On October 9, 2019, the Court of Appeal of Brussels passed judgment 2019/AR/1006 whereby it established, pursuant to and in accordance with Article 16 of the General Data Protection Regulation (“GDPR”), that banks are obliged to use correct diacritics when spelling clients’ names, since these are personal data, and therefore subject to accurate writing.
Case Background
Namely, a client requested from a bank, as controller of personal data in terms of the subject data regulation governing this matter at the EU level, to write his name with the appropriate diacritics (additions to letters that change pronunciation or make a distinction between similar words), which request the bank refused, claiming that it was not possible due to the characteristics of the computer system used at the time. After that, the client filed a complaint to the Belgian authority for personal data protection.
In subsequent procedure, the aforementioned authority decided that the bank’s argument on technical impossibility was not sufficient, so the bank is obliged to act upon client’s request, which decision was appealed against by the bank. In the procedure upon the said appeal, the bank argued that this is not personal data, so provisions of GDPR cannot not be applied.
Reasons of the Judgment
However, according to the comprehension of the personal data protection authority, the acting Belgian court decided that provisions of Article 16 of the GDPR unreservedly grant the right to the data subject to request the rectification of incorrect personal data without delay.
This also applies to the case where the client’s personal name is processed by computer program used by the bank, whereas the fact that the program concerned does not provide such possibility, and that adapting a computer system to correctly handle diacritics would take certain time and/or constitute additional costs for the bank, does not allow the bank to disregard the provisions of the GDPR, i.e. to properly spell personal data.
Solution from the Serbian Law on Personal Data Protection and Domestic Practice in This Matter
The current Serbian Law on Personal Data Protection, alike the GDPR, stipulates the right to rectify and supplement personal data (Article 29), indicating that a data subject shall have the right for his/her incorrect personal data to be rectified without undue delay, while, depending on the purpose of processing, the data subject may supplement his/her incomplete personal data, including the provision of additional statement.
However, when it comes to practice, there are still no decisions of the domestic courts or the Commissioner regarding the obligation to use diacritics in personal names as personal data in terms of the said regulation.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.
By Lara Maksimovic, Senior Associate, and Danica Nikitovic, Junior Associate, PR Legal
