Bank fined for creating customer profiles without a legal basis

Summary

A commercial bank*, acting as the controller, used personal data of both current and former customers to identify those with a preference for digital media usage. The customer profiles were created to target them with intense electronic communications for commercial purposes, in the form of advertisements.

To carry out this analysis, a service provider was hired to analyze digital usage behavior, including app-store purchases, frequency of bank statement printer usage, and online banking transfers. This data was compared to offline usage at local branch offices and further enriched with data from a commercial credit reporting agency. Although most customers were notified in advance, the controller did not obtain consent from the data subjects.

The bank relied on legitimate interests, in the form of direct marketing, as the basis for the processing of data, analysis, and creation of customer profiles.

*Possibly Hannoversche Volksbank. This is not confirmed by the DPA.

The Decision of the DPA

The LfD Lower Saxony fined the bank 900,000 EUR for the following violations:

• The bank’s analysis of large amounts of data to create customer profiles could not be based on legitimate interests, as it did not properly balance its interests with the fundamental rights and freedoms of the data subject (GDPR, Article 6(1)(f)).

• The data subject could not reasonably expect their personal data to be analyzed on such a large scale for targeted advertising. The bank could not invoke a weighing of interests and should have obtained consent for the processing.

• The use of third-party data enrichment, such as data from a commercial credit reporting agency, to create precise profiles weighs heavily in favor of the rights and freedoms of the data subject in a balancing of interests. Thus, consent should have been obtained.

Note: The DPA press release states that the decision is not final. However, as no appeal was made within the two-week appeal period, the decision is now considered final.

Our remarks

• When basing the data processing on a legitimate interest such as direct marketing, perform a balancing test to weigh the legitimate interest of the data processing against the fundamental rights and freedoms of the data subjects.

° While it might not be obvious what the specific interests of the data subject are, it’s crucial to consider their reasonable expectations. Do these reasonable expectations align with your legitimate interests? In the case in question, third-party enrichments to create precise profiles and the use of large databases for advertisement purposes both exceeded what could be considered reasonable expectations.

• Ensure that any third-party data enrichment is based on a legal basis. In the case in question, consent should have been obtained. As third-party enrichments allow for collection of data from different areas of life, potentially creating very precise profiles, it’s important to carefully consider the implications of the data processing and choose a legal basis accordingly. Also keep in mind the principles of data minimization and transparency.

Published: 28-07-2022 Journal number: N/A Tags: 01 Legal basis and principles of processing

Complycloud EU GDPR Report