Cassation appeal against the judgement of the WSA on the processing of data of a bank customer

In the opinion of the Personal Data Protection Office, the position taken in the judgment of the Voivodeship Administrative Court (WSA) in Warsaw on the processing of personal data of a bank customer undermines the independence and autonomy of the supervisory authority.

In one of the cases conducted at the Personal Data Protection Office, a bank customer lodged a complaint with the Office for ordering the erasure of his personal data processed by the bank and a financial institution established under the Banking Law, i.e. the Credit Information Bureau, in connection with his credit enquiries. The bank's client argued that the processing of his data was unauthorised, as no agreement with the bank had been concluded. The President of the Personal Data Protection Office, after having conducted administrative proceedings, agreed with the bank's client, stating that there were no legal grounds for the processing of his personal data by the above entities, and issued an administrative decision ordering the erasure of the data.

Meanwhile, the WSA, in its judgment of 28 September 2021, ref. II SA/Wa 474/21, while repealing the aforementioned decision, recognised that in the case there was a failure to address the Polish Financial Supervision Authority as the competent authority in matters related to, i.a., creditworthiness assessment and credit risk analysis, as well as construction of scoring models (creditworthiness assessment method), which in its opinion was absolutely necessary.

The Personal Data Protection Office is concerned about the dangerous direction in which administrative court’s assessment of the application of the provisions of the Code of Administrative Procedure in the context of resolving personal data protection cases by the supervisory authority is heading. The Personal Data Protection Office assumes that such direction is inconsistent with the content and purpose of the provisions of the European Union law, which are the provisions of the GDPR. Therefore, a cassation appeal to the Supreme Administrative Court was filed against this judgment.

The view presented by the WSA of the necessity for the supervisory authority to request an opinion from the Financial Supervision Authority in of the case related to personal data protection, falling within its exclusive jurisdiction, undermines the independence and autonomy of this authority, guaranteed to it by the provisions of the GDPR, according to which each supervisory authority shall act with complete independence in performing its tasks and exercising its powers.

The requirement of independence relates to performing of the tasks and powers of the supervisory authority. Independence should imply the absence of organisational subordination, protection from influence or pressure from other authorities, and freedom to make supervisory decisions. One of the requirements to guarantee the independence of the supervisory authority is that it should not be subject to external influences and that it shall neither seek nor take instructions from other entities.

The view presented by the WSA therefore contradicts the idea of the GDPR in terms of the mentioned fundamental principle of independence of the supervisory authority.