Discussion Paper on innovative uses of consumer data by financial institutions

Similar documents
Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

GENERAL DATA PROTECTION REGULATION.

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

GDPR: What Every MSP Needs to Know

December 28, 2018, New Delhi, INDIA

Trusted KYC Data Sharing Standards Scope and Governance Oversight

EU General Data Protection Regulation (GDPR)

EU GENERAL DATA PROTECTION REGULATION

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

ARTICLE 29 DATA PROTECTION WORKING PARTY

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

Introduction to the General Data Protection Regulation (GDPR)

ACCENTURE BINDING CORPORATE RULES ( BCR )

Brasenose College Data Protection Policy Statement v1.2

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

WHAT YOU NEED TO KNOW [WHITE PAPER] ABOUT GDPR HOW TO STAY COMPLIANT

GDPR & SMART PIA. Wageningen University Feb 2017

BROOKS PERSONAL TRAINING

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

DATA PROTECTION POLICY VERSION 1.0

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

Our Privacy Principles

KYC & Data Protection: Friends or Foes?

Data Protection Policy

DATA PROTECTION POLICY

General Personal Data Protection Policy

RBA Online Privacy Notice for

PRIVACY NOTICE FOR JOB APPLICANTS

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

Foundation trust membership and GDPR

Mature Accountants Limited ( MA ) are committed to protecting and respecting your privacy.

Input to Members of the European Parliament on the PSD2 RTS proposal covering banks obligations

The Privacy Battlefield What does the GDPR Require?

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

General Data Protection Regulation (GDPR) A brief guide

CNPD Training: Data Protection Basics

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

WSGR Getting Ready for the GDPR Series

New General Data Protection Regulation - an introduction

The GDPR: What does it mean for executive search?

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

Personal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR

What does the GDPR mean for recruitment?

Contents. NRTT Proprietary and Confidential - Reproduction and distribution without prior consent is prohibited. 2

HOTREC guidelines on the General Data Protection Regulation

Our position. AmCham EU Comments on the Working Party 29 guidelines on data Protection Impact Assessment (DPIA)

10/02/2017 Version pptx. 1

CINCINNATI PUBLIC RADIO PRIVACY NOTICE FOR EU RESIDENTS

DATA PROTECTION POLICY

Data Protection Policy

PMI CONSUMER PRIVACY NOTICE

Information Requirements in the Consumer Rights Directive Proposal and in Other Directives

GDPR - 10 THINGS YOU NEED TO KNOW (US PERSPECTIVE) 1. Privacy and data protection are fundamental rights

VMS Software Ltd- Data Protection Privacy Policy

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

The data protection rules require that personal information we hold about you must be:-

EU General Data Protection Regulation (GDPR)

Audit. Committee. Guide

Introduction to basic principles of Regulation (EC) 45/2001. Sophie Louveaux María Verónica Pérez Asinari

ARTICLE 29 DATA PROTECTION WORKING PARTY

W h i t t l e s C h a r t e r e d A c c o u n t a n t s

Privacy Statement AVG-GDPR

Please read the following carefully in order to understand our policies and practices regarding your personal data and how we process them.

Privacy Policy. To invest significant resources in order to respect your rights in connection with Personal Data about you:

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

EU General Data Protection Regulation ( GDPR ) FAQs External Version - 16 March 2018

EDRi analysis on the most dangerous flexibilities allowed by the General Data Protection Regulation (*)

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

DELL BANK INTERNATIONAL D.A.C DATA PROTECTION STATEMENT - USE OF PERSONAL DATA 1

GENERAL DATA PROTECTION REGULATION Guidance Notes

EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1

ARTICLE 29 Data Protection Working Party

The Association of Executive Search and Leadership Consultants AESC BEST PRACTICES FOR DATA PROTECTION. aesc.org

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

PSD2 and GDPR: An awkward match?

