Processing of personal data in the Bank and Payment Accounts Register as well as in the aggregating application
Basis for processing personal data
The processing of personal data is based on the Act on the Bank and Payment Accounts Control System (571/2019).
- Act on the Bank and Payment Accounts Control System, sections 4–6 and 7 a.
Purpose of processing personal data
The purpose of the Act on the Bank and Payment Accounts Control System is to improve the authorities’ access to electronic information on bank and payment accounts and to ensure a more accurate targeting of enquiries by authorities e.g. in preventing, uncovering and investigating serious crime. Only the competent authorities referred to in the Act can use the Bank and Payment Accounts Control System if it is necessary for carrying out their tasks and if the authority has the right provided elsewhere in law to obtain the data referred to in the Act on the Bank and Payment Accounts Control System. The competent authorities and the purposes for which the data can be used are listed under Regular disclosures of personal data.
Customs is the data controller of the Bank and Payment Accounts Register, that maintains the register and is responsible for submitting the information stored in the register to the competent authorities via the aggregating application. The purpose of the Bank and Payment Accounts Register is to receive and store as well as to disclose data stored in the Accounts Register as referred to in the Act.
The aggregating application is an automated technical solution maintained by Customs, which transmits the information requests by competent authorities e.g. to the Bank and Payment Accounts Register and transmits the data received from it in accordance with the information request to the competent authority. The data in question are listed under Categories of personal data.
Sources of personal data
Bank and Payment Accounts Register
Data for the Bank and Payment Accounts Register are provided by payment institutions, electronic money institutions, virtual currency providers and credit institutions that have been granted an exemption by the Financial Supervisory Authority. These parties are responsible for the accuracy of the data they submit for storage to the Bank and Payment Accounts Register, and for rectifying data without undue delay. New data and notifications of any changes to existing data must be submitted to the Bank and Payment Accounts Register no later than on the following banking day. Data are disclosed notwithstanding secrecy provisions and other restrictions on access to information.
Regular disclosures of personal data
Customs is entrusted with disclosing data from the Bank and Payment Accounts Register to the competent authorities via the aggregating application. Data can be disclosed notwithstanding the provisions of Article 18(1)(a) of the General Data Protection Regulation (EU 2016/679) on the right of the data subject to obtain from the controller restriction of processing.
The information requests transmitted via the aggregating application and the contents of the responses to the requests are considered confidential.
The following competent authorities have the right to obtain information from the Bank and Payment Accounts Control System, if it is necessary for carrying out the following tasks, and the authority has the right provided elsewhere in law to obtain the abovementioned information:
- the Police, the Financial Intelligence Unit, Customs and the Border Guard for the prevention, detection and investigation of offences under Annex I to the Europol Regulation (Regulation (EU) 2016/794 of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA);
- The Tax Administration (a) for the purpose of allocating the obligation to provide information laid down in section 19 of the Tax Procedure Act (1558/1995) (b) for the purposes of section 3 of the Act on the national implementation and application of the provisions of the Council Directive on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC (185/2013);
- Customs for the purpose of allocating the duty to provide information laid down in section 102(2) of the Customs Act (304/2016) for the purpose of carrying out a duty of taxation or tax control as well as for preliminary investigation and for the purpose of preventing and detecting customs offences referred to in Chapter 1, section 2(3 and 4) of the Act on Crime Prevention by Customs (623/2015);
- The Enforcement Authority for the enforcement referred to in the Enforcement Code (705/2007);
- The Financial Supervisory Authority, the National Police Board, the Finnish Patent and Registration Office, the Regional State Administrative Agency and the Finnish Bar Association in order to carry out a control task referred to in the Act on Preventing Money Laundering and Terrorist Financing (444/2017, later “the Anti-Money Laundering Act”);
- The Financial Intelligence Unit for carrying out tasks in accordance with section 2 subsection 1(1–4, 7 and 8) of the Act on the Financial Intelligence Unit (445/2017);
- The Police and the Border Guard for the prevention, detection, investigation as well as prosecution of offences and maintenance of national security, the Police for the performance of the task of supervising fundraising referred to in the Money Collection Act (863/2019) as well as information needed in a police investigation referred to in Chapter 6 of the Police Act (872/2011) if an important public or private interest so requires;
- The Defence Forces for the prevention, detection and investigation of offences referred to in the Act on Military Discipline and Combating Crime in the Defence Forces (255/2014) as well as in accordance with section 104 of the Act on Military Intelligence (590/2019);
- The Financial Supervisory Authority for carrying out tasks in accordance with section 3 of the Act on the Financial Supervisory Authority (878/2008).
