Landsbankinn hf. – Dismissed (Iceland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Landsbankinn hf. was involved in a case where a customer challenged the bank's request for their social security number to deposit cash. The bank argued that it needed this information to comply with laws against money laundering. The Icelandic data protection authority agreed that the bank had a legal reason to ask for the information, which is important for secure transactions.
What happened
A customer objected to Landsbankinn hf. requesting their social security number for a cash deposit.
Who was affected
The customer who wanted to deposit ISK 99,000 into their daughter's bank account.
What the authority found
The authority found that the bank had a valid legal basis for processing the social security number under GDPR due to its obligations for secure transactions.
Why this matters
This case highlights that banks can require personal information to comply with legal obligations. Small business owners should understand the importance of collecting necessary data to prevent fraud and comply with laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject wanted to deposit cash in the amount of ISK 99,000 (approx. € 700) into their daughter’s bank account at Landsbankans hf. (the bank or the controller). The bank requested for the data subject’s social security number due to the banking transaction in question. The data subject considered that to be unlawful and claimed, inter alia, that the law on actions against money laundering and the financing of terrorism 140/2018 (Law 140/2018) does not require financial institutions - such as the bank - to identify the customers when the amount of the transaction does not reach a certain threshold amount. The bank argued that it has a statutory obligation to prohibit anonymous transactions. In addition, the bank highlighted that the collection of social security numbers is important for the sake of the security and traceability of transactions. In other words, it is to ensure the reliability of transactions, to be able to correct possible mistakes in processing and/or to inform about identity theft, fraud, money laundering or other criminal acts. In its decision, the Icelandic DPA noted that processing of personal data must have a legal basis under Article 6 GDPR. For example, the DPA stated that, in the present case, personal data may be processed on the basis of a legal obligation pursuant to Article 6(1)(c) GDPR. Furthermore, the DPA noted that all processing operations must also comply with the general principles enshrined in Article 5 GDPR. The principles stipulate, inter alia, that personal data processed must be adequate, relevant and limited to what is necessary (Article(5)(1)(c) GDPR). In the context of the present case, the DPA concluded that the collection of a social security number is subject to the fact that it has a practical purpose and is necessary to ensure secure personal identification. Furthermore, the DPA noted that the controller in quetion is a financial institution and, therefore, falls under the scope of the Law 140/2018, and
Outcome
Dismissed
The complaint or investigation was dismissed.
Related Enforcement Actions (1)
Other enforcement actions involving Landsbankinn hf. in IS
Details
About this data
Cite as: Cookie Fines. Landsbankinn hf. - Iceland (2023). Retrieved from cookiefines.eu
Last updated: