Opinion of the European Data Protection Supervisor on the proposal for a Directive of the European Parliament and of the Council on Deposit Guarantee Schemes (recast).
In this Opinion, the EDPS briefly explains and analyses the data protection aspects of the proposal. He recalls that the improved procedure for the repayment of depositors entails an increased processing of personal data of depositors within a Member State, but also between Member States. In case the depositor is a natural person, information about the depositor constitutes personal data within the meaning of Directive 95/46/EC. The EDPS is pleased to see that this is confirmed in the proposal.
He is also pleased to see that certain data protection elements have been addressed in the proposal in substantive terms. The proposal provides that the information obtained for the preparation of repayments may only be used for that purpose and shall not be kept longer than is necessary for that purpose. This conforms to the principle of purpose limitation, as laid down in Directive 95/46/EC and the obligation to keep data no longer than is necessary for the purpose for which it was collected or is further processed. It is explicitly pointed out that the information obtained for the preparation of repayments also includes markings under Article 4(2). On the basis of the latter Article, credit institutions are obliged to mark deposits if the deposit is for some reason not eligible for repayment, for instance because the deposits arise out of transactions which are connected with a criminal conviction for money laundering. Since the purpose of the information exchange is the repayment of the deposit, the communication of such a marking can be considered to be a necessary measure. The EDPS therefore takes the view that the transfer of such a marking, when considered personal data, is in conformity with the data protection rules as long as the marking itself does not reveal more information than necessary. A simple mark stating that the deposit is not eligible would serve the purpose. Therefore the obligation contained in Article 4(2) of the proposal should be applied in that way, in order to comply with the rules stemming from Directive 95/46/EC.
The proposal also deals with the collection of information by DGSs which is necessary to perform regular stress tests of their systems. This information is submitted to the DGSs by the credit institutions on an ongoing basis. In informal consultation the EDPS expressed concerns as to whether this information would also include personal data. The EDPS expressed doubts as to whether it was actually necessary to process personal data for performing stress tests. The Commission has adjusted the proposal on this point and added that such information shall be rendered anonymous. In terms of data protection this means that the information cannot, after taking into account all means likely to be used, be linked to an identified natural person. The EDPS is satisfied with this assurance.
With further regard to the information received for the performance of stress tests, it is stated in the proposal that such information may only be used for that purpose and that it shall be kept no longer than is necessary for that purpose. The EDPS would like to point out that if information is made anonymous, it no longer falls within the definition of personal data to which the rules contained in Directive 95/46/EC apply. There may be good reasons to provide for limited use of this information. However, the EDPS would like to make clear that data protection rules do not require this.
In conclusion, the EDPS is satisfied with the way in which the data protection aspects are addressed in the proposed Directive, and would only like to refer to the comments made above.