The issue of bank workers’ bank details was the focus of the Labor Division of the High Court of Justice of Murcia’s ruling of November 8, 2017. The case concerned the dismissal on disciplinary grounds of a bank worker who falsified documents to take out two loans, in his capacity as an employee, to buy a car, and then used the money he borrowed for other purposes.
Following an audit, the bank reviewed the employee’s banking movements, to find that he had not made a transfer to the company with which he had entered into the vehicle purchase agreement he had presented to justify the provision of the loans. Moreover, it emerged that, in the days after he received the loans, the employee made transfers to his relatives’ bank accounts and paid off his credit card debts, while there was no movement in his account justifying the purchase of the vehicle. It was also verified that the employee was not the owner of the vehicle specified in the agreement.
In court, the judge did not accept the audit report as documentary evidence, considering that, by collecting his banking data, the employee’s right to privacy had been violated. However, on appeal, the High Court of Justice of Murcia considered that the audit report should have been admitted and, without ruling on the merits of the case, invalidated the proceedings.
The High Court of Justice argued that the use of customers’ personal data cannot be considered to have been used for an illegitimate purpose or a purpose other than the one establishing the contractual relationship. Under article 6.2 of Act 15/1999, on personal data protection, the bank was entitled to process the employee’s banking data without seeking his consent, given that processing this data was necessary to comply with and maintain in force the loan agreement it had entered into with the employee. On analyzing the triple proportionality test our courts apply to determine whether a corporate measure violates employees’ right to privacy, the High Court of Justice considered that the measure was proportional because the employee’s and his relatives’ banking data that were included in the audit report only provided conclusions that could be used to prove the employee’s unlawful behavior. It also regarded the measure as necessary because the documents could be used as evidence of potential irregularities, and as balanced, to confirm the suspicion.
Analyzing the matter from the perspective of personal data protection law, it is worth considering the extent to which processing this data is justified based on the relationship between the bank and the employee, in a context where the data was collected and used for a single purpose, namely to manage the contractual relationship resulting from a loan agreement.
The dilemma will still be effective from May 25, 2018, when Regulation (EU) 2016/679 on personal data protection will be fully implemented. Article 6.1.b) of the regulation will allow data to be processed without seeking the affected party’s consent when that processing is required to execute an agreement to which the party belongs, as well as the steps taken at the request of the affected party before entering into an agreement.
In any case, it must be taken into account that the judgment is not final and, therefore, we must now await the ruling that, if admitted, the Supreme Court will issue on the appeal for the unification of doctrine.