The Hague District Court confirms Bunq’s ruling in GDPR data access case | A&O Shearman

(co-author: Lucie Rontchevsky)

In an important ruling (dated September 9, 2024), the court in The Hague sided with Bunq BV (Bunq) and rejected part of the customer’s GDPR access request. This decision emphasizes that the interests of a financial entity protected by anti-money laundering legislation may take precedence over the rights of data subjects under the GDPR.

This case highlights that the risk of exposing a company’s models for detecting suspicious transactions under anti-money laundering laws may be a valid reason for not returning certain personal data when responding to a data subject’s access request.

Background to the case

In the context of customer due diligence, Bunq had requested (additional) documentation from the customer to verify the source of his income, citing security and compliance reasons. Bunq blocked the customer’s account before the customer’s deadline for submitting the required documents. However, Bunq unblocked the accounts the same day after the customer provided the requested documentation. Nevertheless, the customer submitted a GDPR access request regarding the personal data processed in this decision-making process.

Bunq then disclosed various information to the customer. It further explained that the (additional) customer research had been started after Bunq’s Transaction Monitoring System flagged a payment transaction. The customer subsequently requested full disclosure of all information referred to in Article 15 GDPR, including the reasons for the investigation and meaningful insight into the logic of the processing, as the customer believed that automated decision-making was involved.

Bunq argued that it had sufficiently complied with the customer’s GDPR access request and was not obliged to provide more details about its customer due diligence process. The bank also stated that there was no automated decision-making and therefore there was no need to disclose the logic behind its Transaction Monitoring System. In addition, Bunq cited Article 41 of the General Data Protection Regulation Implementation Act (UAVG) to justify not granting further access, with the aim of preventing criminal activities and protecting trade secrets. (Article 41 UAVG essentially copies the possible grounds for limiting the rights of the data subject by a legal measure under Article 23 GDPR.) Bunq emphasized that it complies with the Money Laundering and Terrorism Financing (Prevention) Act (Wwft) and warned that disclosing how its Transaction Monitoring System operates could help malicious actors to circumvent it.

Ruling by the court of The Hague

The Court agreed with Bunq.

1.) The court ruled that Bunq had complied with the customer’s data access requests regarding the personal data received from third parties of Bunq, received by various departments within Bunq, as well as personal data received from external sources (including in particular his name, contact details, nationality, number of payments and risk score, documentation provided by him about the source of his income and the online public sources about the customer consulted by Bunq).

2.) The court then dealt with the remaining customer request regarding information about the customer that led to and was processed in the context of the account block, and access to the logic and processing of automated decision-making. The Court emphasized that there was no automated decision-making process. The judges recalled that Bunq is subject to a stricter customer due diligence obligation to prevent money laundering and terrorist financing under the Wwft. To meet this obligation, Bunq uses a Transaction Monitoring System. In this case, the system flagged a payment transaction involving the customer, prompting enhanced customer due diligence. While the Transaction Monitoring System algorithm flagged the transaction without human intervention, all subsequent actions involving the customer required human decision-making. Bunq explained that the decision to take further action in response to the System’s warning, as well as the subsequent investigation, was taken by Bunq employees. Therefore, the Court ruled that the process in question did not constitute automated decision-making within the meaning of Article 22 GDPR. Consequently, Bunq was not obliged to disclose the logic of the Transaction Monitoring System under Articles 15(1)(h) and 22 GDPR.

3.) The court furthermore rejected the customer’s request for (additional) information about the reason and decision-making regarding the customer investigation, even though no automated decision-making took place. The court upheld Bunq’s reliance on the exception in Article 41(1)(d) UAVG, which concerns the prevention of criminal offences. Bunq does not have to provide any further information about the customer research process.
The court concludes that Bunq’s interest in complying with its legal obligations under the Wwft and contributing to the prevention of criminal offenses outweighs the customer’s individual interest in understanding why he is subject to a customer investigation. In addition, the court notes that the customer was informed that a payment transaction gave rise to the customer due diligence. Furthermore, he had access to all his payment transactions. The customer was therefore not completely without explanation.

The Court’s decision is based on an express limitation of the right of access under Dutch law, namely Article 41(1)(d) UAVG, which is a literal copy of Article 23(1)(d) GDPR. In our opinion, the Court’s weighing of the conflicting interests of Bunq and the customer could also apply under Article 15(4) GDPR. This provision allows the controller to restrict the data subject’s right to receive a copy of his or her personal data where doing so would prejudice the rights and freedoms of others, including potentially the controller’s own rights and interests, such as trade secrets, intellectual property rights or other protected rights. Like the Court’s assessment under Article 41(1)(d) UAVG, Article 15(4) GDPR also requires a balancing of interests between the right of the data subject to access his personal data and the rights and freedoms of others who may be harmed by the disclosure of such data. A controller could therefore withhold the logic and outcomes of its models for detecting suspicious transactions under anti-money laundering legislation under Article 15(4) GDPR, on the grounds that disclosing this information could allow the models to be circumvented and undermine the fight against money laundering, which is a risk that outweighs the data subject’s right to receive this information (provided it concerns personal data).

The full text of the decision is available here.
