The European Association of Co-operative Banks (EACB) welcomes the opportunity to provide the Article 29 Working Party (WP29) with its comments on the draft Guidelines on ‘Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679’ adopted in April 2016.
EACB members believe that the requirements set out by the WP29 can lead to a considerable but unnecessary increase in workload for co-operative banks. Requirements effectively leading to DPIAs for a large number of data processing activities, where this is not necessary, would have a significant negative impact on the operations of credit institutions compared to the status quo, where only a ‘pre-control’ is needed.
Moreover, we would like to bring to the attention of the WP29 that the Anti-Money Laundering Directive requires a systematic monitoring of customers in order to fulfil its objectives. We believe processing activities falling under such legal requirement clearly fall under the exceptions identified in the draft Guidelines, whereby a DPIA is not required where a processing operation has a legal basis in EU or Member State law (page 11). Processing data in order to apply AML rules should be out of the scope of DPIAs and the EACB would appreciate an explicit mention of this in the final Guidelines.
Similarly processing carried out conforming to guidelines issued by the European Supervisory Authorities (ESAs) as part of the implementation of banking regulation, e.g. guidelines on arrears and foreclosure and on creditworthiness assessment under the Mortgage Credit Directive (MCD), should also fall under such exception.
23 May 2017
EACB’s views on the Article 29 Working Party DPIA Guidelines
EACB