Does the IBA have any guidance on the EU’s expanded General Data Protection Regulation (“GDPR”) and its potential compliance impact on community banks? While I’m fairly certain that the majority of community banks don’t operate in the EU, most probably do have a handful of customers who reside there and could be covered by the GDPR.

You are correct that any community bank with customers residing in the European Union (EU) would likely be covered by the GDPR. The GDPR applies to businesses outside of the EU that process personal data when offering goods or services to a natural person who is located in the EU. This is a very broad standard of application that would cover any community bank which provides services to a natural person located in the EU and processes that person’s personal data.

The GDPR’s requirements are complex and may be cost-prohibitive for a community bank to implement, although most larger banks are doing so. A community bank’s decision as to whether to comply with the requirements will depend on a cost-benefit analysis and other factors. In some cases, it may make sense for a community bank to close all accounts held by any EU resident, to avoid the harsh penalties for violations of the GDPR’s requirements.

We recognize that some community banks are making business decisions to retain a small number of accounts for persons located in the EU — without complying with the GDPR’s requirements — on the assumption that they are unlikely to be subjected to prosecution in the EU. While this approach is understandable, we do not recommend it. It could take just one incident, such as a data breach or a customer complaint to an EU authority, or a defense in a collection action, to potentially trigger the GDPR’s severe penalties. Such penalties can be calculated up to 4% of a company’s annual gross revenues or 20 million Euros, whichever is greater.

For resources related to our guidance, please see:

  • European Commission FAQs, Who does the data protection law apply to? (“The law applies to: . . . (2) a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”)
  • European Commission FAQs, Who does the data protection law apply to? (“Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”)
  • Regulation (EU) 2016/679 (GDPR), Article 3, Territorial Scope (“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”)
  • Regulation (EU) 2016/679 (GDPR), Article 3, Territorial Scope (“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. . . .”)
  • Regulation (EU) 2016/679 (GDPR), Article 4, Definitions (“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; . . .”)
  • Regulation (EU) 2016/679 (GDPR), Article 83, Administrative Fines (“4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: . . . 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: . . .”)