Prudential requirements for credit institutions and investment firms. Capital Requirements Regulation (CRR)  
2011/0202(COD) - 10/02/2012  

Opinion of the European Data Protection Supervisor (EDPS) on the Commission proposals for a Directive on the access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, and for a Regulation on prudential requirements for credit institutions and investment firms.

The EDPS notes that while most of the provisions of the proposed instruments relate to the pursuit of the activities of credit institutions, the implementation and application of the legal framework may in certain cases affect the rights of individuals relating to the processing of their personal data.

Several provisions of the proposed Directive allow for the exchange of information between the authorities of the Member States and, possibly, third countries. This information may well relate to individuals, such as the members of the management of the credit institutions, their employees and shareholders. Furthermore, under the proposed Directive competent authorities may impose sanctions directly on individuals and are obliged to publish the sanctions inflicted, including the identity of the individuals responsible. In order to facilitate the detection of violations, the proposal introduces the obligation for the competent authorities to put in place mechanisms encouraging the reporting of breaches.

Moreover, the proposed Regulation obliges credit institutions and investment firms to disclose information relating to their remuneration policies, including the amounts paid segregated per categories of staff and per pay-bands.

The EDPS’s opinion focuses on the following aspects of the package of measures relating to data protection:

(1) Applicability of data protection legislation: Recital 74 of the proposed Directive contains a reference to the full applicability of data protection legislation. However, a reference to the applicable data protection legislation should be inserted in a substantive article of the proposals according to the EDPS.

(2) Transfers to third countries: the EDPS recommends: i) clarifying that agreements with third countries or third-country authorities for the transfer of personal data must comply with the conditions for the transfer of personal data to third countries contained in Chapter IV of Directive 95/46/EC and Regulation (EC) No 45/2001; ii) inserting in the draft Directive a provision similar to that contained in Article 23 of the proposal for a Regulation of the European Parliament and the Council on insider dealing and market manipulation (market abuse).

(3) Professional secrecy and use of confidential information: the EDPS recommends extending the prohibition of disclosing confidential information contained in the proposal to cases where individuals are identifiable (i.e. not only ‘individual credit institutions’). In other words, the provision should be reformulated so as to prohibit the disclosure of confidential information, ‘except in summary or collective form, such that individual credit institutions and individuals cannot be identified’.

(4) Mandatory publication of sanctions: the EDPS is of the view that the provision on the mandatory publication of sanctions — as it is currently formulated — does not comply with the fundamental right to privacy and data protection.

The legislator should carefully assess the necessity of the proposed system and verify whether the publication obligation goes beyond what is necessary to achieve the public interest objective pursued and whether there are less restrictive measures to attain the same objective.

Subject to the outcome of this proportionality test, the publication obligation should in any event be supported by adequate safeguards to ensure respect of the presumption of innocence, the right of the persons concerned to object, the security/accuracy of the data and their deletion after an appropriate period of time.

(5) Reporting of breaches: Article 70 of the proposed Directive deals with mechanisms for reporting violations, also known as whistle-blowing schemes. The EDPS welcomes the fact that the Proposal contains specific safeguards, to be further developed at national level, concerning the protection of the persons reporting on the suspected violation and, more generally, the protection of personal data.

- The EDPS highlights the need to introduce a specific reference to the need to respect the confidentiality of whistleblowers' and informants' identity. In view of the above, the EDPS recommends adding to Article 70(2)(b) the following provision: ‘the identity of these persons should be guaranteed at all stages of the procedure, unless its disclosure is required by national law in the context of further investigation or subsequent judicial proceedings’.

- The EDPS further highlights the importance of providing appropriate rules in order to safeguard the access rights of the accused persons, which are closely related to the rights of defence.

- The EDPS suggests adding, in the proposed Directive, the provision on insider dealing and market manipulation, which requires Member States to put in place ‘appropriate procedures to ensure the right of the accused person of defence and to be heard before the adoption of a decision concerning him and the right to seek effective judicial remedy against any decision or measure concerning him’.

- Lastly, as regards Article 70(2)(c) the EDPS is pleased to see that this provision requires Member States to ensure the protection of personal data of both the accused and the accusing person, in compliance with the principles laid down in Directive 95/46/EC. He suggests however removing ‘the principles laid down in’, to make the reference to the Directive more comprehensive and binding.