ING Bank N.V. – Court Ruling (Netherlands, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that ING Bank did not erase a user's credit registration after the user invoked the statute of limitations. This decision is significant because it clarifies how long companies can keep personal data related to debts.
What happened
ING Bank refused to erase a user's credit registration after the user invoked the statute of limitations.
Who was affected
The user who had an account with ING Bank was affected by the bank's refusal to erase their credit information.
What the authority found
The court decided that ING Bank must comply with the rules regarding the retention period for credit information.
Why this matters
This case highlights the importance of understanding how long personal data can be kept. Businesses should review their data retention policies to ensure compliance with legal requirements.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
In 2003, the data subject opened an account with revolving credit at a Dutch bank, ING Bank N.V. (the controller). In October 2006, the data subject had a delay in the payment of his credit. In December 2006, the controller terminated the data subject’s contract and claimed payment of the then outstanding debt of €27,985.63. In 2007, the data subject made a payment arrangement, but ceased to honour this arrangement after paying only a few instalments. The controller sent letters requesting payments in 2015, 2017 and 2019 to the data subject. On 23 March 2023, the data subject successfully invoked the statute of limitations.
The data subject’s balance deficit was registered by the controller in the Central Credit Information System (“Centraal Krediet Informatiesysteem – CKI”), which is administered by the Central Credit Registration Office (“Bureau Krediet Registratie – BKR”). The controller is obligated under Article 4(32) of the Dutch Financial Supervision Act (“Wet financieel toezicht – Wft”, https://wetten.overheid.nl/BWBR0020368/2024-07-10) to participate in the Central Credit Information System. The aim of the credit registration is twofold: on the one hand to protect consumers from over-indebtedness, and on the other hand to protect credit providers from borrowers who have been found to be unable or unwilling to repay their loans. The workings of the CKI are laid down in the Dutch General Regulations CKI (“Algemeen Reglement CKI – AR”), including that the retention period is five years after fulfilling the debts. In this case, the retention period started when the data subject invoked the statute of limitations, thereby writing off his debts.
The data subject then requested the controller to erase the registration. The controller did not comply. The data subject filed an urgency procedure (“kort geding”) under Dutch civil law at the Amsterdam District Court (“Rechtbank Amsterdam”) against the controller. The data subject requested the court to order the cont
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. ING Bank N.V. - Netherlands (2024). Retrieved from cookiefines.eu