Data Protection & GDPR
General Data Protection Regulation and its implications for business information services
Overview
The General Data Protection Regulation (GDPR), applicable since 25 May 2018, replaced the Data Protection Directive 95/46/EC and harmonises data protection law across the EU. It grants individuals rights over their personal data, including access, rectification, erasure (the 'right to be forgotten'), data portability, and the right to object to processing. The GDPR sets out the principles that govern all processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, meaning the controller must be able to demonstrate compliance. It applies not only to organisations established in the EU but also to entities outside the EU that process personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behaviour.
Key Points
1. The GDPR grants data subjects rights including access, rectification, erasure, data portability, and the right to object to processing.
2. Organisations must have a legal basis for processing; legitimate interest is a key ground for B2B credit information services.
3. The GDPR applies to organisations outside the EU that process personal data of data subjects in the EU in connection with offering goods or services or monitoring behaviour.
4. Where consent is the legal basis, it must be obtained in clear, plain language with explicit disclosure of the purpose and scope of the data processing.
5. Some legislative trends promote more open data (Open Data policies, the PSI revision, the Capital Markets Union) while the GDPR restricts access, particularly to data on sole traders.
6. Clarification is needed: natural persons acting in a business capacity should be treated equally to legal persons in all relevant legislation.
FEBIS Position
Business information providers are committed to supporting the GDPR evaluation. FEBIS strongly recommends a clarification based on the capacity in which a natural person interacts with creditors and financial institutions: natural persons acting in a business capacity should be treated as equal to legal persons in all relevant legislation. It is the capacity in which an individual interacts that should determine data access: private for private capacity, available for legitimate re-use for business capacity. While FEBIS values the GDPR's role in fostering trust in digital transactions, we stress that the GDPR considerably restricts access to data on sole traders, creating tension with other legislative trends that promote open data and a Digital Single Market.
Implications for Members
- Legal requirements for processing personal data are mandatory; compliance is non-negotiable for all members.
- Legitimate interest remains a valid and essential legal basis for B2B credit information processing, subject to the balancing test.
- The treatment of sole traders and natural persons acting in a business capacity requires ongoing monitoring and advocacy.
- International data transfer mechanisms need regular review given regulatory developments, including the post-Schrems II requirements.
- Coherence between the GDPR and other data legislation (Open Data, the Capital Markets Union, the PSI revision) must be maintained.
- Staff training on data protection obligations should be regular and comprehensive across all member organisations.
Legitimate Interest in Practice
For business information providers, legitimate interest (Article 6(1)(f) GDPR) is a crucial legal basis for processing. Relying on it requires a three-part assessment, and under the accountability principle the outcome should be recorded so that it can be produced on request by a supervisory authority or a data subject:
Purpose test
Identify the legitimate interest being pursued by the controller or by a third party.
Necessity test
Assess whether the processing is necessary to achieve that interest, and whether the same result could be achieved in a less intrusive way.
Balancing test
Weigh the interest against the data subject's interests, rights and freedoms, taking into account what the data subject would reasonably expect; if the data subject's rights override the interest, legitimate interest cannot be relied upon.
Key Dates
25 May 2018: GDPR application date
16 July 2020: Schrems II judgment
June 2021: New Standard Contractual Clauses (SCCs) adopted
Ongoing: Regulatory guidance updates
