Special GDPR
Governance
Right to Privacy included in the
1950 European Convention on Human
Rights. It was updated in 1995 by the
European Data Protection Directive.
Lately, passed in 2018, it was updated by
Govern the General Data Protection Regulation
ment (GDPR). These represent a minimum and
some member-state can issue additional
elements.
Banks are considered like Healthcare to
be in ‘special category data’ and a data
processor.
Banks As processor they need to abide to 7
protection and accountability principles
(Article 5.1-2).
More on GDPR in financial services indus
try
.
A breach must be notified to the
member-state supervisory authority
(DPA) without undue delay, a scrutiny
of not more than 72 hours may be
Private given if the company seen defined as a
data controller.
Controllers are required to keep a
record of all data breaches and permit
audits of the record by the DPA
Enforcement Prosecution Resilience
Creation of Creation of European Data Protection Supervisor ( The DPAs decide whether or not to Board system (EDPB) with a
European Data EDPS) to monitor and ensure the protection of bring a GDPR related prosecution in the Supervisor (EDPS) and officers
Protection Board personal data and privacy when EU institutions and Courts; it will usually notify the (DPO) with each institution and
(EDPB) to bodies process the personal information of individual concerned in writing of its bodies
promote individuals. It also advises EU institutions and intention to do so.  This would usually
cooperation bodies on all matters relating to the processing of be followed by a formal summons to
between the EU’s
data protection
personal data Court for trial.
authorities. Each Institution needs to appoint a Data Protection Fines:
Officer (DPO) ensuring that the provisions of the The less severe fines could result in a
Enforcement regulation are correctly applied within the EU fine of up to €10 million, or 2% of
delegated to institutions and bodies global turnover
Member-state
Data Protection The more severe fines could result in a
Authorities ( Banks need to appoint a Personal Data Controller fine of up to €20 million, or 4% of global
DPA: CNIL in FR, and ensure that turnover.
AEPD in ES) customer personal data is always under control.
Member states may add additional fines
It is required to keeping track of who has access to and liabilities. For Instance, in France,
their customers' data, when and how the data is personal liabilities and criminal penalty
processed and protected. can be added (up to 5 years of prison
Banks need to show evidence of use of state-of-the- and €300,000 fine)
art technology to ensure the best possible data
protection.
Companies can opt to appoint a Data Protection Major fines put on corporations
Officer (DPO) unless a Member-state requires their
appointment. Their task is to advice on carrying out Name and shame companies on medi
data protection impact assessments, and in creating a, websites …
and keeping records of processing activities in an
Non-compliance leads to huge fines
organization.
Authorities enjoy investigative and corrective powers Provide Handbooks and
including the power to undertake on-site data Checklist for companies
protection audits and the power to issue public
warnings, reprimands. Offer the option to appoint a DPO