On the institute of banking secrecy
I. General rules
1. What banking secrecy protects
Pursuant to Article 38(1) of the Act on Banks, banking secrecy applies to all banking transactions and monetary services of banks, including account balances and deposits.
It is clear from the purpose of banking secrecy and the formulation of exceptions that only bank information from which a bank client can be directly or indirectly identified or the fact that a person is a bank client can be established is protected (see below for the definition of the term bank client, which can be quite broad in this context).
In addition to information on specific banking transactions, banking secrecy protection applies to account balances, as well as any information related to banking transactions or a client’s assets managed by a bank, information about the holder of a payment card issued for the relevant client account, information about a client’s personal situation obtained in the context of the relationship with the client, information about a client’s ID number, if allocated, a client’s financial circumstances, fingerprints and other biometric data, if available to the bank, any video recording of the client (see below) and any other information from which a client of a bank can be directly or indirectly identified or from which the fact that a person is a client of a bank can be established.
In addition to the above, it should be noted that if data protected by banking secrecy contain the personal data of natural persons, data protection legislation, in particular the GDPR, also applies in addition to banking secrecy under the Act on Banks (cf. Article 37(2) of the Act on Banks, which regulates the legal title of the processing of personal data for the purposes of banking transactions[1]). Certain information may also be protected as a trade secret, by contractual agreement, etc. A bank must comply with all related obligations, subject to the proviso that the public law obligation to provide information prevails over any derogating contractual arrangement.
In the case of banks obliged to provide information under the Act on Free Access to Information (especially state-established and controlled banks), the protection of banking secrecy constitutes an additional exemption from the obligation to provide information.[2]
2. When can a bank disclose data protected by banking secrecy to a third party?
A bank may disclose data protected by banking secrecy to a third party only in cases where the law expressly provides for such disclosure or where the client agrees to such disclosure.
A. Legal exceptions from banking secrecy
Articles 38(2), 38(3), 38(4), 38(5), 38(6), 38(8), 38(9), 38(11), 38(12) and 38b of the Act on Banks define exceptions from banking secrecy, i.e. cases in which the provision of data protected by banking secrecy by a bank without client consent is not a violation of a legal obligation. In particular, this involves the provision of data protected by banking secrecy to a person responsible for banking supervision or supervision of compliance with AML/CFT regulations[3], to law enforcement authorities in relation to the filing of a criminal complaint, or to certain other public authorities.[4]
Furthermore, this includes cases of providing certain data protected by banking secrecy for the purpose of enforcement of a decision or to a person who proves that they have suffered damage as a result of their own erroneous disposition to a bank or a branch of a foreign bank, and cases of providing certain data to another payment service provider as part of the prevention of payment fraud.
A bank is also not in violation of the law if it provides information protected by banking secrecy because it is obliged to do so under the laws of another state where it does business (in effect, this exception may be broader than an exception within the Czech Republic; equivalence of the foreign legal regulation is not required for the exception to apply).
The Act on Banks also regulates an exception from banking secrecy for the purposes of supervision on a consolidated basis or supplementary supervision, and for the purposes of compliance with prudential rules (see Article 38b of the Act on Banks); such an exception also applies in relation to the transfer of information protected by banking secrecy to members of a bank’s group for these purposes.
Although the list of exceptions from the Act on Banks should be exhaustive, legal regulation in other acts cannot be completely excluded if they clearly regulate a bank’s obligation to provide certain data or the authority of the competent authority to request data protected by banking secrecy. Such an additional exception from banking secrecy is represented, for example, by the Act on International Cooperation in Tax Administration in Article 13k, or the Act on Personal Data Processing in Article 58(1).
A specific case of an exception from banking secrecy is further set out in Article 3(2)(o) of the Act on the Register of Contracts, pursuant to which a disclosure obligation applies in the case of a contract between a bank and a person referred to in Article 2(1) of the Act on the Register of Contracts that concerns the use of public funds. This does not exclude that some information contained in such a contract is nevertheless not disclosed in the register for reasons pursuant to Article 3(1) of the Act on the Register of Contracts (e.g. for the protection of trade secrets within the meaning of Article 504 of the Civil Code).[5]
Another specific exception case is transfer to another person through which a bank carries out an activity that the bank would otherwise provide itself (outsourcing) (see below).
In relation to the specific purpose (protection of the health or life of the population in emergencies), the authorization for certain authorities to issue emergency measures in the event of an epidemic and the risk of its occurrence can be considered another exception.[6] However, this always depends on the formulation of the specific measure and the specific request to the bank.
A bank may also disclose information subject to banking secrecy to the extent necessary to a court in legal proceedings related to the exercise of its right to judicial protection. A bank may use not only data about a person who is a party to the proceedings, but also data about other persons, if this is useful in the context of evidentiary proceedings.[7]
B. Client’s consent to the transfer of data protected by banking secrecy
General
Article 38(1) of the Act on Banks expressly provides that a bank may disclose client data subject to banking secrecy upon the client’s request or with the client’s consent.[8] If a client consents to the provision of data held about them, nothing prevents a bank from granting such a request.[9]
Client consent may be given in general, for all cases of a certain kind (for example, for the purpose of assigning a claim against the client if the client defaults on an obligation), or it may relate only to a particular case (for example, for the purpose of a specific request by a police authority under Article 8(1) - not Article 8(2) - of the Criminal Code).[10]
A client may present their consent directly to a bank; however, a client’s consent may also be presented to a bank by a third party. However, if a bank insists on the client’s consent being presented by the client himself or herself, this is not in violation of the Act on Banks. Within the limits of the contract with a client, it is a bank’s right to assess what procedure it considers sufficiently prudent in terms of documenting consent (Article 12 of the Act on Banks), and a bank cannot be reproached for being more prudent from the perspective of the Act on Banks.
