Data Privacy and Banking Secrecy for Digital Banks in Iraq
Data Privacy and Banking Secrecy: The Two Overlapping Legal Frameworks Every Digital Bank Must Navigate
A digital bank generates more personal data per customer per day than almost any other type of financial institution. Every login, every transaction, every failed authentication attempt, every navigation path through the mobile application creates a data record. Managing this data legally and using it responsibly requires simultaneous compliance with two distinct but overlapping legal frameworks: the established principle of banking secrecy grounded in Iraqi banking legislation, and the data protection principles that govern how personal information may be collected, stored, processed, used, and protected.
These two frameworks are complementary but not identical. Banking secrecy governs what information may be disclosed to third parties. Data protection principles govern how information may be used internally and externally across its full lifecycle. A bank that satisfies one without the other remains legally exposed.
1. Banking Secrecy: The Foundational Legal Obligation
Banking secrecy is one of the most established principles in Iraqi banking law. It prohibits the digital bank from disclosing any information relating to its customers, their identity, their account details, their transaction history, their financial position, or any other information obtained in the course of the banking relationship to any third party, without the customer’s express written consent.
Four specific exceptions to this prohibition are recognized under Iraqi law:
- A court order issued by a competent Iraqi court in the context of criminal or civil judicial proceedings that specifically identifies the information required
- A supervisory request from the Central Bank of Iraq in the exercise of its statutory oversight powers, including requests made in the course of a regulatory examination or investigation
- A request from the competent anti-money laundering authority in the context of a formal AML/CFT investigation, including requests related to suspicious transaction reports already filed by the bank
- Disclosure for the purpose of authorized external audit by the bank’s CBI-approved external auditor, limited to the information necessary for the audit
Any disclosure outside these four exceptions, regardless of the requestor’s identity or the apparent legitimacy of the purpose, constitutes a serious violation of banking secrecy. This violation creates both civil liability to the affected customer for any harm caused by the disclosure and regulatory liability to the CBI.
2. Six Principles of Lawful Data Processing
Alongside banking secrecy, the digital bank must comply with the following data protection principles in all of its processing of personal data. These principles govern how data is used, not just whether it can be disclosed:
- Lawfulness and transparency: personal data may be processed only where there is a legitimate legal basis for doing so. The principal bases are the customer’s explicit consent, performance of the contract between the bank and the customer, compliance with a legal obligation, or a legitimate interest of the bank that is proportionate to the privacy intrusion and does not override the customer’s fundamental interests
- Purpose limitation: data collected for specified, explicit, and declared purposes may not subsequently be used for undisclosed secondary purposes. Using account transaction data to train a credit scoring model that was not disclosed to the customer at the time of collection, for example, requires a fresh legal basis
- Data minimisation: the bank may collect only the minimum personal data necessary for the stated purpose; collecting extensive lifestyle, behavioral, or social data beyond what is required for banking operations requires specific justification
- Accuracy: personal data must be kept accurate and up to date, and inaccuracies must be corrected without undue delay. A bank that maintains demonstrably incorrect customer data and allows decisions to be made on that basis incurs liability for any resulting harm
- Storage limitation: personal data must not be retained for longer than is necessary for the purpose for which it was collected, or for longer than required by applicable law. Indefinite retention of inactive customer data without a legal basis is a data protection violation
- Integrity and confidentiality: appropriate technical and organizational measures must be implemented to protect personal data against unauthorized access, accidental loss, destruction, or damage. The standard of protection required is proportionate to the sensitivity of the data and the potential harm from its compromise
3. Customer Rights Over Their Personal Data
Every customer has the following rights with respect to their personal data held by the bank, and the bank must have operational mechanisms to respond to the exercise of these rights within a reasonable timeframe:
- The right of access: to obtain confirmation that the bank processes their personal data and to receive a copy of that data in a comprehensible format
- The right of rectification: to request correction of inaccurate personal data without undue delay
- The right to object: to object to the processing of their personal data in certain circumstances, including processing for direct marketing purposes, where the objection is absolute
- The right to restriction: to request that the bank restricts its processing of their data in defined circumstances, for example, while the accuracy of the data is being contested
- The right to data portability: to receive their personal data in a structured, machine-readable format for the purpose of transferring it to another institution. This right is particularly significant in the banking context and directly supports competition
4. Data Classification and Iraq-Based Data Sovereignty
The CBI’s Standards Booklet (Standard B7) imposes a mandatory tiered data classification system that overlays the general data protection principles with sector-specific technical requirements. Customer identity data, authentication credentials, account identifiers, and transaction data are classified at the highest sensitivity level and require mandatory encryption both at rest and in transit, with multi-layer access controls restricting access to authorized personnel only.
The data sovereignty requirement is absolute: all data centres and servers used by the digital bank must be located within Iraq. Cloud hosting of core banking data outside Iraq is not permitted. This requirement directly limits the bank’s vendor choices and must be a primary criterion in any technology procurement decision.
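As an added example (not code from the page, the bank, or the CBI), the following policy-as-code check applies the Standard B7 tier-1 encryption and access-control requirements and the Iraq residency rule to a constructed inventory of data stores. The inventory fields, the category and tier names, and the role names are assumptions.

```python
"""Policy-as-code audit of data stores against the B7 tier-1 controls and the
Iraq residency requirement. Added example; inventory format and names assumed."""
from dataclasses import dataclass

# Categories the page places at the highest sensitivity tier (tier 1).
TIER1_CATEGORIES = {"identity", "credentials", "account_id", "transaction"}
# Roles permitted to read tier-1 data (assumed names for this example).
ALLOWED_TIER1_ROLES = {"core-banking-svc", "dba-oncall"}

@dataclass
class DataStore:
    name: str
    categories: set         # data categories held in this store
    country: str            # ISO code of the hosting data centre
    encrypted_at_rest: bool
    tls_in_transit: bool
    access_roles: set       # roles granted read access

def tier(store: DataStore) -> int:
    """Tier 1 if the store holds any highest-sensitivity category."""
    return 1 if store.categories & TIER1_CATEGORIES else 2

def check_store(store: DataStore) -> list:
    """Return the list of violations for one store (empty list means compliant)."""
    findings = []
    # Residency applies to every store used by the bank, whatever its tier.
    if store.country != "IQ":
        findings.append(f"{store.name}: hosted in {store.country}, must be in Iraq")
    if tier(store) == 1:
        if not store.encrypted_at_rest:
            findings.append(f"{store.name}: tier-1 data not encrypted at rest")
        if not store.tls_in_transit:
            findings.append(f"{store.name}: tier-1 data not encrypted in transit")
        extra = store.access_roles - ALLOWED_TIER1_ROLES
        if extra:
            findings.append(f"{store.name}: unauthorised roles {sorted(extra)}")
    return findings

def audit(stores) -> dict:
    """Map each store name to its list of findings."""
    return {s.name: check_store(s) for s in stores}

# Constructed sample inventory: one compliant core store, one offshore
# analytics copy of transaction data, one low-tier log store.
SAMPLE_INVENTORY = [
    DataStore("ledger-db", {"account_id", "transaction"}, "IQ", True, True, {"core-banking-svc"}),
    DataStore("analytics-lake", {"transaction", "app_navigation"}, "AE", False, True,
              {"core-banking-svc", "marketing-analyst"}),
    DataStore("crash-logs", {"app_navigation"}, "IQ", False, True, {"sre"}),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(name, "OK" if not issues else issues)
```

Running the script flags the offshore analytics copy three times (residency, no encryption at rest, an unauthorised role) while the tier-2 log store passes despite lacking encryption at rest, which is the distinction the tiered classification is meant to draw.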
5. Data Breach Notification: Immediate CBI Notification Required
Upon discovering a security incident that results in unauthorized access to, loss of, or destruction of personal customer data, the bank must:
- Notify the CBI immediately, before any public statement or customer communication, with an initial assessment of the nature and scope of the breach
- Notify affected customers as soon as practicable, stating the nature of the data involved, the potential consequences of the breach, the steps the bank is taking in response, and the steps customers themselves should take to protect their interests
- Constitute a technical incident response team and implement a documented remediation plan
- Submit a comprehensive post-incident report to the CBI within the prescribed timeframe, documenting the causes of the breach, its full scope, the remediation actions taken, and the measures implemented to prevent recurrence