Article (22) Data Privacy and Consent for the Use of Personal Data

  1. An Open Finance Provider must not Process any Personal Data for the provision of its services unless it has the explicit consent of the User to do so. Article 22 of this Regulation is subject to the prohibitions on Processing Sensitive Data set out in Article 4(1)(5) and in Article 16(3)(2) of this Regulation.
  2. A User’s consent must:

    2.1 be specific to the purpose for which it is provided, informed, unambiguous, and freely given;
    2.2 be given using a clear, objective and affirmative statement or action to signify agreement to the Processing of Personal Data of that User;
    2.3 if the Processing is intended to cover multiple purposes, be obtained for each purpose in a manner that is clearly distinguishable;
    2.4 in case of a recurring Transaction, specify the period for which the consent is valid, up to a maximum period of twelve (12) months; and
    2.5 be able to be withdrawn by the User at any time and for any reason, upon notice to the Open Finance Provider.
  3. An Open Finance Provider must inform the User of this right to withdraw consent and how to exercise that right at the time the consent is obtained. Withdrawing consent should not require undue effort on the part of the User and should be at least as simple, quick and easy as the process of giving consent. Withdrawal of consent does not affect the lawfulness of Processing carried out before the date of withdrawal and shall not prevent the Open Finance Provider from retaining Personal Data required for compliance with Article 13 of this Regulation or applicable laws.
  4. In the case of Service Initiation, a User’s consent must be obtained in relation to each Transaction to be Initiated by the Service Initiation Provider or, in the case of a recurring Transaction, a User’s consent must be obtained at the time that the User first establishes the recurring Transaction, and its parameters. A User’s consent in the case of Service Initiation must include details, as relevant, of:

    4.1 The relevant Account(s) or Product(s) to which the Transaction(s) relates;
    4.2 The nature of the relevant Transaction(s) to be Initiated (including whether it is a recurring Transaction);
    4.3 The value(s) of the relevant Transaction(s);
    4.4 The beneficiary(ies) of the relevant Transaction(s); and
    4.5 The value date(s) of the relevant Transaction(s).
  5. A User’s consent will not be considered valid in circumstances where the Open Finance Provider has obtained that User’s consent to Process Personal Data which includes Personal Data that is not relevant or not limited to what is necessary for the relevant purpose for which it is provided.
  6. If User Data contains Personal Data of natural persons other than the User, Open Finance Providers must anonymise such Personal Data of these other natural persons, or ensure that the consent of such natural persons to whom the Personal Data relates, is obtained prior to Processing such Personal Data in accordance with this Regulation (unless the Processing of that Personal Data is otherwise permissible under applicable laws concerning the protection of Personal Data).
  7. Nothing in this Regulation derogates from the obligations of a Licensee under all other applicable laws and regulations relating to protection of Personal Data including other Regulations.
  8. Open Finance Providers must comply with all other applicable laws and regulations relating to the protection of Personal Data.
  9. Without prejudice to Articles 22(7) and (8) of this Regulation, Personal Data Processed by a Licensee or an Open Finance Provider relating to Open Finance Services must be:

    9.1 Processed lawfully, fairly and in a transparent manner;
    9.2 collected for specified, explicit and legitimate purposes and not Processed at any time, in a manner that is incompatible with those purposes;
    9.3 adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed;
    9.4 accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified without delay; and
    9.5 Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  10. Open Finance Providers must destroy User Data that is Personal Data which allows for the identification of the User, after the purpose of its provision to the Open Finance Provider has been completed, subject to the record retention requirements in Article 13 of this Regulation and any mandatory data retention requirements under applicable laws, including AML Laws.
  11. Open Finance Providers must store all data relating to Open Finance Services within the State and are not permitted to maintain copies of the data they obtain through Open Finance Services outside of the State, unless the Open Finance Provider has obtained:

    11.1 approval from the Central Bank and additional approvals from any other relevant competent authority, as necessary;
    11.2 prior written consent from the User. For the purpose of obtaining such consent from a User, the User must be informed of the following, prior to or at the time of being asked to give consent:
     11.2.1 where the User Data will be stored;
     11.2.2 why it will be stored outside the State; and
     11.2.3 that consent is sought only for the purpose which has been approved by the Central Bank; and
    11.3 written acknowledgement from the User that his/her User Data may be accessed under legal proceedings outside the State in such circumstances.
  12. Subject to Central Bank approval, and in accordance with relevant laws and Regulations, licensed branches of foreign banks may store data relating to Open Finance Services outside of the State, provided a copy of the Master System of Record, updated on at least a daily basis, is stored in the State.