Court case 24/02161 – Court Ruling (Netherlands, 2025)

Court Ruling
DPA HogeRaad, 21 February 2025, Netherlands
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Dutch court ruled that a bank's method of verifying identity for credit card holders was lawful. The court decided that the bank's process did not involve biometric data processing, which is subject to stricter rules. This matters because it clarifies how banks can verify identities without violating privacy laws.

What happened

The bank required a credit card holder to provide a copy of their ID and a selfie for identity verification.

Who was affected

The credit card holder whose identity was being verified by the bank.

What the authority found

The court found that the bank's identity verification method did not involve biometric data processing, thus complying with GDPR rules.

Why this matters

This ruling helps define what constitutes biometric data and informs banks about acceptable identity verification methods. Other companies should ensure their verification processes align with privacy regulations.

GDPR Articles Cited

Art. 9(1) GDPR
Art. 4(14) GDPR

Decision Authority: Hoge Raad
Source verified 19 March 2026
articles corrected
authority corrected
Full Legal Summary
Detailed

The data subject applied for a credit card in 2008 and was granted it. In July 2020, the bank (controller) requested that the data subject identify themselves online by providing a copy of their ID and a digital selfie. A bank employee would then compare the two images and approve the verification. The data subject was informed that this was necessary to comply with the provisions of the Fourth Anti-Money Laundering Directive (AMLD) and that failure to do so would result in their card being terminated. In late July and early August, the controller contacted the data subject, again requesting that they verify their identity through the online portal. On 17 August 2020, the data subject was informed that their credit card agreement would be cancelled in November 2020 unless they verified their identity before then.

In September 2020, the data subject sued the controller in the Subdistrict Court of Amsterdam, which declared some of their claims inadmissible and dismissed others. In August 2021, the data subject appealed to the Amsterdam Court of Appeal. The data subject sought, inter alia, the restoration of their credit card, the payment of compensation, and a declaration that the bank's proposed method of identification is unlawful. In March 2024, the Amsterdam Court of Appeal upheld the decision of the lower court. The data subject then appealed to the Supreme Court.

The data subject argued that the processing of biometric data in the identity verification procedure is unlawful under Article 9(1) GDPR and that the appellate court had erred in finding that the controller could retain copies of their ID after the verification had been performed. The Parket opined that verifying the data subject's identity by this method did not constitute biometric processing falling under Article 9 GDPR. The Parket reasoned that the identification of the individual in this process is performed by an employee of the controller, not by software. The processing operation was therefor

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date

21 February 2025

Authority

DPA HogeRaad

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case 24/02161 - Netherlands (2025). Retrieved from cookiefines.eu
