May 2018

Use of data: balancing added value for

customers and data protection

The digital transformation is one of the key challenges today – also for the financial industry. The Associ-

ation of German Banks is meeting this challenge by, among other things, cooperating with start-ups from

the financial sector, fintechs. The cooperation was institutionalised in the Digital Banking Project Commit-

tee, which is vigorously driving forward the cross-cutting issue of digitisation. The committee is a high-

level body comprising bank Chief Digital Officers (CDOs) and leading figures from the German fintech scene.

The present paper is the result of intensive cooperation between banks and fintechs.

Contacts at the Association of German Banks:

Wulf Hartmann | Legal Affairs | wulf.hartmann@bdb.de

Stephan Mietke | Retail Banking, Banking Technology | stephan.mietke@bdb.de

Tobias Tenner | Digital Banking | tobias.tenner@bdb.de

The Association of German Banks and fintechs

Andreas Krautscheid, Chief Executive

bankenverband

Positions 3

Introduction

The financial services industry is undergoing a sweeping

digital transformation that is affecting retail business in

particular. In the meantime, a host of new providers with

innovative services and a raft of new business models

have entered the marketplace. These include – as befo-

re – companies creating and marketing individual pro-

ducts, but also platforms and entire ecosystems linking

customers, product providers, processors or added-value

service providers with each other.

The Association of German Banks is also facing up to the

digital transformation: it supports cooperation between

banks and fintechs and is instrumental in ensuring that

common positions can be found. This position paper is

based on the perception shared by both groups that the

ever growing amount of data generated by digitisation

needs to be used in the interests of customers without

losing sight of the importance of data protection.

Banks and fintechs are keen to play a proactive role in

shaping the digital transformation. Maintaining custo-

mers’ trust in protection of their data and at the same

time offering state-of-the-art, user-friendly applications

are a key success factor in this respect. This is why both

groups feel it is essential that every customer be enabled

to keep track of and retain control over their data and

handle this data freely and independently.

Starting situation

Digitisation brings many benefits – not only for busines-

ses but particularly also for customers: using data-based

analyses, their user behaviour and thus also their wishes

and needs can be better ‘understood’. This allows busi-

nesses to offer customised products at the right time and

deliver individual added value for every customer.

Yet this potential can only be tapped if users actually see

real added value for themselves and at the same time feel

there is an adequate level of security and trustworthi-

ness. The latter is essential, especially as data protection

law also stipulates that individuals should be able to

consciously and freely determine how their data is used,

whether they receive explanatory information when con-

cluding a contract or whether they sign a declaration of

consent. Particularly in Germany, citizens are rather cau-

tious and sceptical when it comes to the use or disclosure

of data if they fail to see the context or benefit. When

customers are asked if they agree to wider use of their

data, most usually express reservations.

In practical life, the picture is often different, however:

services that are known to be based on intensive use of

customer data but (in this way) offer customers signifi-

cant added value are popular with citizens; that goes for

social networks or messenger services, but also for many

other products from the digital world. This is why – par-

ticularly in view of the current allegations of data misuse

by some players – we believe that informed, conscious

and self-determined data handling by individuals should

be the rule.

The new European General Data Protection Regulation

(GDPR) now further harmonises the framework gover-

ning the use of customer data. To create a real level play-

ing field for all market participants, it must be ensured

that its provisions are implemented and interpreted con-

sistently across the EU.

Yet, looking at its thrust, we take a critical view of the

fact that the GDPR could lead to a further formalisation

and expansion of data protection information for custo-

4 Positions

mers. Not least because of the high risk of penalties, we

are concerned that customer information will be further

‘juridified’, which would be at odds with customer-friend-

ly transparency. It should also be questioned whether,

given the innovative momentum today and the broad

knowledge potential of big data, the (narrow) ‘specific

purpose’ rule in data protection law is really in keeping

with the times or does not instead lead to opportunities

for customers and providers being passed up. Data pro-

tection must also be judged by whether it does not pose

any great obstacles to new business models in a global

digital economy and consequently does not encourage

any escape routes via offshore solutions. A fair balance

between overall economic interests and individual pro-

tection needs must be continually sought and optimised

anew.

bankenverband

Positions 5

Position I – Added value for customers through use of data

Customers can be offered significant added value through use of their data without restricting protection

of their data or their privacy

Digitisation allows new added-value approaches from

which customers can benefit in the form of better, i.e.

higher-quality, quicker, simpler and lower-priced, pro-

ducts and services. Significant added value is created, for

example, by

�� identifying customer needs appropriately,

�� customising products and services,

�� individually protecting customers against financial

losses and

�� enabling banks to manage risks more accurately.

