Deutsche Bank – €20,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Deutsche Bank was fined €20,000 for not responding to a customer's request for access to their personal data in a timely manner. The Italian data protection authority found that the bank failed to meet the required deadlines for such requests. This case highlights the importance of responding quickly to customers' data access requests.
What happened
Deutsche Bank did not respond to a customer's request for access to their personal data within the required time limits.
Who was affected
A customer of Deutsche Bank who requested access to their personal data was affected.
What the authority found
The Italian data protection authority ruled that Deutsche Bank failed to comply with GDPR's time limits for responding to data access requests.
Why this matters
This case emphasizes that banks and other companies must prioritize timely responses to data access requests. Small businesses should ensure they have efficient processes in place.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
The data subject is a customer of Deutsche Bank. Deutsche Bank is the data controller. In 2017 the data subject entered into a loan agreement with the data controller. The data controller disclosed the data subject’s name to CRIF Italy, an Italian database for credit scoring. The data subject later learned about the disclosure. In July 2020 he submitted an access request with the controller, asking to provide him with the information as laid down under Article 13 GDPR (the data subject invoked Article 13 GDPR but apparently meant Article 15 GDPR, see comment below). The controller failed to reply. In October 2020 the data subject filed a complaint with the Italian DPA. He claimed that the controller failed to respond to his request within the time limits laid out by Article 12(3) GDPR. In June 2021, after the complaint was notified, the controller admitted that they failed to respond to the request in time and provided the data subject with the information under Article 15 GDPR (see comments for clarification). The controller claimed that the data subject’s request was only a small part of a longer communication, in which he complained that the disclosure of his personal data to CRIF Italy was unlawful. The controller claimed that they needed more time in order to properly address the data subject’s complaints in their entirety. The controller also claimed that they already provided the data subject with the information he requested when he agreed to the loan contract, in compliance with Article 13 GDPR. The DPA reject the controller’s arguments entirely. The DPA held that the controller violated Article 12 and Article 15 GDPR. The controller was under an obligation to respond to the data subject’s acccess request, even though the information he requested had already been provided at the time his personal data were collected, pursuant to Article 13 GDPR. Compliance with Article 13 GDPR at the moment of data collection does not exempt the controller from his
Related Enforcement Actions (0)
No other enforcement actions found for Deutsche Bank in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 June 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-5206About this data
Cite as: Cookie Fines. Deutsche Bank - Italy (2022). Retrieved from cookiefines.eu
Last updated: