Garante Fines Bank for Failure to Respond to Subject Access Request
Customers have a right to access their personal data contained in recorded telephone conversations, Italian DPA Garante said Thursday as it fined a bank 100,000 euros ($117,000) for failing to respond adequately to a consumer's access request.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The customer, a fraud victim, asked the bank for the recordings made with customer service so he could contest a transfer of around 10,000 euros and determine what had happened, the DPA said. When the bank didn't respond satisfactorily, he complained to the DPA. Only then did the bank provide the information, but it did so beyond the 30-day deadline required under the GDPR.
The DPA stressed that even phone calls between a client and his bank can be considered personal data and, as such, must be accessible upon request while respecting the rights of any third parties involved.
In determining the fine, the watchdog said, it considered the bank's revenue, its cooperation with the investigation and the absence of prior violations.