IP - 0712-1/2019/2504
IP (Slovenia) - 0712-1/2019/2504
Article 5(1)(c) GDPR
Article 6(1)(b) GDPR
Article 58(3) GDPR
Informacijski Pooblascenec (in SL)
The IP issued an advisory opinion on the principle of data minimisation and on the processing which is necessary for the performance of a contract in the banking sector.
English Summary
Facts and questions arising
The IP received a request for an advisory opinion on the question of which personal data a bank could lawfully collect for the purpose of opening a deposit account. Such an account would constitute a contract between the bank and the data subject.
Holding
The DPA pointed out that the processing of personal data such as marital and employment status could be excessive with regard to the purpose of creating a deposit account. In any case, the DPA stressed that the bank has to provide information on the legal basis and the purposes of processing.
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.
Date: 11/05/2019
Title: Personal information at account opening
Number: 0712-1/2019/2504
Subject matter: Banking, Legal bases
Legal act: Opinion

On 23 October 2019, the Information Commissioner (hereinafter referred to as "IP") received your e-mail asking whether the bank had violated the rules on personal data protection if, when opening a personal account for deposit purposes, it requested information about your status (married or not), employment, length of service, number of household members, executions and debts… You also want to know if you can ask the bank to destroy this information after termination of the contract.

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter: ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter: ZInfP), we provide our non-binding written opinion regarding your questions.

Banks are subject to a number of legal requirements when providing banking services, which, among other things, require them to process their customers' personal data for various purposes, but they may also process personal data on other legal bases. For the bank to require detailed information about a variety of personal circumstances of an individual solely for the purpose of opening a personal or deposit account could, according to the IP, be considered excessive collection of personal data, but the specific case could only be assessed through an inspection procedure.
In any case, the bank, as the controller of personal data, is obliged to provide the individual with the information in accordance with the provisions of the General Regulation, including the legal basis and purposes of the processing of personal data. A request to delete personal data or restrict the use of your personal data may be made in accordance with the conditions laid down in the General Regulation, and your request will be successful in particular if the controller processes your personal data on the basis of consent; if they are processed on the basis of legal provisions or a contract, then your request for termination or restriction of processing will generally not be sufficient.

Justification:

In the first paragraph of Article 6, the General Regulation defines the legal bases for the processing of personal data. In providing banking services to customers, banks are subject to the requirements of numerous laws which, among other things, require them to process (collect, store…) personal customer data for various purposes, such as the Consumer Credit Act, the Anti-Money Laundering and Terrorism Financing Act, the Payment Services Act, Electronic Money Issuance Services and Payment Systems, etc., but banks may also process individuals' personal data on other legal grounds referred to in the first paragraph of Article 6 of the General Regulation, in particular on the basis of a contract or consent.

For a bank to require detailed information about a variety of personal circumstances of an individual solely for the purpose of opening a personal or deposit account may, according to the IP, constitute an over-collection of personal data, but outside a specific inspection procedure the IP cannot determine with certainty for what reason, on what legal basis and for what purpose the bank in your case is requesting information on your status, employment, length of service, number of household members, executions and debts…
It should also be taken into account that the bank, when it obtains personal data from an individual, is obliged to acquaint that individual with certain information in accordance with Article 13 of the General Regulation, including the legal basis for such processing of personal data and the purposes of processing. We therefore suggest that you contact the bank and request that they inform you of the specific information after 13. Article 2 of the General Regulation; they will also provide you with all relevant considerations regarding the concrete processing of your personal data. In the first place, it is always the controller of the personal data who is obliged to provide the individual with information regarding the processing of his personal data.

A request for the erasure of personal data may be made subject to certain conditions, as defined in Article 17 of the General Regulation, if personal data are no longer needed for the purposes for which they were collected. Under similar conditions, you may also request a restriction on the use of your personal data under Article 18 of the General Regulation. Whether the controller will be able to satisfy your requirements depends, first and foremost, on the legal basis for the processing of your personal data and when the purpose of the processing is fulfilled. In the case of personal data processed by the controller based on your consent, the controller can stop processing it simply by revoking the consent. In the case of the processing of personal data on the basis of a law or a contract, however, the statutory or contractual conditions for the termination of the processing of personal data must, in particular, be fulfilled. In principle, personal data processed on the basis of a contract should be subject to termination or deletion, unless their further processing is required by law.
With respect,

Prepared by: Mojca Leitinger Okršlar, BSc, State Supervisor for Personal Data Protection

Information Commissioner: Mojca Prelesnik, Information Commissioner