
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on a framework for Financial Data Access (The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)

OJ C, C/2023/1054, 20.11.2023, ELI: http://data.europa.eu/eli/C/2023/1054/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)


On 28 June 2023, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (‘the Proposal’). The objective of the Proposal is to promote the development of data-driven financial services and products by enabling consumers and firms to better control access to their financial data.

The EDPS welcomes that the Proposal seeks to empower customers - including data subjects - to decide how and by whom their data is used. He notes, however, that the definition of ‘customer data’ is particularly broad, potentially including personal data of a highly sensitive nature. The categories of personal data to be made available under the Proposal should be clearly circumscribed, taking into account the risks for individuals whose personal data would be accessed and used. The EDPS also recommends explicitly excluding data created as a result of profiling from the definition of ‘customer data’.

The EDPS welcomes that the Proposal would impose several obligations on data holders and users that could have a positive effect on the level of protection of the personal data. To further this objective, data users should be obliged to clearly outline, for each request, the specific types of customer data they seek access to. The Proposal should also prohibit the denial of the financial services to customers who do not install and avail themselves of the permission dashboard or otherwise enable data sharing by data holders with data users under the Proposal.

The EDPS considers that a clearly identified and strongly enforced data use perimeter is necessary to delineate appropriate uses of personal data and to protect vulnerable consumers. In this regard, the EDPS welcomes that the Proposal provides for the development of guidelines by the European Banking Authority and the European Insurance and Occupational Pensions Authority, in cooperation with the European Data Protection Board (EDPB). To ensure that the guidelines are fully aligned with data protection law, the EDPS considers a formal consultation of the EDPB to be necessary. The EDPS also recommends extending the scope of the future guidelines to other relevant financial products and services, such as to mortgage credit agreements, payment services, other insurance products, investment products, and pension products. The guidelines should also elaborate, where appropriate, on the limits for combining ‘customer data’ with other types of personal data, such as personal data obtained from third party sources (e.g., social media networks or data brokers).

The EDPS recommends ensuring close cooperation between competent authorities under the Proposal and data protection supervisory authorities to ensure consistency between the application and enforcement of the Proposal and EU data protection law. Such close cooperation could be fostered by clarifying the circumstances in which competent authorities may consult and exchange information with data protection authorities.

1.   Introduction

1. On 28 June 2023, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (1) (‘the Proposal’).

2. The Proposal aims to promote the development of data-driven financial services and products by enabling consumers and firms to better control access to their financial data (2). By doing so, the Proposal would make it possible for consumers and firms to benefit from financial products and services beyond payments that are tailored to their needs based on the data that is relevant to them. At the same time, the Proposal aims to address the risks that are inherent to the increased sharing of and access to financial data (3).

3. The Proposal is a sectoral building block that fits into the broader European strategy for data and enables data sharing within the financial sector and with other sectors (4). It is directly connected with one of the priorities of the Commission’s Digital Finance Strategy for the EU, notably of creating a European financial data space to promote data-driven innovation, building on the European data strategy (5), including enhanced access to data and data sharing within the financial sector (6).

4. In essence, the Proposal would:

a. establish the rules in line with which specific categories of ‘customer data’ - including personal data - in finance (7) may be accessed, shared, and used by financial institutions and financial information service providers (‘FISPs’) - the ‘eligible entities’ (8) - acting as either data holders (9) or users (10);

b. provide the customer - who may be a natural or legal person (11) - with the right to request that the data holder shares this data with a data user for the purposes and under the conditions agreed between the data user and the customer (12);

c. impose certain obligations on data users receiving data at the request of customers and set certain boundaries on how customer data may be used (13);

d. mandate the European Banking Authority (‘EBA’) and the European Insurance and Occupational Pensions Authority (‘EIOPA’) - in cooperation with the European Data Protection Board (‘EDPB’) - to develop targeted guidelines addressing areas where the data sharing and access envisaged in the Proposal could entail higher exclusion risks for customers (14), thereby establishing a ‘data use perimeter’ (15);

e. allow customers to monitor and manage the data permissions they have given to data users through financial data access permission dashboards (to be mandatorily set up by data holders) (16); and

f. introduce requirements for the creation and governance of financial data sharing schemes (‘FDSS’) - of which data holders, data users and consumer organisations would be parties - to develop (inter alia) data and interface standards and a joint standardised contractual framework governing access to specific datasets (17).

5. The present Opinion of the EDPS is issued in response to a consultation by the European Commission of 29 June 2023, pursuant to Article 42(1) of EUDPR (18). The EDPS welcomes the reference to this consultation in Recital (54) of the Proposal. In this regard, the EDPS also positively notes that he was already previously informally consulted pursuant to Recital (60) of the EUDPR.

