51 Amendments of Ville NIINISTÖ related to 2023/0205(COD)
Amendment 173
Proposal for a regulation
Recital 10
(10) The sharing of the customer data in the scope of this Regulation should be based on the permission of the customer. The legal obligation on data holders to share customer data should be triggered once the customer has requested their data to be shared with a data user. This request can be submitted by a data user acting on behalf of the customer. Where the processing of personal data is involved, a data user should be able to demonstrate they have a valid lawful basis for processing under article 6(1)(a) or (b) of Regulation (EU) 2016/679. The customer's data can be processed for the agreed purposes in the context of the service provided. The processing of personal data must respect the principles of personal data protection, including lawfulness, fairness and transparency, purpose limitation and data minimisation. A customer has the right to withdraw the permission given to a data user at any time. When data processing is necessary for the performance of a contract, a customer should be able to withdraw permissions according to the contractual obligations to which the data subject is party. When personal data processing is based on consent, a data subject has the right to withdraw his or her consent at any time, as provided for in Regulation (EU) 2016/679.
Amendment 191
Proposal for a regulation
Recital 22
(22) The permission dashboard should display the permissions given by a customer, including when personal data are shared based on consent or are necessary for the performance of a contract. The permission dashboard should warn a customer in a standard way of the risk of possible contractual consequences of the withdrawal of a permission, but the customer should remain responsible for managing such risk. should not encourage or influence the consumer to grant access in a way that materially distorts or impairs their ability to make a free and informed decision, as the customer should remain responsible for managing such risk. It is essential that consumers know exactly what they are giving their permission for and that their rights under the GDPR apply. This information should be provided to consumers in clear and understandable language. To allow consumers to effectively stay in control of their data, the deployment of dark patterns and pre-ticked boxes in dashboards are prohibited for the purpose of providing permissions to data sharing. The permission dashboard should be used to manage existing permissions. Data holders should inform data users in real-time of any withdrawal of a permission. The permission dashboard should include a record of permissions that have been withdrawn or have expired for a period of up to two years to allow the customer to keep track of their permissions in an informed and impartial manner. Data users should inform data holders in real-time of new and re-established permissions granted by customers, including the duration of validity of the permission and a short summary of the purpose of the permission. The information provided on the permission dashboard is without prejudice to the information requirements under Regulation (EU) 2016/679.
Amendment 203
Proposal for a regulation
Recital 25
(25) In order to enable the contractual and technical interaction necessary for implementing data access between multiple financial institutions, data holders and data users should be required to be part of financial data sharing schemes. These schemes should develop data and interface standards, joint standardised contractual frameworks governing access to specific datasets, and governance rules related to data sharing. In order to ensure that schemes function effectively, it is necessary to establish general principles for the governance of these schemes, including rules on inclusive governance and participation of data holders, data users and customers (to ensure balanced representation in schemes), transparency requirements, and a well-functioning appeal and review procedure (notably around the decision-making of schemes). Financial data sharing schemes must comply with Union rules in the area of consumer protection and data protection, privacy, and competition. The participants in such schemes are also encouraged to draw up codes of conduct in accordance with those prepared by controllers and processors under Article 40 of Regulation (EU) 2016/679. While such schemes may build upon existing market initiatives, the requirements set out in this Regulation should be specific to financial data sharing schemes or parts thereof which market participants use to fulfil their obligations under this Regulation after the date of application of these obligations.
Amendment 214
Proposal for a regulation
Recital 33
(33) In order to enable effective supervision and to eliminate the possibility of evading or circumventing supervision, financial information service providers must be either legally incorporated in the Union or in case they are incorporated in a third country appoint a legal representative in the Union. An effective supervision by the competent authorities is necessary for the enforcement of requirements under this Regulation to ensure integrity and stability of the financial system and to protect consumers. The requirement of legal incorporation of financial information service providers in the Union or the appointment of a legal representative in the Union does not amount to data localisation since this Regulation does not entail any further requirement on data processing including storage to be undertaken in Union.
Amendment 220
Proposal for a regulation
Recital 48
(48) Regulation (EU) 2016/679 applies when personal data are processed. It provides for the rights of a data subject, including the right of access and right to port personal data. This Regulation is without prejudice to the rights of a data subject provided under Regulation (EU) 2016/679, including the right of access and right to data portability. This Regulation creates a legal obligation to share customer personal and non-personal data upon customer’s request and mandates the technical feasibility of access and sharing for all types of data within the scope of this Regulation. The granting of permission by a customer is without prejudice to the obligations of data users under Article 6(1)(a) or (b) of Regulation (EU) 2016/679. Permission should not be construed as ‘consent’ or ‘explicit consent’ or ‘necessity for the performance of a contract’ as defined in Regulation (EU) 2016/679. Personal data that are made available and shared with a data user should only be processed for services provided by a data user where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, when applicable, where the requirements of Article 9 of that Regulation on the processing of special categories of data are met. Processing of personal data in the context of this Regulation should be carried out in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, as well as, where applicable, with the ePrivacy Directive. In case of mixed datasets, where personal and non-personal data are inextricably linked, the protections in EU data protection legislation and in this Regulation concerning personal data shall be fully applicable.
