36 Amendments of Eero HEINÄLUOMA related to 2023/0205(COD)
Amendment 190 #
Proposal for a regulation
Recital 19
Recital 19
(19) The data use perimeter thus established in this Regulation and in the accompanying guidelines (‘the guidelines’)regulatory technical standards to be developed by the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) should provide a proportionate framework on how personal data related to a consumer that falls within the scope of this Regulation should be used. The data use perimeter ensures consistency between the scope of this Regulation, which excludes data that forms part of a creditworthiness assessment of a consumer as well as data related to life, health and sickness insurance of a consumer, and the scope of the guidelines,regulatory technical standards which set recommendations on how types of data originating from other areas of the financial sector that are in scope of this Regulation can be used to provide these products and services. The guideline The regulatory technical standards developed by the EBA should set out how other types of data that are in scope of this Regulation can be used to assess the credit score of a consumer. The guidelineregulatory technical standards developed by EIOPA should set out how data in scope of this Regulation can be used in products and services related to risk assessment and pricing in the case of life, health and sickness insurance products. The guidelineregulatory technical standards should be developed in a manner that is aligned to the needs of the consumer and proportionate to the provision of such products and services. The regulatory technical standards developed by EIOPA and the EBA should also elaborate on the limits for combining ‘customer data’ with other types of personal data, such as personal data obtained from third party sources, such as from social media networks or from data brokers.
Amendment 223 #
Proposal for a regulation
Recital 48
Recital 48
(48) Regulation (EU) 2016/679 applies when personal data are processed. ItProcessing of personal data in the context of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, as well as, where applicable, with the ePrivacy Directive. Regulation (EU) 2016/679 provides for the rights of a data subject, including the right of access and right to port personal data. This Regulation is without prejudice to the rights of a data subject provided under Regulation (EU) 2016/679, including the right of access and right to data portability. This Regulation creates a legal obligation to share customer personal and non- personal data upon customer’s request and mandates the technical feasibility of access and sharing for all types of data within the scope of this Regulation. The granting of permission by a customer is without prejudice to the obligations of data users under Article 6 of Regulation (EU) 2016/679. Permission should not be construed as ‘consent’ or ‘explicit consent’ or ‘necessity for the performance of a contract’ as defined in Regulation (EU) 2016/679. Personal data that are made available and shared with a data user should only be processed for services provided by a data user where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, when applicable, where the requirements of Article 9 of that Regulation on the processing of special categories of data are met.
Amendment 271 #
Proposal for a regulation
Article 2 – paragraph 3
Article 2 – paragraph 3
3. This Regulation shall not apply to the entities referred to in Article 2(3), points (a) to (e), of Regulation (EU) 2022/2554. Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925, shall not be an eligible data user for the purposes of this Regulation. .
Amendment 278 #
Proposal for a regulation
Article 2 – paragraph 3 a (new)
Article 2 – paragraph 3 a (new)
3 a. 3a. This Regulation shall not apply to special categories of data referred to in Article 9(1) of Regulation (EU) 2016/679.
Amendment 282 #
Proposal for a regulation
Article 2 – paragraph 3 b (new)
Article 2 – paragraph 3 b (new)
3 b. This regulation shall not apply to collectively concluded products such as products resulted from social partners bargaining, trade unions or products procured by non-profit organisations on behalf of their members.
Amendment 305 #
Proposal for a regulation
Article 3 – paragraph 1 – point 3
Article 3 – paragraph 1 – point 3
(3) ‘customer data’ means personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of their normal course of business with customers which covers both data provided by a customer and data generated as a result of customer interaction with the financial institution and shall exclude data created as a result of profiling as per Article 4(4) of Regulation (EU) 2016/679;
Amendment 312 #
Proposal for a regulation
Article 3 – paragraph 1 – point 5
Article 3 – paragraph 1 – point 5
(5) ‘data holder’ means a financial institution other than an account information service provider that collects, stores and otherwise processes the data listed in Article 2(1) ;
Amendment 327 #
Proposal for a regulation
Article 3 – paragraph 1 – point 7 a (new)
Article 3 – paragraph 1 – point 7 a (new)
(7 a) ‘financial information service’ means an online service providing consolidated information on one or more financial services products listed under Article 2(1) of this Regulation with a view to providing a customer with an overall view of their financial situation immediately at any given moment;
Amendment 353 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. The data holder shall, upon explicit request from a customer submitted by electronic means, make available to a data user the customer data listed in Article 2(1) for the purposes for which the customer has granted permission to the data user. The customer data shall be made available to the data user without undue delay, continuously and in real-time.
Amendment 371 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
2. A data user shall only request and access customer data made available under Article 5(1) that is adequate, relevant and necessary for the purposes and under the conditions for which the customer has granted its permission. A data user shall delete customer data when it is no longer necessary for the purposes for which the permission has been granted by a customer.
