Expert Advice Community

Need for consent

Guest user Created:   May 04, 2021 Last commented:   May 11, 2021

I have attended a few of your webinars on GDPR. I have a question for you and hope you will help me. GDPR says consent is not required if a contract is signed. If a Bank says the Account Opening form, filled in by the customer, is a legal contract with the Bank, so they don't need customer consent to control and process data, is it correct? As per my understanding, consent is different from AoF. Can you please guide me with GDPR references showing that the Bank still needs consent?

Expert
Alessandra Nisticò May 05, 2021

Data processing can be based on consent (art. 6 paragraph 1 lett. a GDPR) or "when processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;" (art. 6 paragraph 1 lett. b GDPR).

Filling in the bank's form in order to open a bank account is among the necessary steps to enter into a contract, therefore the Bank can process your personal data. Of course, data can be processed only for contract-related activities; the bank needs your consent to process your data for other reasons such as marketing or profiling.

Consider also that the bank doesn't need your consent when "processing is necessary for compliance with a legal obligation to which the controller is subject" (art. 6 paragraph 1 lett. c GDPR), i.e., in the execution of anti-fraud, anti-laundering, anti-terrorism regulations.

Here you can find more information about the legal basis for processing data:

If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Guest user May 10, 2021

Thanks for your response, I am now clear that if any form of contract or agreement is signed between controller and data subject, it does not require specific consent. Especially if the bank has signed account opening forms or product and services forms, then specific consent is not required.

1 - With this understanding I have another question: is the Bank allowed to share/process data via third parties without specifically mentioning it in the form/contract at the time of customer on-boarding, to fulfill the contract? Or can the bank share a privacy notice on their website that the bank will process your data via third parties?

2 - Is it mandatory for the organization/bank to mention the name/region of the third-party data processor, especially if it is a non-EU state?

3 - Can any organization mention the term "we may share your data to third-party service providers" or does it have to be specific by mentioning the service outsourced, name and region of the service provider? And where does it have to be clarified, at the time of contract or via privacy notice?

Thanks and looking forward to your expert opinion

Expert
Alessandra Nisticò May 11, 2021

"Thanks for your response, I am now clear that if any form of contract or agreement is signed between controller and data subject, it does not require specific consent. Especially if the bank has signed account opening forms or product and services forms, then specific consent is not required."

"1 - With this understanding I have another question: is the Bank allowed to share/process data via third parties without specifically mentioning it in the form/contract at the time of customer on-boarding, to fulfill the contract? Or can the bank share a privacy notice on their website that the bank will process your data via third parties?"

The bank can share data with third-party processors, but in the privacy notice the bank should mention that data will be shared and for what purpose. The privacy notice should be given with the contract because the data subject should be able to know what data will be processed and how in the contract relationship.

"2 - Is it mandatory for the organization/bank to mention the name/region of the third-party data processor, especially if it is a non-EU state?"

The bank should declare if data will be transferred outside the EU and what the legal basis of the data transfers and the destination of the data are. If the destination is several countries, they should write to contact them to know the exact list of countries and the safeguards implemented.

"3 - Can any organization mention the term "we may share your data to third-party service providers" or does it have to be specific by mentioning the service outsourced, name and region of the service provider? And where does it have to be clarified, at the time of contract or via privacy notice? Thanks and looking forward to your expert opinion"

The privacy notice is the document where all this information should be given. The controller doesn't need to be specific if third-party processors are different (they may also change), but the data subject is allowed to contact the controller to know who the processors are.
