The EDPS published two Opinions: one on the proposal for a Regulation on a Financial Data Access Framework and one on the proposal for a Regulation and Directive on payment services in the EU’s internal market. Both proposals aim to foster the sharing of data to broaden the offer of financial services and products, whilst providing individuals or organisations control over the processing of their financial data.
According to the Proposals, individuals and organisations would manage access to their financial data using dashboards provided by financial institutions. This would allow individuals concerned to monitor, restrict or grant access to their information. The EDPS highlights that, to achieve this objective, individuals or organisations should be provided with complete, accurate and clear information on the provider of the financial service requesting access to their data. Information on the type of product, payment or service for which an individual’s personal data would be used and the types of data requested should also be communicated.
The EDPS welcomes the efforts made to ensure the Proposals’ consistency with the General Data Protection Regulation (GDPR). Both Proposals should specify that the granting of ‘permissions’ to access financial data does not equate to giving consent under the GDPR. Likewise, all processing of personal data following a request to access an individual’s financial data must have an appropriate legal basis under the GDPR.
Wojciech Wiewiórowski, EDPS, said: “Increased sharing of financial data should open new opportunities for individuals, not close doors. Without clear boundaries, one could see higher prices for important financial services or the exclusion of customers with an unfavourable risk profile. Financial authorities and data protection authorities will need to cooperate closely to ensure that individuals and their fundamental rights are protected”.
Alongside these general remarks, the EDPS makes specific recommendations for each Proposal.
Given the highly sensitive personal data that may be shared in the context of the proposed Financial Data Access Framework, the EDPS recommends clearly circumscribing the types of personal data that can be processed, and to exclude data obtained through the profiling of an individual.
The EDPS welcomes the development of Guidelines to set boundaries for the processing of individuals’ personal data in relation to financial services. To ensure that these Guidelines comply with data protection law, including the GDPR, the EDPS advises that the European Data Protection Board - which encompasses the data protection authorities of the EU/EAA - is formally consulted before their adoption. The EDPS further advises that the Guidelines elaborate on the limits of combining individuals’ financial information with other types of personal information, such as personal data obtained from third party sources, like social media networks. Such practice is already explicitly prohibited in sectoral legislation on certain financial services, points out the EDPS.
Addressing the Regulation and Directive on payment services, the EDPS provides recommendations on fraud prevention, stating that the categories of personal data that payment service providers process in this context should be clearly defined and limited to what is strictly necessary. The EDPS also recommends that the Regulation specifies which type of payment service and which payment service providers would be allowed to process special categories of personal data.
As advisor to the EU legislator on data protection matters, the EDPS will continue to monitor the development of these proposals and any additional, implementing measures envisaged.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
About the EDPS: The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.