ABN AMRO Bank NV – Court Ruling (Netherlands, 2020)

In order to obtain a loan, the data subject provided false document to the bank. Once the bank realized the fraud, it cancelled the contract and inserted the data subject's details into two registries (the Incident Register and the External Change Register) meant to protect and preserve the integrity of the financial system, for a maximum duration of 8 years. Before the Court of First Instance, the data subject asked the deletion of her personal data from the registries or alternatively to limit the duration of the registrations to one year, or a period to be determined by the Court. The Court of First Instance rejected the requests and the data subject challenged the decision before the Arnhem-Leeuwarden Court of Appeal. Under Article 21(1) GDPR, the Court balanced the interests at stake between the bank and the data subject. The data subject argued that her interests should prevail because as an accountant in the financial sector, this information would damage her reputation and work life. In addition, the registrations would make it impossible for her to obtain another mortgage and buy a new house. The Court of Appeal rejected these arguments. The incident was serious, especially for an accountant. This therefore justified the adverse consequences that the data subject may experience in her work. Furthermore, she had not proved the necessity of a new house, since she had been living in a (different) home that she owned. The interests and circumstances alleged by the data subject were therefore insufficient for the Court to reform the first decision. In view of the above, the interest of the bank in maintaining the registrations outweighs the interests of the data subject. As per the alternative request, the Court of Appeal did not consider the 8-years limit to be disproportionate due to the seriousness of the incident. The alternative request is therefore also rejected and the first decision entirely upheld.