The European Association of Co-operative Banks (EACB) welcomes the opportunity to provide the Article 29 Working Party (WP29) with its comments on the draft Guidelines on automated individual decision-making and profiling and on personal data breach notification under Regulation 2016/679 adopted on 3 October 2017.
As a general comment and with regard to the draft Guidelines on profiling, EACB members believe that the Guidelines might be putting too much emphasis on data processing operations that have more to do with the simple identification of customers than with the adoption of decisions that might have an impact on them. We believe that the pure processing of static data about an individual cannot be considered, in and of itself, a form of profiling in the absence of activities on the part of the controller aimed at evaluating, analysing or predicting elements linked to the data subject.
With regard to the Guidelines on data breach notification, EACB members appreciate the fact that the WP29 recalls the existence of additional notification and communication obligations under other legislation with which controllers must comply. However, as reported in the report on the second FabLab (April 2017), not only the banking industry but also other sectors, such as telecoms, called on the WP29 to take into consideration the different notification deadlines set by other EU legislation, and the usefulness of having a single organisation to notify in relation to the same incident. EACB members strongly stress the need for articulation between the three reporting obligations, i.e. personal data breach notification under the GDPR (Art. 33), major incident reporting under PSD2 (Art. 96, together with the EBA draft Guidelines on major incident reporting under PSD2) and incident notification under the NIS Directive (Articles 14(3) and 16(3)), which also applies to banks. The problem for banking institutions is the concurrence of three notification obligations for the same incident, each with a different deadline and a different competent authority.