The European Association of Co-operative Banks (EACB) welcomes the opportunity to provide the Article 29 Working Party (WP29) with its comments on the draft Guidelines on Transparency and Consent under Regulation 2016/679 adopted on 28 November 2017.
As a general comment and with regard to the draft Guidelines on Transparency, EACB members fully support the WP29’s concept of a multi-layered notice format for data subject notices to ensure readability. We believe that the WP29 should encourage this concept given the prevalence of digital media. However, EACB members note that in several respects the WP29’s draft Guidelines go beyond what is required by the GDPR or set too strict conditions (e.g. for identifying ‘recipients’ and for listing all third countries to which the data will be transferred; the ‘appropriate measures’; ‘time of notifications’; and many other topics).
With regard to the Guidelines on Consent, we wish to note that banks make little use of consent as a legal basis for their processing of customer data, which is rather based on the execution of a contract or pre-contractual measures; a legal obligation; and/or the legitimate interest of the controller. Nevertheless, EACB members believe that some aspects described in the draft Guidelines should be considered cautiously as they could be very restrictive of co-operative banks’ practices. For examples, the Guidelines set too strict consequences for controllers relating to refusal or withdrawal of consent or go too far when addressing granularity, data processing for marketing purposes and many other examples.