All modern financial services require the processing and free movement of their customers’ personal data. In particular, banks and other financial services companies store and process personal data either on hard copy or in electronic form to facilitate their business activities.
Such business activities include lending, securities transactions, investments, retail or corporate accounts services, and regulatory compliance (e.g. Anti-Money Laundering/Combating the Financing of Terrorism – AML/CFT).
In this context, banking service providers often transfer personal data of customers, employees or managers of these businesses to other locations (e.g. specific facilities) as a necessary condition for their processing.
Within the European Union, the transfer of personal data across national borders currently falls within the scope of Directive 95/46/EC, which establishes the minimum protection of data subjects for the storage, processing, access and transfer of their personal data.
Consequently, financial businesses that comply with these data protection requirements are free to transfer this personal data across the EU.
*Caution! The Data Protection Framework within the EU is currently being revised:
- The Directive 95/46/EC is repealed and replaced by the General Data Protection Regulation 2016/679 (G.D.P.R.), which will apply in all Member States from 25 May 2018.
- On the one hand, the G.D.P.R. introduces stricter requirements for businesses (e.g. for the responsibility to assess the data protection adequacy of Third Countries), a more centralized system of regulation and an arbitration system among the national data protection authorities when they disagree.
- On the other hand, the G.D.P.R. provides a high level of data transfer freedom between companies, banks or other organizations when a stricter regulation is not applied (e.g. provisions for «sensitive personal data»).
- In the context of facilitating the exchange of information on tax issues within the EU, including information on bank accounts, the Agreement between the European Union and the Swiss Confederation on the automatic exchange of information in tax matters was signed on 27 May 2015.
- This Agreement applies in parallel to the Convention of the Council of Europe and the OECD in relation to Mutual Administrative Assistance in Tax Matters.
- The Contracting Member States will collect data from financial accounts from 1 January 2017 and will exchange them from 2018, provided that the necessary legal bases in national legislation enter into force.
- The exchange of information will take place automatically, without the need for a request, allowing the concerned tax administrations to identify taxable persons and any cases of tax evasion.
- The data to be exchanged will concern:
– The bank account holder: name, address, national VAT registration number, date and place of birth and
– The bank account itself: account number, currency, account balance, interest, dividends and income from the sale of financial assets.
However, in order to lift banking secrecy, safeguards should be provided for the protection of depositors’ personal data (e.g. data minimisation, legitimate purpose, provision of information to the data subjects, security and data protection standards, and provision of an explicit period of storage).
For this reason, the European Data Protection Supervisor, in his Opinion No C 289/6 – OJ/3.9.2015, highlighted that the provisions of Article 6 of the EU / Switzerland Agreement, related to Data Protection, are incomplete and suggested the adoption of specific recommendations for its proper implementation.
- Finally, the Payment Services Directive 2015/2366/EC (PSD2), which will have to be transposed into the Member States’ national law by 13 January 2018, provides that the processing of personal data will fall within the scope of Directive 95/46/EC (as it will be replaced by the G.D.P.R.); e.g. compliance with specific principles of processing, the existence of a legal basis and safety requirements, either by design or by default, will be necessary conditions.
In any case, it is worth noting that in our broadened digital era the «battle» between economic integration and personal data protection must end in favor of the latter.
Edited by Dimitra Panagidi