Form of consent
The Act on Banks does not regulate the form or other details of a client’s consent to the disclosure of their data protected by banking secrecy to a third party. A client’s consent must always meet the general requirements for legal acts set out in the Civil Code (i.e., the requirements for freedom of will, seriousness, certainty and clarity of the legal act).[11] The client’s consent must clearly indicate to whom the data will be transferred, the scope of the data transferred and the purpose for which the data will be processed by the third party.[12] It can be considered prudent within the meaning of Article 12(1) of the Act on Banks for the consent to be in writing and given in such a way that there is no doubt as to its authenticity, i.e. it is usually associated with reliable identification of the client.
The client’s consent may take the form of a unilateral legal act. It may also be part of the contractual arrangement between a client and a bank, and its inclusion in the terms and conditions is not entirely excluded. In such a case, however, it must not constitute a “surprise clause” within the meaning of Article 1753 of the Civil Code. For example, it might be a surprise to the client if the consent entitles the bank to broad or even unlimited use of their data.
Other conditions for proper consent may arise from the GDPR, where it should be noted that the client’s consent to the disclosure of their data subject to banking secrecy to a third party should be distinguished from consent as a title for processing personal data under the GDPR; however, it is not excluded that in practice a client’s consent to the disclosure of their data subject to banking secrecy to a third party under the Act on Banks will also meet the conditions of consent under the GDPR.
If the client’s consent to the disclosure of information subject to banking secrecy were contained in a contract of adhesion pursuant to Article 1798 of the Civil Code, the requirements for contracts of adhesion, including the requirement for the protection of the weaker party regarding legibility and clarity pursuant to Article 1800(1) of the Civil Code, would also apply. The issue of clarity in contracts concluded in an adhesive manner with consumers has also been addressed in the past by the Constitutional Court, which explicitly touched upon the issue of sufficient legibility, clarity and logical arrangement of the text of consumer contracts. According to the Constitutional Court, the arrangement of the text is an expression of the principle of fairness, stating: “contractual clauses must be of sufficient font size, must not be significantly smaller than the surrounding text, and must not be placed in sections that give the impression of being irrelevant”.[13] Banks must comply with legal requirements and case law conclusions when including a client’s consent to the disclosure of client data protected by banking secrecy in contracts of adhesion.
3. What persons can be considered bank clients for the purposes of banking secrecy?
In the context of the banking secrecy rules, a bank client is anyone who
- has, or has had in the past, a business relationship (i.e., in principle a contract, whether written, oral or implied) with a bank, including counterparties in the interbank market; and
- who conducts or has conducted negotiations with a bank on the establishment of a business relationship (conclusion of a contract), regardless of whether the business relationship was eventually established.
Information about other persons with whom a client has a personal or business relationship will typically be protected under such client's information.[14]
Pursuant to Article 38(1) of the Act on Banks, banking secrecy applies, inter alia, to all banking transactions. Article 38(2) et seq. of the Act on Banks lists the exceptions from banking secrecy. In view of the meaning of banking secrecy, which consists in protecting the legitimate interests of persons providing banks with information about themselves, their business or their assets (i.e., in particular the interest that such information not be disclosed by the bank to other entities), it is necessary to interpret the term “client” in a broader sense than just as the designation of a person who currently has a business relationship with the bank and/or uses its services. The protection necessarily also applies to persons who have already terminated their business relationship with the bank or are still negotiating or have negotiated its conclusion.
Clients also include agents of account holders at the relevant bank authorised to dispose of the funds on the account, even if they are not a party to the relevant account agreement.
A client, i.e., a person who has or has had a business relationship with the bank or a person who is conducting or has conducted negotiations with the bank to establish a business relationship, is not only a debtor, but also, for example, a guarantor. The moment a guarantee is established, a legal relationship arises between the bank and the guarantor, in which the bank collects data subject to banking secrecy pursuant to Article 37(2) of the Act on Banks. Furthermore, it is irrelevant whether the business relationship arose directly or, for example, based on the assignment of a claim, even in the case of claims assigned to the bank in the context of factoring.
Banking secrecy applies to a bank even if a person who has an account with another bank uses one of its ATMs, since such a person is also a client of the money service provided by the bank operating the ATM.
For the purposes of protecting banking secrecy, a client is generally also considered an heir who is entitled to a right against the bank for banking secrecy relating to the deceased, a beneficiary of guarantees or a beneficial owner whose data is processed by the bank.
