Banks, insurance companies and other financial institutions gather a lot of information about their clients. But do they only gather the information they need? And is this data protected well enough against possible misuse? In this week's edition of Economic Report, Vladimir Tax talks to the head of the Office for Personal Data Protection, Karel Neuwirt, about how banks, insurance companies and other financial institutions handle their clients' personal data.
A law on protection of personal data - Act No. 101/2000 - came into force in the Czech Republic on June 1, 2000, introducing European standards to the handling of personal data by both the authorities and private companies. Enforcement of the law was entrusted to an independent supervisory authority, the Office for Personal Data Protection, whose seven inspectors started carrying out inspections in the financial sector in June this year.
Even during this relatively short period, they found some serious malpractice in the way banks and financial institutions handle their clients' data. I spoke about the issue to Karel Neuwirt, the chairman of the Office for Personal Data Protection.
"In general, I must say that financial institutions have many problems and difficulties with harmonisation of their activities with the law. We observe some problems in the contracting procedure, excessive amounts of collected personal data, illegal transferring of personal data among companies and some other problems. Some specific issues are concerning accuracy of data, the length of time of keeping this data, there is now effort to collect as much clients' personal data as possible. It is impossible, because the purpose of collecting and processing these data shall be specific and data could be collected only for this specific purpose. For example, if the purpose is a loan, only data for loan activities can be collected and processed."
Have you conducted any investigation, have you found any case when banks misuse the information they gather or use it for other purposes than they gathered it for?
"Yes. Our supervisory activity in the financing and banking sector has just started but we have observed many cases of bad practice, as I have already said. For example, a big financing institution collected and processed personal data for banking purpose and then this personal data has been transferred to a daughter company for leasing or travel purposes. It is absolutely illegal as this new purpose is incompatible with the original purpose."
Banks try to get around the law by making clients sign a contract which contains a clause allowing them to possess such data and pass it on to third persons. However, as Mr. Neuwirt pointed out, such contracts are invalid because in the Czech legal system, a client's consent is not above the law.
"Our inspectors repeatedly criticised contract clauses between institution and client. A specific problem is consent of clients for collection and processing of personal data. We observe bad practice also in creating of contract clauses and this practice shall be changed."
What can clients of banks or insurance companies do when their bank requires them to provide information apparently unrelated to the service it provides? How can they defend themselves, because banks sometimes threaten to terminate a contract...
"This is a problem, because you as a client of a bank have not effective measures to change this practice. I think that you can only contact our office and describe this practice in bank you contacted and only our office can start some process to change the bad practice."
There have been discussions about a registry of debtors that banks and other financial institutions would set up to exchange information on clients. Are these practices connected with the effort to set up such a registry?
"Yes. Registries of debtors, defaults, a credit reference registry, are a very sensitive problem. At this moment, there are some activities in the Czech Republic to create a national debt registry, a default registry. The problem is illegal combinations of personal data among different institutions. The proposal is that the national registry will collect personal data about defaults from the banking sector, leasing companies, insurance companies, telecommunication providers etc. It is absolutely illegal in this moment. The main problem is the non-existence of a special law for such an activity and some legal rules and regulations for collecting of personal data and operating this registry. I must say that activities to create a big registry of debtors is illegal."
Does your office have any indications that banks already exchange information on their clients in this way?
"No, because banks can exchange personal data mutually according to the banking law, this is correct. We have not observed any exchange of data from banks outside the banking sector. But for example leasing companies have not such provisions and cannot exchange data with banks or insurance companies, such an activity is illegal. But exchange [of data] only among banks is legal."
The Office for Personal Data Protection can impose a fine of up to 10 million CZK, the equivalent of roughly 250,000 USD, for violating the law, or twice as much in the case of a repeated offence.
Unfortunately, there is not much an ordinary bank client can do to protect himself against malpractice except for reporting such cases to the Office for Personal Data Protection. But inspectors of the office advise clients to read the small print carefully before signing any legal document.