
Data Protection Law in the EU Financial Sector

Financial Privacy and Data Protection in the enlarged European Union
Prof. Dr. Alfred Büllesbach, Chief Corporate Data Protection Officer

Customer data
[Figure: categories of customer data held by a financial institution: PIN, TAN, credit line, account balance, debit balance, name, address, telephone number, account number, spreading of risks, income, financial obligations, places of whereabouts]

Risks and Dangers
• Creation of user profiles
• Manipulation of transferred or stored data
• Unauthorised knowledge of data
• Misuse of data for purposes they were not collected for
• Unauthorised use of data
• Deletion of data by unauthorised persons

Objective of Data Protection: protection of the personal rights of those whose data is being processed

Basic Principles of Data Protection in Europe I
➔ Data avoidance and economy
➔ Legal authorisation or customer consent
➔ Data integrity and accuracy
➔ Compliance with the purpose
➔ Restrictions on data transfer to foreign countries
➔ Binding employees to data secrecy and limitation/control of access to personal customer data
➔ Assuring technical data security

Basic Principles of Data Protection in Europe II
➔ Rights of individuals:
  • notice
  • access
  • correction and deletion
  • objection against data use for marketing purposes
  • right not to be subject to an automated individual decision
➔ Only in Germany:
  • According to Section 6c of the BDSG, mobile storage media (chip cards) must be submitted to prior data-protection checks by the corporate data-protection officer.
  • Section 6b of the BDSG restricts the optical supervision of rooms open to the public. The concerned individual must be informed about

International data-protection regulations in Europe: Conventions and Charters
• Article 8 of the Convention of the Council of Europe for the Protection of Human Rights and Fundamental Freedoms: “Everyone has the right to respect for his private and family life, his home and his correspondence.”
• Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data
• Article 8 Section 1 of the Charter of Fundamental Rights of the European Union: “Everyone has the right to the protection of personal data concerning him or her.”
➨ The right to data protection is a human right in

International data-protection regulations in Europe: Directives I
• 1991: Council Directive on money laundering
• 1995: Data Protection Directive
  – implementation still not successful in France, Luxembourg, Ireland
  – will create a standardised legal data protection in the member states, allow data transfer within the EU domestic market and facilitate the cross-border flow of financial data within the EU
• 1997: Telecommunication Data Protection Directive, Article 12:
  – The use of automated calling systems or fax for the purposes of direct marketing is only allowed if addressees have given their prior consent.
  – Member States take appropriate measures by national legislation.
  – The right to choice applies to subscribers who are natural

International data-protection regulations in Europe: Directives II
• 1999: Directive on Electronic Signatures
  – objective: facilitating the use of electronic signatures and contributing to their legal recognition
  – distinction between “electronic” and “advanced electronic” signatures
  – creates the conditions that ensure safe use of digital signatures in legal and business transactions
  – opportunities have been little used
• 2000: E-Commerce Directive
  – objective: ensuring the free movement of information society services between the Member States
  – approximates national provisions on information society services relating to the internal market, the establishment of service providers, commercial communications, electronic contracts, the liability of intermediaries, codes of conduct, out-of-court dispute

International data-protection regulations in Europe: Proposal of the EU Commission
• 1999: Amended proposal for a Directive concerning the distance marketing of consumer financial services
  – objective: access without discrimination to the widest possible range of financial services available in the Community, so that the consumer can choose the best suited to their needs
  – guarantees a high level of consumer protection
  – ensures the free movement of financial services in order to enhance consumer confidence in distance selling
  – “financial service” means any banking, insurance, investment or payment service
  – covers all financial services liable to be provided at a distance
  – “distance contracts”: offer, negotiation and conclusion are carried out at a distance
  – Member States may not adopt provisions other than those laid down in this Directive
• Problems:
  – Disparities in legal provisions concerning contracts and

