13 January 2020

What if a bank does not comply with the AVG

As of 25 May 2018, the Personal Data Protection Act (“Wbp”) no longer applies. What applies instead? As of that date, the General Data Protection Regulation, or AVG, enters into force. This privacy legislation applies throughout the European Union. In English, the AVG is referred to as the General Data Protection Regulation (“GDPR”).

Banks will also have to deal with, and comply with, this new privacy legislation. Banks collect and use a great deal of personal data. In particular, banks store and use sensitive data such as their customers’ citizen service number (BSN) and other financial data. After all, banks are obliged to identify their customers, who must present proof of identity. A copy of this proof of identity is made and kept on file. In this way, the bank can demonstrate that it has fulfilled its legal obligations (including those under the Wwft). In addition, banks use the BSN to exchange data with the Tax and Customs Administration. Consider also cases where someone has made an incorrect payment and wants the money back. Under certain circumstances, the bank can pass on the name and address details of the receiving party to its customer (the bank’s principal).

An article in the Financieel Dagblad (dated 10 April 2018) shows that banks more commonly pass on name and address details to their business clients. Banks want to have stopped passing on these name and address details as of 1 January 2019. It would appear that business clients have made extensive improper use of the name and address details forwarded to them. In the article referred to above, it emerged that Rabobank had forwarded the name and address details of its client – a Red Cross donor – to the Red Cross, which then asked the donor to make another donation. The Red Cross acknowledged that this should not have been allowed. This is an improper use of personal data, for which the donor had not given permission.

The AVG is strict. If a provision of the AVG is breached, severe sanctions can be imposed.

Personal data supervisor: measures and sanctions

Under the AVG, the supervisory authority of the particular Member State has a number of powers. These can be divided into (1) investigative powers, (2) corrective measures, and (3) authorisation and advisory powers. Each power must be exercised in a way that is appropriate, necessary and proportionate, taking into account the circumstances of the individual case, respecting each person’s right to procedural fairness in relation to the imposition of measures, and avoiding unnecessary costs. Additionally, the supervisory authority of the Member State must set out clearly and unambiguously, in writing, the measure it has imposed, stating when and why the measure was imposed and indicating to which (judicial) body an objection or appeal may be lodged.

I will expand on the various powers below.

What are the supervisory authority’s investigative powers?

On the basis of Article 58(1) of the AVG, the supervisory authority in question has the following investigative powers:

(i) to require the controller to provide information;

(ii) to conduct investigations in the form of data protection checks;

(iii) to carry out a review of the certificates referred to in Article 42 of the AVG;

(iv) to notify the controller of a breach of the AVG;

(v) to obtain access to premises (including business premises).

Investigative powers that give access to premises must be exercised in accordance with the specific rules of the relevant Member State’s procedural law (including, where applicable, the obligation to obtain judicial authorisation before access to premises is granted).

What corrective measures and sanctions are in place?

On the basis of Article 58(2) of the AVG, the Member State’s supervisory authority has the following corrective measures and sanctions at its disposal:

(i) issue a warning to the controller;

(ii) reprimand the controller;

(iii) oblige the controller to comply with the data subject’s requests;

(iv) oblige the controller to reconcile the processing of personal data with the AVG within a specified period of time;

(v) require the controller to notify data subjects that there has been a breach of the processing of their personal data;

(vi) impose a temporary or definitive processing restriction or prohibition on the controller;

(vii) rectify or erase personal data relating to data subjects;

(viii) revoke certificate(s);

(ix) impose an administrative fine;

(x) suspend data flows to a recipient in a third country and (or) international organisation.

As the AVG prescribes, all sanctions imposed must be not only proportionate but also effective and dissuasive. The measures referred to in (i), (viii) and (x) may be imposed at the same time as an administrative fine. The amount of such a fine is determined according to the circumstances of the case. Relevant circumstances include the nature, seriousness and duration of the breach, the intentional or negligent nature of the breach, the measures taken by the controller, the extent to which the controller is responsible in view of the technical and organisational measures implemented, previous (relevant) breaches of the AVG, the extent to which the controller helped to remedy the breach, and any other potentially relevant circumstances.

How large can the administrative fine be?

The amount of the fine depends on the infringement committed by the controller. There are a number of possibilities:

  • either an amount of up to € 10,000,000 and, for companies, an amount of up to 2% of the total worldwide annual turnover in the preceding business year, in the case of infringements relating to the conditions for consent of children (Article 8), processing for which identification is not required (Articles 11, 25 to 39 and 42), certification bodies (Article 43) and Article 41(4); or
  • an amount of up to € 20,000,000 and, for companies, up to 4% of the total worldwide annual turnover in the preceding financial year, in the event of violations of the principles governing the processing of personal data (Article 5), the lawfulness of processing (Article 6), the conditions for consent (Article 7) and the processing of special categories of personal data (Articles 9, 12 to 22, 44 to 49 and a number of others).

What authorisation and advisory powers are there?

Under Article 58(3) of the AVG, the Member State’s supervisory authority has the following powers of authorisation and consultation:

(i) to advise the controller;

(ii) to advise the national parliament, government, other institutions, etc.;

(iii) to authorise the processing of personal data;

(iv) to approve draft codes of conduct;

(v) a number of other powers.

Questions or comments on this blog? Feel free to contact financial law lawyer Hedwig Delescen (email: hd@blenheim.nl or tel.: 020-5210100).