Consumer Bond Privacy Report Discussion

@JohnDo#168844 I have read the article, inspected the systems running in the bunq app (FYI: I work in the field of data protection/GDPR) and done an analysis. Based on this analysis I can conclude that the statements made in the article are valid. There are systems loaded which are under the GDPR definition “trackers”, for which consent is mandatory. I cannot find information on these systems in the bunq privacy/cookie statement (also mandatory under the Dutch “cookie law”, Tw 11.7a).

The bunq privacy statement does state that it is possible to revoke & limit consent for direct marketing although I’m unable to find the appropriate setting to do so (maybe I’m missing something).
But there has to be a proper lawful basis to collect/process data.
For marketing purposes this lawful basis is consent (given in advance, being able to revoke is not enough).

So I trust bunq to have good intentions, but from a legislation perspective the app doesn’t comply with the GDPR and specifically the AVG (the GDPR implementation in the Netherlands) and Tw (telecommunication law, article 11.7a).

    @Roel-Turquoise-Panda#169528 Interesting analysis, thank you for that!

      @Roel-Turquoise-Panda#169528 Hi 👋🏼 Roel!

      Thanks for the extra info. Good to know.

      Asking for consent is the weakest way to go from a legal perspective. Consent basically means “I can’t think of any legitimate reason, so I will ask for your permission”.

      I think bunq can easily go for “Contractual necessity” or “Legitimate interests” as legal ground for 99% of all the third parties that are used in the app. No need to ask for consent if they play it right. At least that is my humble opinion.

      By the way, bunq will notify you in the app before you start using some of the features. For instance when you start using Invoice 🧾 scanning... or when you go to Together for the first time. So that is very thoughtful (not necessary).

      I have to say, I don’t find the privacy statement a very clear document. Often vague use of words.

      But the more interesting question would be what bunq is sharing exactly (how invasive is it) and if they have taken the proper measurements. Aka, privacy by design and default. I trust that they have.

      Revoking consent is only possible for the things bunq asks consent for in the first place. However, I believe you can ask bunq via email or support chat to opt out of direct marketing. There is also an unsubscribe button in the footer of the email.

        @JohnDo#169536 If they have to share data with a necessary intermediary party for a transfer to another bank, they don’t need to ask for consent. For marketing trackers they most certainly do.

          @JohnDo Thanks for your reply!

          The Dutch Data protection authority (DDPA) states consent as the number 1 (of 6 bases) to lawfully process data. It's not so much "I can't think of other legitimate reasons" as it is "the other 5 bases do not apply, so I must have consent".

          @wanja correct!
          If you look at “Contractual necessity”, bunq could rely on this basis if the agreement with a customer requires the processing of personal data. In the case of (direct) marketing/tracking tools this isn't the case. bunq does have a valid contractual necessity to process the customer's phone number to be able to validate and authorize the bunq app, or to share bank account details with another bank to facilitate a transaction.

          “Legitimate interests” can be a base for processing data, but in this case the bar is set quite high.
          To make a valid Legitimate interests claim, the "interest" should be considered by society so important that it has found recognition in law, and bunq can only(!) fulfill/promote this interest by processing personal data.

          The DDPA has posted an explanation of 'justified interest' (based on guidance of the European Court of Justice) and provides a few examples. One of the examples of 'justified interest' is the right (as a person) to have a safe and healthy life. If data processing by bunq is needed to make sure its customers can have a safe and healthy life, it could qualify as a 'justified interest' (although then you still have to prove necessity and weigh/balance the interests of bunq vs the privacy of customers). As I said, the legal bar for 'justified interest' is quite high ;-)

          There is an example of 'justified interest' regarding informing existing customers after a purchase about similar products or services of their own. But in this case processing data via marketing trackers would not meet the necessity and balance-of-interests requirement of the GDPR. Informing customers via a non-targeted email or a simple push message and Together forum post would yield the same result (but in a much more privacy-friendly way).

          Although bunq as a bank does have many cases where a claim of 'justified interest' is valid (e.g. fraud prevention, obligations imposed by legislation such as money laundering regulations), fitting marketing trackers under this category would be quite a stretch.

