.svg)
Neobank Bunq has emerged victorious in a court case centred on a customer’s data access request, in a decision that highlights the balance between EU citizens’ data privacy rights and compliance with anti-money laundering (AML) rules.
In a case heard by the District Court of The Hague, a Bunq customer sought access to personal data related to a customer due diligence investigation that resulted in the temporary blocking of his accounts.
The court rejected the customer’s request, ruling in favour of Bunq and ordering the applicant to pay legal costs.
The decision confirms that financial institutions have the right to withhold certain information if revealing it could compromise crime prevention efforts.
Data use and access
The case was initiated by the customer — referred to in court documents as "[applicant]" — who held multiple accounts with Bunq.
In November 2023, Bunq requested documents from the customer to verify the source of his income, citing security and compliance reasons.
After failing to provide the requested documents by the deadline, Bunq temporarily blocked the customer’s accounts on November 24, 2023, but the accounts were subsequently reinstated once the documents were submitted.
Despite the account restoration, the customer sought further clarification from Bunq regarding the reasons for the block, and filed a formal request under the General Data Protection Regulation (GDPR) for access to all personal data used in the decision-making process, as well as insight into the bank’s automated systems.
The applicant argued that Bunq had failed to provide adequate information, especially regarding the underlying logic of its transaction monitoring system, which had flagged his account for investigation.
He sought full disclosure of the data and reasoning behind the block, citing GDPR provisions on automated decision-making.
Bunq argued that it had fulfilled its obligations by providing relevant data and stated that its internal systems did not involve fully automated decision-making.
The neobank asserted that human intervention had been involved in the customer investigation, making the GDPR provisions on automated decision-making inapplicable.
The court ultimately sided with Bunq, determining that the customer’s request for more detailed data had already been sufficiently met, and the judge ruled that the bank’s compliance with money laundering and terrorism financing regulations justified withholding certain internal processes from disclosure, citing the risk of system circumvention by bad actors.
The court rejected the customer’s claims, including his demand for insight into the logic of Bunq's transaction monitoring system, and dismissed the case, with the applicant ordered to pay Bunq’s legal costs, which totalled €2,062.
Matching GDPR with AML laws
The decision in this case highlights the complex interaction between the GDPR and AML laws, which are among the EU’s most significant pieces of regulation.
The GDPR has emerged as one of the trading bloc’s most notable laws, considering the trend it set globally for data protection regulation.
At the same time, the EU’s approach to AML is stringent, and only going to become more so.
It is clear with recent actions, such as the Single Rulebook for AML in the EU, and the incoming Anti-Money Laundering Authority (AMLA) in Frankfurt, that the EU is keen to show that it is a leader in routing out dirty money.
What it has done so far has not worked entirely, especially considering Malta went onto the Financial Action Task Force's (FATF) greylist, and although it came off relatively quickly, Bulgaria and Croatia also found themselves under increased scrutiny not long after.
The case in the Netherlands shows how privacy rights are balanced with the need for financial institutions to prevent illegal activities.
Although the GDPR grants individuals the right to access their personal data, this right is not absolute, and financial institutions, like Bunq in this case, can withhold certain information if revealing it could undermine AML efforts.
The court ruled that Bunq’s refusal to provide detailed explanations of its transaction monitoring system was justified under AML laws, and the ruling underscores that there are exceptions to the GDPR’s right of access.
Article 15 of the GDPR grants individuals the right to access personal data held by organisations, but these rights can be restricted under certain conditions.
For example, the court cited Article 23 of the GDPR, which allows for such restrictions when necessary to safeguard public security or prevent criminal offences.
Bunq successfully argued that disclosing more information about its AML systems could expose sensitive processes that criminals might exploit, therefore justifying its withholding of certain details from the customer.
Automation of processes
The case also addressed concerns around automated decision-making.
Under the GDPR, individuals are protected from decisions made solely by automated systems without human intervention.
However, the court found that Bunq’s decision-making involved human review, meaning the stricter rules on automated decision-making did not apply.
Although algorithms flagged a suspicious transaction, human employees reviewed and acted on the case, which aligned with the GDPR’s requirements.
The decision also clarifies the precedence of AML obligations. Financial institutions across the EU are legally required to comply with AML regulations, such as conducting customer due diligence and monitoring transactions for suspicious activity.
These obligations, outlined in laws such as the Netherlands' Money Laundering and Terrorist Financing (Prevention) Act (Wwft), appear to take precedence over privacy rights when the two conflict.
