“Dutch DPA: Banks May Not Use Payment Data for Marketing Purposes”
Partner Privacy & Cybersecurity
In the wake of a recent announcement by a major Dutch bank that it would start providing its customers with personalized advertisements based on their spending patterns, the Dutch Data Protection Authority (DPA) has sent a letter to all Dutch banks urging them to thoroughly review their direct marketing practices. The DPA specifically asked any bank contemplating the use of transaction data for direct marketing to reconsider. In its analysis, the DPA may have introduced a very onerous obligation to re-collect personal data for every single use.
The DPA stated that it received a “significant amount of complaints” after the Dutch bank announced in June that it would start showing advertisements for financial products offered by the Dutch bank to customers based on their spending habits. The complaints prompted the DPA to investigate.
Together with its request for reconsideration, the DPA provided an outline of factors to assess whether the use of transaction data for marketing purposes can be considered compatible with the purpose of performing financial transactions for customers.
Under the GDPR, personal data must be collected for a specific purpose and not further processed for a different purpose if that further purpose is incompatible with the original purpose. This is the so called “purpose limitation” principle. According to the DPA, banks collect transaction data for the purpose of enabling financial transactions pursuant to the contract between the customer and the bank. The DPA then specifically held that a bank does not collect transaction data for the purpose of direct marketing (contrary to the Dutch bank’s privacy statement).
The DPA subsequently concluded that the purpose of direct marketing is incompatible with the purpose of enabling financial transactions. It supported this argument by pointing out that having a bank account is a requirement for participation in modern society and that the mere fact that someone has a bank account cannot be used to infer interest in other financial products. This, in combination with the fact that financial transaction data can be very sensitive, leads the DPA to conclude that it is not within the reasonable expectations of customers that their data would be used for direct marketing purposes. The DPA therefore found that since the purposes are incompatible, using the transaction data for direct marketing purposes is only possible if a customer gives consent.
Too strict an interpretation by the DPA?
The DPA’s analysis is interesting due to the fact that the Dutch bank explicitly indicated that it would also collect the financial data for marketing purposes, in addition to processing financial transactions. However, according to the DPA’s assessment this is not possible due to the principle of purpose limitation. While this may have been true for data collected in the past, the Dutch bank clearly announced that it was also going to use future transaction data for direct marketing. The DPA therefore seems to imply that personal data cannot be collected for multiple purposes at once, unless those purposes are compatible.
This is an interesting interpretation as the GDPR states that personal data must be collected for specified purposes and not further processed in an incompatible manner. It does not state that it must be collected for compatible purposes and not further processed. The DPA’s interpretation would, somewhat impractically require data subjects to provide the same data multiple times if required for multiple, yet incompatible purposes.
It is unclear why the DPA focussed on the principle of purpose limitation in assessing the legality of the Dutch bank’s plans. Perhaps the more obvious question to assess here would have been whether it is possible to rely on legitimate interest instead of consent for the analysis of transaction data for direct marketing purposes. Several banks have publicly announced that they are suspending their direct marketing analyses pending further discussion with the DPA on the subject.
For more information, please contact Joke Bodewits.