The bank is member of Intesa Saopaolo group, don't want to specify the concrete country, probably all banks in that group use the same blacklist so it doesn't matter.
They blocked my internet banking at least twice when I was trying to send money, and another time they just sent notification about cancelled transaction. But they allow sending some transactions, and the amount is not the problem: they allow sending 900 euros to personA but prohibit 600 euros to personB. All recipients are international, but within EU and SEPA area.
I tried from my account in another bank, and I could send without problems. So this must be some proprietary blacklist made by Intesa.
I wonder where they get the data to populate the blacklist.
Do I need to rant about how scary this is? The bank just decides that you are on a list, that you are unworthy of receiving money. And it is not even your bank which decides this, so you are not even informed. Maybe the payers inform you, but maybe they just think you are a terrorist - why else would the payer's bank block you?
Yes, banks (for example Santander) have been limiting transfers to bitcoin centralized exchanges, for example. But this is another level, my bank is blocking private individuals, and my bank doesn't even know that transactions are bitcoin-related, at least I never told them nor mentioned it in payment data.
GDPR to the rescue?
They must process the data from the blacklist when checking whether to allow the transaction. So let's see when they can use the data, according to Article 6 of GDPR:
- (a) consent? - I doubt they even contacted the recipient
- (b) to fulfill contractual obligations with a data subject? My bank has no contract with the recipient.
- (c) to comply with a data controller's legal obligations? But I could send from another bank, which should have the same legal obligations.
- (d) To protect the vital interests of a data subject or another individual? Again, I sent from other bank, it doesn't protect those interests?
- (e) To perform a task in the public interest or in official authority? Ditto.
- (f) For the legitimate interests of a data controller or a third party? Ditto.
One problem is I am not a "victim" of this, it is not my data, my rights were not infringed (well, not by my bank in this particular case and in context of GDPR). So I cannot ask my bank to stop this practice (at least not formally using GDPR, informally I can ask anything and they can ignore it. ). I could complain at national Data Protection Office (DPO), which will promptly ignore me, I am afraid. And even if they don't ignore it, I will not be a formal participant in the proceeding, and I will not be informed about the results.
I don't like begging the daddy government for help, but it is the daddy government which helps the banks by bailouts and limiting cash. So I see it more like self-defense.
Let's spam the banks?
But I can do a subject access request (SAR) to a random EU bank, not as a payer, but as I potential payee. Actually, anyone with a bank account can do this. "Hello Random Bank. Is my account $IBAN on your blacklist, meaning that your clients cannot send funds to me? If so, delete my IBAN from that blacklist, or give me a reason why not. And there is a stupid bank which does such blacklisting, so maybe you are doing it too, I have no way to know, but this other bank proves I am not making stuff up, so this request is not manifestly unfounded."
One good candidate is Santander, already mentioned.
I am probably going to do this, but will give up quickly, not sure it achieves anything. They may ignore me, theoretically they have to respond in 30 days, but if not, I need to complain at DPO, maybe they come up with a seemingly plausible response...
Any tips about an organization which could investigate this? I am thinking EFF or HRF.