In the decision of May 28, 2020 on GZ: DSB-D124.720 2020-0.280.699, the data protection authority had to deal with a complaint regarding the right to confidentiality (Section 1 of the Data Protection Act) and the Financial Market Money Laundering Act (FMGwG).
The complainant wanted to have 100 euros changed into Turkish lira (TRY) at a bank branch. He was then prompted by the bank employee,
to present a photo ID for the bill of exchange, in case of other termination of the money exchange. The complainant refused at first, but eventually presented his driver’s license, which was copied and stored.
The bank, as the respondent to the complaint, justified the processing of the photo ID in question on the basis of its obligations under the FMLA. Accordingly, it must apply due diligence measures in the case of mere suspicion of money laundering or terrorist financing (Section 5 (4) FMLA), irrespective of the amount of the incoming or outgoing payment, and, in case of doubt, demand identity documents pursuant to Section 6 (1) (1) FMLA. His refusal had been interpreted as conspicuous customer behavior. Furthermore, the bank branch manager had been aware that the complainant had worked for a higher federal authority, therefore, according to section 2 no. 6 in conjunction with section 11 FM-GwG, a PeP (Politically Exposed Person) was
test would have had to be carried out.
The data protection authority upheld the complaint and found that the right to confidentiality had been violated, since the money exchanged by the complainant for the equivalent of EUR 100 was in any case an amount below the value limit of EUR 1,000, or EUR 15,000 under Section 5(2) FM-GwG. Furthermore, a refusal to present photo identification alone does not infer that an exchange of money constitutes terrorist financing or money laundering. Moreover, an employee of a higher federal authority is not equivalent to a PeP property, according to which they are, for example, heads of state, members of parliament or constitutional judges. Therefore, there was no justification for the processing of personal data in question.
This decision is not legally binding.