Direct marketing on the basis of transaction data: is your bank allowed to offer travel insurance after booking a holiday?

On June 19 of this year, with the upcoming holiday season just around the corner, my bank – the Dutch ING Group – sent me a message informing me of an update to their privacy statement. They also told me that, based on my credit and debit statements, they knew me sufficiently well to be in a position where they could offer me personal advice and recommend specialised ING products to me just when I needed them most. I had no problems buying into their claim of having a pretty clear picture of me, since I use my debit card for practically every single purchase I make and I readily confess to being a prolific online shopper. Whether or not, however, ING is entitled to use my financial transaction information for purposes of personalised direct marketing, I was not so sure of.

When I applied for a bank account, I entered into an contract with ING. Based on this contract, ING is entitled to process my personal data as part of transaction information, allowing me to make and receive payments.^[1]But when ING sets about processing these transaction data for purposes other than those for which I opened my account in the first place, they may very well act in violation of the principle of purpose limitation, which requires the collection of personal data to be restricted to specified, explicit and legitimate purposes. By the same token, personal data cannot be further processed in a manner that are incompatible with those original purposes.^[2]So, is facilitating payments compatible with engaging in direct marketing? In a letter to the Dutch Bankers’ Association, the Data Protection Authority (DPA) for The Netherlands has answered that question negatively, noting as an important consideration ‘’that, in this day and age, in order to properly participate in society, it is a practical prerequisite for natural persons to have a payment account’’. As such, it follows, according to the DPA, that having a payment account can in no way be construed as indicating an interest in personalised direct marketing. Moreover, the DPA also notes that financial transaction data may yield detailed insight into an individual’s personal life, to the point of allowing the deduction of special categories of personal data,^[3]as in the case of payments made to medical institutions, to sex clubs or for membership of a political party.

Of course, all of this would be different if I had given consent for the further processing of my transaction data for direct marketing purposes.^[4]Which then raises the question whether my having received notification of an update to my bank’s privacy statement, can in itself be considered to imply such consent. The mere fact that the possibility of my personal data being used for purposes of direct marketing has been defined as the default setting, to which I would have to explicitly object, though constituting an “opt-out” mechanism, certainly does not carry enough weight.

In its reaction, the Dutch Bankers’ Association wonders, among other things, how the DPA’s position would hold up in a future of ever increasing importance of data to many different sorts of organisations and how the DPA’s objections are to be reconciled with the leeway offered by privacy legislation for judicial use of data for marketing purposes.^[1]With the latter, the Association is obviously referring to the provision in the GDPR stating that processing of personal data is lawful if based on the purposes of the legitimate interests of, in this case, the bank. ^[2]According to the GDPR, the processing of personal data for direct marketing may be regarded as carried out for a legitimate interest.^[3]On the one hand, in view of the utilitarian nature of a payment account, it may be undesirable for financial institutions to have legitimate interests in direct marketing outweighing the obligation of personal data protection. On the other hand, this specific case of marketing exclusively promotes proprietary ING products and services, which fact has transparently been communicated by the bank to its customers. In a preliminary governmental reaction, the Dutch Secretary of Finance has stated that it is up to the DPA, and eventually the court, if it would come to that, to decide whether or not ING has acted within the limits of applicable privacy legislation.^[4]The Dutch Bankers’ Association has declared itself open to continued discussion with the DPA,^[5]adding that, until such time, further direct marketing efforts are to be suspended. So, when booking my next holiday, I will not be receiving promotional offers for travel insurance from my bank.^[6]

Robin Creuels, LLM

^[1]Article 6,1,b of the GDPR.

^[2]Article 5,1,b of the GDPR.

^[3]Special categories of personal data are sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning health or a natural person’s sex life or sexual orientation, the processing of which is prohibited. (ex. Article 9,1 of the GDPR).

^[4]Article 6,4 of the GDPR.

^[5]https://www.nvb.nl/nieuws/banken-gaan-graag-in-gesprek-met-autoriteit-persoonsgegevens-over-betaaldata/.

^[6]Article 6,1, of of the GDPR.

^[7]Recital 47 to the GDPR.

^[8]https://www.tweedekamer.nl/kamerstukken/kamervragen/detail?id=2019D30265&did=2019D30265.

^[9]https://www.nvb.nl/nieuws/banken-gaan-graag-in-gesprek-met-autoriteit-persoonsgegevens-over-betaaldata/.

^[10]https://www.ing.nl/de-ing/privacy-statement/reactie-op-bericht-AP.html.