Postfinance: processing of client data

Integrating additional financial instruments into an existing e-banking platform may constitute a change in purpose of data processing, and so requires the consent of the client. Our investigation into the circumstances at Postfinance led to the company agreeing to make several improvements to give the client greater choice.

Postfinance has revised its online banking platform over the past year and so amended the terms and conditions of use. Under the new conditions, an e-cockpit - an instrument that automatically allocates each client transaction to a particular data category - was to be integrated into the online banking interface. They also introduced a tool that shows clients advertising offers from third parties on the basis of the transactions they make. Clients were able to opt out of this third-party advertising, but not from using the e-cockpit.

Having logged into the portal, Postfinance clients were asked to accept the new terms and conditions in order to continue to have access to online banking. We conducted an investigation into the matter, looking in particular at data processing under these new terms and conditions. At the same time we asked Postfinance to continue to give its clients access to e-finance (online banking) once the new terms and conditions had come into force, even if they did not accept them - at least until we had completed our investigation. Subsequent meetings held with Postfinance revealed that clients were given the option of opting out of third-party advertising immediately after logging onto the online banking platform.

Following further meetings with Postfinance, in early April 2015 two further essential improvements were introduced: clients were given the option of deactivating data processing in the e-cockpit and of deleting data that had already been categorised. As regards third-party advertising, Postfinance will reobtain the consent of those clients who originally gave it before the introduction of the new terms and conditions.

In the final report we were able to state that Postfinance meets its obligations under data protection law with these subsequent improvements. In particular, it is now guaranteed that clients are able to opt out of receiving third-party advertising without the risk of losing electronic access to their accounts. We will conduct a follow-up inspection at a later date to review the implementation of the measures.