Data protection and bank secrecy
• Bank secrecy is a product of the contractual relationship between bank and customer; data protection is imposed by act of law
• Unlike bank secrecy, the German BDSG only protects natural persons
• Bank secrecy is relevant only in connection with third parties; data protection also regulates the collection, storage, changing or use of data by the bank
• Before a bank discloses customer data to third parties, it must observe both sets of legal obligations if its customers are natural persons
➨ data protection and bank secrecy represent two separate regulations that do not oppose one

National data protection regulations I
Right of the concerned individual to: Notice / Access / Correction and Deletion

Country            Notice                 Access   Correction/Deletion
Belgium            x                      x        x
Denmark            x                      x        x
Germany            x                      x        x
Finland            x                      x        x
France             -                      x        x
Greece             x                      x        x
Great Britain      x                      x        x
Ireland            x                      x        x
Italy              x                      x        x
Luxembourg         x                      x        x
The Netherlands    x                      x        x
Austria            x                      x        x
Portugal           x                      x        x
Sweden             x                      x        x
Switzerland        -                      x        x
Spain              x                      x        x

Country            Notice                 Access   Correction/Deletion
Bulgaria           (Draft)
Cyprus             (Draft)
Czech Rep.         x                      x        x
Estonia            if consent necessary   x        x
Hungary            x                      x        x
Latvia             x                      x        x
Lithuania          x                      x        x
Malta              (Draft)
Poland             x                      x        x
Romania            (Draft)
Russia             x                      x        x
Slovak Rep.        x                      x        x
Slovenia           if consent necessary   x        x
Turkey             (Draft)

National data protection regulations II
Right of the concerned individual to: Choice (opt-out) / Onward Transfer / Enforcement

Country            Choice (opt-out)   Onward Transfer   Enforcement
Belgium            x                  x                 x
Denmark            x                  x                 x
Germany            x                  x                 x
Finland            x                  x                 x
France             x                  -                 x
Greece             x                  x                 x
Great Britain      x                  x                 x
Ireland            x                  -                 x
Italy              x                  x                 x
Luxembourg         x                  -                 x
The Netherlands    x                  x                 x
Austria            x                  x                 x
Portugal           x                  x                 x
Sweden             x                  x                 x
Switzerland        x                  -                 x

Country            Choice (opt-out)   Onward Transfer   Enforcement
Bulgaria           (Draft)
Cyprus             (Draft)
Czech Rep.         x                  x                 x
Estonia            x                  -                 x
Hungary            x                  x                 x
Latvia             x                  x                 x
Lithuania          x                  x                 x
Malta              (Draft)
Poland             x                  x                 x
Romania            (Draft)
Russia             x                  -                 x
Slovak Rep.        x                  x                 x
Slovenia           x                  -                 x
Turkey             (Draft)

National data protection regulations III
Columns: concerning automated decisions / to notify / Data Protection Officer

Country            Automated decisions   To notify                       Data Protection Officer
Belgium            x                     x                               possible
Denmark            x                     x                               -
Germany            x                     x                               x
Finland            x                     x                               -
France             x                     not generally                   -
Greece             x                     x                               -
Great Britain      x                     x                               -
Ireland            -                     x                               -
Italy              x                     x                               -
Luxembourg         -                     x                               -
The Netherlands    x                     x                               x
Austria            x                     x                               -
Portugal           x                     x                               -
Sweden             x                     x                               x
Switzerland        -                     x                               -

Country            Automated decisions   To notify                       Data Protection Officer
Bulgaria           (Draft)
Cyprus             (Draft)
Czech Rep.         -                     x                               -
Estonia            -                     processing of sensitive data    -
Hungary            -                     x                               -
Latvia             -                     x                               -
Lithuania          -                     x                               -
Malta              (Draft)
Poland             -                     x                               -
Romania            (Draft)
Russia             -                     x                               -
Slovak Rep.        x                     x                               -
Slovenia           -                     x                               -
Turkey             (Draft)

Applicability of the BDSG to Financial-Service Providers
➔ Financial-service providers under private law: the general provisions of the BDSG, as well as the specific regulations for the private sector, apply (Sections 27-38a)
➔ Federal credit institutions under public law in free competition: Sections 27-38a apply as well
➔ The BDSG does not recognise any so-called corporate privileges: associated corporations in a corporate group are considered third parties in relation to one another