These conclusions are important from the point of view of client confidence in the institution of banking secrecy, but also from the point of view of sharing data on the creditworthiness and trustworthiness of clients in credit registers (Article 38a(1) and (2) of the Act on Banks). The temporary storage and sharing of data on the payment discipline of clients even after the end of the business relationship, e.g., after the repayment of a loan, is desirable not only as a warning regarding the problematic payment history of some clients, but also for credit risk management for clients with a positive repayment history who may obtain credit on more favourable terms in the future. The temporary storage and sharing of information about clients who are negotiating with the bank to establish a business relationship is important in particular to prevent the applicant from becoming over-indebted, to prevent an increase in lender credit risk in the event of a successful loan application entitling the applicant to subsequently take out loans from several banks at the same time, and to prevent credit fraud. For clients with unsuccessful loan applications, the temporary storage of their data may be important as a warning concerning their creditworthiness or trustworthiness. This interpretation is also in accordance with the purpose of Article 38a(1) and 38a(2) of the Act on Banks, which grants exceptions from banking secrecy in order that the prudential requirements of banks are met.[15]
Conversely, a person who has simply entered into a contract with a bank (e.g., a software supplier) without it being related to a banking transaction or the provision of monetary services within the meaning of Article 38(1), first sentence, of the Act on Banks, cannot be considered a client of the bank.
II. On individual exceptions from banking secrecy
4. Can a bank supplement client data in the context of disclosures to law enforcement authorities when filing a criminal complaint?
It follows from the Act on Banks that a bank is entitled to disclose information protected by banking secrecy to law enforcement authorities when filing a criminal complaint. It may also supplement information provided in a criminal complaint during the criminal proceedings.
The conditions for a lawful exception from banking secrecy in the event of a bank filing a criminal complaint are regulated by Article 38(2) of the Act on Banks, which provides: “It is also not a violation of the banking secrecy obligation to disclose information about a client and their transactions when filing a criminal complaint...” Similarly, Article 38a(6) of the Act on Banks also grants exceptions from banking secrecy, providing: “Notification by a bank or a branch of a foreign bank to the public prosecutor, police or other competent authorities of the suspicion that a crime or offence has been committed cannot be regarded as a violation of Article 38.” If a bank’s notification meets the conditions for an exception from banking secrecy set out in the Act on Banks, the bank will not be in violation of its obligation to protect banking secrecy by submitting it.
The above provisions are a response to the fact that criminal activity against a bank may pose a risk of loss to the bank and a threat to its financial stability. A bank’s ability to report suspected criminal activity by a client to law enforcement authorities enables it to reduce this risk (if a crime is successfully detected in criminal proceedings and the perpetrator is punished, the bank can also claim damages and thus reduce its loss). In some cases, a special law also expressly requires anyone who has credible knowledge of a criminal act, and therefore also a bank, to prevent or report that act.[16]
For the above reasons, it would therefore make no sense that a bank could not disclose to law enforcement authorities all information relating to alleged criminal conduct by a client, including information protected by banking secrecy, and supplement and clarify this information if necessary, and that it would have to wait for law enforcement authorities to request it to provide the information in question in accordance with Article 38(3)(b) of the Act on Banks in conjunction with Article 8(2) of the Criminal Code. Without such additional information, law enforcement authorities may not have grounds to make such a request. In addition, the Criminal Procedure Code explicitly provides in some cases that the informant provides information beyond the scope of the criminal complaint itself (Article 59(4) of the Criminal Procedure Code for oral complaints) and a criminal complaint is not a document with specific, limited formalities.
In this case, the law gives priority to the public interest in combating crime and to the bank’s interest in investigating the conduct in question over the - in this situation hardly justifiable - interest of the client suspected of having broken the law in keeping their transactions secret.
5. Is the client’s consent required for the transfer of data protected by banking secrecy to a person entrusted by the bank to perform some of its activities (outsourcing)?
A bank may transfer information protected by banking secrecy to a person who performs certain activities for the bank in the context of outsourcing, if this is necessary for the performance of those activities. The client’s consent is not required for this. However, the bank is not relieved of its obligation to protect the information transferred.
Legislation does not prevent a bank from outsourcing certain activities to another person. However, managing the associated risks and complying with other related obligations is essential.
By its nature, outsourcing may involve the transfer of data protected by banking secrecy to the outsourcing provider. However, a bank may only provide the outsourcing provider with data covered by banking secrecy for the purpose of ensuring the performance of its own activities which are the subject of the outsourcing, i.e., within the scope of the activities for the bank and within the limits of the bank’s business. In this respect, the transfer of data to an outsourcing provider differs from the exceptions from banking secrecy referred to in Articles 38(2), 38(3), 38(4), 38(5), 38(6), 38(8), 38(9), 38(11), 38(12) and 38b of the Act on Banks, where protected data are provided or disclosed to fulfil a statutory purpose other than the performance of the banking business of the bank concerned.
This conclusion is confirmed by point 17 of Annex 7 to the Decree No. 163/2014 Coll., which states: “The use of outsourcing does not relieve the obliged person of its obligations and responsibilities towards the competent supervisory authorities and other persons for the activities it carries out in this way, in particular its obligations..., (b) to protect personal data and other information subject to protection, in particular trade secrets, banking secrets...”
Also, point 19 of Annex 7 to the Decree No. 163/2014 Coll. provides: “... the obliged person shall take all appropriate measures to prevent any deficiency or damage during outsourcing as a result of a violation of its obligations, in particular shall avoid the unauthorised disclosure or use of any information relating to the client and subject to protection which is available to the outsourcing provider.”
Furthermore, pursuant to point 37(d) of Annex 7 to the Decree No. 163/2014 Coll., the contract between the bank and the outsourcing provider must also contain “the terms and conditions for the security of the protected information, in particular if the outsourcing provider comes into contact with confidential or other protected information about the obliged person or its clients, including the clear obligation of the outsourcing provider to handle the protected information appropriately.”
