Given the growing emphasis on sustainability and responsible business practices, obligations in the field of ESG are becoming increasingly significant. The banking sector is emerging as one of the key players in this transformation, with evolving regulatory frameworks influencing its operations.
Perhaps in response to these developments, banks are increasingly engaging in initiatives aimed at raising awareness of environmental and social responsibility and long-term sustainability. One such initiative could involve processing personal data for carbon footprint estimation within mobile banking applications. This would rely on data from executed payment transactions to provide clients with insights into their estimated environmental impact. However, since binding regulations do not require this type of activity, it raises the question of whether such proactive data processing aligns with other regulatory requirements, particularly in personal data protection.
As key institutions in the financial sector, banks process a wide range of personal data relating to their clients. This is hardly surprising, as functioning in today’s digital economy without a bank account would be highly challenging. The largest banking groups in the Czech Republic reported over 4 million clients in 2023. Given this, banks are subject to strict legal obligations regarding the lawful processing of personal data. The legal framework for payment services, contractual documentation (especially payment services agreements and electronic banking agreements), and regulatory obligations serve as the primary legal bases for processing client data.
Banks could process data for carbon footprint estimation in two ways. The first option involves using additional information, which would require explicit consent. The second approach would involve processing existing transaction data that the bank already lawfully handles for payment processing, thus attempting to rely on an existing legal basis without obtaining separate consent. In this case, the bank would apply a methodology to estimate the carbon impact of each payment transaction based on parameters such as merchant category codes (MCC), transaction amount, location, time, and other relevant payment details. The estimated carbon footprint would then be displayed to clients within their mobile banking interface.
However, such data processing must be assessed against GDPR’s purpose limitation principle (Article 5(1)(b) GDPR) and requirements for lawful processing under Article 6 GDPR. Banks are undoubtedly authorized to process payment transaction data under Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(c) GDPR (compliance with legal obligations). Without such processing, they would be unable to provide payment services or meet statutory obligations under financial regulations, particularly the Payment Services Act and Anti-Money Laundering Act. Nevertheless, whether using transaction data for carbon footprint estimation can be considered necessary for fulfilling contractual or legal obligations remains questionable.
Another key consideration is whether Article 6(1)(f) GDPR (legitimate interest) could justify this type of processing. Before relying on this basis, a legitimate interest assessment (LIA) must be conducted to demonstrate that the data processing is necessary for the bank’s legitimate interests and that those interests are not overridden by the rights and freedoms of data subjects. Under Article 5(2) GDPR (accountability principle), the bank must document and be able to substantiate this assessment. There is a reasonable argument that processing transaction data for carbon footprint estimation does not qualify as processing based on legitimate interest, as it is neither directly related to the core banking activities provided to clients nor constitutes a marketing activity promoting banking services.
Furthermore, under Article 6(4) GDPR, processing personal data for a new purpose different from the original purpose for which it was collected is permitted only if the new purpose is deemed compatible with the original purpose. The GDPR outlines specific circumstances where compatibility may be presumed, particularly when the processing serves important public interest objectives. However, in all other cases, the data controller must conduct a compatibility assessment and provide evidence supporting its conclusions.
When comparing the use of transaction data for carbon footprint estimation with its original purpose, primarily the execution of payment services, it appears unlikely that the compatibility test would be satisfied. The absence of a direct link between these two processing purposes suggests that a new legal basis is required. In this scenario, obtaining client consent would be the most appropriate approach. A practical implementation method could involve integrating a consent mechanism within mobile banking applications, enabling clients to actively opt in to this service.
Nevertheless, it will be interesting to observe how this issue evolves and whether similar initiatives gain broader acceptance within the banking sector. Additionally, it remains to be seen whether regulatory guidance will be issued to clarify the conditions under which banks can lawfully engage in ESG-related data processing. Until such guidance is provided, the safest approach remains obtaining explicit consent from clients before processing their data for carbon footprint estimation.
By Jaroslav Tajbr, Partner, Eversheds Sutherland