Categories of personal data
Bank and Payment Accounts Register
The following data shall be stored in the Bank and Payment Accounts Register on a customer of a payment institution, electronic money institution and provider of virtual currency who shall be identified as provided for in Chapter 3 section 2 of the Anti-Money Laundering Act:
- full name, date of birth and Finnish personal identity code or, if lacking, citizenship of the account holder, the person authorised to the account and the customer of a virtual currency provider or, if the account holder or the customer of a virtual currency provider is a legal person, its full name, registration number, date of registration and registration authority as well as all parties authorised to use the account and the information on them referred to above regarding natural persons (7.5.2021/378);
- start and end dates of the customer relationship;
- payment account IBAN or other identifier.
If the Financial Supervisory Authority has exempted a credit institution from the obligation to maintain a data retrieval system as referred to in section 4(1), the following data are to be stored in the Bank and Payment Accounts Register:
- full name, date of birth and Finnish personal identity code or, if lacking, citizenship of the account holder and the person authorised to use the account or, if the account holder is a legal person, its full name, registration number, date of registration and registration authority, start and end date of the customer relationship as well as all parties authorised to use the account and the information on them referred to above regarding natural persons (29.10.2020/730);
- full name, date of birth and Finnish personal identity code or, if lacking, citizenship of beneficial owners referred to in Chapter 1, sections 5–7 of the Anti-Money Laundering Act;
- IBAN or other unique identifier of the bank and payment account, as well as the opening and closing dates of the account;
- full name, date of birth and Finnish personal identity code or, if lacking, nationality of the lessee of the safety deposit box and of the person authorised to use it or, if the lessee is a legal person, the full name, registration number, date and registration authority, as well as the specifying details on the safety deposit box, and the duration of the lease period.
As for reserve accounts administered by an attorney, specific information on the bank or payment account being a reserve account with a client’s assets administered by an attorney and covered by the attorney’s obligation of secrecy must be indicated in connection with such accounts. Information on reserve accounts must not be disclosed via the register, only the information that the account in question is a reserve account with a client’s assets administered by an attorney as well as which attorney’s reserve account is in question.
Via the aggregating application, Customs transmits above-mentioned data stored in the Bank and Payment Accounts Register as well as data from data retrieval systems referred to in section 4 of the Act on the Bank and Payment Accounts Control System to the competent authority that made the information request.
Personal data storage and deletion periods
Personal data stored in the Bank and Payment Accounts Register are deleted after ten years from the expiry of the grounds for entering the data in the Register.
The processing of personal data in the aggregating application is automatic. The data supplied via the aggregating application must be deleted from the application as soon as the data has been supplied.
The log data are kept for the current year and the following five years, except if they are needed for a pending supervisory matter.
The data subject’s right of access
Bank and Payment Accounts Register
The data subject’s right of access covers the data in the Accounts Register database.
The data subject does not have access to data or right of access, when data is processed in the aggregating application.
The exercise of the rights of the data subject via the Data Protection Ombudsman is provided for in section 29 of the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security (1054/2018) and in section 34 of the Data Protection Act (1050/2018). A request for the exercise of the rights must be made to the Data Protection Ombudsman or to Customs in accordance with section 35(2) of the Act on the Processing of Personal Data by Finnish Customs (650/2019). A request made to Customs must be submitted to the Data Protection Ombudsman without delay.
Contact person of the data controller and additional information:
Mr Esko Hirvonen