The associated ideas and approaches call for more in-

tensive use of data – in terms of collecting, linking and

enriching such data, as well as sharing it with third par-

ties – than in the past, however.

If a financial services provider collects a customer’s data,

it may, for example, be important and sensible to look

beyond pure financial transactions and consider con-

tracts of sale and other contract data, specific interests

or location data as well. Such additional data would

make it easier to realise cost savings potential, to ob-

tain better financial terms and conditions or to detect

account misuse earlier than in the past.

It would also be ideal if financial services providers could

link their own financial data to third-party data instead

of having to collect it anew in isolated data silos. After

all, much of the data mentioned by way of example is al-

ready available at other service providers, some of which

are outside the financial sector.

This expanded, collated and enriched data is more of a

guarantee that consumers’ actual interests and needs

will be catered to. According to a representative survey

in January 2018, three-quarters of citizens believe that

consumers are often unable to cope today when it co-

mes to making decisions on purchases. More strongly

data-based decision-making tools or recommendations

could provide better guidance in this area.

1 Representative GfK survey “Verbraucherschutz aus Bürgersicht” (“Consumer protection from a citizen’s perspective”) on behalf of the Association of German Banks, January 2018

6 Positions

�� Proactive budget and liquidity monitoring

By analysing payment transaction data, banks can automatically offer help to customers whose fi-

nancial situation has deteriorated or threatens to deteriorate as a result of drastic changes in their

personal circumstances (e.g. change in their family environment or unemployment). For example,

it is possible that in such a case customers would proactively receive updated budget and liquidity

management planning. In this way, they would be advised as early as possible, drawing on the best

possible database. This would also be in line with the objectives of current regulatory efforts.

Such a service is frequently thwarted today by the fact that automated personalised reading of the

reason for a payment transaction is only allowed with the customer’s explicit consent (cf. Art. 94 (2)

PSD2 and Art. 6 (1) (a) GDPR) and that, because of poor transparency and uncertainty about how data

is used, customers are reluctant to actively agree to this.

�� Opening accounts/custody accounts digitally in a seamless process

If a user wants to open an account online, they can complete the account-opening process within a

few minutes. To retain the data already actively entered in the online form if the connection cuts off

or if it is deliberately interrupted, the website used temporarily saves the customer data, e.g. for a pe-

riod of seven days. If the user calls up the account-opening process again within this period, the data

they have already entered will be automatically uploaded and they can continue entering data from

where they left off, i.e. they don’t have to start all over again. There is the danger that these conve-

nience aspects will be lost sight of in the European ePrivacy Regulation currently under discussion.

�� Use of data from account information services

If a customer authorises their bank under the new PSD2 arrangements to aggregate other accounts

with other banks on its online banking platform (through an account information service), the addi-

tional data acquired in this way can be used by the bank to create various kinds of added value for

the customer.

However, in many cases it is not yet clear today exactly what services will be created as a result. As the

customer has to deliberately opt for account aggregation, it is likely that new declarations of consent

will be additionally required in the future and that the customer will thus face constantly amended

or expanded general terms and conditions and data privacy statements.

Examples

bankenverband

Positions 7

�� ‘Data minimisation’ and ‘purpose limitation’ principles under data protection law:

only the data required to achieve a specific purpose may be used. However, a feature of modern servi-

ces – also triggered by PSD2 – is that they cater comprehensively to users’ needs, so that the purpose

focus is becoming increasingly blurred.

�� Lack of transparency or knowledge by the customer about how their data is used:

controllers are required to provide the customer/data subject with detailed information on the

processing of their data. However, comprehensive data privacy statements tend to quickly produce

information ‘overkill’ among customers. The degree of detail introduced by the GDPR as well as the

‘juridification’ of its language to avoid the risk of penalties diminish clarity and comprehensibility for

the customer, thus undermining the original purpose.

