A purpose of personal data processing that is well defined and established before the processing activities start is the cornerstone of the personal data protection regime.
There is a wide range of purposes for which financial institutions may process data, from “core” purposes specific to other types of institutions, such as processing personal data for employment purposes, to purposes relating to the provision of customer services or specific purposes that comply with requirements arising from national laws.
Thus, Article 10 of the Law on the Protection of Personal Data prescribes six legal bases.
In general, the consent that financial institutions used until the entry into force of the new law can be an appropriate legal basis for the processing of personal data only if the conditions of Article 11 of the Law on Personal Data Protection are met. The law also defines consent as a freely given, specific, informed and unambiguously expressed will of the natural person through a statement or a clearly confirmed action giving consent to the processing of his/her personal data.
It is important to audit current work activities and record them in detail to ensure that consent statements meet the standards of the new Personal Data Protection Act.
Article 10, paragraph (1), subparagraph b) of the Law on the Protection of Personal Data stipulates that the processing of personal data is legal only if:
- the processing is necessary for the fulfillment of a contract to which the subject of personal data is a contracting party, or
- the processing is necessary to take certain steps at the request of the subject of personal data before entering into the contract.
When you use this legal exception for processing, the contracts must be valid according to the applicable contract law in order to satisfy the condition of legality. For example, when a contract is concluded with children, this entails ensuring compliance with national laws relating to the legal capacity of children to conclude contracts. In addition, to ensure compliance with the principles of fairness and legality, you should meet other legal requirements that apply to the specific contract, for example, conditions related to consumer contracts or, in particular, to customer credit agreements.
It should be noted that, according to Article 10, paragraph (1), subparagraph b) of the Personal Data Protection Law, an important element of lawful processing is the concept of “necessity”. For example, the processing of personal data for fraud prevention purposes is likely to involve much more data than is necessary for the performance of a contract. However, such processing may be necessary for financial institutions to achieve compliance with a legal obligation, in accordance with Article 10, paragraph (1), subparagraph c) of the ZZLP.
In the financial sector there are certain national provisions regarding the processing of personal data carried out by financial institutions, and such processing should therefore comply with the legal obligation prescribed by the law applicable to the specific controller. In such a situation, the governing national law may contain specific provisions that adjust the application of the rules of the Law on the Protection of Personal Data and the general conditions relating to the legality of the processing by the controller, such as: the categories of personal data that are subject to processing, the affected subjects of personal data, the purposes for which personal data may be disclosed to other parties, the limitation of the purpose of processing, time limits for data storage, etc.
One example of the above is the Law on Prevention of Money Laundering and Financing of Terrorism (“Official Gazette of RSM” No. 120/18, 275/19 and 317/20) in connection with the use of data obtained in accordance with that law.
Article 60
(1) Data provided on the basis of this law, including personal data, are used solely for the detection and prevention of money laundering and terrorist financing.
(2) The submission of the data from paragraph (1) of this article to the Financial Intelligence Authority and to the appropriate supervisory authority from Article 146 of this law when performing supervision in accordance with this law is not considered to be the disclosure of a business secret or the disclosure of classified data and information.
(3) The employees of the entities and the persons who manage the entities that have an obligation to take measures and actions for the detection and prevention of money laundering and terrorist financing in accordance with this law, may not use the personal data from the files of the clients for purposes other than the implementation of the measures and actions to detect and prevent money laundering and terrorist financing in accordance with the objectives provided by this law.

