The European Association of Co-operative Banks (EACB) welcomes the opportunity to provide the Article 29 Working Party (WP29) with its comments on the draft Guidelines adopted in December 2016. The EACB’s main concerns relate to the Guidelines on the Right to Data Portability and to the Guidelines on Data Protection Officers (DPOs).
With regard to the Guidelines on the right to data portability, co-operative banks welcome the WP29’s guidance to data controllers in clarifying the meaning and application of data portability. However, co-operative banks are concerned about the wide interpretation given by the WP29 to Article 20(1) when it comes to data ‘provided by’ the data subject. We believe the broad interpretation of the Article 20 provisions goes beyond the end goal of Article 20, which attempts to find a balance between the data subject’s interest in obtaining his or her data for the purpose of switching to an alternative provider and the data controller’s obligations. Indeed, given that the main objective of data portability is to facilitate switching, it should be kept in mind that switching is already provided by banks and regulated (i.e. PAD) in Europe. For customers to switch their account (or even a securities account) to another bank, only information about the current status of the account (balance, standing instructions, securities positions, etc.) is needed, but not all the data ever provided by the client, that is, historical data that bears no effect on the current account balance. Therefore, data portability should focus on ‘all data provided by the client, which is relevant for switching to an other provider for a given service’. Other key concerns relate to the need for the Guidelines to stay within the boundaries of what the GDPR has stipulated; controllership; personal data concerning other data subjects; and the cost for data controllers to satisfy data portability requests.
With regard to the Guidelines on the DPOs, for many EACB members the requirements reported by the WP29 largely correspond to the existing requirements under their national laws for the activities of an operational data protection officer. However, we call the WP29’s attention on some aspects that should be taken into consideration when formulating the requirements. In particular with regard to the accessibility to the DPO from each establishment; DPOs on the basis of a service contract; and the position and tasks of the DPO.
