The terms of the licences issued by the Autoriteit Persoonsgegevens (AP) are conditional – the institutions must process the personal data involved in line with a strict protocol that has been drawn up by trade bodies in the banking and insurance sectors and which the AP approved earlier this year.
The protocol effectively enables a system of decentralised data exchange, with relevant controls on access to certain data. It is designed to make it possible for financial institutions to proactively investigate and check whether individuals such as customers or job applicants pose a fraud risk.
The AP previously considered whether the protocol complied with the requirements of data protection law in the Netherlands and concluded that it “is likely to ensure proper and careful data processing”. Now the regulator has issued its decision on the licence applications submitted by individual institutions.
Amsterdam-based data protection law expert Wouter Seinen of Pinsent Masons, the law firm behind Out-Law, said: “This is pretty much as far as the AP could go under the powers it has under Dutch law. It is to be hoped that this will inspire EU policy makers to step up their efforts to implement a best practice data exchange on a European scale.”
Nienke Kingma, also of Pinsent Masons in Amsterdam, said: “The ability to share fraud data with others in the same ecosystem is paramount for many companies, and the rigour of the General Data Protection Regulation (GDPR) restrictions has been a concern for many trying to do the right thing. This is a small but important step to achieve best practices which aim to strike a fair balance between protecting individuals’ privacy rights and the interests of society.”
In the Netherlands the processing of criminal data is prohibited unless the AP has granted a licence for such processing. This condition stems from the Dutch law that implements and complements the GDPR.
In considering the legal basis for granting the licences, the AP took into account that the financial institutions are not under a specific statutory obligation to prevent fraud and therefore cannot claim that the collection and exchange of such data is necessary to comply with a legal obligation as a lawful ground for processing.
The AP considered that the Dutch Banking Association, the Dutch Association of Insurers, the Association of Finance Companies in the Netherlands, the Foundation for the Prevention of Fraud in Mortgages, and an umbrella organisation for Dutch health insurers had demonstrated that the fraud data exchange protocol is necessary and proportionate relative to the objective being pursued. It also found that processing in accordance with the protocol will be fair, lawful and transparent, and was satisfied that other data protection principles and requirements can be met by institutions that follow the protocol.
In accordance with the right of access under the GDPR, individuals will have the right to know whether their personal data is included in the incident register, unless an exceptional situation applies, such as the refusal being necessary to prevent, detect and prosecute criminal offences.
The licences granted by the AP apply only to processing activities taking place in the Netherlands.