Furthermore, pursuant to Article 40(1) of the Decree No. 163/2014 Coll.: “An obligated person shall implement and maintain policies and procedures to evaluate and influence the level of operational risk undertaken, including model risk and outsourcing risk and including the consideration of significant but infrequent events...”
For the above reasons, client consents are not required for the transfer of data under “outsourcing”.[17] However, the bank is contractually obliged to ensure the outsourcing provider provides the same, or to the maximum extent possible comparable, level of confidentiality as it is obliged to provide, and is also responsible for the result - for the protection of client data protected by banking secrecy, both in private and public law.[18]
6. Can a bank transfer its clients’ data to another business for the purpose of offering its products (i.e., not the bank’s products)?
No, except where the client gives consent.
A bank may only transfer data protected by banking secrecy to another business for the purpose of offering its products with the client’s consent. This conclusion applies generally in relation to any third party and its products and services. See above for the form of consent.
7. Is banking secrecy an obstacle to the assignment of a bank’s claim against a client?
The assignment of a claim against a client is not a violation of banking secrecy if the information is disclosed in the assignment for the purpose of fulfilling prudential requirements or with the client's consent. If a bank does not have sufficient prudential reasons or the client’s consent, the assignment must be performed in such a way that data protected by banking secrecy are not disclosed during the assignment.
As regards the situations in which a bank commits a violation of banking secrecy when assigning a claim, Article 38b of the Act on Banks is of key importance, stating, inter alia, that “information that is otherwise subject to banking secrecy may be disclosed by a bank if it is necessary... for the purposes of complying with prudential business rules.” Therefore, the disclosure of data protected by banking secrecy is permissible if a bank has reasons for doing so based, inter alia, on the duty to act prudently (Article 12(1) of the Act on Banks).[19] Such reasons may include, for example, managing the bank’s liquidity and reducing or eliminating the risk of default or recovery costs. Whether the assigned claim is already overdue or has not been duly paid is not a condition.[20] Prudential reasons may relate to a specific claim or to a portfolio of claims.
However, in view of the fact that the banking relationship is a specific business relationship, a bank cannot assign claims in such a way that it discloses information protected by banking secrecy without any limits (it is not relevant whether the disclosure is to another bank, a non-banking assignee or another person). Cf. the commentary to Article 38 of the Act on Banks: “In this context, however, the view that a bank is essentially unrestricted in the handling of its claims against its clients cannot be unquestioningly endorsed; we consider that in all cases it will be necessary that the bank’s actions should not be contrary to the legitimate expectations of a rational client, and that there should not be a violation of the relationship of mutual trust and confidence as established”.[21] Without the client’s consent, data protected by banking secrecy may only be disclosed in connection with assignments of claims where there are sufficiently clear prudential reasons for their assignment.
It should be added that neither the Act on Banks nor other regulations link the assignment of a bank’s claim under a loan agreement that results in a violation of banking secrecy with the sanction of the invalidity of such assignment. The Supreme Court confirms this: “[From] the point of view of possible considerations of the consequences of an unauthorised violation of banking secrecy through a contractual assignment of a claim, it is clear that the remedy for that situation is not the sanction of the invalidity of the contract for the assignment of the claim. Where such a situation arises, it is therefore fully justified to consider liability issues rather than to override the validity of successor contracts.”[22] German case law comes to a similar conclusion.[23] A violation of banking secrecy does not therefore affect the validity of the assignment of a claim; however, it may meet the characteristics of an offence and at the same time be grounds for compensation for damage.
8. Is a bank obliged to comply with a request from an authorised person pursuant to Article 38(3) of the Act on Banks to provide information about the bank’s clients defined only by geographical determination?
A bank is obliged to provide information to authorised public authorities about client matters defined in other than a nominal way, e.g., by geographical designation, if
- a special regulation does not require otherwise (e.g., when disclosing information in the context of execution proceedings, the obliged person must be identified); and
- the requesting authority specifies the clients concerned with sufficient specificity so that they can be reliably identified (e.g., as a specific legal person established at a specific address).
At the same time, the definition of the subject matter of the request for information should comply with the general fundamentals and principles expressed in the regulations under which the public authority is requesting the information.
Pursuant to Article 38(3) of the Act on Banks in fine, a written request from a public authority must contain information enabling the bank to identify the matter in question, but identification by client name or company name or otherwise individualized identification is not required. It is therefore possible for a public authority to define the matter in question, e.g., by reference to a particular territory. In practice, the bank will always be able to trace the data on clients (account holders) on the basis of geographic identification, as it is obliged to ascertain the registered office or domicile as part of the identification pursuant to Article 41c(3) of the Act on Banks and Article 7 AMLA.
The above conclusions can be applied, for example, in the framework of Article 38(3)(c) of the Act on Banks, which implies that the bank will provide a report on the client’s affairs subject to banking secrecy to tax administrators even without the client’s consent upon written request and under the conditions of Article 57 of the Tax Code (for completeness, we note that Article 57(3) of the Tax Code defines the scope of data that a tax administrator is entitled to request from a bank in its capacity as a third party pursuant to Article 22 of the Tax Code[24]; Article 5 of the Tax Code[25] is also applicable). Therefore, a bank is obliged to provide data about a client at the request of a tax administrator even if the tax administrator defines the data geographically, if this definition is sufficiently certain. However, if the request was, e.g., for information “on all clients from [a particular municipality]”, it is not clear who exactly the applicant has in mind. Such a request would probably not meet the requirement of certainty, and the bank should therefore ask the requesting authority to specify the identification of the client base with sufficient certainty.
