
Data Protection in Financial Institutions

EU Twinning Project. Expert: Dr Jens Ambrock. Date: 3.-4.4.2019. This project is funded by the European Union.


Presentation Transcript


  1. Data Protection in Financial Institutions
     EU Twinning Project. Expert: Dr Jens Ambrock. Date: 3.-4.4.2019.
     This project is funded by the European Union.

  2. Data Protection in Financial Institutions
     • Cultural impact: bank secrecy in Germany
       • Very sensitised branch of business
       • Highly regulated financial markets
       • Powerful banking supervision
       • Provisions which partly collide with data protection requirements
     Ambrock: Data Protection in Financial Institutions

  3. Principle of Lawfulness
     • Processing of personal data is only allowed on the basis of a legal ground (= law) or consent

  4. Consent
     • Consent only if no legal ground is applicable
     • Must be freely given
     • Can be withdrawn anytime
     • Prohibition of linkage
     • Only recommendable for extra processings for individual clients
       • e.g. newsletters, telephone marketing

  5. Execution of a Contract
     • Most important legal ground for the relationship between bank and customer
     • Art. 5 (1) b of Moldovan data protection law: “the processing is required for the execution of a contract”
     • e.g. storage of personal details
       • Required: name, address, birthdate…
       • Required for consultation: income/salary, rent, number of children…
       • Not required: telephone number, names of children… → consent
     • e.g. money transfer to another bank (including senders' names)
     • e.g. production of a debit card

  6. Execution of a Contract
     • Example: Are banks allowed to take a look into the bank account's payment history?
     • Criterion: Is it required for the execution of the contract?
       • Depends on the contract.
       • Mainly, the bank's duty is not only to store the money but also to take care of the client's financial situation.
       • If so: duty to check whether the money investment is optimal
       • Actively suggest debt conversion, optimising of investments etc.
     • Strict purpose limitation
       • Only the account manager who is personally responsible for the individual client
       • Log files as safeguards

  7. Legitimate Interest
     • If data is not required for the contract, but processing is “fair” for everyone
     • Art. 5 (1) f: balancing test, interests of the subject vs. interests of the controller
     • Example: CCTV in the bank's service hall
     • Example: A customer does not pay his debt. The seller mandates a debt collecting company and therefore transmits the invoice data.

  8. Legal Obligation
     • Art. 5 (1) c: “the processing is required for fulfilling the controller’s legal obligation”
     • e.g. tax law allowing the revenue office to access the bank account
     • e.g. AML Directive
       • Moldovan law on preventing and combating money laundering and the financing of terrorism

  9. Legal Obligation
     • Anti-money-laundering law vs. data minimisation: both are based on EU law
       • The most specific law is applicable, if national law is proportionate
     • European Court of Justice (25.4.2013 – C-212/11):
       • Spanish law obliging banks to send suspicious clients' data to a public AML office is valid.
       • Interpretation of national law must be proportionate (only transfer required data)
     • European Court of Justice (10.3.2016 – C-235/14):
       • Spanish law obliging banks to send data on all financial transactions to foreign countries is invalid.

  10. Anti-Money-Laundering Law
     • Example: Bank copies the client's ID card every time he visits the bank.
     • Legal obligation: “identification and verification of customer identity based on identity documents” (Art. 5 (1) d of Moldovan AML Law)
     • “Reporting entities shall keep all documents and information on customers […], including copies of identification documents” (Art. 9 (2))
     • Principle of data minimisation leads to a narrow interpretation
       • No repeated copies of the same document
       • Documentation that the ID card has been shown is sometimes sufficient
       • Blackening (redaction) of unnecessary entries
       • Purpose limitation: copies only for AML reasons, not for e.g. accuracy of address data

  11. German AML Law
     • Former § 4 (4) 1 of the German AML Law: “For the purpose of the identification of a person to be identified corresponding to paragraph 3, the obliged party has to assure itself that the collected information is correct, as far as it is included in the documents: 1. for natural persons […] by a valid official identification card.”
     • New § 15 (2) 2: “[…] the obliged parties have the right and the obligation to make complete copies or complete digitalisations of these documents or records.”