Collecting, processing and use of personal data by financial-service providers: Relevant legal regulations outside the BDSG I
➔ Data collected according to Section 31 of the Securities Trading Act about the financial situation of the client may be stored according to Section 34
➔ According to Sections 2 and 9 of the Money Laundering Act in connection with Section 154 of the Fiscal Code, financial institutions must store the acquired data of depositors of cash amounts over 30,000 DM
➔ General accounting or recording obligations (Section 257 of the Commercial Code, Section 319 of the Fiscal Code) can legitimise data-processing activities according to commercial and fiscal regulations
➔ Sections 915ff. of the Code of Civil Procedure and the List of Insolvent Debtors Code contain special data-protection regulations for the accessing of data in the debtors’ index and their use in the credit industry

Collecting, processing and use of personal data by financial-service providers: Relevant legal regulations outside the BDSG II
➔ According to Sections 13 and 14 of the Act Regulating Banking and Credit Business, specific loans are to be disclosed
➔ In the case of the decease of a bank customer, the bank has transmission obligations towards the revenue authority according to the Inheritance Tax Law
➔ Credit institutions have information obligations for the control of investment-income-tax payment and have to respect official inspection rights in other taxation procedures, public-investigation procedures and criminal proceedings
➔ Employment offices have information rights before they agree to pay unemployment benefits (Section 315 of the Social Security Code Vol. III)
➔ Finally, an institution that acts as an employer has information-collecting obligations towards Social Security carriers

Collecting, processing and use of personal data by financial-service providers: Legal basis in the BDSG
➔ Section 28 of the BDSG concerns data processing for an entity’s own corporate purpose
➔ Data processing offered as a service, such as credit-information systems or directory distributors, is regulated by Section 29
➔ Data processing on behalf of others is regulated in Section 11 of the BDSG and Section 25a of the Act Regulating Banking and Credit Business

Collecting, processing and use of personal data by financial-service providers: Section 28 of the BDSG
➔ Data processing to fulfil a contract with a client is permitted according to Section 28 of the BDSG
➔ Pre-contractual relationships are equivalent to a contract
➔ Producing user profiles is included in credit-card contracts only for the purpose of minimising the risk for the customer, not for advertising
➔ Data processing and use without a contract, or exceeding the contract, is allowed if it is required to preserve the justified interests of the financial institution (even advertising and marketing in coherence with the contract) and the protection-worthy interests of the concerned individual do not predominate
➔ According to Section 6a of the BDSG: credit scoring and “automated individual decisions”

Data exchange with credit-protection systems: Section 29 of the BDSG
➔ The customer releases the credit agency from bank secrecy in the contract, e.g. by signing the German SCHUFA clause
➔ The transfer of data from the database of the credit protection system is based on the justified interest of associated corporations, e.g. Section 29 Paragraph 2 of the BDSG for the SCHUFA organisations in Germany
➔ The credit protection system is obligated to document all retrievals from its database

Cross-border data and payment transactions
➔ According to Art. 25 I of the Data Protection Directive, data transfer is permitted by law if an adequate level of protection is ensured
➔ If the third country does not ensure an adequate level of protection, the transfer is exceptionally permitted according to Art. 26 I:
  – if the data subject has given his consent
  – if the data transfer is part of a contract
  – if the transfer is necessary in the interest of the data subject
  – if the transfer is made from a register according to a law
➔ If none of these exceptions applies, Contract Clauses or Codes of Conduct may guarantee an adequate level of protection
➔ The safe harbor principles can guarantee an

Data-protection obligations for financial services offered by teleservice providers
• To facilitate anonymous use and use based on a pseudonym if economically reasonable
• To secure data protection using information technology
• Not to create user profiles related to individuals
• To observe regulation with regard to the use of contract, connecting and billing data
• To provide a right of access that can be electronically requested and granted
➨ long-term acceptance for electronic commerce