Preparation Guide to the New European General Data Protection Regulation

Standard Advisory London Limited Third Party Privacy Statement

DATA PROTECTION POLICY 2018

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

GDPR DATA PROCESSING NOTICE FOR FS1 RECRUITMENT UK LTD FOR APPLICANTS AND WORKERS

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

Data protection (GDPR) policy

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018

RAW MARKETING DATA PROTECTION POLICY

Rutherford Briant Recruitment Services Limited. Privacy Notice

General Data Protection Regulation (GDPR) Key considerations and implications for brokers

The Sage quick start guide for businesses

HOTREC guidelines on the General Data Protection Regulation

EUROPEAN UNION. Brussels, 27 March 2013 (OR. en) 2011/0374 (COD) PE-CONS 80/12 CONSOM 164 MI 853 JUSTCIV 382 CODEC 3131 OC 774

We have prepared a general privacy notice covering all subject data and including use of our website at

Transcription:

Datum 28 juli 2016 Referentie OD15800 NVB response to the European Banking Authority Consultation form Discussion Paper on innovative uses of consumer data by financial institutions The EBA invites comments on all proposals put forward in this paper and in particular on the specific questions detailed below. 1. In what capacity (i.e. consumer, financial institution, technology providers, etc.) have you had experience with innovative uses of consumer data? The Dutch Banking Association (Nederlandse Vereniging van Banken, in short NVB) represents the common interests of the Dutch banking sector. We would like to thank you for the opportunity to comment on this discussion paper, as published by EBA in May 2016. These comments should be seen as an addition to the comments made by the European Banking Federation (EBF), which we fully support. As stated by the EBF, the banking sector supports a competitive and innovative EU Digital Single Market which safeguards existing consumer protection, trust and security. To do so, the right competitive environment should be set and allow for an open and fair competition among the market players. Given this, it is important that the same rights and the same obligations apply to the same type of services across EU Member States. All banks use consumer data, for example: to conclude contracts and agreements, develop products and services, for relationship management, to safeguard the security and integrity of the financial sector, and to comply with legal and regulatory requirements. Most banks rely on data which they acquire directly from their clients. Sometimes banks use external data within the strict remits of the law - for example of credit agencies, information trade bureaus or publicly available sources such as the internet. The NVB is of the opinion that the privacy rules and regulations (current and upcoming) already address the risks as described in the discussion paper and constitute a sufficient safeguard of the privacy rights of banking clients. We would like to elaborate on our position and indicate (outlined under question 8) how these risks are already mitigated by current and upcoming rules and regulations. Dutch research MOB 1 *, shows that customers generally accept the use by banks of (payment) data as it is used to fulfill requirements by law and adherence to security issues (acceptance rate 80%), improvement of customer care and services (68%) and following trends (47%). 1 November 2015 link: http://goo.gl/k55tk5 in Dutch. This research was conducted by an independent research institute and was commissioned by the Dutch National Forum on the Payment System, which is chaired by Dutch Central Bank DNB. Gustav Mahlerplein 29-35 1082 MS Amsterdam +31(0)20 55 02 888 www.nvb.nl 1/6

Acceptance decreases if the use of data is further removed from these types of use and informed consent (opt-in) becomes more relevant to customers. 64 to 90% does not approve of use of (payment) data for commercial purposes by the bank or a third party without consent. The acceptance rate increases when customers can give their informed consent to this use to 55-76%. In conclusion, if third parties get access to (payment) data, transparent and uniform information to customers and a level playing field are essential. 2. Based on your knowledge, what types of consumer data do financial institutions use most? 3. Based on your knowledge, what sources of consumer data do financial institutions rely on most? 4. Based on your knowledge, for what purposes do financial institutions use consumer data most? 5. How do you picture the evolution of the use of consumer data by financial institutions in the upcoming years? How do you think this will affect the market? 6. Do you consider the potential benefits described in this chapter to be complete and accurate? If not, what other benefits do you consider should be included? 7. Are you aware of any barriers that prevent financial institutions from using consumer data in a beneficial way? If so, what are these barriers? NVB adheres to EBF the position 8. Do you consider the potential risks described in this chapter to be complete and accurate? If not, what other risks do you consider should be included? R1 Consumers experience detriment if they are unaware of the way financial institutions make use of their personal data The processing of personal data is already subject to strict rules. Article 5.1 (a) GDPR mentions that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 6 of the GDPR states that the processing should be lawfully and provides the controller (banks) with 6 conditions (legal grounds) on which processing is allowed. For example in case the processing is necessary for compliance with a legal obligation. Without a legal ground as mentioned in article 6 GDPR, it is not allowed to process personal data. If a bank wants to reuse the Gustav Mahlerplein 29-35 1082 MS Amsterdam +31(0)20 55 02 888 www.nvb.nl 2/6

