Asmens duomenų apsaugos iššūkiai finansų įstaigose: mokslo studija

LTRemiantis įvairiais teisės aktais finansų įstaigos yra įpareigotos rinkti ir tvarkyti savo klientų (fizinių asmenų, taip pat ir juridinių asmenų naudos gavėjų) asmens duomenis. Vykdydamos šias pareigas, minėtos įstaigos privalo laikytis Bendrojo duomenų apsaugos reglamento nuostatų ir asmens duomenis rinkti bei tvarkyti tik jame apibrėžtais pagrindais. Šioje mokslo studijoje nagrinėjami reguliaciniai įpareigojimai finansų įstaigoms rinkti ir tvarkyti klientų ir kitų asmenų asmens duomenis ir jų suderinamumas su asmens duomenų tvarkymo taisyklėmis.

ENFinancial institutions do not collect and process personal data on their own initiative, but are obliged to do so by law. In particular, this is done in order to identify potential customers of the institution, to ensure the prevention of money laundering and terrorist financing, to manage the risks of the financial institution, to provide payment services in accordance with the Second Payment Services Directive (the provisions of which have been transposed into the Law on Payments of the Republic of Lithuania), and to fulfill other legal obligations. The collection and processing of personal data in financial institutions is subject to various challenges, such as how to reconcile the requirements governing the activities of financial institutions with the requirements for the protection of personal data under GDPR. Financial institutions collect personal data for a variety of purposes, which also depends on the type of financial institution. Some requirements apply to banks, others to insurance companies or companies providing investment services. Thus, in each case, both the purpose and the legal basis for the processing of personal data by financial institutions are different. This study analysis the requirements for financial institutions to collect and process personal data in financial institutions providing payment services, and assesses the compliance of such requirements with personal data protection requirements. It seeks to highlight the challenges faced by financial institutions and provides a reasoned reflection on how to address them. This study is divided into four main parts. The first part provides an overview and systematises the need for the protection of personal data in financial institutions. The second part examines the obligations for financial institutions arising from the GDPR requirements.The third part provides an in-depth analysis of the need for financial institutions to collect and process personal data, with a separate focus on the collection of personal data for the purpose of AML/CFT, including the collection of personal data for the purpose of identifying the identity of the natural and legal persons of customers and the beneficiaries of customers, the assessment of the purpose and the intended nature of the business relationship, as well as the management and assessment of the AML/CFT risks identified by the financial institution and required by law, as well as the analysis of the legal basis of the processing of personal data obtained in the implementation of the provisions of the Law on the prevention of money laundering and the financing of terrorism. In addition to the requirements related to the prevention of money laundering and terrorism financing, the third part of this paper deals with the requirements for financial institutions regarding the processing and transfer of personal data to third parties in accordance with the payment services regulations, separately discussing payment initiation and account information services, the information to be provided to data subjects, the legal basis for the processing of personal data where the data is collected and processed in accordance with the obligations under the payment services regulations, and the need for, and the legal basis for, the processing of the personal data of persons who do not have a contractual relationship with a payment institution. Finally, this part of the work briefly discusses other regulatory requirements for the collection and processing of personal data in financial institutions (requirements arising from the transfer of funds between different financial institutions, requirements related to the prevention of tax evasion, etc.).The fourth part of the study deals with other obligations of financial institutions in relation to the protection pf personal data (personal data protection impact assessment, ensuring the right of the data subject request the erasure of personal data and the transfer of personal data to third parties).