The Swedish Data Protection Board (“DPB”) has investigated the Swedish banks’ compliance with the provisions of the Swedish Personal Data Act (“PDA”) following complaints from the public about the processing of excerpts from the banks following requests from registered persons. The result of the investigation has been published in the Data Protection Board Report 2004:3 (the “Report”).
The basic principle is that data controllers are, upon request from a natural person, obliged to provide a processing excerpt with information of whether personal data is processed or not. Even though the PDA states that such requests must be made in writing and be signed by the person making the request, some banks accepted requests made by e-mail. The processing excerpt should contain written information about which information is processed and for what purpose, where the information has been collected and to whom it has been disclosed. The information shall be provided within one month, or if there are special reasons for doing so, not later than four months from the request.
30 banks doing business in Sweden were investigated by being asked to answer a questionnaire of which 29 banks provided their answers. More than half of the banks stated that they had not received any requests for processing excerpts during the year 2002 and only five banks had received more than twenty requests during that same time. The bank having received the most requests received 370 requests in total.
In the Report the DPB among other things makes an in-depth explanation of how the provisions in the PDA are to be interpreted in the relationship between banks and their customers. According to the Report, approximately half of the banks made digital recordings of the telephone calls between the bank and the customer but only half of those banks informed the customer about such recordings in the processing excerpt. The DPA clearly stated that recordings made digitally should be included in the processing excerpt. Also if the customer requests a copy of the recording such a copy should be provided by the bank. It is not clear from the Report which provision in the PDA the DPB refers to when it imposes the obligation on the banks to produce a written copy of recorded telephone conversations to the customer.