            @Wanja-Purple-Penguin#169539 Sure, but it depends on the definition of "marketing trackers".

            bunq is a very data driven organisation, so inevitably they collect loads of data :)

            An example:
            bunq used Hotjar according to their privacy statement. Hotjar is a powerful tool that tracks how users use the app. What screens do they open? What does the user do on that page? How long does the user stay on that page? How does the user navigate through the app?

            That sounds scary, let's all get worried... like the Consumentenbond kind of is suggesting. Or we can take a closer look ;). This data is very essential for bunq and a tremendous source of information in the development process. All to make the app even better... for you!
            bunq configures these tools as privacy friendly as possible. So that external parties know as little as possible and yet the data is still usable for bunq. And of course bunq has agreements with these kinds of external parties. And finally these tools are even bound by GDPR rules!

            In the case above bunq doesn't need any consent whatsoever; bunq can argue that this is essential for their service. It will fall under the Legitimate interests ground. I think this is the case in almost every 'tracker' they use. Even direct marketing can be placed under Legitimate interests when you already have a relation with that customer.

            So we might think bunq needs to ask our permission in most cases to 'track' us like this, but that is very seldom the case. The GDPR gives companies much room to process personal data. But of course, a company can't pull the Legitimate interests card 💳 every time they feel like it. They have to be able to show a risk based analysis that will show why the interests of the company outweigh your interests.

            Anyway, fun subject ;)

              @Roel-Turquoise-Panda#169540 The Dutch Data protection authority (DDPA) states consent as the number 1 (of 6 bases) to lawfully process data. It's not so much "I can't think of other legitimate reasons" as it is "the other 5 bases do not apply, so I must have consent".

              We say the same :).... If a company asks for my consent, all my alarm bells start to ring. Because a company can almost always at least use Legitimate interests as ground. That means that you can argue why you need the data and it outweighs the interest of your customer. And if you can't even do that.. well then you use the consent card 💳.

              Often a company argues in this order: Legal obligation -> Contractual necessity -> Legitimate interests -> and Consent as last resort. And the other 2 often don't apply at all :)

              My privacy teacher calls consent the emergency lane of the GDPR :)...

                @JohnDo#169542 They can track whatever they want in order to evaluate how their features are perceived. However, when they use a third party and that party receives data, they need your consent.
                There is nothing wrong with using third parties. They often do the job better for less. However, if the third party demands data, any data, you have to ask for consent. Unless you can't deliver your services without the consent.

                  @Wanja-Purple-Penguin#169548 However, when they use a third party and that party receives data, they need your consent.

                  Absolutely not.

                  If bunq has grounds to process data, it doesn't make any difference who is actually processing the data. Sure, bunq stays accountable, and has to follow all kinds of guidelines... but they absolutely don't need your consent to outsource anything.

                  But let's say bunq outsourced some things... and that third party wants to use that data for its own purposes... well, that changes the story often! That is one of the reasons bunq will need a processor agreement with every party that processes personal data. This agreement will state how that party can use that data.

                    @JohnDo#169556 Though true for features that are part of the service you deliver, I doubt that's true for functionality tracking users' behavior. I would love to hear a legal opinion on that.
                    I guess most companies are better safe than sorry, though.

                      @Wanja-Purple-Penguin#169557 The Dutch Data Protection authority has a guideline on under which circumstances data processing for purely analytical purposes (with limited impact on the privacy of people) is allowed without consent. Although the telecommunication law still mandates having a clear cookie statement describing the use. An example is the use of Google Analytics, which can be used without consent when specific privacy preserving settings are enabled and the data is not used for any other purposes.

                        @Roel-Turquoise-Panda#169576 You are mainly talking about trackers on a website. Not in the context of an app that I use as part of a contract I have.

                        And GA is one thing that bunq does the right way on their website... the other cookies? Not so much ;)

                          @JohnDo#169583 Agreed, the example is regarding web tracking, but it can be a guideline for data collection in apps as there isn’t any legal difference between data collection within an app or on a website from a GDPR or telecommunication 11.7a (cookie law) perspective.