Hannoversche Volksbank is to pay 900,000 euros for a breach of the General Data Protection Regulation (GDPR). The bank had analyzed customer data for advertising purposes without their consent.

Many companies use stored customer data to create advertising profiles. However, the customer's consent must be obtained for this first, a requirement that Hannoversche Volksbank did not take sufficiently into account and for which it is now being asked to pay.

Supplementing customer data with the help of Schufa

At the end of 2019, Hannoversche Volksbank commissioned a credit agency (Schufa, according to media reports) to evaluate the data of active and former customers. Schufa analyzed their digital usage behavior: specifically, purchases in app stores and how frequently they used bank statement printers. In addition, the total amount of online transfers was compared with the use of branch services. Schufa then enriched the resulting profiles with its own data and sent the data set back to Hannoversche Volksbank.

Lack of consent leads to a fine

The customers concerned were sent corresponding information documents in advance, but their consent to the data analysis was never obtained. This is a clear violation of the GDPR, according to Barbara Thiel, the data protection officer for Lower Saxony. In her view, working with customer data on the basis of a balancing of interests is permissible where there is a "legitimate interest", but evaluating large databases in order to create advertising profiles is not.

Hannoversche Volksbank is not an isolated case

The fine of 900,000 euros seems comparatively high. However, according to a statement from the data protection commissioner for the state of Lower Saxony, more and more cases have become known in which banks have acted in this way. "Bank customers cannot assume that their preferences for certain product categories or communication channels will be spied on and linked to an advertising profile by external agencies," says Thiel. There is no way around an informed and voluntary opt-in, i.e. an explicit consent procedure, even for banks.
