Privacy & Information Security Law Blog

On November 23, 2010, the data protection authority of the German federal state of Hamburg issued a €200,000 fine against financial institution Hamburger Sparkasse AG (“Haspa”) for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers. The bank cooperated with the DPA and has discontinued the illegal practices.

Illegal Data Access:  From late 2005 to August 2010, Haspa allowed its self-employed, mobile customer service representatives access to customers’ bank data, often without first obtaining the customers’ consent.  The bank was aware of this practice through reviews of log files that detailed the representatives’ access.

Customer Profiling:  In addition, the bank created customer character profiles which were available for all mobile customer service representatives to access.  The profiles were based on neurological research and customer data, including customers’ socio-demographic data and information about product usage, such as data about direct deposit accounts and the number of transactions.  The creation and use of the profiles occurred without notice to the customer.

Fine Criteria:  According to the head of Hamburg’s Data Protection Authority, Prof. Dr. Johannes Caspar, the fine was based on the following criteria: (i) bank data is considered highly sensitive data that provides a great deal of information about the individual customer, (ii) the severity and degree of the violation of data protection law, and (iii) the amount of the fine should exceed the economic benefit derived from the data protection violation.  Furthermore, the DPA sought to discourage future data protection law violations, while cautioning against the use of modern neuromarketing tactics to exploit customers.

In the bank’s defense, the DPA considered that the bank’s management responded with a quick clarification of the issues and has cooperated with the DPA’s investigation.  Furthermore, Haspa terminated mobile customer service representatives’ access to the data in July 2010.  The DPA’s assessment found that the bank promptly put in place an amended technical procedure that complies with German data protection law, and that the illegally created customer profiles have been deleted.