The Dutch Data Protection Authority has written to the Dutch Banking Association to state that processing customers' transaction data for direct marketing purposes may not be in compliance with the General Data Protection Regulation.
In a letter dated 1 July 2019 (in Dutch) (the "Letter"), Dutch Data Protection Authority (the "Dutch DPA") informed the Dutch Banking Association that processing individuals' transaction data for the further purpose of direct marketing to the same individuals may not be compliant with the requirements of the General Data Protection Regulation ("GDPR") (which regulates the processing of personal data). This is a potentially serious issue for financial services companies, as they increasingly look to extract value from consumer data.
The data protection principles under the GDPR
Article 5 of the GDPR sets out principles that a controller must comply with when collecting and further processing personal data of individuals. The principles state that controllers must, among other things, collect personal data for specified, explicit and legitimate purposes and not use that personal data for other purposes that are incompatible with the original purpose. In addition, under Article 6 of the GDPR, controllers must have a valid legal basis for each of the purposes for which they process personal data – a list of these legal bases is set out in Article 6(1), and further guidance can be found here.
Letter from the Dutch DPA
The Letter addresses the intention of financial service companies to process individuals' payment transaction data for the purposes of sending tailored direct marketing messages to those individuals. The Dutch DPA decided to investigate this matter after receiving a number of complaints from individuals following that same announcement.
As an Appendix to the Letter, the Dutch DPA also issued guidance (the "Guidance") intended to help banks determine whether the processing of transaction data for direct marketing purposes would be compatible with the original purpose for which the data were collected. In the Guidance, the Dutch DPA stated that if personal data in transaction data are collected and processed for the purpose of executing a payment transaction, then the further processing of that personal data for the purpose of sending direct marketing messages to individuals would be incompatible with the original purpose of processing in nearly all cases. The Dutch DPA sets out a number of factors that would need to be taken into account to determine whether these two purposes for processing are compatible. These factors relate specifically to payment accounts and transaction data, including the need for payment accounts in modern society, the evolution towards a cashless society, and the potential confidentiality of the collected data. On that basis, the Dutch DPA concluded that banks would need to obtain the consent of those individuals to process transaction data for direct marketing purposes.
Impact on businesses
Although the Letter and the Guidance relate to banks in particular, the legal principles they address are not exclusive to a financial services context – they apply equally to business in all sectors. Businesses should therefore be aware of the position taken by the Dutch DPA in the Letter and the Guidance, and consider the ways in which they use personal data collected for other purposes to send direct marketing messages. However, it should also be noted that the position adopted by the Dutch DPA is not legally binding (because DPA guidance has advisory status only) and has not yet been publicly adopted by other EU DPAs. It is therefore unclear whether the enforcement position in the EU as a whole will follow the Dutch approach.
Businesses should therefore keep an eye out for further developments in this area, particularly in the Netherlands as the Dutch DPA has indicated that it may take enforcement action against businesses, and in particular banks, that process customers' personal data for direct marketing purposes that are incompatible with the original purposes for which the data were collected.
Click here to download PDF.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP