ING – Court Ruling (Netherlands, 2023)

In 2018, the data subject secured a loan from ING bank (the controller). Following this, several unauthorized activities occurred on his checking account, and the controller subsequently placed registrations with respect to the data subject in the Dutch Central Credit Information System (CKI). These registrations contained payment behaviour data, among other things the fact that for a certain period, the data subject was unable to fulfill their payment obligations set out with the controller. The data subject objected the CKI registrations on the basis of Article 21 GDPR, explaining that it had an impact on a loan he was taking out for a new house. The controller denied the request and further considered it as inadmissible under national provisions. The court dismissed ING's plea for inadmissibility under national provisions. The court then clarified that under national law, credit providers are mandated to process personal data and participate in the Central Credit Information System. The aim of the provision is twofold: firstly, it seeks to protect consumers from over-indebtedness and secondly, shield creditors from non-paying borrowers. The court added that the rejection of a request for data deletion under Article 21 GDPR needs to be justified by a compelling legitimate interest, subject to the principles of proportionality and subsidiarity. Legitimate interest must be assessed on the basis of currently known facts and circumstances of the case, including those after the CKI registration. The court pointed out that the data subject had inconsistent debt repayment patterns but fully cleared his debt in 2023 (i.e. after the CKI registration). In the balance of interest, the court considered that the controller's interest in maintaining the registration outweighed the data subject's interest in their removal. Consequently, the court dismissed the appeal.