Well, banks need this to prove they are not fixing price rates (e.g. as in the Libor scandal about 10y ago), and that they did their part in KYC and prevention of AML for the client, or that they did not mis-sell a product in case of a legal procedure or claim.
So everything is recorded, encrypted, some is monitored in near RT by engines, and only accessed by human employees when necessary. A full log of who accessed what is kept.
This falls under Fair Use (not sure about the exact term) under GDPR, as it is a sensible way for the bank to uphold their legal obligations.
> This falls under Fair Use (not sure about the exact term) under GDPR, as it is a sensible way for the bank to uphold their legal obligations.
The term you're likely looking for is "Legitimate Interest", but that's not quite the same. You're looking for the bigger picture.
Full disclosure: I was the DPO of a gambling company and had to interpret the cross-regulation conflicts quite routinely. One of the big things with GDPR is that it cannot overrule industry or domain-specific regulations. It will certainly influence how the data may be accessed, but as far as internal collection and storage goes, GDPR changes nothing material in finance.
Banks and trading shops are required to record and store all work-related communications. No exceptions, no excuses. The reasons are as you stated. To prove (or disprove) cases of insider trading, collusion, price fixing, front running, and all the other forms of fraud/abuse that would allow the financial outfits and/or their traders to break the rules and fleece their customers and/or counterparties. (They still manage, but at least it's not as blatant.)
The main impact of GDPR is that the financial industry has one additional reason to purge old records once the statute of limitations has expired.