Ikonka home dla okruszków News and events
photo
15.07.2025

Banks cannot process data of former and would-have-been customers

Banks cannot process data of former and would-have-been customers – Supreme Administrative Court confirms

The Supreme Administrative Court upheld two cassation appeals lodged by the President of the Personal Data Protection Office. In one of them, it stated that any future claims by a former bank customer did not justify the processing of his or her personal data. In the other, it stated that both the bank and the Credit Information Bureau (BIK) are obliged to cease processing personal data relating to credit inquiries that did not result in the conclusion of a contract.

Future claims by a former customer do not justify the processing of his or her data.

In the first case (ref. no. III OSK 1594/22), the Supreme Administrative Court upheld the arguments of the President of the Personal Data Protection Office, who ordered the removal of the data of a former customer of Santander Consumer Bank. In its judgment of 10 July 2025, the Court agreed with the supervisory authority that the controller cannot invoke a legitimate interest (Article 6(1)(f) of the GDPR) and process the data of a person with whom it no longer has a contract.

In this case, the bank sold the customer's debt to another entity. It considered the basis for processing  of his or her data to be a legitimate interest related to possible claims, e.g. by the customer against the bank.

The Supreme Administrative Court, when considering the appeal of the President of the Personal Data Protection Office against the judgment of the Voivodeship Administrative Court - found that the supervisory authority had correctly assessed that the bank had not indicated the existence of claims that it was seeking to satisfy from the Complainant and the purchaser of the debt, nor had it demonstrated that the purchaser of the debt or the Complainant was seeking to satisfy the claims from the bank. The Supreme Administrative Court shared the position of the President of the Personal Data Protection Office that possible and uncertain claims that could hypothetically arise in the future are not a sufficient ground for processing such data. And since there is no purpose that would justify the processing of the former customer's personal data, those data should be deleted.

Decision of the President of the Personal Data Protection Office (UODO) referred to in the Supreme Administrative Court’s judgement: DS.440.197.2019

The bank may not process personal data relating to credit inquiries that did not result in the conclusion of a contract

On 10 July 2025, the Supreme Administrative Court (ref. no. III OSK 165/22) also upheld another cassation appeal by the President of the Personal Data Protection Office against the judgment of the lower court. The supervisory authority requested that the contested judgment of the Voivodeship Administrative Court in Warsaw be overturned in its entirety and that the complaint of ING Bank Śląski and Credit Information Bureau (Biuro Informacji Kredytowej S.A.) be dismissed. In its judgment, the Supreme Administrative Court upheld the cassation appeal and overturned the judgment of the Provincial Administrative Court. It thus found that the supervisory authority had rightly ordered ING Bank Śląski and the Credit Information Bureau to delete the data of a would-have-been bank customer concerning his or her credit inquiry.

In its judgement, the Supreme Administrative Court confirmed the position of the President of the Personal Data Protection Office that the Credit Information Bureau and the bank are obliged to cease processing personal data relating to credit inquiries that did not result in the conclusion of a credit agreement. In such cases, the purpose of processing, i.e. creditworthiness assessment, ceases to exist.

It is worth noting that the Supreme Administrative Court agreed with the argument of the President of the Personal Data Protection Office that the processing of data of a would-have-been customer with reference to the grounds set out in Article 105a of the Banking Law is inappropriate. This concerns the processing of information covered by banking secrecy in the period before the obligation arose, during its duration and after its expiry. However, in this case, no agreement was concluded between the bank and the complainant and no obligation arose, which, pursuant to Article 105a(1)-(6) of the Banking Law, would provide a basis for further processing of the complainant's personal data.

Decision of the President of the Personal Data Protection Office referred to in the Supreme Administrative Court’s judgement: DS.523.70.2020

phone
Infoline (in Polish) UODO 606-950-000 Operates on weekdays from: 10:00-14:00
© UODO 2018 - 2025
Copyright.
Urząd Ochrony Danych Osobowych
map pin ul. Stanisława Moniuszki 1A, 00-014 Warszawa
envelope kancelaria@uodo.gov.pl
clock Working hours of the office: 8 a.m. – 4 p.m.
© UODO 2018 - 2025
Copyright.