If a request is made in a very general manner, this may also raise concerns that it is an inadmissible “fishing expedition”, which has been adjudicated by Czech and EU courts at least for some areas with reference to the general principles of the rule of law.[26] However, in individual cases it would be necessary to assess this issue in the light of the specific application and its circumstances.[27]
9. Is information contained in CCTV footage that shows a specific person at a bank workplace or at an ATM during a transaction protected as banking secrecy?
Information in footage that captures a client at a bank workplace or at an ATM during a transaction is protected by banking secrecy.
However, there are specific cases where the relationship of a specific person to the bank is not clear from the footage. Examples include footage of a passer-by illegally taking a forgotten amount of cash or the unauthorised use of a means of payment. Such footage - to the extent that it does not obviously record the provision of services to clients - is not protected by banking secrecy.
CCTV footage may originate from a bank’s premises or from the premises of an ATM. CCTV footage from the premises of a bank (e.g., when a specific person communicates with employees at the workplace) may enable the determination of whether the person in question is negotiating or concluding a banking transaction or already has a business relationship with the bank.
Generally, a bank is not entitled to disclose whether a particular person is its client without a relevant exception from banking secrecy, and therefore CCTV footage from which a client relationship could be inferred must be protected. Information contained in CCTV footage that captures a client at a bank workplace is therefore subject to banking secrecy.
However, persons who enter a bank’s premises or approach an ATM without the intention of using banking services, but to commit illegal activities, cannot be considered clients. In obvious cases that do not simultaneously depict other clients, the relevant part of the footage can be shared without meeting the conditions for an exception from banking secrecy. However, if there is any doubt as to whether the footage is protected by banking secrecy, it is appropriate to apply the conditions of banking secrecy.
CCTV footage that captures a specific person at an ATM making a transaction is another matter. Withdrawing money from an ATM or depositing money into an ATM operated by a bank is a monetary service and all circumstances surrounding the provision of such services are protected by banking secrecy. CCTV footage of a person using a payment card issued by a payment service provider other than the bank operating the ATM used is also subject to banking secrecy. Thus, it can be concluded that the information contained in CCTV footage that captures a client at an ATM operated by a bank during a transaction is subject to banking secrecy.
The aforementioned CCTV footage is subject to the protection of banking secrecy, and therefore the bank is not entitled to hand over such CCTV footage to law enforcement authorities without meeting the legal conditions (in this case, the conditions pursuant to Article 8(2) of the Criminal Procedure Code and Article 38(3)(b) of the Act on Banks). A bank may further transfer such data in connection with a criminal complaint filed by the bank itself.
If it is technically feasible and the matter cannot be delayed, CCTV footage from a bank’s premises or an ATM can be edited, or a segment may be made from it that does not show (other) bank clients, and the edited footage can be shared without meeting the conditions for an exception from banking secrecy (for example, in situations where a crime is committed on the bank’s premises and it is necessary to immediately obtain a recording of the perpetrator’s image for the purposes of the investigation).
On the other hand, CCTV footage of the theft of forgotten money from an ATM by an unspecified person is not protected by banking secrecy since the mere fact that someone finds forgotten money at an ATM does not say anything about his or her relationship with the bank. Therefore, in such a case, the bank can provide footage of the finding (or theft) of money without violating banking secrecy. The bank would be obliged to provide such footage even if, for example, it knew from an earlier part of the footage that the person who stole the found money was its client, since the subsequent part of the footage does not in itself meet the conditions for protection of banking secrecy. If the exception conditions for filing criminal complaints are met[28], the footage can be submitted in this mode as well.
10. In connection with a request from a public authority, can a bank provide - without the client’s consent - information beyond the scope of the request?
No. By disclosing information subject to banking secrecy beyond the scope of a request from an authority or person pursuant to Article 38(2), 38(3), 38(4), 38(5), 38(6) and 38(11) of the Act on Banks, or Article 38b of the Act on Banks, a bank commits a violation of the obligation to maintain banking secrecy if it does not obtain the client’s consent for such disclosure of information beyond the scope of the request or if another of the statutory exceptions from banking secrecy does not apply.
If a public authority or a person pursuant to Article 38(2), 38(3), 38(4), 38(5), 38(6) and 38(11) of the Act on Banks requested information about a client’s bank accounts, e.g., from the period from 2005 to 2015, but the bank provides information about the client’s accounts that the client opened only in 2016, this would not be a disclosure of information on the basis of a request from the relevant authority or person. The bank would therefore be acting in violation of the law.
Yet there are exceptions. One example of an exception to this rule is the supplementation of a criminal complaint by the bank (see above).
11. What are the deadlines for dealing with requests from public authorities?
As a rule, the deadlines for the processing of requests from public authorities are set by the relevant special laws establishing the right of a particular public authority to request information from a bank. The deadline may also be set in the actual calls for information. If no binding deadline is set, the deadline is generally deemed to be ‘without undue delay’.
