Data protection in banking

Banks and financial institutions process a lot of personal data. They are also subject to the requirements of the GDPR. These requirements must be met not only in the branch, but also in online banking.

Accordingly, a bank's data protection concept must function both online and offline. The fight against cybercrime has become particularly important here. In addition to the tapping of bank data such as credit card numbers, the reading of data on individual payment transactions to determine customer preferences is also becoming increasingly economical.

In the end, responsible handling of personal data not only protects against possible fines, but also increases customer confidence enormously.

Processing of personal data

Every time personal data is processed, this must be based on a legal basis. In the case of banks, this can be based on the customer's consent (Art. 6 I lit. a DSGVO), the performance of a contract (Art. 6 I lit. b DSGVO) or the fulfillment of a legal obligation (Art. 6 I lit. c DSGVO).

The collected data must be protected against unauthorized access at every stage of processing. In particular, all systems and applications used must be checked for data security.

Documentation and storage

The bank must be able to demonstrate that the data is adequately protected upon request (accountability, Art. 5 II GDPR). Therefore, the bank must document the handling of the data. In this context, statutory retention periods must be taken into account depending on the type of data. If these expire, the data must be deleted immediately and securely.

IT Security

Advancing digitalization makes it necessary to pay a great deal of attention to IT security, especially in the financial sector.

All systems, software and hardware solutions, cloud services and websites used must always be kept up to date with the latest technology. To do this, it is usually sufficient to update the systems used as soon as there is a new update for them.

It must also always be pointed out when data is transferred to third countries.

Other addressees

In addition to traditional banks, all other financial institutions and FinTechs (financial technology companies) are also required to comply with the requirements of the GDPR. This is because sensitive data is also processed here to a comparable extent as in the traditional bank on site at the counter.

The higher the risks for and the need to protect data, the higher the requirements for protective measures. Of particular importance here is a suitable authorization management/concept, in which individual access authorizations become apparent and thus the data processing process becomes transparent.

Depending on the company, special regulations, such as those from the Securities Trading Act or the applicable tax law, must also be observed.

Consequences of violation: fines

Violation of the requirements of the GDPR threatens the imposition of a fine. Banks are not spared from this either: they, too, find themselves in the highest fines. This is also the case with the 17 fines in the millions of euros imposed in 2020.

To circumvent this and strengthen customer confidence, it is always a good idea to call in professional advice in the context of data protection and IT security.