Financial and payment services: use of personal data should remain proportionate and fair

The EDPS published two Opinions: one on the proposal for a Regulation on a Financial Data Access Framework and one on the proposal for a Regulation and Directive on payment services in the EU’s internal market. Both proposals aim to foster the sharing of data to broaden the offer of financial services and products, whilst providing individuals or organisations control over the processing of their financial data.

According to the Proposals, individuals and organisations would manage access to their financial data using dashboards provided by financial institutions. This would allow individuals concerned to monitor, restrict or grant access to their information. The EDPS highlights that, to achieve this objective, individuals or organisations should be provided with complete, accurate and clear information on the provider of the financial service requesting access to their data. Information on the type of product, payment or service for which an individual’s personal data would be used and the types of data requested should also be communicated.

The EDPS welcomes the efforts made to ensure the Proposals’ consistency with the General Data Protection Regulation (GDPR).  Both Proposals should specify that the granting of ‘permissions’ to access financial data does not equate to giving consent under the GDPR. Likewise, all processing of personal data following a request to access an individual’s financial data must have an appropriate legal basis under the GDPR.

Wojciech Wiewiórowski, EDPS, said: “Increased sharing of financial data should open new opportunities for individuals, not close doors. Without clear boundaries, one could see higher prices for important financial services or the exclusion of customers with an unfavourable risk profile. Financial authorities and data protection authorities will need to cooperate closely to ensure that individuals and their fundamental rights are protected”.

Alongside these general remarks, the EDPS makes specific recommendations for each Proposal.

Given the highly sensitive personal data that may be shared in the context of the proposed Financial Data Access Framework, the EDPS recommends clearly circumscribing the types of personal data that can be processed, and to exclude data obtained through the profiling of an individual.

The EDPS welcomes the development of Guidelines to set boundaries for the processing of individuals’ personal data in relation to financial services. To ensure that these Guidelines comply with data protection law, including the GDPR, the EDPS advises that the European Data Protection Board - which encompasses the data protection authorities of the EU/EAA - is formally consulted before their adoption. The EDPS further advises that the Guidelines elaborate on the limits of combining individuals’ financial information with other types of personal information, such as personal data obtained from third party sources, like social media networks. Such practice is already explicitly prohibited in sectoral legislation on certain financial services, points out the EDPS.

Addressing the Regulation and Directive on payment services, the EDPS provides recommendations on fraud prevention, stating that the categories of personal data that payment service providers process in this context should be clearly defined and limited to what is strictly necessary. The EDPS also recommends that the Regulation specifies which type of payment service and which payment service providers would be allowed to process special categories of personal data.

As advisor to the EU legislator on data protection matters, the EDPS will continue to monitor the development of these proposals and any additional, implementing measures envisaged.