ABN AMRO BANK N.V. – Court Ruling (Netherlands, 2019)

Court Ruling
DPA RbAmsterdam, 3 September 2019, Netherlands
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

ABN AMRO BANK N.V. rejected a customer's request to delete his data from an Incidents Register after he was accused of fraud. The court upheld the bank's decision, stating that keeping the data was necessary for legal compliance. This ruling shows that banks can retain data when required by law.

What happened

ABN AMRO BANK N.V. denied a customer's request to delete his data from an Incidents Register.

Who was affected

A customer who was accused of fraud and later became an employee of the bank.

What the authority found

The court found that the bank was justified in retaining the customer's data to comply with national legal obligations.

Why this matters

This ruling indicates that companies can maintain personal data if required by law, emphasizing the importance of understanding legal obligations. Businesses should be aware of how legal requirements can affect data retention practices.

GDPR Articles Cited

AI-verified

Art. 17 GDPR
Art. 6(1)(c) GDPR

National Law Articles

AI-identified

Article 46 of the Dutch Personal Data Protection Act (Wbp)
Decision Authority: GHAMS
Reviewed Authority: Rb. Amsterdam (Netherlands)
Source verified 20 March 2026
articles corrected
national law identified
authority corrected
Full Legal Summary

A customer, and later employee, of a bank was entered in an Incidents Register after alleged fraud during a certain transaction. The data subject requested that the Bank delete the personal data kept in the Incidents Register and the External Referral Register ("EVR") and refrain from any further processing. The request was based on Article 46 of the Dutch Data Protection Act (Wet bescherming persoonsgegevens - Wbp), implementing GDPR. The Bank rejected the request, but said the data would be deleted within three years. The District Court of Amsterdam also rejected the customer's application. The customer has appealed. The Court had to assess whether the Bank lawfully rejected the customer's request and kept processing his personal data according to the applicable data protection framework. The Court found that the inclusion of the applicant's personal data in the EVR was necessary for compliance with a national legal obligation. In addition, retaining the personal data was in line with the principle of proportionality. The Court based its decision on the national data protection law in force prior to the GDPR's entry into force, because the facts at stake took place before May 2018.

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Related Cases (0)

No other cases found for ABN AMRO BANK N.V. in NL

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

3 September 2019

Authority

DPA RbAmsterdam

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. ABN AMRO BANK N.V. - Netherlands (2019). Retrieved from cookiefines.eu
