EU: EDPS publishes opinion on proposed financial data access framework
On August 22, 2023, the European Data Protection Supervisor (EDPS) published its opinion on the European Commission's proposal, published on June 28, 2023, for a new legislative framework for financial data access.
In particular, the EDPS suggested further safeguards and limitations on the processing of sensitive financial customer data by data users, to protect individuals against risks to their fundamental rights to privacy and data protection. Additionally, the EDPS stated that the proposal empowered customers, including data subjects, to decide how and by whom their data would be used. However, the EDPS noted that the definition of 'customer data' is broad, and suggested excluding data created as a result of profiling from the categories of personal data included, taking into account the sensitivity of the data and the risk to individuals.
The EDPS further recommended extending the scope of any future guidelines under the proposal to other relevant financial products and services, such as mortgage credit agreements, payment services, other insurance products, investment products, and pension products. The EDPS stated that any guidelines should elaborate on the limits for combining customer data with other types of personal data, such as personal data obtained from third-party sources, for example social media networks or data brokers.
Finally, the EDPS also recommended cooperation between competent authorities under the proposal and data protection authorities to ensure consistency in the enforcement of the proposal and the General Data Protection Regulation (GDPR).