Amendment 225
Proposal for a regulation
Article 1 – paragraph 2 a (new)
This Regulation is without prejudice to Regulation (EU) 2016/679, Regulation (EU) 2018/1725, Directive 2002/58/EC, Directive (EU) 2019/2161, Directive 93/13/EEC, and Directive 2011/83. In the event of a conflict between this Regulation and Union law on the protection of personal data or privacy, or national legislation adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data or privacy shall prevail.
Amendment 226
Proposal for a regulation
Article 1 – paragraph 2 b (new)
This Regulation is without prejudice to Directive (EU) 2023/2225, Directive 2014/17/EU, Directive 2014/65/EU and Directive (EU) 2016/97.
Amendment 227
Proposal for a regulation
Article 1 – paragraph 2 c (new)
This Regulation shall not affect the right of a customer to receive financial services and/or products without any additional costs from providers listed in article 2(2), shall they not avail themselves to the permission dashboard of article 8, or otherwise enable financial data sharing under the proposal. For the purposes of the implementation of this paragraph, the burden of proof shall lie with the data user.
Amendment 254
Proposal for a regulation
Article 2 – paragraph 1 – point f
(f) data which forms part of a creditworthiness assessment of a firm which is collected as part of a loan application process or a request for a credit rating. Data collected as part of a creditworthiness assessment of consumers shall be excluded.
Amendment 272
Proposal for a regulation
Article 2 – paragraph 3
3. This Regulation shall not apply to the entities referred to in Article 2(3), points (a) to (e), of Regulation (EU) 2022/2554. Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925, shall not be an eligible data user for the purposes of this Regulation.
Amendment 285
Proposal for a regulation
Article 2 – paragraph 4 a (new)
4 a. Only financially relevant information and data from the categories mentioned above shall be processed for the purposes of this Regulation. Special categories of data, under article 9(1) of Regulation (EU) 2016/679 shall not be processed for the purposes of this Regulation, unless it is strictly necessary to fulfil the service requested by the customer. Data that has been derived or inferred from data provided by a customer as a result of profiling shall not be processed for the categories of this Regulation. For the purposes of the implementation of this paragraph the burden of proof shall lie with the data user.
Amendment 308
Proposal for a regulation
Article 3 – paragraph 1 – point 3
(3) ‘customer data’ means personal and non-personal data, excluding data resulting from profiling activities, that is collected, stored and otherwise processed by a financial institution as part of their normal course of business with customers which covers both data provided by a customer and data generated as a result of customer interaction with the financial institution;
Amendment 323
Proposal for a regulation
Article 3 – paragraph 1 – point 7
(7) ‘financial information service provider’ means a data user that is authorised under Article 14 to access the customer data listed in Article 2(1) for the provision of financial information services and within the scope of Article 2(3);
Amendment 328
Proposal for a regulation
Article 3 – paragraph 1 – point 7 a (new)
(7 a) ‘financial information service’ means an online service providing consolidated information on one or more financial services products listed under Article 2(1) of this Regulation with a view to providing a customer with an overall view of their financial situation immediately at any given moment;
Amendment 340
Proposal for a regulation
Article 3 – paragraph 1 – point 29 a (new)
(29 a) ‘permission’ means the clear and unambiguous authorisation to a data user to access customer data, provided by customers themselves through a permission dashboard, based on which a data holder is required to make the requested data available for the specified purpose. For the purposes of this Regulation, the criteria of article 4(11) and the conditions in Article 7 of Regulation (EU) 679/2016 shall apply to permissions as well;
Amendment 345
Proposal for a regulation
Article 4 – paragraph 1
The data holder shall, upon request from a customer submitted by electronic means or in an analogue format, make the data listed in Article 2(1) available to the customer without undue delay, free of charge, continuously and in real-time.
Amendment 350
Proposal for a regulation
Article 5 – paragraph 1
1. The data holder shall, upon request from a customer submitted by electronic means, make available to a data user the customer data listed in Article 2(1) for the purposes for which the customer has granted permission to the data user and insofar as the data user demonstrates a valid legal basis under article 6(1)(a) or (b) of Regulation (EU) 2016/679. The customer data shall be made available to the data user without undue delay, continuously and in real-time.
