find information about this procedure. In that light, the court considers the dissatisfaction and annoyance that clearly resonates in the current request of [petitioner] and his explanation at the hearing to be completely understandable.
The remaining request
4.2. After filing the petition, Bunq sent more information to [petitioner] about the data it had processed about him. In doing so, Bunq has met the requests of [petitioner] as formulated under 2 (which personal data of Bunq third parties and various departments within Bunq have received) and 3 (personal data received from external sources) of his request. Because [petitioner] has received this information from Bunq, the court will reject these requests for lack of interest.
4.3. The requests that still require assessment are the requests as formulated under 1 (information about [applicant] that gave rise to and was processed in the context of the block) and 4 (insight into the logic and processing of automated decision-making). The question that the court must answer is whether Bunq must provide [applicant] with more information on the basis of Article 15 GDPR than it has done so far and whether Bunq used automated decision-making when blocking [applicant]'s accounts. According to [applicant], this is the case. In summary, it comes down to [applicant] wanting to know why he was flagged by the Transaction Monitoring System, how this system works, what the background is to the assignment of his risk score, why his accounts were blocked and why the block was lifted.
The assessment framework
4.4. Pursuant to Article 15 GDPR, a data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to that personal data. This enables a data subject to check whether the data are accurate and lawfully collected.
4.5. Pursuant to Article 22 GDPR, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
4.6. Based on Article 23 GDPR, an exception can be made (by means of national provisions) to (among other things) the right of access as formulated in Article 15 GDPR. Article 41 of the Implementation Act General Data Protection Regulation (UAVG) gives substance to the restriction options offered by Article 23 GDPR, whereby it always applies that a restriction must be necessary and proportionate. The restrictions relevant to this case are included in Article 41 UAVG paragraph 1 sub d) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security and in Article 41 UAVG paragraph 1 sub i) the protection of the data subject or of the rights and freedoms of others.
4.7. The GDPR does not provide a definition of the term automated decision. A definition can be found in the guidelines of the European Data Protection Board, an independent European body that monitors the consistent application of the GDPR. In ‘Guidelines on automated individual decision-making and profiling for the purposes of Regulation (EU) 2016/679 (WP251rev.01)’, Chapter 1 under B contains the following definition: exclusively automated decision-making is the taking of decisions by technological means and without human intervention. The court assumes this definition.
Whether or not an automated decision was made
4.8. Because the debate between the parties has mainly focused on the question of whether Bunq has made automated decision-making, the court will answer this question first.
4.9. Bunq is obliged under Articles 3 and 8 Wwft to carry out (enhanced) customer due diligence to prevent money laundering and terrorist financing. In order to comply with this obligation, Bunq uses its Transaction Monitoring System. Bunq explained that [applicant] was subject to enhanced customer due diligence because the Transaction Monitoring System gave a hit on a payment transaction from [applicant]. [Applicant] states that this involved automated decision-making and wishes to gain insight into the underlying logic of this system on the basis of Article 15 paragraph 1 under h and Article 22 GDPR. However, the court – with Bunq – is of the opinion that there was no automated decision-making and Bunq therefore does not have to provide insight into the operation and underlying logic of the Transaction Monitoring System. The following is the reason for this.
4.10. The hit of the Transaction Monitoring System is created on the basis of an algorithm without human intervention, as Bunq has explained. A hit remains without (legal) consequences if no action is taken. Bunq has explained that human intervention is required to decide whether further action is taken as a result of a hit. In this case, a Bunq employee decided to start a client investigation as a result of the hit of the Transaction Monitoring System. This was not a decision made by the system itself. The subsequent investigation was carried out by Bunq employees, which included requesting documents, blocking [applicant]'s accounts (wrongly too early), assessing the documents he submitted and lifting the block. All these actions were carried out by human intervention. In the court's opinion, Bunq has sufficiently substantiated with this explanation that there was no automated decision in the process of the customer investigation. This means that Article 15 paragraph 1 under h and Article 22 GDPR do not provide a basis for [applicant] to order Bunq to provide information about the underlying logic of the Transaction Monitoring System. The court will not discuss the case law cited by [applicant] in this regard, because this case law concerns situations in which automated decision-making does occur.
Access to other data, a weighing of interests
4.11. [Applicant]'s request is formulated in such a way that he wishes to see information about the reason and decision-making surrounding the client investigation, even if there has been no automated decision-making. The court is of the opinion that Bunq's appeal to the exception in article 41 paragraph 1 under d UAVG (prevention of criminal offences) is successful and that it does not have to provide further information about the client investigation. The following is reason for this.
4.12. Bunq has various obligations under the Wwft to prevent money laundering and terrorist financing. Bunq explained that a payment transaction from [applicant] resulted in a hit in the Transaction Monitoring System and Bunq believed that it had to conduct a client investigation under the Wwft. Insight into the process of information collection and selection as well as Bunq's decision-making on this basis can result in insight being provided into the operation and triggers of the Transaction Monitoring System. The disclosure of this information may result in malicious persons acquiring knowledge that can undermine the functioning of the system. The court is of the opinion that in this case, Bunq's interest in complying with the statutory obligations under the Wwft and thus contributing to the prevention of criminal offences outweighs [applicant]'s individual interest in specifying why he is subject to a client investigation. The court takes into account that [applicant] has been informed that a payment transaction was the reason for the client investigation and that he has access to all payment transactions he has made himself. As a result, [applicant] has not been completely deprived of any form of explanation.
Conclusion
4.13. All in all, the conclusion is that [applicant]'s requests will be rejected.
Legal costs
4.14. [Applicant] has been proven wrong, which is why he must pay Bunq's legal costs (including subsequent costs). The costs on the side of Bunq are estimated at:
- court fee € 688.00
- authorized representative's salary € 1,196.00 (2 points x rate II € 598.00)
- additional costs € 178.00 (plus the increase as stated in the decision)
Total € 2,062.00
5 The decision
The court
5.1. dismisses the request;
5.2. orders [applicant] to pay the costs of these proceedings, estimated at € 2,062.00 on the side of Bunq, to be paid within fourteen days after notice to that effect. If [applicant] does not comply with the judgment in time and this decision is subsequently served, [applicant] must pay an additional € 92.00, plus the costs of service.
This decision was given by Mr. H.J. Vetter and pronounced in public on 9 September 2024.