European Data Protection Supervisor

Rebuilding trust in financial services markets: 10 steps for responsible handling of personal information


Data protection can support the European economy, said the European Data Protection Supervisor (EDPS) today, following the publication of his Guidelines on data protection in EU financial services regulation. In his guidelines, the EDPS explains how the close supervision of financial markets should respect the rights of individuals to privacy and data protection in addition to rebuilding trust in markets for financial services.

Peter Hustinx, EDPS, said: "Sweeping regulatory reforms are being put in place to prevent a repeat of the 2008 financial crisis. The accountability and transparency of markets are legitimate policy aims, but in practice this means the collection, use and storage of large amounts of personal information by industry and by regulators. Our guidelines are a practical toolkit for ensuring that EU data protection rules are integrated when developing EU financial policies and rules."

Over 40 new laws in the area of financial services have been introduced since 2008, and the EDPS has been active in advising the Parliament, the Council and the Commission on the need for compliance with the Charter of Fundamental Rights. The EDPS guidelines bring together this advice in a single document.

Giovanni Buttarelli, Assistant Supervisor, said: "Data protection rules, like financial services regulation, can seem complex for non-specialists. Our guidelines explain in easy-to-follow, practical steps how the protection of the rights of the individual is necessary - and compatible - with effective financial services regulation. The value of personal information has increased in line with the growth of the digital economy and it is important that it is protected across all industry sectors. This is the first of several planned guidelines from the EDPS which will address the specific needs of different sectors."

The EDPS is working with other EU institutions in their efforts to stabilise the financial services sector and to address similar privacy issues in other sectors. A policy toolkit consisting of guidelines by sector was one of the undertakings announced in the policy paper published in June 2014, The EDPS as an advisor to EU institutions on policy and legislation: building on ten years of experience.

Background information

Privacy and data protection are fundamental rights in the EU. Under the Data Protection Regulation (EC) No 45/2001, one of the duties of the EDPS is to advise the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues that have an impact on data protection. Furthermore, EU institutions and bodies processing personal data presenting specific risks to the rights and freedoms of individuals ('data subjects') are subject to prior-checking by the EDPS. If, in the opinion of the EDPS, the notified processing may involve a breach of any provision of the Regulation, he shall make proposals to avoid such a breach.

Policy Paper, June 2014: The EDPS as an advisor to EU institutions on policy and legislation: building on ten years of experience is available on the EDPS website.

Financial services regulation in the EU aims to ensure financial stability, the efficiency of the single market for financial services and market integrity and confidence. Measures include banking capital requirements and rules on the derivatives markets, insurance, securities and investment funds, financial markets infrastructure, retail financial services and payment systems. A large number of new laws have been proposed and adopted since 2008, extending supervision of market behaviour and strengthening the powers of regulators, transparency and protections against risky activities. These rules also involve processing of information relating to individuals, often on a large scale, requiring compliance with EU principles and rules, particularly where there is an interference with the right to privacy. To date, the EDPS has published 14 separate Opinions on proposals for legislation in this area.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.

Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).