THE CRD AND EUROPEAN DATA PROTECTION LAWS: POTENTIAL CONFLICTS

EUROFINAS
European Federation of Finance House Associations
267, Av. de Tervuren, B 1150 Bruxelles
+32/2/778 05 60 Fax: +32/2/778 05 79
Email: eurofinas@eurofinas.org Web: www.eurofinas.org

I. BACKGROUND

The issue of the legality of the use of personal data under the Capital Requirements Directive was first brought to the attention of Eurofinas in mid-2005. At the time, the co-decision legislative process relating to the Directive was underway. The ECON Parliamentary Committee had already voted in a series of amendments to the Directive based on rapporteur MEP Radwan's report. Among the accepted amendments was a modification suggested by MEP Hoppenstedt to Recital 34 of the Directive. This amendment added (amongst others) the following provision to the Recital: "The Commission is called upon to draw up a communication on the extent to which data protection requirements will hamper the implementation of the Directive."

In a position paper dated August 29th, 2005, Eurofinas sent its remaining concerns with the Directive to members of the ECON Parliamentary Committee. Among the concerns set out in this paper, Eurofinas pointed out that Recital 34 thus amended may not provide a sufficient legal basis for allowing the use of personal data under the IRB Approaches of the CRD. As a result, the Federation was of the opinion that an amendment to the articles of the Directive was necessary, thus going a step further than the amendment proposed by MEP Hoppenstedt. The Eurofinas proposal stated that Member States should ensure that a framework explicitly permitting the collection and processing of personal data for the purposes of developing and validating risk management systems as required by the CRD be provided.

However, this amendment was not approved by the European Parliament's Plenary Vote of September 2005 and, at the beginning of 2006, Eurofinas decided to examine the existence and extent of any potential conflicts between data protection laws and the application of the CRD. It appeared that the issue was particularly acute in certain countries, such as Germany, while other member states remained unsure as to the effects of their data protection legislation on CRD implementation.

On the 13th of March 2006, as part of an EBIC delegation, Eurofinas attended a meeting of industry and the Capital Requirements Directive Transposition Group (CRD TG). During this meeting, Eurofinas was able to draw the CRD TG's attention to the difficulties some institutions were facing when using personal data within the scope of the CRD. The Commission responded by saying that it was aware of the issue and that it had asked the CEBS Groupe de Contact to look into it. It therefore invited Eurofinas to get in touch with the Groupe de Contact and to provide them with as much specific information as possible.

II. OBJECTIVES

In order to fully comprehend the situation in each individual state, Eurofinas has developed a framework of analysis that allows for the identification of potential obstacles to CRD implementation. Section III of this document sets out the framework proposed by Eurofinas, while Section IV briefly describes the situation in the countries of the Eurofinas Member Associations, using the framework to understand the issues at stake.

Having thus provided CEBS with as much information as we can, we would ask that:

1) CEBS consult their members to clarify the situation in the member states for which Eurofinas has not had any feedback
2) CEBS report these findings to the Commission
3) The Commission provide solutions to ensure that it is legal for financial institutions to make use of personal data when necessary under the CRD

III. THE FRAMEWORK

There are three cases in which Data Protection requirements are likely to cause difficulties in CRD implementation. These are as follows:

i) The CRD Requires the Use of Personal Data

The CRD requires the use of personal data and this can be hampered by the way the European Data Protection Directive 95/46/EC has been implemented into national legislation. Personal data is any information relating to an identified or identifiable natural person and its use is required under the CRD in several circumstances, particularly when dealing with retail exposures such as consumer credit. Indeed, an institution would have to use personal data when performing the following tasks:

1) When developing a credit risk model. The CRD allows institutions to use data from varying sources (internal, external or pooled) to construct their models. If several sources are used, it is necessary to consolidate the data relating to the same obligor. The institution thus has to be able to identify the obligors in the data sets under consideration.
2) When assessing an obligor's credit risk with the model.
3) For validating internal estimates: institutions are required to confront their estimates with actual data.
4) For purposes of the use test (CEBS Validation guidelines / art 84 of the CRD): institutions must demonstrate to supervisors that the information used in or produced by their rating system is also used in the course of conducting their regular business.

