Details:
| Summary | The complainants stated during the case that they concluded a credit agreement with the bank, which sold its claim against the complainants and transferred their respective data to a third-party company (controller). NAIH determined in the case that the controller can neither rely on the consent of the data subjects nor the performance of the credit contract as the legal basis of the data processing, since the data subjects concluded such contract with the bank, not with the controller. The appropriate legal basis for processing could have been the legitimate interest of the controller. |
| Link: | link |
| Related articles: | Art. 5 GDPR, Art. 6 GDPR |
| Type: | Insufficient legal basis for data processing |
| Fine: | EUR 2,850 |
| Sector | Finance, Insurance and Consulting |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/