Amendment 361
Proposal for a regulation
Article 5 – paragraph 3 – point c
(c) request data users to demonstrate that they have a valid legal basis under article 6(1)(a) or (b) of Regulation (EU) 2016/679 and obtained the permission of the customer to access the customer data held by the data holder;
Amendment 370
Proposal for a regulation
Article 6 – paragraph 2
2. A data user shall only request and access adequate, relevant and necessary customer data made available under Article 5(1) for the purposes and under the conditions for which the customer has granted its permission, and insofar as they demonstrate they have a valid legal basis under article 6(1)(a) or (b) of Regulation (EU) 2016/679. A data user shall delete customer data when it is no longer necessary for the purposes for which the permission has been granted by a customer.
Amendment 374
Proposal for a regulation
Article 6 – paragraph 3
3. A customer shall be able to withdraw the permission it has granted to a data user at any time. When processing is necessary for the performance of a contract, a customer may withdraw the permission it has granted to make customer data available to a data user according to the contractual obligations to which it is subject.
Amendment 380
Proposal for a regulation
Article 6 – paragraph 4 – point e
(e) not process customer data for advertising purposes, except for direct marketing in accordance with Union and national lawsubject to the prior consent of the consumer;
Amendment 391
Proposal for a regulation
Article 6 – paragraph 4 a (new)
4 a. Data under this Regulation shall be stored on the territory of the Union.
Amendment 394
Proposal for a regulation
Article 7 – paragraph 2
2. In accordance with Article 160 of Regulation (EU) No 1093/2010, the European Banking Authority (EBA) shall develop regulatory technical standards on the implementation of paragraph 1 of this Article for products and services related to the credit score of the consumer, to mortgage credit agreements and to the provision of payment services for submission to the Commission by December 2025. Powers are delegated to the European Commission to adopt and, where necessary, amend regulatory technical standards on the implementation of paragraph 1 of this Article for products and services related to the credit score of the consumer. Those regulatory technical standards shall be adopted in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
Amendment 400
Proposal for a regulation
Article 7 – paragraph 3
3. In accordance with Article 160 of Regulation (EU) No 1094/2010, the European Insurance and Occupational Pensions Authority (EIOPA) shall develop regulatory technical standards on the implementation of paragraph 1 of this Article for products and services related to risk assessment and pricing of a consumer in the case of life, motor, home, health and sickness and basic insurance products, such as automobile and house or property insurance, for submission to the Commission by December 2025.
Amendment 404
Proposal for a regulation
Article 7 – paragraph 3 a (new)
3 a. In accordance with Article 10 of Regulation (EU) No 1094/2010, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority shall develop regulatory technical standards on the implementation of paragraph 1 of this Article for products and services related to the suitability and appropriateness assessment required under Article 25 of Directive (EU) 2014/65/EU, Article 30 of Directive (EU) 2015/97, and Article 81(1) of Regulation (EU) 2023/1114 of a consumer for submission to the Commission by December 2025.
Amendment 405
Proposal for a regulation
Article 7 – paragraph 3 b (new)
3 b. Powers are delegated to the European Commission to adopt regulatory technical standards on the implementation of paragraph 2, 3 and 3a.
Amendment 406
Proposal for a regulation
Article 7 – paragraph 3 c (new)
3 c. For the purposes of paragraphs (2) and (3) of this article, regulatory technical standards shall address:
(a) the limits of the combination of ‘customer data’ obtained pursuant to this Regulation with other types of personal data;
(b) the explainability, transparency and bias avoidance safeguards needed to be installed when Artificial Intelligence tools and algorithms are being deployed, used or trained for any of the purposes mentioned in paragraphs (2), (3) and (3a) of this article;
(c) the information provision obligations for financial institutions when a customer is presented with a personalised offer that is based on profiling or other types of automated processing of personal data;
(d) how the ‘right to be forgotten’ of cancer survivors shall be applicable in relation to non-credit related insurance policies, including life and health insurance, in line with article 124 of the 2020/2267 (INI) Report of the European Parliament. This shall also be extended to other chronic diseases and conditions;
(e) how data may be used to avoid excessive granularity that undermines the ‘risk sharing’ principle of insurance.
Amendment 408
Proposal for a regulation
Article 7 – paragraph 4
4. When preparing the regulatory technical standards referred to in paragraphs 2, 3 and 3a of this Article, EIOPA, ESMA, and EBA shall formally consult the European Data Protection Board established by Regulation (EU) 2016/679.
Amendment 410
Proposal for a regulation
Article 7 – paragraph 4 a (new)
4 a. Additional financial and human resources shall be provided to the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) for the fulfilment of their tasks under this Regulation.