The following conflicts may thus arise:

Firstly, certain local implementations will render the processing of personal data legal only if it is a requirement of another law. In such cases, when member states implement the Directive it is essential that they ensure that the CRD is such a law. If it is not, the result will be that any use of personal data by an institution, be it its own internal data or data originating from external sources, will be illegal. It should thus be ensured that the CRD is given the appropriate status when it is implemented in each EU member state.

Secondly, when implementing the Data Protection Directive, some member states have chosen to allow the use of personal data under certain conditions only. The nature of these conditions (for example requiring unambiguous consent from the data subject [1]) may be overly burdensome in the case of an institution attempting to comply with the CRD.

Another issue relating to the use of personal data is that specific criteria such as age, nationality, sex or religion, for instance, may not be used for credit scoring purposes. The restrictions on these special criteria may vary from one country to another and in certain cases may seem unjustified. When we have been able to collect a list of criteria that may not be used for credit scoring, we have included this information in a separate Excel spreadsheet [2] attached to this document so as to draw attention to the varying attitudes of the authorities in the individual member states.

Furthermore, some local implementations of the Data Protection Directive will not have put in place a safeguard, with the result that the consolidation of data from internal and external sources as described above will be illegal.

Lastly, under the Data Protection Directive [3], member states must also ensure that if personal data is transferred, the data subject is informed. If member states have failed to provide adequate safeguards in cases where informing the data subject amounts to a disproportionate exercise, institutions will also be unable to use data from external sources.

ii) Local Legislation Imposes a Data Deletion Period that Conflicts with CRD Minimum Requirements

Some local data protection acts provide that data may only be kept for a certain amount of time, shorter than the CRD minimum requirement periods for historical data. In such cases, institutions building and using their models will be strongly limited and even unable to fulfill the requirements of Annex VII, Part 4, 66, 71, 81, 85, 92 and 94. These sections of the CRD require an institution to reach a minimum period of 5 years of historical data [4], and institutions not meeting these requirements will not be able to qualify for the Internal Ratings Based Approaches through no fault of their own, as they will have been required to delete data by another law.

In some countries, institutions may keep their own internal data indefinitely while data originating from external sources must be deleted before the CRD minimum historical data period. Given that sufficient data availability is a necessity to construct models, we would urge that CEBS and the Commission aim to find a practical solution to this problem. Furthermore, as the situation varies from country to country, the current situation goes against the level playing field objective.

iii) The Transferal of Data

The last issue relates to the transfer of data used to build up models under the CRD from one entity of a group to another. In some cases, provisions are put in place to prevent this exchange of data (e.g. so-called "banking secrecy"). This issue is particularly problematic when a group has several databases (as is often the case) spread through various entities and countries.

[1] The criteria for allowing the use of personal data are given in Article 7 of the Data Protection Directive.
[2] Document entitled PP_Special Credit Scoring Criteria
[3] Article 11 of the Data Protection Directive
[4] Except for cases of National Discretion or for LGD and CF estimates for the corporates, institutions, central governments and central banks exposure classes

IV. INDIVIDUAL SITUATIONS

An Excel spreadsheet [5] summarising the above potential conflicts can be found in the attachment. This spreadsheet has also been used to indicate in which areas the National Associations of Eurofinas have come across CRD and data protection conflicts in their countries. This section of the paper provides further detail on each individual case.

[5] Document entitled PP_Synopsis Check List

Austria

It would appear that banking groups with databases in Austria are not allowed to transfer their data out of the country to entities within the same group.

Belgium

Belgium does not foresee any conflicts except for the exclusion of certain specific criteria being used for credit scoring purposes (see attached list).