data for another purpose as collected, this new purpose has to be compatible with the purpose for which the personal data are initially collected. 2 These are existing rules; they are also part of present regulation: Directive 95/46EU. Therefore the risk mentioned is mitigated by existing legal obligations and national privacy law. Banks in the Netherlands have undertaken major steps to ensure all available information to their clients is available in clear and plain language as concluded by the Netherlands Authorities for the National Markets (AFM 3 The GDPR requires the information to be presented in clear and plain language 4. The duty on transparency is further elaborated in the General Data Protection Regulation (GDPR), 5 ; transparency (and modalities) are part of a chapter on the rights of data subjects. R2 Consumers are locked-in by their current provider because their data is not assessable to other financial institutions The banks in the Netherlands provide the possibility to their clients (both consumers and businesses) to use a jointly developed Bank Switch Service ( Overstapservice ) 6 to migrate their payment traffic to a payment account held at another bank. The Overstapservice aims to facilitate account holders who want to move their payments relationship from one bank to another, thus increasing customer mobility. We would like to mention that Directive 2014/92/EU (Payment Account Directive) obliges Member States to implement a national payment account switching service as per 18 September 2016. Besides this, Article 20 of the GDPR introduces the Right to data portability. Clients will have the right to receive the personal data provided to a controller and have the right to transmit those data to another controller without hindrance from the controller. R3: Consumers experience detriment if financial institutions misuse their personal data If a bank wants to reuse the data for another purpose as collected, this new purpose has to be compatible with the purpose for which the personal data are initially collected. 7 Article 5. 1 (a) GDPR mentions that Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 6 of the GDPR states that the processing should be lawfully and provides the controller (banks) with 6 conditions (legal grounds) on which processing is allowed. For example in case the processing is necessary for compliance with a legal obligation. Without a legal ground as mentioned in article 6 GDPR, it is not allowed to process personal data. Banks are also bound by the Directive on privacy and electronic communications 8 which, among other things, provides for rules concerning the protection on data on the internet (cookies), the use of unsolicited communications for direct marketing purposes (especially on e-mails and SMS messages) and processing of location data giving the geographical location. In the Netherlands these obligations have been transposed in the Telecommunications Act. This means that financial 2 Article 6 (4) GDPR 3 AFM see https://www.afm.nl/nl-nl/nieuws/2014/mei/taal-klant 4 Article 12 (1) GDPR 5 Regulation EU 2016/679 articles 12-14 6 With the Overstapservice all payments destined for the old personal current account are automatically rerouted to the new account during a period of 13 months. 7 Article 6 (4) GDPR 8 2002/58/EC amended by 2009/136 EC Gustav Mahlerplein 29-35 1082 MS Amsterdam +31(0)20 55 02 888 www.nvb.nl 3/6

institutions are already under the obligation to abide these rules. The sanctions that can be imposed by the Authority for Consumers & Markets (ACM) are significant. Under the current legislation and the GDPR, processing of client data for marketing purposes is allowed provided that this occurs within legal boundaries. For example, article 21 (2) GDPR gives data subjects the right to object in case their data is used for direct marketing purposes. Financial institutions misusing data (for example by using client data for marketing purposes in a way that goes beyond the legal boundaries) undermine their reputation and potentially breach the law, which is and shall remain very strict on this point, including the possibility of a fine. The fact that at least two regulators in the Netherlands oversee the compliance of the use of data for commercial purposes constitutes a sufficient guarantee for clients to trust that banks shall not misuse their data for these purposes. R4: Consumers experience detriment as a result of wrong decisions by financial institutions on the basis of wrong information Clients of financial institutions have the right not to be subject to a decision relating to him or her which is based solely on automated processing and which produces legal effects or similarly affects, such as automated refusal of an online credit application 9. Besides the data a financial institution processes has to be accurate and kept up to date. 10 The risk of wrong decisions on the basis of wrong information is mitigated by these principles. Processing of health data or other special categories of personal data is also addressed in the GDPR. Processing of this data is prohibited except in strictly formulated cases. In case of automated decision making, including profiling, the GDPR states that the data subject shall not be subject to a decision solely based on automated processing including profiling. Especially it is not allowed to base a decision on special categories of data (e.g. health data) unless suitable measures to safeguard the data subject s right and freedoms and legitimate interests are in place 11. R5: Consumers have restricted or no access to financial products or services because they do not allow for their information to be used by financial institutions Practically and lawfully a bank is in need of access to certain information to be able to provide a product or service. Personal data that is being processed by banks needs to be processed because it is necessary to fulfill a contractual obligation or to abide the law. As mentioned before, banks have the obligation to process lawfully, fairly and in a transparent manner. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimalisation). 12 Banks will therefore only process the data necessary for the purposes as mentioned in the Introduction. In case a data subject doesn t want a bank to use his data commercially, it has the possibility to use his right to object to processing for direct marketing purposes. 13 That does not preclude a financial institution from processing for a legitimate purpose and still give access to financial products and services. 9 Preamble 76 GDPR 10 Article 5.1 (d) 11 Article 22 (4) GDPR 12 Article 5 GDPR 13 Article 21 (3) GDPR Gustav Mahlerplein 29-35 1082 MS Amsterdam +31(0)20 55 02 888 www.nvb.nl 4/6

