.svg)
The Dutch Data Protection Authority has imposed a fine of €150,000 International Card Services BV (ICS) over non-compliance with data privacy rules.
ICS, a subsidiary of Dutch bank ABN AMRO, used customers' personal data on a large scale without first conducting a legally required data protection impact assessment (DPIA), according to the national competent authority.
A DPIA is an analysis that identifies possible privacy risks, and as it had not carried this out, ICS therefore violated the General Data Protection Regulation (GDPR).
"It is not without reason that organisations are legally obliged to check in advance what risks you run if they use your data,” said Katja Mur, a member of the board at the regulator, noting risks related to identity fraud.
“It is important that organisations thoroughly investigate in advance whether there are any privacy risks. And if so, that they do something about it,” she cautioned. “Preventing privacy problems is better than cure.”
ICS is the leading credit card specialist and largest credit card provider in the Netherlands, and apparently failed to carry out a DPIA before the company started digitally identifying customers in the Netherlands in 2019.
According to the regulator, ICS should have undertaken a DPIA because the identity checks involved around 1.5m customers.
Furthermore, the personal information used for identification was sensitive in nature.
In addition to customers' names, addresses, telephone numbers and emails, this included a photo that customers had to take of themselves and send via a mobile phone or webcam.
Subsequently, ICS then used these photos to compare them with copies of customers' IDs.
Financial institutions are legally obliged to determine the identity of their customers and may use such information for this purpose. However, they must handle the information with extreme caution — hence the necessity of a DPIA in line with GDPR rules.
When approached by Vixio, a spokesperson for ABN AMRO confirmed that the company will not appeal the decision.
"In 2019, ICS started a re-identification process on its entire customer base. This is to prevent credit cards from being used for financial crime, such as money laundering or terrorist financing," said the spokesperson. "That is why it is important that ICS knows who all its customers are, where money comes from and where it goes. Knowing customers well is also a legal obligation for banks."
The spokesperson added that ICS did carry out an extensive risk assessment during the design of the customer re-identification process in 2019, noting that this has also been mentioned in the regulator's extensive decision to impose a fine. "Ample attention has also been paid to privacy risks."
"Unfortunately, a specific DPIA was not carried out at the time where it should have been. ICS regrets and acknowledges this. In 2020, the process to determine the need to carry out a specific DPIA was tightened," the spokesperson said.
"In 2021, a DPIA was carried out on the customer (re-)identification process. No additional privacy risks have been identified from this DPIA," the spokesperson continued, adding that the Dutch Data Protection Authority has also not identified any privacy violations in the process. "This means that ICS had already carefully looked at privacy risks and handled privacy-sensitive data in the correct and secure manner."