�� The actually right ‘privacy by default’ rule leads in practice to providers not recognising their users in

the digital world and being unable to proactively personalise their service. From the ‘analog’ world, e.g.

bank branches, we know, however, that customers would in fact like to be recognised and personally

looked after.

Lawmakers and data protection supervisors are called upon to create a framework fostering the use of

data while at the same time ensuring data protection:

1. Qualifying the ‘data minimisation’ principle, e.g. by generally allowing the use of publicly available data

(with and without reference to persons).

2. Freeing the ‘purpose limitation’ principle from an overly tight framework:

�� enabling the customer to accept various processing purposes, possibly through one step in the basic

settings or at the start of use of a comprehensive service (with scope for subsequent adjustment

where required);

�� moving in the medium term away from the outdated, since non-operationalisable, ‘purpose limitati-

on’ rule towards inclusion of (and user consent for) certain application classes, providers, regions or

other specifically designated types of data use that the user can understand.

Existing barriers

Petitions

8 Positions

3. Accepting two-level information communication approaches, i.e. brief and concise information to

provide an overview (level 1) and further detailed information upon request (level 2) – see also Position

II below.

�� Encouraging customer acceptance by communicating more clearly the benefits of expanded and aggre-

gated use of data for the customer. Obvious use cases are better customer advice drawing on a broader

database, improving forward-looking financial scenarios, preventing fraud, and much more.

�� Indicating means of standardisation to strengthen customer confidence. Such means are appropriate

guidelines, a code of conduct or ‘bank secrecy 2.0’ adapted to the digital world.

Accompanying measure(s) by banks/fintechs

bankenverband

Positions 9

Position II – User-friendly transparency on the use of data

Ensuring transparency on the use of data geared to the customer’s needs is the right approach to

strengthen the customer’s data sovereignty and create trust in disclosing data for innovative products.

Any framework to foster the use of data in the customer’s

interests must ensure the user’s data sovereignty and pri-

vacy. To this end, practical transparency approaches and

control tools need to be developed and implemented.

At present, the risk of penalties under the GDPR means

that the providers’ focus is on legal protection, which is

why a data privacy statement is usually a lengthy docu-

ment worded in turgid legalese. While this document

provides maximum (legal) transparency, the actual pur-

pose – comprehensibility for the user – frequently takes

a back seat.

What is thus needed is a transparency approach that not

only has legal precision in mind but also accommodates

the customer by answering the following key questions

briefly and concisely so that a legal layman can under-

stand:

�� Who uses the data (provider, third party)?

�� What data is used (by category of data)?

�� For what purposes is the data used?

�� Is the data sold on?

�� Where is the data stored/processed?

�� ‘Traffic light’ food labelling system: the ‘traffic light’ food label shows the way:

it is designed to protect consumers where they don’t have enough prior knowledge or information

to be able to reliably assess what is in a food product. A simple, easy-to-understand label is inten-

ded to show at a glance whether the product exceeds certain nutrient levels and thus contributes

to an unhealthy diet.

�� As regards data privacy statements, it is often also the case that, without any specific basic – in this

case, legal – knowledge, it is virtually impossible for the customer to gain an idea of how their per-

sonal data will be processed. This is where an easy-to-understand, uniform symbol code could help.

The first page of a data privacy statement should contain an overview of the symbols along with a

sentence explaining how data will be used in connection with the service the user is interested in.

Examples

10 Positions

�� Impracticality of the strongly formalised information requirements under data protection law in terms

of both their length and the legal language used.

�� Lack of transparency standards for data privacy statements: these are provider-specific and thus make it

difficult for the customer to compare them across providers.

We call for a number of measures with a view to simplifying data privacy statements while at the same

time improving acceptance by users. These are:

4. Requiring lawmakers and data protection supervisors to foster and accept a modified transparency

approach that comprises two levels:

�� stressing the comprehensibility aspect in consumer information on the use of data, e.g. by way of

symbols or icons;

�� providing detailed, legally binding information and explanation of the symbols or icons upon re-

quest or centrally via a contact point or website.