R6 Consumers suffer detriment if consumer data stored by financial institutions is obtained fraudulently by third parties Financial institutions have the obligation to implement appropriate technical and organizational measures 14. In case of a data breach, a financial institution will be obligated to notify the breach to the supervisory authority and the data subject. 15 Besides these obligations, banks in the Netherlands have specialized departments to prevent fraud and to comply to 3:17 Wft (Dutch Act on Financial Supervision) which amongst others stipulates that: A clearing institution, entity for risk acceptance, credit institution or insurer having its registered office in the Netherlands shall organize its operations in such a way as to safeguard controlled and sound business operations. R7: Financial institutions are exposed to reputational risk if they make questionable use of consumer data As enumerated, banks are of the opinion that it is not allowed by law to use data in a questionable way. Since banks are bound by the GDPR and the Directive, we do not anticipate a reputational risks from this perspective in the Netherlands. However, if third parties would have access to payment data we could envisage potential reputational risks. As stated before, Dutch research shows that an explicit op- in/consent for use of (payment) data for commercial purposes is valued by consumers. Dutch banks are strongly in favor of creating broader support for the use of (payment) data, which can be achieved if authorities communicate to consumers in a transparent and uniform way regarding the rules that financial institutions (including third parties) have to abide to. R8: Financial institutions that are not in a position to process consumer data cannot compete with new entrants in the market that specialize in using consumer data New entrants to the markets may only process data if they take the GDPR into consideration. Financial Institutions do see a risk in the interpretation of new entrants in for example the re-use of data (further processing) and combining data that new entrants already possess/have access to in another role. As long as financial institutions act in line with the GDPR and the Directive, it is allowed to use consumer data for commercial purposes. Preamble 47 of the GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. The assumption as stated in the discussion paper that financial institutions may not use consumer data for commercial purposes seems to be a too strict interpretation of the applicable laws and regulations. Of course the consumer data may only be used commercially within the boundaries of the GDPR and the Directive. Another risk regarding new entrants is Directive 2015/2366, Payment Service Directive II. New entrants and other institutions (so called Third Party Providers ) can get access to the consumer (payment account-related) data held by account servicing PSP s (banks). Although they have to agree, data subjects may not always be aware of the fact that other institutions could process the data provided by banks. Although these other institutions also have to fulfill the obligations of the GDPR, the risk of non-compliance as well as uncertainty for the clients might increase. 14 Article 24 and 25 GDPR 15 Articles 33-34 GDPR Gustav Mahlerplein 29-35 1082 MS Amsterdam +31(0)20 55 02 888 www.nvb.nl 5/6

R9: Financial institutions are exposed to legal risks if their IT systems are compromised As mentioned under R6 financial institutions have the obligation to take appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimalisation. Since financial institutions process sensitive and financial data, they already have sufficient measures in place to protect the data of their clients. New entrants might not always be aware of the existing rules and therefore they might not have these measures in place. So instead of new lawmaking more publicity should be given to the rules and regulations that are already in place. Conclusion According to the banking sector the risks as mentioned in the discussion paper of EBA are all addressed in the Directive and the GDPR. If a financial institution does not comply with the GDPR, fines can be imposed up to 4% of the worldwide annual turnover 16 of a financial institution. The GDPR also provides clients with the possibility to lodge a complaint to the supervisor and of course to the financial institution itself. Transparent and uniform communication to customers is deemed necessary, as well as a level playing field (same services, same risks) between all parties allowed access to (payment) data. 9. Have you observed any of these risks materialising? If so, please provide examples. 16 83 GDPR Gustav Mahlerplein 29-35 1082 MS Amsterdam +31(0)20 55 02 888 www.nvb.nl 6/6

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback