Of course, all of this would be different if I had given consent for the further processing of my transaction data for direct marketing purposes. Which then raises the question whether my having received notification of an update to my bank’s privacy statement, can in itself be considered to imply such consent. The mere fact that the possibility of my personal data being used for purposes of direct marketing has been defined as the default setting, to which I would have to explicitly object, though constituting an “opt-out” mechanism, certainly does not carry enough weight.
In its reaction, the Dutch Bankers’ Association wonders, among other things, how the DPA’s position would hold up in a future of ever increasing importance of data to many different sorts of organisations and how the DPA’s objections are to be reconciled with the leeway offered by privacy legislation for judicial use of data for marketing purposes.With the latter, the Association is obviously referring to the provision in the GDPR stating that processing of personal data is lawful if based on the purposes of the legitimate interests of, in this case, the bank. According to the GDPR, the processing of personal data for direct marketing may be regarded as carried out for a legitimate interest.On the one hand, in view of the utilitarian nature of a payment account, it may be undesirable for financial institutions to have legitimate interests in direct marketing outweighing the obligation of personal data protection. On the other hand, this specific case of marketing exclusively promotes proprietary ING products and services, which fact has transparently been communicated by the bank to its customers. In a preliminary governmental reaction, the Dutch Secretary of Finance has stated that it is up to the DPA, and eventually the court, if it would come to that, to decide whether or not ING has acted within the limits of applicable privacy legislation.The Dutch Bankers’ Association has declared itself open to continued discussion with the DPA,adding that, until such time, further direct marketing efforts are to be suspended. So, when booking my next holiday, I will not be receiving promotional offers for travel insurance from my bank.
Robin Creuels, LLM
 Article 6,1,b of the GDPR.
 Article 5,1,b of the GDPR.
 Special categories of personal data are sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning health or a natural person’s sex life or sexual orientation, the processing of which is prohibited. (ex. Article 9,1 of the GDPR).
 Article 6,4 of the GDPR.
 Article 6,1, of of the GDPR.
 Recital 47 to the GDPR.