Amendment 375 #
Proposal for a regulation
Article 6 – paragraph 4 – point a a (new)
Article 6 – paragraph 4 – point a a (new)
(a a) not transfer any customer data to any third party without the customer’s explicit permission;
Amendment 381 #
Proposal for a regulation
Article 6 – paragraph 4 – point e
Article 6 – paragraph 4 – point e
(e) not process customer data for advertising purposes, except for direct marketing in accordance with Union and national lawsubject to their prior consent;
Amendment 397 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. In accordance with Article 16 of Regulation (EU) No 1093/2010, tThe European Banking Authority (EBA) shall develop guidelinedraft regulatory technical standards on the implementation of paragraph 1 of this Article for products and services related to the credit score of the consumer, mortgage credit agreements, and payment services.
Amendment 399 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. In accordance with Article 16 of Regulation (EU) No 1094/2010, tThe European Insurance and Occupational Pensions Authority (EIOPA) shall develop guidelinedraft regulatory technical standards on the implementation of paragraph 1 of this Article for products and services related to risk assessment and pricing of a consumer in the case of non- life, life, health and sickness insurance products.To avoid certain consumers becoming unable to access insurance due to overly granular risk assessments by insurers, these regulatory technical standards shall include provisions on how data may be used to avoid excessive granularity that undermines the "risk sharing" principle of insurance.
Amendment 403 #
Proposal for a regulation
Article 7 – paragraph 3 a (new)
Article 7 – paragraph 3 a (new)
3 a. For the purposes of paragraphs (2) and (3) of this article, regulatory technical standards should address: (a) the limits of the combination of ‘customer data’ obtained pursuant to the Proposal with other types of personal data; (b) the explainability, transparency and bias avoidance safeguards needed to be installed when Artificial Intelligence tools and algorithms are being deployed, used or trained for any of the purposes mentioned in paragraphs (2) and (3) of this article; (c) the information provision obligations for financial institutions when a customer is presented with a personalised offer that is based on profiling or other types of automated processing of personal data; (d) how the ‘right to be forgotten’ of cancer survivors shall be applicable in relation to non-credit related insurance policies, including life and health insurance, in line with article 124 of the 2020/2267 (INI) Report of the European Parliament. This shall also be extended to other chronic diseases and mental conditions.
Amendment 407 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. When preparing the guidelineregulatory technical standards referred to in paragraphs 2 and 3 of this Article, EIOPA and EBA shall closely cooperate and seek a formal consultation with the European Data Protection Board established by Regulation (EU) 2016/679. The regulatory technical standards developed by EBA and EIOPA shall also address, where appropriate, limits on the combining of consumer data obtained pursuant to the Proposal with other types of personal data.
Amendment 409 #
Proposal for a regulation
Article 7 – paragraph 4 a (new)
Article 7 – paragraph 4 a (new)
4 a. A consumer cannot be denied access to a financial product if they do not consent to their data being shared or accessed via the framework established by this Regulation. For the purposes of the implementation of this paragraph, the burden of proof shall lie with the data user.
Amendment 412 #
Proposal for a regulation
Article 7 – paragraph 4 b (new)
Article 7 – paragraph 4 b (new)
4 b. Additional financial and human resources shall be provided to the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) for the fulfilment of their tasks under this Regulation.
Amendment 430 #
Proposal for a regulation
Article 8 – paragraph 3 a (new)
Article 8 – paragraph 3 a (new)
3 a. The data holder shall ensure that the permission dashboard is not designed in a way that would encourage or unduly influence the customer to grant or withdraw permissions, including through the use of dark patterns and through the use of pre-tricked boxes. For example, the procedure to withdraw consent cannot be made more difficult than the procedure to grant access. The EBA and EIOPA, in close cooperation with the European Data Protection Board established by Regulation (EU) 2016/679, shall be required to develop guidelines on the implementation of this paragraph.
Amendment 432 #
Proposal for a regulation
Article 8 – paragraph 3 b (new)
Article 8 – paragraph 3 b (new)
3 b. Data holders shall use the European Digital Identity Wallet issued by a Member State as introduced by the proposal amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity for consumers to help identify a customer online and authenticate consent for the provision of consumer permissions via the data access permission dashboards.
