32 Amendments of Marco ZANNI related to 2023/0205(COD)
Amendment 172 #
Proposal for a regulation
Recital 10
(10) The sharing of theaccess of customer data in the scope of this Regulation should be based on the explicit permission of the customer. In seeking the explicit permission of the customer to use his or her data, the data users should specify what use they intend to make of the customer’s data, should the customer provide permission. The legal obligation on data holders to shareenable access to customer data should be triggered once the customer has explicitly requested their data to be shared with a data user. This request can be submitted by a data user acting on behalf of the customermade accessible to a data user. In accordance with Regulation (EU) [XXXX/XXXX] of the European Parliament of the Council (Data Act), an undertaking providing core platform services that has been designated as a gatekeeper under Regulation (EU) 2022/19251b cannot be eligible as data user under this Regulation. The limitation on granting access to gatekeepers would not exclude them from the market and prevent them from offering its services, as voluntary agreements between them and the data holders remain unaffected. Where the processing of personal data is involved, a data user should have arely on one of the valid lawful basies for processing under Article 6 of Regulation (EU) 2016/679. The customers data can be processed only for the agreed purposes in the context of the service provided. Under this Regulation, these purposes should be strictly limited to the provision of a financial product, a financial service or a financial information service. The processing of personal data must respect the principles of personal data protection, including lawfulness, fairness and transparency, purpose limitation and data minimisation. A customer has the right to withdraw the permission given to a data user. W at any time. 
For example, when data processing is necessary for the performance of a contract, a customer should be able to withdraw permissions according to the contractual obligations to which the data subject is party. WSimilarly, when personal data processing is based on consent, a data subject has the rightshould be able to withdraw his or her consent at any time, as provided for in Regulation (EU) 2016/679. It should not be possible for the data user to transfer customer data to a third-party actor without this explicit permission, or even to another entity within the same group.
Amendment 194 #
Proposal for a regulation
Recital 22
(22) The permission dashboard should display the permissions given by a customer, including when personal data are shared based on consent or are necessary for the performance of a contract. The permission dashboard should warn a customer in a standard way of the risk of possible contractual consequences of the withdrawal of a permission, but the customer should remain responsible for managing such risk. The permission dashboard should be used to manage existing permissions. Data holdusers should inform data usholders in real-timemmediately of any withdrawal of a permission. The permission dashboard should include a record of permissions that have been withdrawn or have expired for a period of up to two years to allow the customer to keep track of their permissions in an informed and impartial manner. Data users should inform data holders in real-time of new and re-establishedmmediately of new permissions granted by customers, including the duration of validity of the permission and a short summary of the purpose of the permission. The information provided on the permission dashboard is without prejudice to the information requirements under Regulation (EU) 2016/679.
Amendment 208 #
Proposal for a regulation
Recital 28
(28) Data holders and data users should be allowed to use existing market standards and infrastructures for technical interfaces like application programming interfaces when developing common standards for mandatory data sharingaccess.
Amendment 212 #
Proposal for a regulation
Recital 31
(31) To promote consumer protection, enhance customer trust and ensure a level playing field, it is necessary to lay down rules on who is eligible to access customers’ data. Such rules should ensure that all data users are authorised and supervised by competent authorities. This would ensure that data can be accessed only by regulated financial institutions or by firms subject to a dedicated authorisation as financial information service providers’ (‘FISPs’) which is subject to this Regulation. Eligibility rules on FISPs, are needed to safeguard financial stability, market integrity and consumer protection, as FISPs would provide financial products and services to customers in the Unioninformation services and would access data held by financial institutions and the integrity of which is essential to preserve the financial institutions’ ability to continue providing financial services in a safe and sound manner. Such rules are also required to guarantee the proper supervision of FISPs by competent authorities in line with their mandate to safeguard financial stability and integrity in the Union, which would allow FISPs to provide throughout the Union the financial information services for which they are authorised.
