ING Bank N.V. – Court Ruling (Netherlands, 2020)

The appellant has a complicated credit history with the ING bank, which resulted in debts and outstanding payments. At some point her name was added to the Central Credit Information System of the Dutch Credit Registration Office. In 2017 the appellant paid all her debts, but the registration with the Credit Registration Office is to remain for the period of 5 years until 2022. In 2019 the appellant submitted the request for erasure which was rejected by ING. Subsequent Judgement of the Court of First Instance upheld this decision, which is now being contested by the appellant. The appellant requests the Court, among others, to order ING to remove the registration with the Credit Registration Office, limit its duration period or remove the registration temporarily until she gets another loan. The appellant claims that the necessity and proportionality balance assessment done by the Court of First Instance was wrong: for example, she can not get the mortgage she needs to improve her life. Her objection to processing follows from Article 21(1) GDPR. ING argues that Article 21(1) GDPR cannot be relied on in this case because it applies only to personal data processed under legitimate interest or public interest, but not under a legal obligation which is the case here. The Court agreed with the appellant: legal basis of the processing of her personal data by ING is legitimate interest and not the legal obligation under the Dutch Financial Supervision Act (Wet op het financieel toezicht). This means, that she has the right to object to her personal data processing based on Article 21(1). However, the Court rejects the appeal as such because the principles of necessity and proportionality are respected in this case. The appellant could not demonstrate that maintaining the registration would disproportionately affect her. The fact that she is financial reliable (even though challenged by ING) does not mean that she does not need protection from excessive loans. The m