The deadlines for the processing of a request by a public authority for information protected by banking secrecy within the meaning of Article 38 of the Act on Banks are not regulated by the Act on Banks, yet they may be set through relevant special laws establishing the right of a particular public authority to request information from a bank (e.g., pursuant to Article 8(1) of the Criminal Procedure Code, public authorities, legal persons and natural persons are obliged to comply without undue delay with requests from public authorities in the performance of their tasks; a similar deadline is required for the provision of cooperation by third parties pursuant to Article 34(2) of the Enforcement Code; however, Article 24g(5) of the Act on Consumer Protection, for example, assumes the immediate provision of information by a bank). The deadline may also be set in the actual calls for information. If no binding deadline is set, the deadline is generally deemed to be ‘without undue delay’.
Although the deadline ‘without undue delay’ does not directly determine the specific point in time at which action is to be taken, it is clear that any delay in action that does occur must be examined to determine whether it is necessary, taking into account the particular circumstances of the case.[29]
In order to avoid the need for the cooperation provider/bank to carry out a documented analysis of the time needed to process each request from public authorities, it may be considered reasonable to require internal standardisation of those operations where this is applicable, including in terms of the deadlines for their execution.
A bank should also regulate, in its internal regulations, the procedures and processes for providing cooperation to the competent authorities in relation to granting exceptions from banking secrecy. It should likewise ensure the maintenance of efficiently set up records containing accurate data (in particular the identification of the requesting authorities, the date of receipt of requests, the deadlines for processing and the deadlines for fulfilling requests); automatic processing (based on the evaluation of “keywords” in incoming requests) is appropriate. Furthermore, if records are processed manually, the four-eyes principle should be introduced. The system should verify that deadlines are met. The system should alert an employee when the relevant internal deadline is about to expire.[30]
The area of compliance with internally established deadlines, as well as the whole area of providing cooperation to the competent authorities involving granting exceptions from banking secrecy, should be subject to regular audits to confirm that the bank in question has set up the entire process for processing requests from public authorities accordingly. It should be noted that failure to submit a report on client matters (or to submit one in less than the required scope) that are subject to banking secrecy upon written request from authorities and persons pursuant to Article 38(3) to 38(6) and 38(8) of the Act on Banks is an offence within the scope of authority of the CNB (in addition to the possibility of sanction under regulations governing the procedures of the recipient of the information, e.g., in the form of a fine imposed on the bank by a law enforcement agency pursuant to Article 66 of the Criminal Procedure Code).
12. What data can a bank provide to a tax administrator?[31]
The scope of data that a bank may provide to a tax administrator depends on its status under the Tax Code. However, it is always necessary to comply with the principle of proportionality pursuant to Article 5 of the Tax Code when providing information.
Pursuant to Article 38(3)(c) of the Act on Banks, a bank is obliged to provide information covered by banking secrecy to a tax administrator “under the conditions provided for in the Tax Code”. The conditions provided for in the Tax Code vary depending on whether the bank is a third party pursuant to Article 22 of the Tax Code[32], or a taxpayer pursuant to Article 20 of the Tax Code[33].
If a bank has the status of a third party pursuant to Article 22 of the Tax Code, the Tax Code sets out the conditions for such provision in Article 57(3) of the Tax Code, and the bank may thus provide a tax administrator only with the data listed exhaustively in this provision.[34] In addition, the bank, as a third party pursuant to Article 22 of the Tax Code and as an obliged person pursuant to Article 57a AMLA, is also obliged to provide the tax administrator, upon request, with the information concerning a specific client listed exhaustively herein.[35]
If a bank has the status of a tax subject, there is no similar exhaustive limitation[36], however the conditions for the provision of information result, inter alia, from Article 5 of the Tax Code. The provision of information covered by banking secrecy impacts clients’ rights to the protection of their information by banking secrecy, and the clients are thus in the position of a third party pursuant to Article 22 of the Tax Code. According to the principle of proportionality expressed in Article 5(3) of the Tax Code, a tax administrator is obliged to protect the rights and legally protected interests of third parties (in this case, the bank’s clients). Banks with the status of a tax subject should, when providing information to a tax administrator, minimize any impacts on the interests of clients protected by banking secrecy.[37] In this context, it thus seems appropriate that when requesting information about a wider range of clients, only the minimum necessary information should be provided (e.g. using anonymisation) and more detailed information on selected clients should be provided to the tax administrator following a more targeted request.[38] It is also good practice to define a control sample, etc.
For the sake of completeness, it may be added that information that is not covered by banking secrecy, such as information on a bank’s own management or internal procedures (see Part 1 of the Opinion), is disclosed by the bank under the conditions of the Tax Code, outside the regime of banking secrecy under the Act on Banks.
---------
[1] Article 37(2) of the Act on Banks, first sentence, requires banks to obtain and process data on persons, which in the case of clients who are natural persons are also personal data, for the purposes of banking transactions. Banks therefore derive the legal title for the processing of the personal data directly from the Act on Banks, while banks must comply with the general legal regulation (GDPR) when processing these personal data.
[2] Cf. e.g. decision of the Municipal Court in Prague No 6 A 84/2012 - 43 or points 9 and 11 of the explanatory memorandum to Act No 222/2015 Coll., amending the Act on Free Access to Information.
