08 November 2019
In a recent decision,(1) the Federal Administrative Court confirmed that a credit institution had violated its obligations under Article 15 of the EU Data Protection Regulation (2016/679) (GDPR) by refusing to provide its customer access to information – at no cost – on specific payment transactions effected in the previous five years.
As part of a legal dispute with his landlord, the applicant needed evidence of his rent payments to property management companies in the previous five years. However, his bank's online system limited his access to transactions made during the previous 12 months. Accordingly, the applicant asked his bank for the corresponding information for the preceding four years. The bank offered to provide this information for a charge of approximately €30 per year, based on Section 33(2) of the Payment Services Act 2018 (ZaDiG 2018),(2) which implements Article 40(2) of the EU Payment Services Directive (2015/2366/EC) (PSD II). In reply, the applicant submitted a request for information under data protection legislation, asking the bank to provide information about his personal data processed by the bank, in particular on the transfers that he had made to the various property management companies during the previous five years. The bank did not answer this request. On the applicant's motion, the Data Protection Authority rendered a decision(3) in favour of the applicant and held that the bank:
The Federal Administrative Court dismissed the bank's appeal against the Data Protection Authority's decision and held that:
The bank claimed that the applicant's request for information was unjustified because it had been made to circumvent the charging mechanisms that ZaDiG 2018 and PSD II provide for supplying said information. The Federal Administrative Court (with reference to Recital 63 of the GDPR) held that the applicant's wish to avoid being charged for copies of his account statements and information on payment transactions, by exercising his right of access to personal information under data protection legislation, could not be seen as an evident violation of his rights as a data subject pursuant to Article 15 of the GDPR. In this respect, the Federal Administrative Court also held that an exercise of the right of access does not need to be substantiated.
Consumer protection organisations and the Austrian press celebrated the decisions by the Data Protection Authority and the Federal Administrative Court. However, on closer inspection, those cheers seem to have been uttered a little too early and the celebrants' expectations appear to have been a little too high.
First, the applicant did not ask for duplicates of full account statements, but for information on specific payment transactions. Second, the meaning of the term "copy [of the personal data undergoing processing]" may not correspond to the colloquial meaning of an original reproduction of an account statement. Further, under Article 15(3) of the GDPR, if a data subject makes a request by electronic means, unless otherwise requested, the relevant information must be provided in a "commonly used electronic form". Banks may thus limit the amount of information by providing information on payment transactions only in a simple electronic form (eg, a spreadsheet or a printout of a mere list of such data).
Third, Article 15(4) of the GDPR provides for a restriction of content where relevant, as obtaining information must "not adversely affect the rights and freedoms of others" (ie, there may be a need to provide information with some details blacked out). However, following Recital 63 of the GDPR, including the International Bank Account Number of a recipient's payment account and the amount transferred seems mandatory to ensure that the data subject has access to the data needed to exercise this right and to "be aware of, and verify, the lawfulness of the processing". Accordingly, providing such information (even though it may qualify as personal data of the recipient) will most likely not adversely affect the rights of the recipient of the transfer.
It remains to be seen whether the lex specialis argument used by the bank will be upheld by the European Court of Justice. According to the bank, Article 15 of the GDPR should not be construed in a way that contradicts the PSD II and its comprehensive set of provisions on consumer information obligations or payment service providers' right to charge for duplicates and more frequent provisions of information.
At present, several Austrian banks charge considerable fees for reprinting individual account statements. Whether these charges qualify "as reasonable fees based on administrative costs" (GDPR) or "are reasonable and in line with the payment service provider's actual costs" (PSD II) remains to be seen. From a pragmatic point of view, limiting a customer's access to (electronically stored) information about payment transactions made more than 12 months ago through a paywall may seem an odd business decision for a bank, particularly considering the Data Protection Authority's current view of customer rights under the GDPR.
For further information on this topic please contact Stephan Schmalzl at Schima Mayer Starlinger by telephone (+43 1 383 60) or email (firstname.lastname@example.org). The Schima Mayer Starlinger website can be accessed at www.sms.law.