Amendment 417
Proposal for a regulation
Article 8 – paragraph 2 – point a – introductory part
(a) provide the customer with an overview of each ongoing permission given to data users, in a format that is easy to understand, including:
Amendment 419
Proposal for a regulation
Article 8 – paragraph 2 – point a – point i
(i) the name and details of the data user to which access has been granted
Amendment 420
Proposal for a regulation
Article 8 – paragraph 2 – point a – point iii
(iii) a detailed description of the purpose of the permission;
Amendment 421
Proposal for a regulation
Article 8 – paragraph 2 – point a – point iv
(iv) the specific categories of data being shared;
Amendment 425
Proposal for a regulation
Article 8 – paragraph 2 – point b
(b) allow the customer to withdraw a permission given to a data user at any time;
Amendment 427
Proposal for a regulation
Article 8 – paragraph 2 – point c
(c) allow the customer to re-establish any permission withdrawn at any time;
Amendment 428
Proposal for a regulation
Article 8 – paragraph 3
3. The data holder shall ensure that the permission dashboard is easy to find in its user interface and that information displayed on the dashboard is clear, accurate and easily understandable for the customer and is in line with the European data protection and consumer legislative frameworks, notably Regulation (EU) 2016/679, Directive (EU) 2019/2161, Directive 93/13/EEC, and Directive 2011/83 EU.
Amendment 429
Proposal for a regulation
Article 8 – paragraph 3 a (new)
3 a. The data holder shall ensure that the permission dashboard is not designed in a way that would encourage or unduly influence the customer to grant or withdraw permissions. This includes:
(a) the procedure to withdraw consent shall not be made more difficult than the procedure to grant access;
(b) providers of the dashboards shall not design, organise or operate their interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions.
Amendment 465
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point a a (new)
(a a) each of the parties listed in paragraph (a) above shall have fair and equal representation in the internal decision-making processes of the scheme as well as equal weight in any voting procedures; where a member is both a data holder and data user, its membership shall be counted equally towards both sides.
Amendment 467
Proposal for a regulation
Article 10 – paragraph 1 – subparagraph 1 – point e
(e) a financial data sharing scheme shall include a mechanism through which its rules can be amended, following an impact analysis and the agreement of the majority of each community of data holders, data users and consumer associations respectively;
Amendment 499
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 2 a (new)
Competent authorities shall undertake regular comprehensive reviews of data sharing schemes’ governance arrangements set out in Article 10(1). These reviews shall include a thorough and documented assessment whether the schemes’ arrangements are appropriate and credible for the purposes of ensuring the responsible treatment of customer data.
Amendment 537
Proposal for a regulation
Article 14 – paragraph 7 – subparagraph 1 – point d a (new)
(d a) would be found in breach of Regulation (EU) 2016/679. Supervisory authorities established under article 51 of the same Regulation shall be the ones to notify that an infringement has been established.
Amendment 539
Proposal for a regulation
Article 14 – paragraph 7 a (new)
7 a. An appropriate remuneration scheme shall be put in place in the financial data sharing schemes to enable consumer participation in their governance.
Amendment 549
Proposal for a regulation
Article 18 a (new)
Article 18a
Complaints
Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the competent authorities of article 17 of this Regulation related to the provisions of this Regulation. Where the complaint concerns the rights of natural persons pursuant to Regulation (EU) 2016/679 the competent authority shall transmit the complaint to the supervisory authorities under Regulation (EU) 2016/679 and shall consult and cooperate with them in the handling of such complaints.
Amendment 551
Proposal for a regulation
Article 20 – paragraph 3 – point f
(f) in the case of a natural person, maximum administrative fines of up to EUR 25 000 per infringement and up to a total of EUR 250 000 per year, or, in the Member States whose official currency is not the euro, the corresponding value in the official currency of that Member State on ... [OP please insert the date of entry into force of this Regulation].
Amendment 553
Proposal for a regulation
Article 20 – paragraph 4 – subparagraph 1 – point a
Amendment 555
Proposal for a regulation
Article 20 – paragraph 4 – subparagraph 1 – point b
(b) 210% of the total worldwide annual turnover of the legal person of the preceding financial year, according to the last available financial statements approved by the management body;
Amendment 557
Proposal for a regulation
Article 22 – paragraph 1 – point a
(a) the nature, gravity and the duration of the breach taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
Amendment 558
Proposal for a regulation
Article 22 – paragraph 1 – point f a (new)
(f a) the categories of personal data affected by the infringement;
Amendment 559
Proposal for a regulation
Article 22 – paragraph 1 – point k a (new)
(k a) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
Amendment 572
Proposal for a regulation
Article 31 – paragraph 1 – point e a (new)
(e a) the impact the Regulation has had on financial inclusion and financial product and services simplicity;
Amendment 576
Proposal for a regulation
Article 31 – paragraph 1 – point e b (new)
(e b) the impact of this Regulation on sustainable finance.