Amendment 216 #
Proposal for a regulation
Recital 33
(33) In order to enable effective supervision and to eliminate the possibility of evading or circumventing supervision, financial information service providers must be either legally incorporated in the Union or in case they are incorporaonly be provided by legal persons that have a registered office in a Member State in which they intend in a third country appoint a legal represento carry out or do carry out substantive in the Unionbusiness activities. An effective supervision by the competent authorities is necessary for the enforcement of requirements under this Regulation to ensure integrity and stability of the financial system and to protect consumers. The requirement of legal incorporation of financial information service providers in the Union or the appointment of a legal representative in the Union does not amount to data localisation since this Regulation does not entail any further requirement on data processing including storage to be undertaken in Union.
Amendment 222 #
Proposal for a regulation
Recital 48
(48) Regulation (EU) 2016/679 applies when personal data are processed. ItProcessing of personal data in the context of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, as well as, where applicable, with Directive 2002/58/EC of the European Parliament and of the Council1a (ePrivacy Directive). Regulation (EU) 2016/679 provides for the rights of a data subject, including the right of access and right to port personal data. This Regulation is without prejudice to the rights of a data subject provided under Regulation (EU) 2016/679, including the right of access and right to data portability. This Regulation creates a legal obligation to shareprovide access to and enable re-use of customer personal and non-personal data upon customer’s request and mandates the technical feasibility of access and sharing for all types of data within the scope of this Regulation. The granting of permission by a customer is without prejudice to the obligations of data users under Article 6 of Regulation (EU) 2016/679. Permission should not be construed as ‘consent’ or ‘necessity for the performance of a contract’ as defined in Regulation (EU) 2016/679. Personal data that are made available and shared withto a data user should only be processed for services provided by a data user where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, when applicable, where the requirements of Article 9 of that Regulation on the processing of special categories of data are met.
Amendment 237 #
Proposal for a regulation
Article 2 – paragraph 1 – point b
(b) savings, investments in financial instruments, insurance-based investment products, crypto-assets, real estate and other related financial assets as well as the economic benefits derived from such assets; including data collected for the purposes of carrying out an assessment of suitability and appropriateness in accordance with Article 25 of Directive 2014/65/EU of the European Parliament and of the Council32; and with Article 30 of Directive (EU) 2016/97;
_________________
32 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (recast) (OJ L 173, 12.6.2014, p. 349).
Amendment 239 #
Proposal for a regulation
Article 2 – paragraph 1 – point c
Amendment 243 #
Proposal for a regulation
Article 2 – paragraph 1 – point d
Amendment 246 #
Proposal for a regulation
Article 2 – paragraph 1 – point e
Amendment 287 #
Proposal for a regulation
Article 2 – paragraph 4 a (new)
4 a. Customer data referred to in paragraph 1, do not include:
- sensitive data regarding a person's race or ethnicity, political opinions, religious or philosophical beliefs or union memberships, as well as genetic information and information about health and sexual orientation/practices;
- proprietary data that the financial institution has generated, analysed or enriched, including trade secrets and business-sensitive information.
Amendment 290 #
Proposal for a regulation
Article 2 – paragraph 4 b (new)
4 b. This Regulation shall apply to contracts that have been entered into force from the date of application of the present Regulation onwards.
Amendment 299 #
Proposal for a regulation
Article 3 – paragraph 1 – point 2
(2) ‘customer’ means a natural or a legal person who makes use of financial products and services or purchases insurance products;
Amendment 306 #
Proposal for a regulation
Article 3 – paragraph 1 – point 3
(3) ‘customer data’ means personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of their normal course of business with customers which covers both data provided by a customer and data generated as a result of customer interaction with the financial institution, excluding sensitive data and proprietary data as referred in Article 2, par. 5;
Amendment 313 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5
(5) ‘data holder’ means a financial institution other than an accountr a financial information service provider holding one of the categories of data under Art. 2(1), that collects, stores and otherwise processes the data listed in Article 2(1) ;
Amendment 338 #
Proposal for a regulation
Article 3 – paragraph 1 – point 29
Amendment 356 #
Proposal for a regulation
Article 5 – paragraph 1 a (new)
1 a. Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925, shall not be an eligible data user under this Regulation.
