Lower Saxony: LfD Niedersachsen fines credit institution €900,000 for data processing without sufficient legal basis
The Lower Saxony data protection authority ('LfD Niedersachsen') announced, on 28 July 2022, that it had issued a decision in which it imposed a fine of €900,000 on a credit institution, for violations of Article 6(1)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation by the LfD Niedersachsen.
Background to the case
In particular, the LfD Niedersachsen stated that the decision concerns the credit institution's processing of data from active and former customers without their prior consent. More specifically, the LfD Niedersachsen noted that, through the use of a service provider, the company analysed digital usage behaviour and evaluated, among other things, the total volume of app store purchases, the frequency of use of account statement printers, and the total amount of online banking transfers in comparison to the use of branches. Additionally, the LfD Niedersachsen highlighted that the company had compared the results of its analyses with information from a credit agency and thereby enriched those analyses, with the ultimate aim of identifying and targeting customers with an increased inclination towards digital media for advertising purposes.
Findings of the LfD Niedersachsen
Notably, the LfD Niedersachsen found that the company's reliance on legitimate interests as a legal basis for its processing of personal data, pursuant to Article 6(1)(f) of the GDPR, was inadequate in the circumstances of the case. More specifically, the LfD Niedersachsen stated that, when balancing interests in connection with the use of the legitimate interest legal basis, controllers must, among other things, take into account the reasonable expectations of data subjects, who in this context would not expect databases to be used on a large scale to identify their inclination towards certain product categories or communication channels. As such, the LfD Niedersachsen noted that the company could not invoke legitimate interest as a legal basis and must instead obtain consent from data subjects.
Ultimately, the LfD Niedersachsen stated that it had accused the company of being in contravention of Article 6(1)(f) of the GDPR, and thus of lacking a sufficient legal basis to process customers' personal data, and in this regard imposed a fine of €900,000 on the company. Notably, however, the LfD Niedersachsen expressed that the fine is not yet final.
You can read the press release, only available in German, here.