Hannoversche Volksbank is to pay 900,000 euros for a breach of the General Data Protection Regulation (GDPR, abbreviated DSGVO in German). The bank had evaluated customer data for advertising purposes without the customers' consent.
Many companies use stored data of their customers to create an advertising profile. However, the customers’ consent must be obtained for this. Hannoversche Volksbank did not sufficiently take this requirement into account and is now being asked to pay for it.
Supplementing customer data with the help of Schufa
As early as the end of 2019, Hannoversche Volksbank commissioned a credit agency – Schufa, according to media reports – to evaluate data on active and former customers. Schufa then analyzed their digital usage behavior, specifically purchases in app stores and the frequency of use of statement printers. In addition, the total amount of online transfers was evaluated in comparison to the use of branch services. Schufa then enriched the resulting profiles with its own data and transmitted the data set to Hannoversche Volksbank.
Lack of consent leads to fine
The customers concerned were sent relevant information documents in advance. However, consent to the data analysis was not obtained. This is a clear violation of the DSGVO, according to the data protection commissioner of Lower Saxony, Barbara Thiel. In her opinion, customer data may be processed on the basis of a “legitimate interest” after a weighing up of interests, but it is not permitted to evaluate large databases in order to create advertising profiles.
Hannoversche Volksbank not an isolated case
The fine of 900,000 euros seems comparatively high. However, according to a statement by the Lower Saxony state data protection commissioner, an increasing number of cases had become known in which banks proceeded in this way. “Bank customers cannot assume that their inclinations toward certain product categories or communication channels will be spied out and linked to an advertising profile by means of external agencies,” says Thiel. There is no way around an informed and voluntary opt-in – in other words, an explicit consent procedure – even for banks.