This case highlights that the risk of exposing a company’s models for detecting suspicious transactions under anti money-laundering laws can be a valid reason for not returning certain personal data when responding to a data subject access request.
Case Background
In the context of a customer due diligence process, Bunq had requested (additional) documentation from the customer to verify the source of his income, citing security and compliance reasons. Bunq blocked the customer's account before the customer's deadline for submitting the required documents. However, Bunq unblocked the account the same day after the customer provided the requested documentation. Nevertheless, the customer filed a GDPR access request regarding the personal data processed in this decision-making process.
Subsequently, Bunq disclosed various data to the customer. It further explained that the (additional) customer due diligence process had been initiated because Bunq's Transaction Monitoring System had flagged a payment transaction. The customer then requested full disclosure of all information specified in Article 15 of the GDPR, including the reasons for the investigation and meaningful insight into the logic of the processing, as the customer assumed that automated decision-making was involved.
Bunq argued that it had sufficiently met the customer's GDPR access request and was not required to provide more details about its customer due diligence process. The bank also stated that no automated decision-making was involved, so there was no need to disclose the logic behind its Transaction Monitoring System. Additionally, Bunq cited Article 41 of the Dutch General Data Protection Regulation Implementation Act (UAVG) to justify not providing further access, aiming to prevent criminal activities and protect trade secrets. (Article 41 UAVG essentially copies the possible grounds for restricting the data subject's rights by a legislative measure under Article 23 GDPR.) Bunq emphasized its compliance with the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft) and warned that revealing the system's operation could help malicious individuals bypass it.
The Hague District Court's Ruling
The Court concurred with Bunq.
1.) It ruled that Bunq had complied with the customer's data access requests regarding the personal data received from third parties, the data received by various departments within Bunq, as well as the personal data received from external sources (including, notably, his name, contact details, nationality, number of payments and risk score, the documentation he disclosed concerning the source of his income, and the online public sources Bunq consulted regarding the customer).
2.) The Court then addressed the remaining customer request concerning information about the customer that led to and was processed in the context of the account blockade, and access to the logic and processing of automated decision-making. The Court outlined that there was no automated decision-making process involved. The judges recalled that Bunq is subject to an enhanced customer due diligence obligation to prevent money laundering and terrorist financing under the Wwft. To fulfill this obligation, Bunq employs a Transaction Monitoring System. In this case, the system flagged a payment transaction involving the customer, prompting an enhanced customer due diligence. While the Transaction Monitoring System's algorithm flagged the transaction without human intervention, any subsequent actions with respect to the customer required human decision-making. Indeed, Bunq explained that the decision to take further action following the System's alert, as well as the subsequent investigation, were carried out by Bunq's employees. Therefore, the Court considered that the process at stake was not automated decision-making within the meaning of Article 22 GDPR. Consequently, Bunq was not obliged under Articles 15(1)(h) and 22 of the GDPR to disclose the logic of the Transaction Monitoring System.
3.) The Court further dismissed the customer's request for (additional) information about the cause of, and the decision-making in, the customer due diligence, independently of its finding that no automated decision-making had taken place. The Court upheld Bunq's reliance on the exception ground in Article 41(1)(d) of the UAVG, which pertains to the prevention of criminal offenses. Bunq was therefore not required to provide further information about the customer due diligence process.
The Court concluded that Bunq's interest in fulfilling its legal obligations under the Wwft and contributing to the prevention of criminal offenses outweighs the customer's individual interest in understanding why he was subject to customer due diligence. Besides, the Court noted that the customer had been informed that a payment transaction was the reason for the customer due diligence. He further had access to all his payment transactions. Therefore, the customer was not entirely deprived of an explanation.
The Court's decision relies on an express restriction of the access right under Dutch law, namely Article 41(1)(d) UAVG, which is a verbatim copy of Article 23(1)(d) GDPR. However, in our view, the Court's balancing of the conflicting interests between Bunq and the customer could also apply under Article 15(4) GDPR. This provision allows the controller to restrict the data subject's right to receive a copy of their personal data if this would harm the rights and freedoms of others, which may include the controller's own rights and interests, as long as they concern trade secrets, intellectual property or other protected rights. As the Court did under Article 41(1)(d) UAVG, Article 15(4) GDPR also requires a balancing of interests between the data subject's right to access their personal data and the rights and freedoms of others that may be adversely affected by disclosing such data. A controller could thus withhold the logic and outcomes of its models for detecting suspicious transactions under anti-money-laundering laws under Article 15(4) GDPR, on the basis that disclosing this information could allow third parties to circumvent the models and undermine the fight against money laundering, a risk that outweighs the data subject's right to receive this information (provided it is personal data to begin with).
The full text of the decision is available here.