5. Fostering a specific, uniform standard for simplified presentation of information and ‘messages’

(e.g. icons, keywords, one-pagers).

6. Requiring the competent data protection authorities to constructively accompany/support any

additional sector-specific standards.

�� Developing a transparency approach as an aid to, or even best practice for, members/banks. This ap-

proach should be designed to show customers the scope and limits of use of their data in simple, easy-

to-understand form so that they can grasp the implications of consent to use of their data (e.g. under a

contract or by a separate declaration of consent). At the same time, the approach could set data protec-

tion and data security standards within the existing legal framework and in this way help to harmonise

the application and interpretation of data protection rules.

�� Compiling a sector-specific data protection glossary explaining to users in plain language the terms

most frequently encountered in connection with financial services.

Existing barriers

Petitions

Accompanying measure(s) by banks/fintechs

bankenverband

Positions 11

Position III – Easy-to-control data use via a data dashboard

Customers should be able to control and track use of their data by providers more easily and conveni-

ently than in the past. They should in this way be empowered to exercise control over their data con-

sciously and independently.

The condition for this is that customers have sufficient

transparency about how the provider or, as the case may

be, third parties intend to use their data (see, for examp-

le, Position II above).

Legal basis for data processing

Customers are in principle to be in a position to con-

trol use of their data – for example, under a contractu-

al relationship or on a consensual basis – by means of

a single declaration of intent. In some cases, however,

data may be legitimately processed on the basis of sta-

tutory provisions (keywords: responsible lending, fraud

prevention) or after a balancing of interests (keywords:

dialogue with credit information agencies, use of data

for advertising purposes). In such cases, notification to

this effect must suffice – where a balancing of interests

takes place, with an opt-out option. Separate customer

consent to use of data under a contractual relationship

is superfluous: if the contract cannot be performed with-

out using/processing that data, a consensual approach

would be misleading.

In the case of a contractual declaration relating to data

processing or separate consent to data processing, a sim-

ple confirmation, e.g. by way of a mouse click, should be

possible for the data subject. Particularly when it comes

to online processes, checkboxes containing a variety of

options are known to lead to high abort rates, as they

are not only time-consuming for customers but call in

some cases for decisions that may well overwhelm them.

Instead of checkboxes, concise information on the use

of data (see Position II) and, if required, a link to additio-

nal terms and conditions and guidance may be advisable

to inform customers better about the terms on which

they consent to use of their data

Controllability through a data dashboard

The guiding data protection principle is that data sub-

jects should generally be able to decide for themselves

(on a consensual basis or by contractual agreement)

who may process their data, what for and to what ex-

tent. This includes their right to information, rectifica-

tion or erasure, to restriction of processing, or the right

to object to processing, as well as the right to data por-

tability. In practice, however, the large number of coun-

terparties and different types of contract that individuals

face often make it virtually impossible for them to keep

track of and effectively exercise control over their data.

Better results could be achieved by a user-friendly data

dashboard allowing users to recognise and – where pos-

sible – control at a glance what data is used by what pro-

viders for what purpose and to what extent. Users could

also stipulate via the dashboard what online companies

they disclose full personal data to and whom they would

only like to deal with using a pseudonym. Authorisati-

on to access data could also be subsequently altered or

withdrawn; for this, there should be an access protocol.

The dashboard should offer customers – in standardised

form if necessary – a simple and clear overview.

A dashboard solution could be made available, on the

one hand, by data-processing companies within the user

profile but, on the other hand, also by trusted third-party

providers that bring together data and identity manage-

ment – like the personal finance management services

aggregating bank accounts – in one place. Similar to

the social login functionality we know from Facebook,

Google, LinkedIn, Xing or Twitter, this data and identi-

ty management service would inform customers prior

to any access to customer data by a provider what data

12 Positions

�� Data/identity management platform

The data dashboard could be put in place on a central data/identity management platform. This

platform would offer its users a single sign-on key for various services. The disclosure of user data

can be managed and controlled via a permission centre: users can set the data disclosure settings

individually where a link to a new service is established. When doing so, they decide what data may

be disclosed to whom and in what situations it may be used. The data can be adapted and erased

at any time. Users can also set the desired degree of convenience to determine for the respective

services whether contact data, bank data or dispatch data is automatically disclosed.

