Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (679/2016/EU)
This criterion requires financial institutions to be able to justify the use of certain data categories as well as ensure the data is accurate and updated over time. This is done by defining a purpose for the collection of personal data and ensuring that any further processing is compatible with the original purpose.
Data accuracy and data minimization
According to GDPR, data must be accurate and up-to date, adequate, relevant and not excessive in relation to the purposes for which they are processed. Further to these requirements financial institutions should be able to justify the use of certain data categories as well as ensure the data is accurate and updated over time. This consent must be freely given, specific, informed and unambiguous, and given a clear, affirmative action that shows the data-subject has given his/her consent.
According to an Article of GDPR, the processing of personal data must be carried out with the unambiguous consent16 of the individual whose data is being used (the “data subject” or, for the purpose of this report, the consumer).
Right to Access to Data
According to GDPR, consumers have a right (i) to exercise the right of access to their data, in order to verify the accuracy of the data and the lawfulness of the processing, (ii) to request modifications or even (iii) to object to processing in certain circumstances.
Furthermore, consumers should be informed in advance, if data about them is to be used in an automated decision-making process, including profiling, and should be given information about the consequences of such processing.
- Organisational and governance requirements
The protection of consumers’ rights with regard to the processing of personal data also requires that appropriate technical and organisational measures are taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and to prevent any unauthorised access and processing. Financial institutions are also expected under the GDPR to be able to demonstrate that they have taken the necessary steps to ensure compliance with the GDPR. Among the measures that many firms may be required to take under the GDPR are the adoption of internal policies and measures that meet the principles of privacy by design and by default, the appointment of a data protection officer and the carrying out of data protection impact assessments.
For more information and guidance please email Michalaki, Pitsillidou & Co LLC – iMPK Global Business Law Firm – Cyprus Lawyers, at firstname.lastname@example.org or visit our website at www.impklawyers.com Tel. +357 25660092 – Fax +357 25 660097.