The protection of personal data of bank customers

Recent current events have once again brought to the attention of Guarantees Privacy on the topic of legitimate access, processing and sharing of customer banking dataprotected by the so-called banking secrecy.

Customers’ personal data may be processed by the bank to pursue purposes related to the execution of the contractual relationship or satisfy obligations deriving from the law, in compliance with the current legislation regulation of the GDPRas well as guidelines and guidelines of the Privacy Guarantor and the EDPB.

In this context, the course aims to delve deeper into the legitimate processing of personal data of bank customers by analyzing specific problems concrete issues related to information obligations and correct management of the exercise of customer rightsincluding the limitation of processing, deletion of data and access.

We will also focus on exceptions to the disclosure ban of customers’ banking data, as well as on limits on sharing the same data within the same banking group, between branches of the same bank, or, externally, to companies outsource.

Particular attention will be paid to organizational and technical measures for the protection of personal data within the bank itself, and in particular, to tracking of access to personal data by bank employees.

The webinar will illustrate, in summary, the obligations and operational implications of the application of framework regulations relating to the processing of personal data in the banking sector, combining the norms data protection with the rules applicable mainly to the banking sector, for the correct setting of technical-organizational policies and the correct management of customer data.

Topics subject to attention and discussion

Legitimacy of processing of customer data and consent

1. The “legitimate purposes” of the processing of personal data by banks
2. The processing of data in the course of banking activity, in light of the general principles of protection of personal data (lawfulness, relevance, transparency, as well as necessity, proportionality, quality of data)
3. Information obligations on the processing of customers’ personal data
   • Recording and storage of call content
4. Time limits on retention of customer data and right to deletion
5. The exercise of the rights of rectification and modification of consent to commercial initiatives and profiling
6. Outsourcing of information systems and transmission of personal data to companies outsource

The ban on disclosure of customers’ personal data and exceptions to the ban

1. The so-called banking secrecy
2. The circulation of personal data between banks belonging to the same group and between agencies/branches of the same bank
3. The communication of data to managers of credit information systems
4. Transfer of bank branches and information on personal data
5. Data communications due from the law and those authorized
   • The use of customers’ personal data in judicial proceedings
   • The lawfulness and correctness of data communication to the CAI (Interbank Alarm Centre)
   • Practice of the so-called benefunds and lawfulness of communication on sufficient funding

Organizational and technical measures to guarantee controlled access to personal data in the banking sector

1. Tracking of access to customer banking data carried out by bank employees: measures data governance
2. Data retention: the retention times of the relevant log files
3. The implementation of alert for the detection of intrusions or anomalous/abusive access to information systems
4. Log management and supplier relationships: organizational measures with third parties
5. Data breach: organizational procedures and information flows to the customer and the Guarantor in the event of illicit tracking operations carried out by those in charge

What strategies are banks ⁣employing to enhance transparency⁤ with ‍customers about how their data is used and processed, particularly in light of‌ recent ⁤regulatory changes?

Questions for⁣ Guest 1 (Bank Manager):

1. Could you please give us an ‍overview of the ‌recent changes in‌ regulations concerning the processing of customer banking data in Europe, and how they have affected the ⁣way ⁢financial ‍institutions like yours operate?

2. How has your bank‍ adapted to these new regulations regarding data protection,⁤ privacy, and consent? Can you share some specific changes ⁣made to ensure compliance with GDPR⁣ and other relevant‍ regulations?

3. What are the main challenges your bank has faced in ensuring ⁢that customer data is processed legally ‌and securely, and how have you addressed ‍these challenges?

4. Can you‌ explain the exceptions to the ban on disclosure of customer banking data, ⁣such as the transfer of data between branches of the same ​bank or ​to managers⁢ of credit information systems?

5. In what ways has your bank implemented technical and organizational measures to control access​ to customer data, such ⁤as tracking ⁣employee access and logging activities?

6. How do you balance the need for secure⁢ and controlled access to customer data with the need for efficient operations within ⁤the bank?

Questions for Guest 2 (Privacy Expert):

1. How‍ does the concept of “legitimate purposes” of processing personal data⁣ apply to the banking sector, and how ⁤has it‍ influenced the way financial institutions handle customer data?

2. What‍ are⁣ some‌ of the ⁤most significant changes in the way banks must handle customer data under the GDPR ‌and other relevant regulations?

3. What role do customers play in ensuring that their personal ⁣data​ is processed legally and securely by their​ bank? Can you discuss some⁣ of their rights ⁣and responsibilities in this regard?

4. Can you elaborate on‍ the ⁤specific challenges of managing and protecting customer data ⁢in the context of outsourcing and⁤ the use of third-party IT providers?

5.‍ How do you think the banking ⁣sector could improve its approach to​ customer data protection, both technically and organizationally?

6. What‌ impact, if any, do you‌ foresee these changes having on⁢ the overall trust between banks and their customers?