On November 23, 2010, the data protection authority (the “DPA”) of the German federal state of Hamburg fined the regional financial institution Hamburger Sparkasse AG (“Haspa”) €200,000 for unlawfully giving its customer service representatives access to customers’ bank data, and for profiling its customers and granting the representatives access to those profiles. The bank cooperated with the DPA and immediately discontinued the unlawful practices.
From the end of 2005 until August 2010, Haspa allowed its self-employed, external customer service representatives access to customer bank data, often without having first obtained the customers’ consent. According to the DPA, the number of bank accounts accessed is not clear. The bank was aware of this practice through reviews of log files that detailed the representatives’ access.
In addition, the bank created customer character profiles that were available to all external customer service representatives. To build the profiles, the bank used tracked account balances and data on customers’ use of financial products. The profiles drew on neurological research and customer data, including customers’ socio-demographic status, the financial products they held (such as direct deposit accounts) and the number of transactions on their accounts. The profiles were created and used without notice to the customers concerned.
According to the head of the Hamburg DPA, Johannes Caspar, the fine was based on the following factors: (i) the high sensitivity of bank data, which reveals a great deal about the individual customer, (ii) the severity and extent of the violation, and (iii) the principle that the amount of the fine should exceed the economic benefit derived from the violation. Furthermore, the DPA sought to discourage future data protection law violations, while cautioning against the use of modern neuromarketing tactics to exploit customers.
In the bank’s favour, the DPA considered that the bank’s management responded quickly with a clarification of the issues and cooperated with the DPA’s investigation. Furthermore, on July 9 the bank withdrew the external service representatives’ access rights to customer data. The DPA also took into consideration that, in August, the bank implemented new technical procedures designed to comply with data protection requirements and deleted the unlawful customer profiles.
The case highlights the willingness of the German data protection authorities to impose significant fines on companies that fail to protect customer data. In a similar case, Postbank was fined €120,000 in early 2010.