ING Bank N.V. – Court Ruling (Netherlands, 2020)

Appellant is a customer of ING who had his personal data registered in ING's Internal Referral Register ("IVR") in 2013 for the period of 8 years. In 2017 appellant's credit card request was rejected by ING because of the record in IVR. Before 2013 the appellant had opened and closed 15 business accounts on behalf of different companies, two of which were closed with a negative balance. Appellant claims that ING has no legal basis for registering his personal data in the IVR. The Court upheld the decision of the Court of First instance: 1) registering appellant's personal data in the IVR was necessary to protect legitimate interest of ING and to protect integrity and security of the bank sector. The Court took into account ING's adherence to the Code of Conduct for the Processing of Personal Data by Financial Institutions ("Gedragscode Verwerking Persoonsgegevens Financiële Instellingen"); 2) IVR is an internal register of ING, appellant failed to demonstrate that the record in the IVR has prevented him from getting financial services at other institutions; 3) the fact that appellant was added to the register in 2013, but noticed this only in 2017 was quite significant, according to the Court. ING has added appellant's personal data to its internal register on good grounds and in compliance with the Code of Conduct and the GDPR.