8.   Conclusions

54. In light of the above, the EDPS makes the following recommendations:

(1) to clarify in Recital (48) that processing of personal data in the context of the proposed Regulation should be carried out in accordance with the GDPR (19), the EUDPR and the ePrivacy Directive (20);

(2) to clearly circumscribe the categories of personal data included in Article 2(1) of the Proposal, taking into account the nature of the financial services and products offered by eligible entities listed in Article 2(2) of the Proposal and the risks for individuals whose personal data would be accessed and used by data users;

(3) to explicitly exclude data created as a result of profiling from the definition of ‘customer data’ in Article 3(3) of the Proposal;

(4) to avoid any ambiguity between the term ‘permission’ within the meaning of the Proposal and the legal basis for processing under the GDPR, by additionally clarifying in Recital (48) that permission should not be construed as ‘consent’ or ‘explicit consent’ or ‘necessity for the performance of a contract’ as defined in the GDPR;

(5) to insert in the enacting terms of the Proposal a provision that would prohibit the denial of financial services listed in Article 2(2) of the Proposal to customers who do not install and avail themselves of the permission dashboard under Article 8 of the Proposal or otherwise enable data sharing by data holders with data users under the Proposal;

(6) to include a requirement in Article 6 of the Proposal for data users to clearly outline in their access requests to customers the specific types of customer data they seek access to;

(7) to amend the wording of Article 6(2) of the Proposal as follows: ‘A data user shall only request and access customer data under Article 5(1) that is adequate, relevant and necessary for the purposes and under the conditions for which the customer has granted its permission’;

(8) to specify that a data user may only contact customers for direct marketing purposes subject to their prior consent or with offers for products or services similar to the ones for which they have accessed customer data and under the conditions provided by Article 13(2) of the ePrivacy Directive;

(9) to include an explicit reference, in Article 7 of the Proposal, to the need to comply with the existing EU sectoral rules and guidelines regarding the access to and use of personal data for the purpose of the provision of the financial services and products in scope of the Proposal;

(10) to provide for a formal consultation of the EDPB by both EBA and EIOPA when developing the proposed data use perimeter guidelines, by adding to Article 7(4), after ‘in close cooperation with’, the wording ‘and subject to a formal consultation of’;

(11) to provide for the adoption of the guidelines under Article 7, subject to the formal consultation of the EDPB, at the earliest possible moment considering the date of applicability of the Proposal;

(12) to extend the scope of the guidelines under Article 7 to other important financial products and services in scope of the Proposal;

(13) to specify that the guidelines under Article 7 should also address, where appropriate, the limits for combining ‘customer data’ obtained pursuant to the Proposal with other types of personal data;

(14) to require data users under Article 8(4)(b) to also inform data holders about the customer account, financial product or financial service to which access is being sought;

(15) to require data users under Article 8(4)(b) to inform data holders about the legal basis under Article 6(1) GDPR and (if applicable) the exception under Article 9(2) GDPR that they would rely on to access personal data contained in the customer dataset;

(16) to specify in Article 8 of the Proposal that the permissions dashboard should not be designed in a way that would encourage or unduly influence the customer to grant or withdraw permissions;

(17) to require data users to demonstrate to data holders in an appropriate manner that they have obtained the customer’s permission to access the customer data held by the data holder;

(18) if data users may request access to customer data on behalf of a customer, to require data holders to request (and data users to provide) proof of the representation powers obtained from the customer;

(19) to amend Article 14(7) of the Proposal to clarify that competent authorities may withdraw the authorisation they have granted to a FISP in cases where supervisory authorities under the GDPR establish that a FISP has breached its obligations under EU data protection law;

(20) to provide for a definition of ‘financial information services’ in Article 3 of the Proposal;

(21) to require FDSS to lay down the minimum technical and organisational measures that FDSS members should implement to ensure an appropriate level of security for exchanged personal data;

(22) to replace the word ‘similar’ after ‘to draw up codes of conduct’ in Recital (25) of the Proposal with ‘in accordance with Article 40 GDPR’;

(23) to specify that supervisory authorities under the GDPR are among the ‘other relevant public authorities’ or ‘other competent authorities’ to be consulted by competent authorities pursuant to Articles 14(1) and 10(6) of the Proposal; and

(24) to make explicit reference to supervisory authorities under the GDPR in Article 18(3) of the Proposal.

Brussels, 22 August 2023.

Wojciech Rafał WIEWIÓROWSKI


(1)  COM(2023) 360 final.

(2)  COM(2023) 360 final, p. 1.

(3)  COM(2023) 360 final, p. 1-2.

(4)  COM(2023) 360 final, p. 3.

(5)  Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on A European Data Strategy (COM(2020) 66 final, 19.2.2020).

(6)  Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU (COM(2020) 591 final, 24.9.2020, p. 3 and 4).

(7)  Listed in Article 2(1) of the Proposal.

(8)  Listed in Article 2(2) of the Proposal.

(9)  Article 3(5) of the Proposal: ‘ “data holder” means a financial institution other than an account information service provider that collects, stores and otherwise processes the data listed in Article 2(1)’.

(10)  Article 3(6) of the Proposal: ‘ “data user” means any of the entities listed in Article 2(2) who, following the permission of a customer, has lawful access to customer data listed in Article 2(1)’.

(11)  Article 3(2) of the Proposal.

(12)  Article 5 of the Proposal.

(13)  Article 6 of the Proposal.

(14)  Notably, products and services related to the credit score of consumers and to risk assessment and pricing of consumers in the case of life, health and sickness insurance products. See also recital (18) of the Proposal.

(15)  Article 7 of the Proposal.

(16)  Article 8 of the Proposal.

(17)  Titles IV and V of the Proposal.

(18)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(19)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(20)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).


ISSN 1977-091X (electronic edition)
