Profiling is by no means just a term used in the fight against crime. It is now also used on the Internet as a basis for creating personalized advertising. For some time now, this approach has been a thorn in the side of data protection authorities, as many users are not even aware of the gigantic amounts of data that are sometimes collected from them. As a rule, the user’s explicit consent is a prerequisite for the legality of profiling. Hannoversche Volksbank has now apparently disregarded this regulation. The bank wanted to open up new and targeted advertising opportunities. It evaluated the collected data and forwarded it to Schufa – without consent. This blatant violation of the GDPR has now resulted in a heavy fine.
Fine of 900,000 euros for profiling
An example from Germany now makes clear just how expensive a breach of the General Data Protection Regulation (GDPR) can be. Hannoversche Volksbank is alleged to have used the data of its current as well as former customers for advertising purposes and without their consent in the sense of profiling. The aim was to be able to display personalized advertising. The data protection commissioner of Lower Saxony, Barbara Thiel, is naturally not pleased about this. Accordingly, she imposed a hefty fine of 900,000 euros on the bank, citing a violation of the GDPR, which applies throughout Europe.
This stipulates that personalized advertising is only possible in exceptional cases without the express consent of the person concerned. Particularly brazen is the fact that Hannoversche Volksbank sought support from Schufa in its data evaluation. This emerges from a report in the taz. The data of the credit agency was then to serve as a comparison object so that the bank could match the usage behavior it had collected itself and thus also the details of its customers. On top of that, the Schufa data were then supposed to have been included as additional parameters in the customer profiles.
Targeted search for groups of people to be advertised to
The Hannoversche Volksbank went with its profiling apparently purposefully on the search for a certain customer master. It focused on people who, for example, rarely used a statement printer and regularly made payments in online stores such as the Apple App Store. In short, the focus was obviously on people who are perfectly at home in the digital age. So it comes as no surprise what conclusion Data Protection Officer Thiel drew from the bank’s actions. In her opinion, the bank wanted to identify people who have a penchant for digital media. These should be contacted after successful “filtering out” then primarily by electronic means.
Possibly not an isolated case
Looking at this case, one quickly feels reminded of the diesel scandal that boiled up a few years ago. Here it turned out over time that more and more companies were deceiving their customers and giving false emissions readings. Accordingly, Thiel also assumes that Hannoversche Volksbank is almost certainly not an isolated case. According to her statement, the data protection authority has received information several times in the meantime that other companies are also using this procedure. First of all, they collect customer data and then compare it with data from Schufa or other comparable credit agencies.
The companies always justify the purpose of profiling with the “legitimate interest”, which, according to the GDPR, allows such data collection even without consent. However, Thiel again emphasizes in her statement that profiling in this sense is by no means covered by these facts. Hannoversche Volksbank has therefore obviously been guilty of this. Especially with the widely unpopular cookie banners, personalized advertising plays a role. The UK has meanwhile taken a pioneering role in the fight against the annoying insertions. Google announced back in 2020 that it would ban this from its in-house Chrome browser. Unfortunately, the project has now been postponed again and is not expected to make its way into the browser until 2024.