[3] Measures against money laundering and the financing of terrorism (Anti-Money-Laundering / Countering the Financing of Terrorism).
[4] Article 38(3) of the Act on Banks thus obliges a bank to provide such data to, for example, a court for the purposes of civil proceedings, law enforcement authorities under the conditions provided for by a specific law, tax administrators under the conditions provided for in the Tax Code, and a financial arbitrator deciding a dispute under a special legal regulation.
[5] Article 3(1) of the Act on the Register of Contracts: “Information that cannot be provided under a procedure pursuant to the regulations governing free access to information will not be disclosed through the register of contracts.”
[6] Article 69(1)(i) and (2) of Act No 258/2000 Coll., on the protection of public health and on amendments to certain related laws, as amended (authorisation to “order certain other activities to eradicate an epidemic or the risk of its occurrence”, and only “to the extent strictly necessary”).
[7] Smutný, A., Pihera, V., Sýkora, P., Cuník, T. Zákon o bankách [Act on Banks]. 2nd edition. Prague: C. H. Beck, 2019, p. 740, states with regard to Article 38 “(an)other case will be situations where disclosure of information subject to banking secrecy is necessary to protect the legitimate interests of the bank. This will be the case not only when the bank asserts its rights against a client (for example through a lawsuit), but also in practice relatively frequent cases - the assignment of an overdue claim against a client for the purpose of its recovery by a third party.”
[8] On exceptions from confidentiality pursuant to Article 38(3) of the Act on Banks (in its wording before the amendment through Act No 338/2020 Coll.), e.g. Liška P., Dřevínek K., Elek Š., Kotáb P., Rýdl T., Zákon o bankách. Komentář [Act on Banks. Commentary], Prague: Wolters Kluwer ČR, a. s., 2016, on page 517 states: “The condition without which the provisions of this paragraph cannot be applied (condicio sine qua non) is the absence of the client’s consent to the disclosure of the data. If the client consents to the disclosure of a report concerning their affairs, this will relieve the bank of its obligation to observe banking secrecy in this matter. The effects of the client’s consent can only be applied to a matter concerning the client; if the requested data exceed this scope, part of the request will have to be refused.”
[9] The amendment to the Act on Banks and Act No 87/1995 Coll., on Credit unions and certain related measures and on the amendment of Act of the Czech National Council No 586/1992 Coll., on Income Taxes, as amended (Act No 338/2020 Coll.), with effect from 1 October 2020, made it clear that a bank may submit a report on matters concerning a client that are subject to banking secrecy upon the client’s request or with the client’s consent.
[10] Article 8(2) of the Criminal Code provides for a special procedure for requesting information subject to banking secrecy in criminal proceedings, i.e., a procedure for information protected by banking secrecy. Information provided by a bank at the request or with the consent of a bank client is equivalent to information provided by the client himself or herself in terms of protection by banking secrecy.
[11] See Article 551, Article 552 and Article 553 of the Civil Code.
[12] E.g., point 37 of decision by the CNB Bank Board on appeal No 2019/70086/CNB/110 of 20 June 2019, available in Czech here: “If Articles 38(2) to 38(4) and 38(6) of the Act on Banks indicate to whom the bank will disclose information subject to banking secrecy without the client’s consent and for what purpose (i.e., such information cannot be disclosed to anyone other than the entities specified therein), then it is logical that a similar approach must be applied in the case of the client’s consent to the disclosure of data subject to banking secrecy, since the client, as the directly affected entity, has the right to know to whom and what data concerning their person are to be disclosed with their consent.”
[13] Point 29 of ruling I. ÚS 3512/11 of 11 November 2013.
[14] In the case of natural persons also based on Article 37(2), but Article 38(1) is more general and applies to all information on banking transactions, including related information on legal persons (e.g., a person controlling an applicant for a loan).
[15] Other aspects related to credit registers are a separate issue (e.g., the period for which credit registry administrators can store and share information on completed or uncompleted business relationships). Their assessment is primarily the responsibility of the Office for Personal Data Protection.
[16] See Article 367 of the Criminal Code [failure to prevent a crime] and Article 368 of the Criminal Code [failure to report a crime].
[17] See also CNB Decision No 2019/33039/570 of 22 March 2019, available in Czech here.
[18] Article 20(5) of Act No 250/2016 Coll., on Liability for Minor Offences and their Proceedings, Article 2914 of the Civil Code.
[19] The issue of conflict between the bank’s duty to observe banking secrecy and the bank’s duty to act prudently is also raised by the Supreme Court in the judgment, file No 29 Odo 1613/2005: “The Act on Banks also requires banks to act prudently and to protect the assets of all their clients (cf. in particular Part Four of this Act). When fulfilling this obligation, a bank cannot be deprived of the possibility to rid itself of a risky claim in the interest of its other clients in a situation where the debtor is in exception of the obligation to repay the claim just to protect the individual interest of such debtor through the institution of banking secrecy.”
[20] Smutný, A., Pihera, V., Sýkora, P., Cuník, T. Zákon o bankách [Act on Banks]. 2nd edition. Prague: C. H. Beck, 2019, p. 766, cites as examples of the fulfilment of Article 38b “if the bank assigns a threatened or non-threatened claim where this is necessary for the management of the bank’s liquidity.” Commentary Liška P., Dřevínek K., Elek Š., Kotáb P., Rýdl T., Zákon o bankách. Komentář [Act on Banks. Commentary], Prague: Wolters Kluwer ČR, a. s., 2016, on page 530 states along the same lines, only more generally, that Article 38(b) “permits a rather expansive interpretation.”
