The Dutch National Bank (De Nederlandsche Bank, DNB) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA) have entered into a cooperation protocol to ensure effective and efficient supervision with respect to areas where the respective tasks of both supervisors meet (the Cooperation Protocol). The reason to enter into this Cooperation Protocol is that the second Payment Services Directive (PSD2) became effective in the Netherlands on 19 February 2019.
PSD2 aims to increase competition on the financial markets by allowing start-ups and tech companies to compete with traditional banks. PSD2 enables new payment services providers to gain access to consumers’ bank accounts. One of the most important new requirements of PSD2 is an obligation for banks to share their customer data with third parties, if the respective customer has given its (explicit) consent thereto. In the Netherlands, PSD2 has inter alia been implemented in the Financial Supervision Act (Wet op het financieel toezicht, Wft).
Although the DNB is the authorized supervisory authority with respect to PSD2, the DPA also has an important supervisory role, since PSD2 raises various privacy-related questions. These include, amongst others, the consent that consumers are required to give to banks in order to share their personal data. In its capacity as supervisory authority, the DPA shall monitor compliance with data protection legislation by the parties that (will) gain access to personal data shared by banks (with the consumer’s explicit consent).
In the Cooperation Protocol, the DNB and the DPA have agreed on (i) how each of them will deal with matters that touch upon the other’s respective (supervisory) authorities and (ii) the exchange of information.
Both authorities intend to inform one another (both on request and proactively) of matters that might be of importance for the performance of their respective tasks. As a result thereof, both authorities will be able to identify potential violations earlier.
Furthermore, the Cooperation Protocol identifies several specific situations in which the DNB and the DPA shall exchange information. One such situation is where a party has filed a permit application with the DNB for which a mandatory data protection impact assessment has demonstrated that a high risk is involved (which requires that the DPA is consulted in advance). The DNB is obliged to report such matters to the DPA. In the event that the applicant has already consulted the DPA, the DPA shall inform the DNB of the outcome of the investigation that the DPA carried out following such consultation. This may lead to delays in the application procedure with the DNB.
In addition, the Cooperation Protocol includes an obligation to exchange information on (mandatory) notifications made by payment services providers. On the basis of the Cooperation Protocol, the DNB must inform the DPA, for instance, if a payment services provider has reported an incident under the Wft that concerns the processing of personal data. Payment services providers are (amongst others) required to report an ‘incident’ to the DNB in the event that such incident could have a (material) adverse effect on the public’s confidence and trust in the financial market or the financial sector. Likewise, the DPA must inform the DNB in the event that it receives a data breach notification from a payment services provider.
The DPA and the DNB have also agreed on certain safeguards. For instance, the DNB and the DPA shall ensure that they will not use information received upon each other’s requests for purposes other than those for which such information was obtained. In light thereof, the requesting party must state the purposes in its request. However, the Cooperation Protocol does not include any specific agreements with respect to the purposes for which information provided on a voluntary basis may be used.
In view of the overlap of the authorities’ respective tasks, the parties have agreed that the DPA will inform the DNB if it intends to impose a fine on a payment services provider. Similarly, the DNB will inform the DPA of its intention to impose a fine on a payment services provider in the event that the processing of personal data is concerned. The Cooperation Protocol does not further specify in which situations ‘processing of personal data is concerned’; the exact meaning thereof therefore currently remains unclear. This agreement only entails an information obligation.
The authorities are not required to request each other’s advice. Furthermore, no ‘precedence arrangements’ have been made for cases where both the DPA and the DNB intend to issue a fine with respect to the same set of facts, although such cases are not inconceivable. For instance, the DNB could impose a fine in the event that a bank fails to sufficiently protect the data (of its customers), as this could have an adverse effect on the public’s confidence in the financial sector. For the same set of facts, the DPA is also authorized to impose a fine for a violation of the GDPR. Practice will show how the supervisory authorities will deal with such overlap.
This is not the first cooperation the DPA has entered into. Before this Cooperation Protocol, the DPA entered into similar agreements with other supervisory authorities. These include a cooperation agreement between the DPA and the Dutch Healthcare Authority (Nederlandse Zorgautoriteit) with respect to joint supervision of healthcare providers and healthcare insurers. Another example is the cooperation agreement between the DPA and the Netherlands Authority for Consumers & Markets (Autoriteit Consument en Markt), which, amongst others, covers supervision of the telecommunications sector. Given that personal data are at the core of PSD2, it is logical that the DPA would also enter into a cooperation agreement with the relevant supervisory authority on this topic.