Czech Republic

- The explicit consent of the data subject is required to use personal data
- An institution's data relating to a prematurely terminated contract (e.g. default) have to be deleted within a 3 year period or at the request of the data subject
- Credit bureaux may retain data originating from credit institutions for up to 4 years
- Credit bureaux may retain data from finance houses for up to four years, except for data on rejected credit applications, which may only be kept for 6 months
- Data may not be transferred from one group entity to another

Germany

Under the draft revision of the German Credit Act, banks are permitted to collect and use personal data regarding their customers only under certain conditions. Sentence 7 provides that these data may also be collected by rating agencies and credit bureaux. Even if the collection of data by banks is therefore legally permissible, this does not necessarily mean that the release of corresponding data by credit bureaux to banks is also definitively permissible under current data protection law.

The release of data to banks by credit bureaux is essentially subject to the requirement of weighing of interests set forth in Art. 29 of the Federal Data Protection Act (BDSG). It remains unclear whether, in the case of positive data, the requirement of weighing of interests can even be applied as a criterion for legality, as the language of the consent clause ("Schufa Clause") imposes limits which do not permit such weighing of interests. The same applies to the legality of the release of data from the Debtors' Register, which is subject to the provisions of Art. 915 of the Code of Civil Procedure (ZPO).

The German Credit Act also specifies in Article 10, Sentence 8 that banks may release personal data to service providers only in pseudonymised form. This provision is in conflict with the practical requirements relating to the conception and development of integrated scoring models.

- Arts. 915 a), 915 b) and 915 g) of the German Code of Civil Procedure contain strict provisions requiring the deletion of data after three years.
- Consent of the data subject is needed when transferring data from one entity to another

Spain

No conflicts have been identified so far. However, in practice the applicability of the CRD (and use of personal data) will depend on the transposition of the CRD into local law. In other words, when the CRD is transposed, Spanish authorities must ensure that the transposition is a law recognised by the criteria of their data protection acts that allow for the processing of personal data. Thus, there will be no conflict if the CRD is adequately transposed.

Finland

If a credit institution uses information from an external rating agency, a conflict may arise, as data on payment disruptions may only be stored for less than five years.

France

Certain specific criteria are not allowed for credit scoring purposes (see list). Due to current uncertainties on the general situation in France, the French member association of Eurofinas would like to reserve the possibility to refer to CEBS with further information at a later date.

United Kingdom

The UK does not foresee any conflicts except for the exclusion of certain specific criteria being used for credit scoring purposes (see attached list).

Italy

- Article 6 of the Italian Code of Conduct states that credit bureau data may be retained for no longer than thirty-six months
- The hierarchy of legal sources is such that Data Protection Laws (relating to human rights) will always have precedence over the CRD transposition

Norway

The transferral of data from one group entity to another is forbidden.

The Netherlands

No conflicts have been identified so far.

Poland

- The explicit consent of the data subject is required for banks and credit bureaus to process data when the data is positive (if there is no consent, then the data must be deleted and can thus not be used for model building)
- Negative data may be processed by banks and credit bureaus without consent if the client had been in a situation of delay of payment for more than 60 days
- Alternatively, negative data may be processed if 30 days have passed since the interruption of payment and the institution has sent notice to the client that it intends to process data without consent
- If the client has paid within 30 days, under no circumstances may the data be used
- Data may not be stored for more than 5 years

Sweden

The Swedish Personal Data Act allows for the use of personal data if it is necessary for the purposes of the legitimate interests pursued by the controller (in this case the financial institution). Swedish data protection experts consider that institutions having to comply with the CRD should have a legitimate interest and should thus be allowed to process personal data. However, if the need for personal data use is not clearly expressed within the local transposition of the CRD, this conclusion is less apparent. The issue is currently being examined by the Swedish Finance Ministry, which will produce a memo on the topic in late autumn.

- The period of time data may be kept for depends on the wording of the CRD
- The national CRD implementation will have precedence over the Swedish Personal Data Act provided that it contains the necessary provisions on the processing of personal data.

Slovakia

No conflicts have been identified so far, except relating to the transferral of data from one group entity to another (banking secrecy).