Article | 10 December 2025

Demands for Accessibility in the Provision of Financial Services and Processing of Sensitive Personal Data: The Balance of Regulatory Compliance


The internal market is a cornerstone of European collaboration, ensuring the free movement of goods, services, capital, and people. However, to make these freedoms accessible to all, certain actions are required by service providers and the EU has taken significant steps to ensure such accessibility. This article examines the EU’s new legislative act on accessibility, particularly in light of the potential processing of personal data required to comply with the legislation.

  1. THE LEGAL LANDSCAPE

In recent years, businesses of all sizes have faced an increasingly complex array of harmonized legal requirements, presented in different kinds of legal documents, that must be integrated into their daily operations. These requirements all necessitate compliance efforts, financial commitments, and competency enhancement measures for employees at all levels.

The financial sector has long been a focal point of regulatory compliance, and this trend shows no signs of abating.

  2. THE EUROPEAN ACCESSIBILITY ACT AND THE SWEDISH IMPLEMENTATION

The European Accessibility Act (the ‘Act’)[1] is a directive aimed at improving the functioning of the internal market for accessible products and services by removing barriers created by divergent national legislation. Through these efforts, the Act seeks to eliminate and prevent any obstacles to free movement.[2]

Consequently, the directive establishes common rules on accessibility within the EU to facilitate cross-border trade and expand the market for accessible products and services.

During the preparation of the Act, the most important products and services for people with disabilities were identified, including banking and financial services aimed at consumers, both physically and digitally provided.

According to the preparatory works of the Act, specific accessibility requirements apply to all products and services covered by the Act, provided that these do not alter the basic nature of such products and services, or impose a disproportionate burden on the operators. For products, the requirements include designing and producing them to maximize their use by people with disabilities, as well as complying with detailed rules on information and instructions, user interface and functionality design, support services, and packaging. For services, the equivalent requirements include providing information about the service, its accessibility features and facilities, making websites and mobile devices easily accessible, and applying practices, policies, and procedures to address the needs of people with disabilities, with specific rules applicable to different services.

Service providers, such as those offering banking and financial services, must design and provide their services in accordance with the Act. They must make available to the public both written and oral information that is easily accessible to people with disabilities, regarding the services they offer and how the accessibility requirements are met. Additionally, they must ensure that procedures are in place to continue conforming with the accessibility requirements and to account for any changes.[3]

The Swedish legislative act incorporating the Act, known as the Swedish Accessibility Act (the ‘Swedish Accessibility Act’)[4], entered into force on 28 June 2025. This legislative act enumerates the banking and financial services covered by the Act as follows:

  • credit agreements covered by the Consumer Credit Act (2010:1846),
  • the services referred to in Chapter 2, Section 1, items 1, 2, 4 and 5, and Section 2, items 1, 2, 4 and 5 of the Securities Markets Act (2007:528),
  • payment services as defined in Chapter 1, Section 2 of the Payment Services Act (2010:751),
  • services related to the opening, use and closing of a payment account, including payment services and payment transactions covered by Chapter 1, Section 7, item 1 of the Payment Services Act, as well as overdraft facilities and services that permit the balance on a bank account to be exceeded,
  • electronic money as defined in Chapter 1, Section 2, item 2 of the Electronic Money Act (2011:755), and
  • payment terminals as defined to enable the execution of payments using payment instruments as referred to in Chapter 1, Section 4 of the Payment Services Act (2010:751) at a physical point of sale, but not in a virtual environment.

  3. PROCESSING OF PERSONAL DATA

In Sweden, the primary legal frameworks relevant for the processing of personal data are the General Data Protection Regulation (“GDPR”)[5] and the Swedish Data Protection Act[6]. The latter complements the GDPR by introducing specific Swedish provisions necessary for its interpretation, such as those relating to freedom of expression and within the field of employment.

Under these frameworks, personal data is defined as any information that can directly or indirectly identify a natural person. In addition, certain types of personal data are classified as particularly sensitive – referred to as special categories of personal data under the GDPR. This category includes information that may reveal, for example, an individual’s health status, sexual orientation, or religious beliefs.

The GDPR requires anyone processing personal data to inform the individual whose personal data is being processed (the “data subject”) of their processing activities, clearly and in a manner suitable for that individual. This information must include details about said processing activities, such as the purpose, legal basis, and any third parties with whom the personal data is shared.

When considering this legal framework in relation to the obligations under the Act, it becomes evident that there are areas where the requirements overlap and interact.

  4. CALCULATING COMPLIANCE – ACCESSIBILITY AND PROCESSING OF PERSONAL DATA

When implementing the Act and the Swedish Accessibility Act within an organisation, while also considering the potential processing of personal data, it is essential to assess the meaning of accessibility in the financial sector. For example, online banking services must be accessible to all users, which requires, among other things, clear and precise information, intuitive navigation, user-friendly interfaces, and adaptable design.

Furthermore, in the context of the financial sector, measures to ensure accessibility in physical environments may include, for example, ramps to facilitate access to ATMs, clear directional signage, and the availability of various hearing aids in meeting rooms for consumers. For digital environments, measures such as ensuring sufficient contrast between text and background and providing audiovisual aids to facilitate access to information should also be considered.

As with many compliance-driven initiatives, considerable effort is devoted to ensuring adequate documentation and providing relevant information to affected parties. However, in addition to implementing policies describing accessibility measures and internal procedures, financial institutions must also assess and ensure compliance throughout their entire supply chain. For example, while primary efforts may focus on marketing and publicly available resources, it is important not to overlook the need for compliance for consumers who are logged in (such as for messaging, internet banking, or making payments).

When considering and implementing these accessibility measures, it is not unlikely that they will involve processing of personal data. For instance, when different options are offered in the user interface, consumer preferences will become visible to the financial institution offering the service, resulting in the institution processing the consumer’s personal data. This is because a consumer’s selection of bold text or hearing aids when using the financial institution’s services may, strictly speaking, constitute processing of personal data relating to health, which is classified as a special category of personal data under the GDPR. Consequently, compliance with the Act will also necessitate compliance with the GDPR.

In line with the above, we recommend that providers of financial services take the GDPR into consideration when undertaking compliance projects aimed at improving the accessibility of their services. Where appropriate, they should also prepare or update necessary risk assessments, including impact assessments where relevant, as well as general GDPR documentation, such as privacy policies, data processing agreements, and records of processing activities.

 

[1] Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services.

[2] See Accessibility of products and services | EUR-Lex.

[3] European accessibility act – European Commission

[4] Sw. Lag (2023:254) om vissa produkters och tjänsters tillgänglighet.

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[6] Sw. Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning.

Practice areas:

FinTech