  12. Video Identification
     • Online identification without personal contact
     • Importance for rural areas
     • Highly increasing in Germany
     • Requirements of the German banking supervisory authority:
       • Consent
       • Live transmission without interruptions
       • Sufficient image quality
       • Bank employee sitting in a separate, locked room
       • Trained bank employees
       • Termination of the procedure if any problems occur

  13. Access to Public Registers
     • Example: Bank asks for access to the public population register.
     • Art. 2 (2) a AML: “identification and verification of customer identity based on […] information obtained from a credible and independent source”
     • Two-Doors Principle of the German Constitutional Court:
       • Legal ground for the collector: legitimate interest
       • Legal ground for the sender: ??

  14. Transparency
     • Bank's identity and contact details
     • Contact details of the data protection officer (not the name)
     • Purpose of the processing
     • Categories of personal data
     • Legal grounds for the processings
       • If Art. 5 (1) f: the legitimate interests
     • Recipients of the data (or categories):
       • e.g. public authorities
       • e.g. SWIFT, clearing systems etc.
     • Cross-border transfers without an adequate data protection level
     • Storage period (or at least the criteria)
     • Automated decision making: logic used and possible consequences
     • Subjects' rights to access, rectification, erasure, restriction, objection, data portability, withdrawal of consent
     • Right to submit a complaint to the Center
     • Clients must be actively informed about who you are and what you're planning with their data (Art. 18)
       • Before the data collection
       • Recommended: attachment to the account opening contract
       • Afterwards (in cases of changes):
         • Postal letter
         • Bank account statement printer
         • Online banking
         • …

  15. Privacy Impact Assessment
     • To be undertaken e.g. before processing data concerning the client's creditworthiness
     • Step 1: How risky is the processing?
     • Step 2: What measures can be taken to minimise the risk?
     • Step 3: Is the risk controllable?
       • If not: obligation to contact the DPA
     (Risk matrix: severity of damage vs. probability of occurrence)

  16. Privacy Impact Assessment
     • Helpful tool: https://www.cnil.fr/en/pia-software-20-available-and-growth-pia-ecosystem
       • Provided by the French DPA
       • Many languages, e.g. English and Romanian

  17. International Data Transfer
     (Map: EEA. Map designed by Layerace - Freepik.com)

  18. Adequacy Decisions of the European Commission
     (Map: EEA, Faroe Islands, Canada, Guernsey, Isle of Man, Jersey, Switzerland, Japan, USA, Israel, Argentina, Uruguay, New Zealand)

  19. Transfer into Countries without Adequacy
     • Establish an adequate level of data protection on your own (Art. 50)
       • Contract with the recipient
       • Needs to be approved by the DPA
       • Mainly used in the EU: Standard Contractual Clauses (SCC) of the European Council
         • Not to be modified
         • http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
       • In Moldova, it is up to the Center to approve SCCs
     • For individual use only: derogations (Art. 53)
       • e.g. necessary for the performance of a contract
       • e.g. defence of legal claims
       • e.g. specific consent
       → Only individual cases / no constant transfers

  20. Payment Services Directive 2
     • New European Union law (mandatory from September 2019)
     • Applicable also to foreign banks with establishments in the EU
     • Fundamental change of the financial economy
     • Banks must offer access to bank account data to third parties
     • Future business models:
       • Smartphone applications with access to multiple bank accounts
       • Online shops can examine the creditworthiness using the last transactions
       • Credit brokerage: external consultant with access to the bank account
     • Always based on consent!

  21. This project is funded by the European Union
     Thank you for your attention!
     Dr Jens Ambrock, Office of the Hamburg Commissioner for Data Protection and Freedom of Information
     The slides are based on the speaker's personal opinions only.
