The Icelandic Data Protection Authority has ruled in a case where a complaint was made about the processing of personal data by Arion Bank hf.

The Icelandic Data Protection Authority has ruled in a case where a complaint was made about the processing of personal data by Arion Bank hf. Specifically, it was complained that the bank had registered the complainant on the bank’s target group list without his consent, the bank had prevented the legal expiry of information about the complainant’s financial affairs by conducting regular credit assessments and other types of financial analysis without authorization, and financial information about credit cards, sureties and mortgage agreements had been retained longer than necessary.

The Data Protection Authority concluded that the bank’s processing of the complainant’s personal information for marketing purposes was permitted on the basis of the bank’s legitimate interests until the complainant objected to the processing, at which point the complainant was removed from the bank’s target group lists. The Data Protection Authority then concluded that the bank’s processing of the complainant’s personal information regarding his other financial matters had been in accordance with the provisions of the Act on the Protection of Personal Information and the Processing of Personal Information.

Decision of the Icelandic Data Protection Authority, dated 14 February 2025.

https://island.is/s/personuvernd/frett/vinnsla-arion-banka-hf-a-personuupplysingum-i-markadslegum-tilgangi-og-i