Miðlun Arion banka hf. – Dismissed (Iceland, 2020)

Information on the complainant's legal domicile, contained in the Icelandic National Registry, was disclosed to three banks without the complainant's consent. The complainant argued that she did not want her address to be made available to third parties on her behalf. The banks argued that they had a legitimate interest to process this information, because it was necessary for the carrying out of certain activities by the bank, such as transferring money securely online or creating claims via online banking, and and that the data minimisation principle was upheld, i.e. that the personal data processed was adequate, relevant and limited to what was necessary for the purposes of the processing. Did the banks have a legitimate interest to process the personal data, within the meaning of Article 6(1)(f) GDPR? Did the banks respect the data minimisation principle within the 5(1)(c) GDPR requirements? The Persónuvernd held that the banks had a legitimate interest to process the domicile information, because the security of the bank's operations online were "urgently needed" in light of the financial interest at stake. The Persónuvernd then concluded that the complainant's interests did not override the banks' legitimate interests because data minimisation had been ensured by the banks' restrictions on who could access the domicile information.