Data Protection in Financial Institutions

Presentation transcript:

1 Data Protection in Financial Institutions
EU Twinning Project
Expert: Dr Jens Ambrock
Date:
This project is funded by the European Union

2 Data Protection in Financial Institutions
Cultural impact: bank secrecy in Germany
- A very sensitive line of business
- Highly regulated financial markets
- Powerful banking supervision
- Provisions which partly collide with data protection requirements
Ambrock: Data Protection in Financial Institutions

3 Principle of Lawfulness
Processing of personal data is only allowed on the basis of either
- a legal ground (= law), or
- consent

4 Consent
- Consent only if no legal ground is applicable
- Must be freely given
- Can be withdrawn at any time
- Prohibition of tying (the service must not be made conditional on consent)
- Only recommendable for additional processing for individual clients, e.g. newsletters, telephone marketing

5 Execution of a Contract
- Most important legal ground for the relationship between bank and customer
- Art. 5 (1) b of the Moldovan data protection law: "the processing is required for the execution of a contract"
- e.g. storage of personal details
  Required: name, address, date of birth ...
  Required for advisory services: income/salary, rent, number of children ...
  Not required: telephone number, names of children ... -> consent
- e.g. money transfers to another bank (including the sender's name)
- e.g. production of a debit card

6 Execution of a Contract
Example: Are banks allowed to look into the payment history of a bank account?
- Criterion: Is it required for the execution of the contract? Depends on the contract.
- Usually the bank's duty is not only to hold the money but also to look after the client's financial situation.
- If so: duty to check whether the client's investments are optimal; actively suggest debt restructuring, optimisation of investments etc.
- Strict purpose limitation: only the account manager who is personally responsible for the individual client
- Log files as a safeguard
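The safeguards named on this slide (purpose limitation, access restricted to the personally responsible account manager, log files) can be enforced in code. The following is an added example, not code from the slides or from any bank: the covered purposes, employee IDs, client IDs and transactions are constructed for the illustration.

```python
"""Purpose-bound access to a client's payment history, with an audit log.

Added example (not from the slides). Only the account manager personally
responsible for a client may read that client's payment history, only for a
purpose the account contract covers, and every attempt, granted or denied,
is appended to a log that can be reviewed later. Purposes, employee IDs,
client IDs and transactions are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Purposes the (assumed) account contract covers. Anything else, e.g. marketing,
# lies outside the contract and would need a separate legal ground or consent.
CONTRACT_PURPOSES = frozenset({"financial_advice", "debt_restructuring", "investment_review"})


@dataclass
class Client:
    client_id: str
    account_manager: str                 # employee ID of the responsible manager
    payment_history: list = field(default_factory=list)


class AuditLog:
    """Append-only access log, one JSON object per line (the "log file")."""

    def __init__(self):
        self.lines = []

    def record(self, employee, client_id, purpose, granted, reason):
        self.lines.append(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "employee": employee,
            "client": client_id,
            "purpose": purpose,
            "granted": granted,
            "reason": reason,
        }))

    def denied(self):
        """Entries a reviewer looks at first: every refused attempt."""
        return [e for e in map(json.loads, self.lines) if not e["granted"]]


class PaymentHistoryService:
    def __init__(self, clients, log):
        self.clients = clients
        self.log = log

    def read_history(self, employee, client_id, purpose):
        """Return the client's payment history or raise PermissionError.

        The checks are ordered so the log names the first failing rule; the
        order does not change which requests are granted.
        """
        client = self.clients.get(client_id)
        if client is None:
            self.log.record(employee, client_id, purpose, False, "unknown client")
            raise PermissionError("unknown client")
        if purpose not in CONTRACT_PURPOSES:
            self.log.record(employee, client_id, purpose, False, "purpose not covered by the contract")
            raise PermissionError("purpose limitation")
        if employee != client.account_manager:
            self.log.record(employee, client_id, purpose, False, "not the responsible account manager")
            raise PermissionError("not responsible for this client")
        self.log.record(employee, client_id, purpose, True, "ok")
        return list(client.payment_history)  # copy: the caller cannot alter the record


def demo():
    """Constructed data: two clients, each with one responsible manager."""
    clients = {
        "C-1001": Client("C-1001", "emp-anna", [
            {"date": "2019-03-01", "amount": -950.00, "counterparty": "Landlord"},
            {"date": "2019-03-02", "amount": 2800.00, "counterparty": "Employer"},
        ]),
        "C-1002": Client("C-1002", "emp-ben", [
            {"date": "2019-03-05", "amount": -120.00, "counterparty": "Utility"},
        ]),
    }
    log = AuditLog()
    return PaymentHistoryService(clients, log), log


if __name__ == "__main__":
    service, log = demo()
    print(service.read_history("emp-anna", "C-1001", "financial_advice"))
    for attempt in [("emp-ben", "C-1001", "financial_advice"),
                    ("emp-anna", "C-1001", "marketing")]:
        try:
            service.read_history(*attempt)
        except PermissionError as exc:
            print("denied:", exc)
    print("\n".join(log.lines))
```

The log records denied attempts as well as granted ones: a pattern of refusals by one employee against clients they are not responsible for is exactly what a data protection officer would want to find in the log file.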

7 Legitimate Interest
- Interests of the controller vs. interests of the data subject
- If the data is not required for the contract, but the processing is "fair" to everyone
- Art. 5 (1) f: balancing test
- Example: CCTV in the bank's service hall
- Example: A customer does not pay his debt. The seller engages a debt collection agency and transmits the invoice data for that purpose.

8 Legal Obligation
- Art. 5 (1) c: "the processing is required for fulfilling the controller's legal obligation"
- e.g. tax law allowing the revenue office to access the bank account
- e.g. the AML Directive and the Moldovan law on preventing and combating money laundering and the financing of terrorism

9 Legal Obligation: anti-money-laundering law vs. data minimisation
- Both are based on EU law -> the more specific law applies, provided the national law is proportionate
- European Court of Justice (C-212/11): Spanish law obliging banks to send suspicious clients' data to a public AML office is valid. The interpretation of national law must be proportionate (transfer only the required data).
- European Court of Justice (C-235/14): Spanish law obliging banks to send data on all financial transactions to foreign countries is invalid.

10 Anti-Money-Laundering Law
Example: The bank copies the client's ID card every time he visits the bank.
- Legal obligation: "identification and verification of customer identity based on identity documents" (Art. 5 (1) d of the Moldovan AML law)
- "Reporting entities shall keep all documents and information on customers [...], including copies of identification documents" (Art. 9 (2))
- The principle of data minimisation leads to a narrow interpretation:
  No repeated copies of the same document
  Documenting that the ID card has been shown is sometimes sufficient
  Redaction (blacking out) of unnecessary entries
- Purpose limitation: copies only for AML reasons, not e.g. for checking the accuracy of address data
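The narrow reading on this slide (one copy per document, redaction of entries not needed for identification, copies for AML identification only) translates into a small storage policy. The following is an added example, not code from the slides or from any bank's system; which entries count as required for identification is an assumption of the example, not a rule taken from the slide, and the sample ID card is constructed.

```python
"""Data-minimising storage of ID-document copies for AML identification.

Added example (not from the slides). A copy of the client's ID card is kept
only when the purpose is AML identification, only the entries needed for
identification survive in the stored copy (every other entry is blacked out),
and when the same client shows the same document again no second copy is
made: the store merely documents that the document was presented. The set of
required entries is an assumption of the example; the sample card is
constructed.
"""
from datetime import date

# Entries kept for identification (assumption for the example). Everything
# else printed on the card is blacked out in the stored copy.
REQUIRED_ENTRIES = frozenset({
    "surname", "given_names", "date_of_birth", "nationality",
    "document_number", "issuing_authority", "expiry_date",
})
REDACTED = "[REDACTED]"


def minimise(id_card):
    """Return a copy of the card with every non-required entry blacked out.

    Keys are kept so a reviewer can see what was redacted rather than
    silently dropped; only the values of non-required entries are replaced.
    """
    return {k: (v if k in REQUIRED_ENTRIES else REDACTED) for k, v in id_card.items()}


class IdCopyStore:
    """Holds at most one (minimised) copy per client and document."""

    def __init__(self):
        self.copies = {}   # (client_id, document_number, expiry_date) -> record

    def present(self, client_id, id_card, purpose, on):
        """Record a presentation of the card. Returns True if a new copy was stored.

        Copies are made for AML identification only; for any other purpose
        (e.g. checking an address) the caller gets a ValueError and nothing
        is stored.
        """
        if purpose != "aml_identification":
            raise ValueError(f"no legal basis to copy an ID document for purpose {purpose!r}")
        key = (client_id, id_card["document_number"], id_card["expiry_date"])
        record = self.copies.get(key)
        if record is not None:
            # Same document shown again: document the fact, keep the single copy.
            record["presented_on"].append(on)
            return False
        self.copies[key] = {"copy": minimise(id_card), "presented_on": [on]}
        return True

    def records(self):
        """All stored records, for review."""
        return list(self.copies.values())


def demo():
    """Constructed sample: one client presenting the same card on two visits."""
    card = {
        "surname": "Example", "given_names": "Ana",
        "date_of_birth": date(1985, 4, 12), "nationality": "MDA",
        "document_number": "A12345678", "issuing_authority": "Chisinau",
        "expiry_date": date(2027, 4, 11),
        # entries the AML purpose does not need:
        "height_cm": 168, "eye_colour": "brown", "address": "Str. Exemplu 1",
    }
    store = IdCopyStore()
    store.present("C-2001", card, "aml_identification", date(2019, 1, 10))
    store.present("C-2001", card, "aml_identification", date(2019, 6, 3))
    return store


if __name__ == "__main__":
    for rec in demo().records():
        print(rec["copy"])
        print("presented on:", rec["presented_on"])
```

Note that the store refuses to copy for a non-AML purpose rather than storing and labelling the copy: a copy that exists can be re-used, a copy that was never made cannot.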

11 German AML Law
Former § 4 (4) 1 of the German AML law:
"For the purpose of the identification of a person to be identified in accordance with paragraph 3, the obliged party has to satisfy itself that the collected information is correct, as far as it is contained in the documents: 1. for natural persons [...] by a valid official identification card."
New § 15 (2) 2:
"[...] the obliged parties have the right and the obligation to make complete copies or complete digital scans of these documents or records."

12 Video Identification
Online identification without personal contact
- Important for rural areas
- Rapidly growing in Germany
Requirements of the German banking supervisory authority:
- Consent
- Live transmission without interruptions
- Sufficient image quality
- Bank employee sitting in a separate, locked room
- Trained bank employees
- Termination of the procedure if any problems occur

13 Access to Public Registers
Example: The bank asks for access to the public population register.
- Art. 2 (2) a AML: "identification and verification of customer identity based on [...] information obtained from a credible and independent source"
- Two-doors principle of the German Constitutional Court: both the collection and the disclosure need their own legal ground
  Legal ground for the collector: legitimate interest
  Legal ground for the sender: ??

14 Transparency
Information to be provided:
- Bank's identity and contact details
- Contact details of the data protection officer (not the name)
- Purpose of the processing
- Categories of personal data
- Legal grounds for the processing; if Art. 5 (1) f: the legitimate interests
- Recipients of the data (or categories), e.g. public authorities, SWIFT, clearing systems etc.
- Cross-border transfers to countries without an adequate level of data protection
- Storage period (or at least the criteria used to determine it)
- Automated decision-making: the logic used and the possible consequences
- Data subjects' rights: access, rectification, erasure, restriction, objection, data portability, withdrawal of consent
- Right to submit a complaint to the Center
Clients must be actively informed about who you are and what you are planning to do with their data (Art. 18):
- Before the data collection. Recommended: attachment to the account opening contract
- Afterwards (in case of changes): postal letter, bank account statement printer, online banking

15 Privacy Impact Assessment
[Risk matrix: probability of occurrence x severity of damage]
- To be undertaken e.g. before processing data concerning the client's creditworthiness
- Step 1: How risky is the processing?
- Step 2: What measures can be taken to minimise the risk?
- Step 3: Is the residual risk controllable? If not: obligation to consult the DPA

16 Privacy Impact Assessment
- Helpful tool: software-20-available-and-growth-pia-ecosystem
- Provided by the French DPA (CNIL)
- Many languages, e.g. English and Romanian

17 International Data Transfer
[Map: the EEA]
Map designed by Layerace - Freepik.com

18 Adequacy Decisions of the European Commission
[Map: EEA plus countries with an adequacy decision]
Faroe Islands, Canada, Guernsey, Isle of Man, Jersey, Switzerland, USA, Japan, Israel, Argentina, Uruguay, New Zealand
Map designed by Layerace - Freepik.com

19 Transfer into Countries without Adequacy
Establish an adequate level of data protection yourself (Art. 50):
- Contract with the recipient; needs to be approved by the DPA
- Mainly used in the EU: Standard Contractual Clauses (SCC) of the European Commission; not to be modified
- In Moldova, it is up to the Center to approve SCCs
For individual cases only: derogations (Art. 53)
- e.g. necessary for the performance of a contract
- e.g. defence of legal claims
- e.g. specific consent
-> Only individual cases, no constant transfers

20 Payment Services Directive 2
- New European Union law (mandatory from September 2019)
- Also applicable to foreign banks with establishments in the EU
- Fundamental change of the financial economy: banks must offer third parties access to bank account data
- Future business models:
  Smartphone applications with access to multiple bank accounts
  Online shops can examine creditworthiness using the last transactions
  Credit brokerage: an external consultant with access to the bank account
- Always based on consent!
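Third-party access to account data under this slide rests on the client's consent, and slide 4 states that consent can be withdrawn at any time. The following added example (not code from the slides, from the directive, or from any bank or provider) shows a bank-side consent registry that grants a third-party provider exactly the accounts and data types the client consented to, refuses anything outside that, and honours expiry and withdrawal. The scope names, validity period and all identifiers are assumptions of the example.

```python
"""Consent-scoped third-party access to a bank account (PSD2-style).

Added example (not from the slides). A consent names the client, the
third-party provider (TPP), the accounts and the kinds of data covered; it
expires after a validity period and can be withdrawn at any time. A TPP's
request is granted only while every one of these conditions holds. Scope
names, the 90-day validity and all identifiers are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

KNOWN_SCOPES = frozenset({"balances", "transactions"})   # assumed scope names


@dataclass
class Consent:
    client_id: str
    tpp_id: str
    accounts: frozenset
    scopes: frozenset
    granted_at: datetime
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentRegistry:
    def __init__(self):
        self.consents = {}   # consent_id -> Consent

    def grant(self, client_id, tpp_id, accounts, scopes, now, valid_for=timedelta(days=90)):
        """The client grants one TPP access to named accounts and scopes."""
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        consent_id = secrets.token_urlsafe(16)   # unguessable handle for the consent
        self.consents[consent_id] = Consent(
            client_id, tpp_id, frozenset(accounts), frozenset(scopes), now, now + valid_for)
        return consent_id

    def withdraw(self, consent_id, now):
        """Withdrawal takes effect immediately; later requests are refused."""
        self.consents[consent_id].withdrawn_at = now

    def authorize(self, consent_id, tpp_id, account, scope, now):
        """Return (granted, reason) for one data request by a TPP."""
        c = self.consents.get(consent_id)
        if c is None:
            return False, "no such consent"
        if c.tpp_id != tpp_id:
            return False, "consent was given to a different provider"
        if c.withdrawn_at is not None and now >= c.withdrawn_at:
            return False, "consent withdrawn"
        if now >= c.expires_at:
            return False, "consent expired"
        if account not in c.accounts:
            return False, "account not covered by the consent"
        if scope not in c.scopes:
            return False, f"scope {scope!r} not covered by the consent"
        return True, "ok"


def demo():
    """Constructed walk-through: grant, use, exceed the scope, expire, withdraw."""
    reg = ConsentRegistry()
    t0 = datetime(2019, 9, 14, 9, 0, tzinfo=timezone.utc)
    cid = reg.grant("C-3001", "tpp-budget-app", ["MD01-ACCT-1"], ["balances", "transactions"], t0)
    one_day = t0 + timedelta(days=1)
    results = [
        reg.authorize(cid, "tpp-budget-app", "MD01-ACCT-1", "transactions", one_day),   # covered
        reg.authorize(cid, "tpp-budget-app", "MD01-ACCT-2", "transactions", one_day),   # other account
        reg.authorize(cid, "tpp-other", "MD01-ACCT-1", "balances", one_day),            # other provider
        reg.authorize(cid, "tpp-budget-app", "MD01-ACCT-1", "balances", t0 + timedelta(days=91)),  # expired
    ]
    reg.withdraw(cid, t0 + timedelta(days=2))
    results.append(reg.authorize(cid, "tpp-budget-app", "MD01-ACCT-1", "balances", t0 + timedelta(days=3)))
    return results


if __name__ == "__main__":
    for granted, reason in demo():
        print("granted" if granted else "denied ", reason)
```

The registry is deliberately deny-by-default: a request is granted only at the end of the checks, and each refusal names the condition that failed so the bank can show the client why a provider was turned away.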

21 Thank you for your attention!
Dr Jens Ambrock
Office of the Hamburg Commissioner for Data Protection and Freedom of Information
The slides are based on the speaker's personal opinions only.
This project is funded by the European Union

