In a recent decision,(1) the Federal Administrative Court confirmed that a credit institution had violated its obligations under Article 15 of the EU Data Protection Regulation (2016/679) (GDPR) by refusing to provide its customer access to information – at no cost – on specific payment transactions effected in the previous five years.
As part of a legal dispute with his landlord, the applicant needed evidence of his rent payments to property management companies in the previous five years. However, his bank's online system limited his access to transactions made during the previous 12 months. Accordingly, the applicant asked his bank for the corresponding information for the preceding four years. The bank offered to provide this information for a charge of approximately €30 per year, based on Section 33(2) of the Payment Services Act 2018 (ZaDig 2018),(2) which implements Article 40(2) of the EU Payment Services Directive (2015/2366/EC) (PSD II). In reply, the applicant submitted a request for information under data protection legislation, asking the bank to provide information about his personal data processed by the bank, in particular on the transfers that he had made to the various property management companies during the previous five years. The bank did not answer this request. On the applicant's motion, the Data Protection Authority rendered a decision(3) in favour of the applicant and held that the bank:
- had violated the applicant's right to information; and
- had to provide the information within two weeks pursuant to Article 15 of the GDPR.
The Federal Administrative Court dismissed the bank's appeal against the Data Protection Authority's decision and held that:
- a conceptual distinction must be made between consumer information obligations and the right to access personal data, which must not restrict each other (by implementing PSD II, ZaDiG 2018 grants no right of access to information or inspections that could conflict with individuals' rights of access to personal data pursuant to Article 15 of the GDPR) and thereby denying the lex specialis argument raised by the bank; and
- any fulfilment of the bank's customer information obligations pursuant to ZaDiG 2018 could not entail its customer's loss of his right of access to information under Article 15 of the GDPR, as these rights exist side by side. The applicant could thus lawfully exercise his right to access his information under the GDPR irrespective of whether the bank had fulfilled its obligations in accordance with ZaDiG 2018.
With respect to the bank's claim that the applicant's request for information was unjustified because it had been made to circumvent the charging mechanisms provided for in ZaDiG 2018 and PSD II to provide said information, the Federal Administrative Court (with reference to Recital 63 of the GDPR) held that the fact that the applicant had wished to avoid being charged for copies of his account statements and information on payment transactions by exercising his right of access to personal information under data protection legislation could not be seen as an evident violation of his rights as a data subject pursuant to Article 15 of the GDPR. In this respect, the Federal Administrative Court also held that an exercise of the right of access does not need to be substantiated.
Consumer protection organisations and the Austrian press celebrated the decisions by the Data Protection Authority and the Federal Administrative Court. However, on closer inspection, those cheers seem to have been uttered a little too early and the celebrants' expectations appear to have been a little too high.
First, the applicant did not ask for duplicates of full account statements, but for information on specific payment transactions. Second, the meaning of the term "copy [of the personal data undergoing processing]" may not correspond to the colloquial meaning of an original reproduction of an account statement. Further, under Article 15(3) of the GDPR, if a data subject makes a request by electronic means, unless otherwise requested, the relevant information must be provided in a "commonly used electronic form". Banks may thus limit the amount of information by providing information on payment transactions only in a simple electronic form (eg, a spreadsheet or a printout of a mere list of such data).
Third, Article 15(4) of the GDPR provides for a restriction of content where relevant, as obtaining information must "not adversely affect the rights and freedoms of others" (ie, there may be a need to provide information with some details blacked out). However, following Recital 63 of the GDPR, including the International Bank Account Number of a recipient's payment account and the amount transferred seems mandatory to ensure that the data subject has access to the data needed to exercise this right and to "be aware of, and verify, the lawfulness of the processing". Accordingly, providing such information (even though it may qualify as personal data of the recipient), will most likely not adversely affect the rights of the recipient of the transfer.
It remains to be seen whether the lex specialis argument used by the bank will be upheld by the European Court of Justice. According to the bank, Article 15 of the GDPR should not be construed in a way that contradicts the PSD II and its comprehensive set of provisions on consumer information obligations or payment service providers' right to charge for duplicates and more frequent provisions of information.
At present, several Austrian banks charge considerable fees for reprinting individual account statements. Whether these charges qualify "as reasonable fees based on administrative costs" (GDPR) or "are reasonable and in line with the payment service provider's actual costs" (PSD II) remains to be seen. From a pragmatic point of view, limiting a customer's access to (electronically stored) information about payment transactions made more than 12 months ago through a paywall may seem an odd business decision for a bank, particularly considering the Data Protection Authority's current view of customer rights under the GDPR.
Endnotes
(1) BVwG, 24 May 2019, W258 2205602-1.
(2) Zahlungsdienstegesetz 2018 – ZaDiG 2018; BGBl 17/2018.
(3) DSB, 21 June 2018, D122.844/0006-DSB/2018.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
