Financial institution breaches GDPR in direct marketing | Nordax Bank decision IMY

The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, ‘IMY’) has dealt with a GDPR-complaint regarding the Nordax Bank.

This bank has instructed another company, Iper Direkt, to provide direct marketing services, including an address register, to the bank. Someone has complained with Nordax and asked for erasure of his/her personal data. Nordax is of the opinion that the complainant should go to Iper for that. Nordax was willing to institute a block on addressed direct marketing regarding complainant and has provided general information to the complainant that Nordax may process the complainant’s personal data in order to maintain a block on addressed direct marketing. The complainant did not provide the requested personal data (pre- and surname and full address) to Nordax. According to the decision at a later date complainant was  blocked against further direct marketing mailing regarding Nordax products.

In the decision IMY points out that Nordax is the controller, as Nordax determines the purposes and means of the processing of personal data. It can not refer to Iper for complying with GDPR-requests of data subjects.

IMY is of the opinion that Nordax unnecessarily asked the complainant to submit additional information in order to comply with the blocking request, even though the existing information in the request according to Nordax was sufficient to actually satisfy the request directly. For this reason Nordax has requested additional information that has not been necessary to confirm the identity of the data subject in violation of Article 12(6) GDPR. Further Nordax has breached GDPR by failing to inform complainant that it had blocked complainant against further addressed direct marketing.

The violations of the GDPR are grounds for IMY to issue a reprimand to Nordax and to issue some orders to the bank to correct its practices:

  • to comply with complainant’s request to exercise its right of access, “This is done by providing the complainant access to all personal data that Nordax process regarding the complainant by arranging a copy to the complainant of the personal data referred to in Article 15(3) and provide information pursuant to points (a) to (h) of Article 15(1) and 15.2.“;
  • to comply with complainant’s request for erasure;
  • to provide the complainant with information on the measures which been taken in response to the complainant’s request to exercise his right of objection to processing for direct marketing purposes.


More information:

Over Ellen Timmer

Weblog: ||| Microblog: ||| Motto: goede bedoelingen rechtvaardigen geen slechte regels
Dit bericht werd geplaatst in English - posts in English on this blog, Financieel recht, onder meer Wft, Wtt, ICT, privacy, e-commerce en getagged met , , , , . Maak dit favoriet permalink.

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen. logo

Je reageert onder je account. Log uit /  Bijwerken )


Je reageert onder je Twitter account. Log uit /  Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit /  Bijwerken )

Verbinden met %s