Right to access bank documents Summary Our remarks A data subject made a request to their former bank for • Under Article 15 of the GDPR, individuals have the all documents containing their personal data that had right to access their personal data, but this does been processed. not mean that they can demand full copies of all documentation containing their personal data, The data subject specifically sought information about including underlying documents and personal potential EVA registration (a Dutch fraud prevention notes made by others. system) and the bank’s security affairs department’s report. • Furthermore, a request for access may be rejected if it is deemed manifestly unfounded or excessive. However, the bank stated that it no longer had these This could be the case if the data subject submits documents due to exceeding retention periods. requests for access every other week to harass or The bank did, however, offer to conduct an internal annoy an organization. investigation. • If the organization chooses not to comply with a District Court request, it must be able to demonstrate why the The District Court rejected the data subject’s request request is unfounded or excessive, and must still but allowed the bank to conduct an investigation and respond to the individual within one month of provide a report to the data subject. The data subject receiving the request. The organization must also filed an appeal claiming that under GDPR, Article explain the reasons for not complying with the 15 they had the right to access complete copies of request and inform the individual of their right to documentation containing their personal data, and complain to the relevant supervisory authority and that the bank had conducted multiple investigations to seek a judicial remedy. into their activities. The bank argued that it no longer had the data as the retention period had lapsed. The decision of the Court of Appeal The Court of Appeal rejected the access request. Published: 27-07-2021, Journal number: 200.290.520_01 Tags: 02 Right of access and obligation to provide information 34