�� Lack of clarity on interpretation of data protection law and threat of consequences in the event of an

infringement, particularly where cross-provider platform solutions are concerned. The obligation to

produce proof of the required legal basis for processing personal data lies in cases of doubt/dispute

with the provider, creating incentives to obtain explicit customer consent that, in turn, diminishes

customer convenience.

�� High complexity/considerable time and effort involved in designing and implementing such a data

dashboard.

Examples

Existing barriers

needs to be accessed and will therefore be disclosed.

This would put users behind the steering wheel.

Initial efforts by some US platform providers are aimed

at giving users the right to determine their ‘privacy set-

tings’. These efforts do not go far enough, however, in

our view. Though users are allowed to edit and erase the

data recorded and stored about their online behaviour,

transparent individual scope for disclosing data prior to

its use is missing.

bankenverband

Positions 13

7. Accepting a structured information and management platform, particularly from a data protection

law/competition law perspective.

8. For cases where consent is required under data protection law:

�� adopting practical consent-based solutions that are easy to use and easy to understand for users. For

this purpose, legislators need to specify such solutions and embed them in a suitable legal frame-

work;

�� allowing simple – as far as possible, blanket – consent by the customer without the need for separa-

te, explicit consent for individual aspects of use of data;

�� the principle of ‘freely given consent’ (in accordance with Art. 7 GDPR) should be satisfied if the data

subject has an opt-out option in the event that use of their data goes beyond contract performance.

�� Identifying existing standards applicable to a data dashboard.

�� Assessing potential implementation by the financial industry.

Petitions

Accompanying measure(s) by banks/fintechs

14 Positions

Annex: Overview of petitions

1. Qualifying the ‘data minimisation’ principle, e.g. by generally allowing the use of publicly available data (with and

without reference to persons).

2. Freeing the ‘purpose limitation’ principle from an overly tight framework:

�� enabling the customer to accept various processing purposes, possibly through one step in the basic settings or at

the start of use of a comprehensive service (with scope for subsequent adjustment where required);

�� moving in the medium term away from the outdated, since non-operationalisable, ‘purpose limitation’ rule to-

wards inclusion of (and user consent for) certain application classes, providers, regions or other specifically desig-

nated types of data use that the user can understand.

3. Accepting two-level information communication approaches, i.e. brief and concise information to provide an over-

view (level 1) and further detailed information upon request (level 2) – see also Position II below.

Position I – Added value for customers through use of data

4. Requiring lawmakers and data protection supervisors to foster and accept a modified transparency approach that

comprises two levels:

�� stressing the comprehensibility aspect in consumer information on the use of data, e.g. by way of symbols or icons;

�� providing detailed, legally binding information and explanation of the symbols or icons upon request or centrally

via a contact point or website.

5. Fostering a specific, uniform standard for simplified presentation of information and ‘messages’ (e.g. icons, keywords,

one-pagers).

6. Requiring the competent data protection authorities to constructively accompany/support any additional sector-

specific standards.

Position II – User-friendly transparency on the use of data

7. Accepting a structured information and management platform, particularly from a data protection law/competition

law perspective.

8. For cases where consent is required under data protection law:

�� adopting practical consent-based solutions that are easy to use and easy to understand for users. For this purpose,

legislators need to specify such solutions and embed them in a suitable legal framework;

�� allowing simple – as far as possible, blanket – consent by the customer without the need for separate, explicit

consent in regard to individual aspects of use of data;

�� the principle of ‘freely given consent’ (in accordance with Art. 7 GDPR) should be satisfied if the data subject has

an opt-out option in the event that use of their data goes beyond contract performance.

Position III – Easy-to-control data use via a data dashboard

bankenverband

Positions 15

Publishing details | Publisher: Bundesverband deutscher Banken e. V., Postfach 040307, 10062 Berlin | Legally responsible: Oliver Santen bankenverband.de | Photo: fotolia kras99 | May 2018

The Association of German Banks can be contacted

by post:

Bundesverband deutscher Banken

P.O. Box 040307,

10062 Berlin

Germany

by email:

bankenverband@bdb.de

online:

bankenverband.de

by phone:

+49 30 1663-0