Evaluation of customer data without legal basis by Hannoversche Volksbank
Hannoversche Volksbank analyzed the data of its current and former customers with regard to their online user behavior without any legal basis.
Information on the frequency of app store purchases, how often the account statement printer was used, and the monetary amount of transfers made in online banking were analyzed. This information should be used to determine which customers have a digital affinity and who should receive advertising and content relevant to the contract in a way that is digitally appropriate to the addressee.
An unnamed service provider was commissioned to evaluate the information collected, and the results were compared and supplemented with information from a credit agency.
Although the recipient of the fine had informed the data subjects about the analysis in advance, the data subjects were not asked for their consent. In the opinion of the LfD Lower Saxony, the bank could not base the data evaluation on its legitimate interest either, since profiling for advertising purposes by evaluating large data sets is not permissible and the interests of the data subjects outweigh this.
However, it was deemed favorable for Hannoversche Volksbank that the results of the analysis were not used and that it cooperated with the data protection authority in the course of the investigation.
The penalty notice is not yet legally binding.
Entscheidungsdatum:
28.07.2022
Land:
Germany
Art des Verstoßes:
Illegal data processing
Betroffene Datensätze:
unknown
Waren sensible Daten betroffen?:
No
verhängte Geldstrafe:
€ 900,000,-
Violation of GDPR Paragraph:
6. Lawfulness of processing