[21] Smutný, A., Pihera, V., Sýkora, P., Cuník, T. Zákon o bankách [Act on Banks]. 2nd edition. Prague: C. H. Beck, 2019, p. 748.
[22] Judgment of the Supreme Court, file No 29 Odo 1613/2005.
[23] The Federal Court of Justice, in its judgment of 27 February 2007, file No: XI ZR 195/05, states: “Der wirksamen Abtretung von Darlehensforderungen eines Kreditinstituts stehen weder das Bankgeheimnis noch das Bundesdatenschutzgesetz oder das Recht auf informationelle Selbstbestimmung entgegen” (translation: Banking secrecy, the Federal Data Protection Act and the right to informational self-determination do not prevent the effective assignment of claims by a credit institution).
[24] See also judgment of the Supreme Administrative Court (SAC) 4 Afs 177/2016 - 35, in which the SAC states, inter alia, that “a tax administrator has the right to provide only information expressly listed in Article 57(3) of the Tax Code.”
[25] See Article 5 of the Tax Code: “A tax administrator exercises its authority only for those purposes for which it has been entrusted to it by law or on the basis of the law, and within the scope in which it has been entrusted... A tax administrator shall protect the rights and legally protected interests of taxpayers and third parties ...”
[26] Among others, decisions of the Court of Justice of the European Union (or its predecessor) Dow Benelux NV v Commission, Case 85/87, and HeidelbergCement v Commission, C-247/14.
[27] Among others, decision of the Supreme Administrative Court, file No 3 As 252/2016: “if the supervision is carried out at a stage when the administrative authority is only ascertaining indications as to whether a violation of the law is taking place at all, it usually has no knowledge of a specific violation of the law (and, as explained above, it does not necessarily have to have any), then it is logically impossible for it to communicate to the subject from whom it requests cooperation the specific suspicions that are the subject of its interest.”
[28] Article 38(2), third sentence of the Act on Banks (“The disclosure of information about a client and their transactions when filing a criminal complaint is also not a violation of the duty of banking secrecy”). See also question 4 above.
[29] Judgments have been consistently issued for various areas of law – for substantive private law, e.g., Constitutional Court, file No IV. ÚS 314/05, or Supreme Court, file No 32 Cdo 2484/2012, for public procedural law e.g., Supreme Court, file No 30 Cdo 530/2014 or Supreme Administrative Court 9 Afs 22/2010, etc.
[30] The rules set out here follow on from the general requirements in Article 10(3)(a) of the Decree (“For the purposes of fulfilling the presumption of good administration and management through the application of sound procedures, the obliged person shall always (a) comply with in its activities and incorporate in its internal regulations 1. legal obligations and...”).
[31] The above interpretation is without prejudice to explicit obligations to provide certain information to a tax administrator, see e.g., the above obligation pursuant to Article 13k of the Act on International Cooperation in Tax Administration.
[32] I.e., “persons, other than tax subjects, who have rights and obligations in the administration of taxes or whose rights and obligations are affected by the administration of taxes”.
[33] It is irrelevant whether they are actually a tax subject or have this status on the basis of a fiction (e.g., Article 13f of the Act on International Cooperation in Tax Administration: “A reporting Czech financial institution and a non-reporting Czech financial institution have the status of a tax subject for the purposes of this Act.”).
[34] See the above-quoted judgment of the Supreme Administrative Court 4 Afs 177/2016 - 35.
[35] Article 57a of the Tax Code is a transposition provision implementing Council Directive (EU) 2016/2258 of 6 December 2016 amending Directive 2011/16/EU as regards access to anti-money-laundering information by tax authorities (DAC 5).
[36] See the commentary literature on the scope of Article 57(3) of the Civil Code – MATYÁŠOVÁ, Lenka. Daňový řád: s komentářem a judikaturou: podle stavu k 1.8.2015 [Tax Code: with commentary and case law: as at 1 August 2015]. 2nd updated and supplemented edition. Prague: Leges, 2015. Commentator. ISBN 978-80-7502-081-9, or KOBÍK, Jaroslav and Alena KOHOUTKOVÁ. Daňový řád s komentářem [Tax Code with commentary]. Olomouc: ANAG, [2013]. Taxes (ANAG). ISBN 978-80-7263-769-0.
[37] In principle, a tax administrator’s call should represent the implementation of a specific task in tax administration for which the data is necessary for tax administration. Pursuant to Article 58(3) of the Tax Code, the tax administrator should request information from third parties only if it cannot be obtained from the official records kept by it or cannot be obtained from another public authority. Article 58(2) of the Tax Code also allows for the scope and manner of data provision to be agreed between the data provider and the tax administrator in the interest of efficiency and to ensure adequate data protection. Data obtained by the tax administrator are protected by a strict duty of confidentiality, for the implementation of which the tax administrator is obliged to systematically create conditions, the violation of which is an offence under Article 246 of the Tax Code.
[38] This is also consistent with the general principle of interpretation that exceptions to a rule, which include the exception from Article 38(3)(c) of the Act on Banks, are to be interpreted restrictively. See point 8 of Supreme Administrative Court judgment 10 As 115/2020 - 44.