Data protection for bank data and payment transactions

Whenever the effort put into data protection is called into question, experiences like these should be cited: malware, online shopping fraud or insults on social networks. Three out of four Internet users (75 percent) were affected by cybercrime in 2022, according to the digital association Bitkom.

Many have fallen victim to fraud, whether when shopping online (29 percent) or in payment transactions such as online banking, including misuse of their own account data (13 percent).

For good reason, bank data and payment transaction data are among the most sensitive data for most people: the potential for misuse is high, as is the potential harm to those affected.

Data misuse: Not only by Internet criminals

However, online criminals are not the only ones with a strong interest in payment transaction data; banks and other financial institutions have one too. And that interest in the financial data of bank customers sometimes goes further than data protection allows.

One example: The State Commissioner for Data Protection (LfD) in Lower Saxony had examined a cooperative bank that was testing so-called smart data procedures as a pilot bank.

Smart data processes are used to select specific individuals from the customer base for particular advertising measures. To do this, score values are generated that indicate whether a customer is likely to be interested in a particular product.

This could be a real estate loan, a credit card or a securities savings plan, for example. The customer then receives advertising for the corresponding product. To create the score values, payment transaction data is analyzed, among other things, and in some procedures, data on the customer's residential environment is also obtained from external service providers.

Extensive analyses of payment data

To calculate whether someone is likely to be interested in a consumer loan, for example, 162 data fields are used. The information drawn from payment transaction data includes, to name just a few examples: receipt of social benefits; household and food expenses; the amount of vehicle costs; the amount of "basic costs" such as payments to energy suppliers; the amount of salary or pension received; the amount of ATM withdrawals; and turnover in the e-payment category, for example PayPal and Amazon.

The data protection supervisory authority makes it clear: these processing operations cannot be justified either by weighing the interests of the bank and the data subject or by the consent forms used. They are therefore unlawful.

Making behavioral predictions from payment transaction data does not correspond to the reasonable expectations of customers. Yet such correspondence is, among other things, a precondition for relying on a balancing of interests as the legal basis. In another case, the LfD Lower Saxony had already imposed a fine of 900,000 euros in July 2022 because a bank had exceeded the limits of the balancing of interests when processing personal data for advertising purposes.

"Payment transaction data are very sensitive because they contain information about consumer behavior, relationships with other people, economic situation and personal preferences. In this way, they allow a large number of conclusions to be drawn about the professional and private lives of the people concerned," said Barbara Thiel, the State Data Protection Commissioner of Lower Saxony. "It must therefore be ensured that the data subjects can exercise control over the processing of this data. I have decided to issue warnings to deter banks from committing serious violations of data protection law. I will also conduct on-site inspections to verify whether banks are implementing the procedures despite the warning."

The European Data Protection Supervisor (EDPS) has now also taken up the issue of payment data. Wojciech Wiewiórowski, EDPS, said, "Many individuals make payments online several times a day. They need to be confident that their payment data and other related personal data are securely protected during transactions such as money transfers."

Data protection for instant credit transfers

A second example shows both the importance that data protection must have in payment transactions and the fact that data protection does not hinder modern payment transactions but makes them possible:

On October 26, 2022, the European Commission presented a proposal for a regulation relating to instant credit transfers in euros. The proposal aims to improve the low uptake of euro instant transfers so that their benefits can be realized, including efficiency gains for consumers, merchants, business users, payment service providers and financial technology companies, as well as public administrations.

The SEPA Regulation would then require payment service providers to check whether the payment account identifier and the payee name provided by the payer match. If they do not, the payer's payment service provider must notify the payer of any discrepancies found and their extent.

Data protection raises no objection here: the EDPS recalls that banks already require the payer to provide the payee's name for other purposes, so the data collected is the same. What is new is that payment service providers offering instant transfers must jointly check, in an automated manner, the payee details entered by the payer and notify the payer of any discrepancies.
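As an added illustration of the matching check described above (not part of the original article, and not the implementation of any actual payment service provider), the following Python routine validates the IBAN checksum, compares the entered payee name against the account holder on record, and reports to the payer only an outcome and the extent of the discrepancy, never the stored holder name. The account register, the sample names and the similarity thresholds are constructed assumptions.

```python
import difflib
import re
import unicodedata

# Constructed, hypothetical register of account holders kept by the payee's provider.
# The IBANs are the widely published test examples for DE and NL (valid checksums).
ACCOUNT_HOLDERS = {
    "DE89370400440532013000": "Maria Müller",
    "NL91ABNA0417164300": "Bakkerij De Vries B.V.",
}

def canonical_iban(iban: str) -> str:
    """Remove whitespace and upper-case the identifier as entered by the payer."""
    return re.sub(r"\s+", "", iban).upper()

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, replace
    letters A-Z with 10-35 and require the resulting integer mod 97 to equal 1."""
    s = canonical_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1

def normalize_name(name: str) -> str:
    """Fold accents, case and punctuation so trivial spelling variants still compare."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", ascii_only.lower()).split())

def verify_payee(iban: str, payee_name: str) -> dict:
    """Return only what the payer needs to see: an outcome and the extent of the
    discrepancy (a similarity score). The holder name on file is never disclosed,
    which keeps the additional processing of the payee's data to a minimum."""
    if not iban_is_valid(iban):
        return {"outcome": "invalid_iban", "similarity": 0.0}
    holder = ACCOUNT_HOLDERS.get(canonical_iban(iban))
    if holder is None:
        return {"outcome": "account_unknown", "similarity": 0.0}
    ratio = difflib.SequenceMatcher(
        None, normalize_name(holder), normalize_name(payee_name)).ratio()
    if ratio == 1.0:
        outcome = "match"
    elif ratio >= 0.8:          # assumed threshold for "close match"
        outcome = "close_match"
    else:
        outcome = "no_match"
    return {"outcome": outcome, "similarity": round(ratio, 2)}
```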

The EDPS states that this is additional processing of the payee's personal data, but considers it justified by the purpose of ensuring that an instant transfer reaches the person for whom it is intended.

The conclusion: data protection does restrict the processing of payment transaction data, but only processing of an abusive nature, such as extensive analysis for advertising purposes. It poses no obstacle to data processing in the payment area that serves the defined purpose of payment security, as in the case of the planned instant credit transfers in the EU.