Richard A*** (data subject/complainant) – Complaint Upheld (Austria, 2020)

The data subject was an occasional customer at the controller, a bank. The data subject submitted a complaint to the Austrian DPA alleging that his right to privacy had been violated by the controller when it required that he produce photo ID to convert €100 to Turkish Lira (TRY). The bank then copied and saved the data subject's driver's license. The bank argued that the lawful basis for the processing (storage of the data subject's driver's license) was that it was necessary for compliance with a legal obligation imposed by §§ 5.2 and 6.1 of the Austrian Financial Markets Money Laundering Act (FM-GwG). The DPA pointed out that § 5.2 FM-GwG (Application of due diligence) required the controller to apply its due diligence obligations when an occasional transaction was over €1,000. The transaction at issue was only €100, thus the controller was under no obligation to verify the data subject's identity in accordance with § 6.1 FM-GwG (Scope of due diligence). Because the FM-GwG did not in fact impose any obligation on the controller to verify the data subject's identity, the controller did not have a legal basis for processing the data subject's data under Article 6(1)(c) GDPR. Thus, the data subject was entitled to have the controller delete his personal data per Article 17(1)(d), which allows a data subject to exercise their "right to be forgotten" in cases where their personal data has been unlawfully processed. The DPA accordingly ordered the controller to delete the copy it had retained of the data subject's driver's license within four weeks.