ING Bank – Court Ruling (Netherlands, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that ING Bank must erase a negative credit record for a former customer who had paid off most of their debt. This decision is important because it shows that people's rights to have their data removed can outweigh a company's reasons for keeping it.
What happened
The court ordered ING Bank to erase a former customer's negative credit registration.
Who was affected
A former customer of ING Bank, who had declared bankruptcy and completed a debt-assistance program, was affected.
What the authority found
The court decided that the customer's rights to have their data erased were more important than ING Bank's interest in keeping the record.
Why this matters
This ruling reinforces the idea that individuals have strong rights over their personal data, even against large companies. Businesses should be aware that they may need to justify keeping personal data against requests for deletion.
GDPR Articles Cited
In December 2005, the data subject took out a €202,500 mortgage for a house with ING Bank (the controller). In 2008, the data subject faced financial hardship and could no longer pay off the mortgage, and had to declare bankruptcy. In 2009, the house was sold at auction for €147,788, which left the data subject with a residual debt of €77,575 (due to accrued interest). The data subject enrolled in a debt-assistance programme that they completed in 2021. By this time, ING Bank had received €72,000 from the data subject and wrote off its claim. Despite that, ING Bank still had the data subject negatively registered in the Central Credit Information System (CKI) of the Bureau Krediet Registratie (BKR). BKR is the body which collects and manages all credit data in the Netherlands. On 6 December 2022, the data subject made an erasure request under Article 17 GDPR and an objection under Article 21 GDPR to have their negative registration no longer processed and removed. ING Bank refused both requests. In particular, ING argued that its legitimate interest in recording the data subject’s credit history overrode the data subject's right to be forgotten. On 19 April 2023, the data subject filed a claim with the Amsterdam District Court. The Court held that the interests of the data subject overrode those of ING Bank (the controller) in relation to the erasure request. In reaching its conclusion, the Court undertook a balancing test to determine whether the Bank had sufficiently demonstrated compelling legitimate grounds for processing which were capable of overriding the data subject’s interests and rights. In the balancing test, the Court determined the scope of the controller's legitimate interest through the purposes behind the Bank’s credit registration system. The Court understood the purpose of the credit registration system to be twofold: 1. To protect consumers from taking on too much debt; 2. To protect lenders against consumers who do not or cannot fulfil t
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for ING Bank in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. ING Bank - Netherlands (2023). Retrieved from cookiefines.eu
Last updated: