Knowledge table Privacy – NEWS

It is not allowed by the GDPR, but it must be by the Wwft: legal dilemma

By Peter Westdijk, Member of the Knowledge table Privacy
(this contribution is written in a personal capacity)

Even the Declaration of Human Rights, as adopted in 1948, recognized that the right to freedom of expression and the right to the protection of privacy do not always run in parallel and pointed to a careful balancing of the two.

In a recent case before the Kifid, that consideration comes up again. A bank requests a copy of ID as part of identifying and verifying the customer. The client refuses to do so and only wants to provide an edited copy. The yes/no argument comes to the Kifid’s Disputes Committee, which rules as follows and follows the spirit of the GDPR:
The final conclusion is that to identify and verify a customer’s identity, the bank may require a raw copy of the ID proof. However, the bank may not record and keep an unprocessed copy of a consumer’s ID document; if the bank does this, this is in violation of the minimum data processing according to the GDPR.

However, the Appeals Committee comes to a different interpretation of the GDPR and judges:
… that the bank must keep the raw ID document. On the basis of this, the bank can show the supervisors that the customer due diligence has taken place in accordance with the legal requirements.

For me, this is a good example of a trade-off between privacy rights on the one hand and other interests on the other. In this case, the GDPR provides sufficient starting points (see the ruling for explanation) for the Appeals Committee to reach its position. I wonder how this assessment relates to the discussion about the UBO register. There, too, there was a trade-off between privacy rights and another (social) interest, also arising from legal provisions and obligations. And the commotion about ‘monitoring all payments above EUR 100’. We always see that the protection of individual privacy wins, as it were, over a more general interest.

We can then jump on any measure and contest the measure with the GDPR in hand. But who stands up for the common good, which is not always captured in articles of law? And when should this have been done; is this a contraction in the measure? I advocate the balanced weighing of interests in the drafting of measures and, if necessary, also a legal enshrinement when a public interest must prevail over an individual interest in privacy. That would prevent much discussion. And increase its implementation and impact.

Too often people say, “the GDPR doesn’t allow that.” And then the conversation dies. But let us interpret the rules from the spirit of the legislation, keeping in mind all the interests at stake. Interests that are not always explicitly defined in legislation. But which are no less important for that.