Bunq BV – Court Ruling (Netherlands, 2024)

The data subject has multiple bank accounts with the controller, a bank. On 13 November 2023, the controller asked the data subject to provide documents concerning their source of income. Since the data subject did not reply to this request, the controller closed their bank account. On 29 November 2023, the data subject filed an access request to the controller according to Article 15 GDPR. On 2 January 2024, the controller replied to the data subject, sending several data processed by it. However, the data subject considered it implausible that the controller does not process any data about the blocking of the account and that the logic behind the decision-making cannot be explained. Therefore, the data subject informed the controller about this and requested the latter not to delete their data pursuant to Article 18(1) GDPR since they intended to file a lawsuit. On 5 February 2024, the data subject initiated legal proceeding against the controller before the District Court of The Hague (Rechtbank Den Haag – Rb. Den Haag). More specifically, the data subject aimed at acquiring more information about the decision-making process about the blocking of their bank account and if this decision had been taken through automated means. The controller argued that it had already sufficiently acted on the access request and pointed out that there was no automated decision-making (ADM). Indeed, the controller explained that, even though an alert about a suspicious transaction is triggered automatically, then human intervention is required to decide whether to take further action. Furthermore, it noted that in the case at hand [https://wetten.overheid.nl/jci1.3:c:BWBR0040940&hoofdstuk=4&artikel=41&z=2021-07-01&g=2021-07-01 Article 41(1)(d) of the Dutch GDPR Implementation Act] (Uitvoeringswet Algemene verordening gegevensbescherming – UAVG) applies, since the purpose of this processing is preventing criminal offences pursuant to the [https://wetten.overheid.nl/jci1.3:c:BWBR0024