We recommend either bringing your bank into compliance with the GDPR’s requirements or closing all accounts held by any EU resident, in order to avoid the harsh penalties for violations of the GDPR’s requirements.
The GDPR applies broadly outside of the EU: it applies to any business that processes personal data when offering goods or services to any natural person who is located in the EU. It would apply to your bank if you provide banking services to, and process the personal data of, any natural person who resides in the EU.
The GDPR’s requirements are complex and may be cost-prohibitive for your bank to implement, although most larger banks are doing so. Your bank’s decision as to whether to comply with them will depend on a cost-benefit analysis and other factors.
We recognize that some community banks are making business decisions to retain a small number of accounts for persons located in the EU – without complying with the GDPR’s requirements – on the assumption that they are unlikely to be subjected to prosecution in the EU. While this approach is understandable, we do not recommend it. It could take just one incident, such as a data breach, a customer complaint to an EU authority, or a defense raised in a collection action, to trigger the GDPR’s severe penalties. Such penalties can reach 4% of a company’s annual gross revenues or 20 million Euros, whichever is greater.
For resources related to our guidance, please see:
- European Commission FAQs, Who does the data protection law apply to? (“The law applies to: . . . (2) a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”)
- European Commission FAQs, Who does the data protection law apply to? (“Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”)
- GDPR, Regulation (EU) 2016/679, Article 3, Territorial Scope (“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”)
- GDPR, Regulation (EU) 2016/679, Article 3, Territorial Scope (“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. . . .”)
- GDPR, Regulation (EU) 2016/679, Article 4, Definitions (“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; . . .”)
- GDPR, Regulation (EU) 2016/679, Article 83, Administrative Fines (“4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: . . . 5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: . . .”)
- EUGDPR.org (Unofficial, crowd-sourced portal for GDPR information with a summary)
- Deloitte article, Six Ways to Prepare for the EU’s GDPR