Amendment 436 #
Proposal for a regulation
Article 8 – paragraph 4 – point b – point iii a (new)
Article 8 – paragraph 4 – point b – point iii a (new)
(iii a) the legal basis under Article 6(1) GDPR and, where relevant, the exception under Article 9(2) GDPR that they would rely on to access personal data contained in the customer dataset;
Amendment 459 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point a – point i
Article 10 – paragraph 1 – subparagraph 1 – point a – point i
(i) data holders and data users representing a significant proportion of the market of the product or service concerned, with each side having fair and equal representation in the internal decision- making processes of the scheme as well as equal weight in any voting procedures; where a member is both a data holder and data user, its membership shall be counted equally towards both sides;
Amendment 464 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point a a (new)
Article 10 – paragraph 1 – subparagraph 1 – point a a (new)
(a a) each of the parties listed in paragraph (a) above shall have fair and equal representation in the internal decision-making processes of the scheme as well as equal weight in any voting procedures; where a member is both a data holder and data user, its membership shall be counted equally towards both sides;
Amendment 466 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point e
Article 10 – paragraph 1 – subparagraph 1 – point e
(e) a financial data sharing scheme shall include a mechanism through which its rules can be amended, following an impact analysis and the agreement of the majority of each community of data holders and, data users and consumer organisations respectively;
Amendment 471 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point g a (new)
Article 10 – paragraph 1 – subparagraph 1 – point g a (new)
(g a) a financial data sharing scheme shall also establish minimum technical and organisational measures to ensure an appropriate level of security for the exchange of personal data;
Amendment 480 #
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point h – point i
Article 10 – paragraph 1 – subparagraph 1 – point h – point i
(i) it should be limited to reasonable compensation directly related to the costs incurred in making the data available to the data user and which is attributable to the request;
Amendment 496 #
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
Article 10 – paragraph 6 – subparagraph 1
Within 1 month of receipt of the notification pursuant to paragraph 4, the competent authority shall assess whether the financial data sharing scheme’s governance modalities and characteristics are in compliance with paragraph 1. When assessing the compliance of the financial data sharing scheme with paragraph 1, the competent authority mayshall consult other competent authoritiesrelevant supervisory authorities under Regulation (EU) 2016/679.
Amendment 500 #
Proposal for a regulation
Article 10 – paragraph 6 a (new)
Article 10 – paragraph 6 a (new)
6 a. Competent authorities shall undertake regular comprehensive reviews of data sharing schemes’ governance arrangements set out in Article 10(1). These reviews shall include a thorough and documented assessment whether the schemes’ arrangements are appropriate and credible for the purposes of ensuring the responsible treatment of customer data.
Amendment 505 #
Proposal for a regulation
Article 11 – paragraph 1 – introductory part
Article 11 – paragraph 1 – introductory part
In the event that a financial data sharing scheme is not developed for one or more categories of customer data listed in Article 2(1) and there is no realistic prospect of such a scheme being set up within a reasonable amount of time, the Commission is empowered, in consultation with the European Data Protection Board, to adopt a delegated act in accordance with Article 30 to supplement this Regulation by specifying the following modalities under which a data holder shall make available customer data pursuant to Article 5(1) for that category of data:
Amendment 529 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
1. The competent authority shall grant an authorisation if the information and evidence accompanying the application complies with of the requirements laid down in Article 11(1) and (2). Before granting an authorisation, the competent authority may, wshall, consult othere relevant, consult other relevant public authorities public authorities, in particular relevant supervisory authorities under Regulation (EU) 2016/679.
Amendment 536 #
Proposal for a regulation
Article 14 – paragraph 7 – subparagraph 1 – point c a (new)
Article 14 – paragraph 7 – subparagraph 1 – point c a (new)
(c a) if a supervisory authority under Regulation (EU) 2016/679 establishes that a financial information service provider has breached its obligations under EU data protection laws;
Amendment 552 #
Proposal for a regulation
Article 20 – paragraph 3 – point f
Article 20 – paragraph 3 – point f
(f) in the case of a natural person, maximum administrative fines of up to EUR 250 000 per infringement and up to a total of EUR 2500 000 per year, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency of that Member State on ... [OP please insert the date of entry into force of this Regulation]. .
Amendment 554 #
Proposal for a regulation
Article 20 – paragraph 4 – subparagraph 1 – point a
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) up to EUR 50 000 per infringement and up to a total of EUR 5 000 000 per year, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency of that Member State on ... [OP please insert the date of entry into force of this Regulation];
Amendment 556 #
Proposal for a regulation
Article 20 – paragraph 4 – subparagraph 1 – point b
Article 20 – paragraph 4 – subparagraph 1 – point b
(b) 210% of the total annual turnover of the legal person according to the last available financial statements approved by the management body;
Amendment 573 #
Proposal for a regulation
Article 31 – paragraph 1 – point e a (new)
Article 31 – paragraph 1 – point e a (new)
(e a) the impact of the regulation on financial exclusion.
Amendment 577 #
Proposal for a regulation
Article 31 – paragraph 2
Article 31 – paragraph 2