Court case 24/02161 – Court Ruling (Netherlands, 2025)

The data subject applied for a credit card in 2008 and was granted it. In July 2020, the bank (controller) requested that the data subject identify themselves online by providing a copy of their ID and a digital selfie. A bank employee would then compare the two images and approve it. The data subject was informed that this was necessary to comply with the provisions of the Fourth Anti-Money Laundering Directive (AMLD) and failure to do this would result in their card being terminated. In late July and early August, the controller contacted the data subject, again requesting that they verify their identity through the online portal. On 17 August 2020, the data subject was informed that their credit card agreement would be cancelled in November 2020, unless they verified their identity before then. In September 2020, the data subject sued the controller in the Subdistrict Court of Amsterdam, which declared some of her claims as inadmissible and dismissed others. In August 2021, the data subject appealed to the Amsterdam Court of Appeal. The data subject sought, inter alia, the restoration of their credit card, the payment of compensation, and a declaration that the bank’s proposed method of identification is unlawful. In March 2024, the Amsterdam Court of Appeal upheld the decision of the lower Court. The data subject then appealed to the Supreme Court. The data subject argued that the processing of biometric data in the identity verification procedure is unlawful under Article 9(1) GDPR and that the appellate court had erred in finding that the controller could retain copies of their ID after the verification had been performed. The Parket opined that the verification of the data subject’s identity in this method did not constitute biometric processing, falling under Article 9 GDPR. The Parket reasoned that the identification of the individual in this process is performed by an employee of the controller, not by software. The processing operation was therefor