Amendment 358 #
Proposal for a regulation
Article 5 – paragraph 2
2. A data holder may claim compensation from a data user for making customer data available pursuant to paragraph 1 only if the customer data is made available to a data user in accordance with the rules and modalities of a financial data sharing scheme, as provided in Articles 9 and 10, or if it is made available pursuant to Article 11. This Regulation is without prejudice to accessing, sharing and using data on a purely contractual basis without making use of the data access obligations established by this Regulation.
Amendment 367 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
1 a. Any undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper under Article 3 of Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) shall not be an eligible third party for the purposes of data-sharing and therefore cannot request or be granted access to customers’ data.
Amendment 378 #
Proposal for a regulation
Article 6 – paragraph 4 – point b a (new)
(b a) respect the data protection rights of data subject and the level of protection guaranteed by General Data Protection Regulation.
Amendment 382 #
Proposal for a regulation
Article 6 – paragraph 4 – point e a (new)
(e a) not make the data it receives available to an undertaking designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925;
Amendment 386 #
Proposal for a regulation
Article 6 – paragraph 4 – point f a (new)
(f a) not use the data it receives to develop a product that competes with the product from which the accessed data originate or share the data with another third party for that purpose.
Amendment 389 #
Proposal for a regulation
Article 6 – paragraph 4 a (new)
4 a. Once the data user collects, stores and processes data as per the definition in Article 3(5), it should be considered as a data holder and therefore subject to the obligations on data holders in Article 5.
Amendment 401 #
Proposal for a regulation
Article 7 – paragraph 3
3. In accordance with Article 16 of Regulation (EU) No 1094/2010, the European Insurance and Occupational Pensions Authority (EIOPA) shall develop guidelines on the implementation of paragraph 1 of this Article for products and services related to risk assessment and pricing of a consumer in the case of life, health and sickness insuranceinsurance products different from insurance-based investment products.
Amendment 437 #
Proposal for a regulation
Article 8 – paragraph 4 – point b a (new)
(b a) The data holder must be in control of the identity and access management of both the customer and any data user, as well as the permission dashboard through which any request is submitted.
Amendment 443 #
Proposal for a regulation
Article 9 – paragraph 1
1. Within 18 months from the entry into force of this Regulation, data holders and data users shall become members of a financial data sharing scheme governing access to the customer data in compliance with Article 10Data holders and data users shall become members of a financial data sharing scheme governing access to the customer data in compliance with Article 10 according to the following timeline: i) 36 months from the entry into force of this Regulation for the first tier of customer data relating accounts (except payment accounts), savings (except structured deposits); ii) 48 months from the entry into force of this Regulation for the second tier of customer data relating loans, mortgage credits, crypto assets (provided that the bank knowingly holds the assets in custody on behalf of the customer); iii) 60 months from the entry into force of this Regulation for the third tier of customer data relating investments in financial instruments, structured deposits, insurance based investment products, other related financial assets (provided that the bank knowingly holding the assets in custody on behalf of the customer), non- life insurance products, occupational pension schemes, pan European private pension schemes. This measure should be implemented only after an adequate testing and assessment phase in order to check the benefits for the customers and their interests.
Amendment 475 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point h – introductory part
(h) a financial data sharing scheme shall establish a model to determine the maximumreasonable compensation that a data holder is entitled tocan charge for making data available through an appropriate technical interface for data sharing with data users in line with the common standards developed under point (g). The model shall be based on the following principles:
Amendment 478 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point h – point i
(i) it should be limited to reasonable compensation directly relatany compensation - including the costs incurred toin making the data available to the data user and which is attributable to the requestand the investment in the collection and production of data, as well as a margin - agreed between a data holder and a data user for making data available shall be reasonable;
Amendment 481 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point h – point ii
(ii) it should be based on an objective, transparent and non-discriminatory methodology agreed by the scheme members and may include a margin and respect the provisions of Art. 9(1) of the Data Act (Regulation (EU) XX);
Amendment 483 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point h – point v
Amendment 550 #
Proposal for a regulation
Article 20 – paragraph 3 – point a
Amendment 582 #
Proposal for a regulation
Article 36 – paragraph 2
It shall apply from [OP please insert the date = 248 months after the date of entry into force of this Regulation]. However, Articles 9 to 13 shall apply from [OP please insert the date = 1836, 48 60 months after the date of entry into force of this Regulation].