Ikonka home dla okruszków News and events
photo
13.03.2025

When can a bank process a former customer's data?

When can a bank process a former customer's data? The Supreme Administrative Court agrees with the President of the Personal Data Protection Office

When a loan agreement expires, a bank may process the data of a defaulting customer, as long as it effectively notifies the customer in advance of its intention to do so and awaits 30 days. The Supreme Administrative Court has confirmed this interpretation of Article 105a(3) of the Banking Law.

This happened in eleven cases - the President of the Personal Data Protection Office won them all, with the Supreme Administrative Court setting aside five judgements of the Voivodeship Administrative Court. On the other hand, it upheld six judgments of the Voivodeship Administrative Court in which the arguments of the President of Personal Data Protection Office were recognised.

This means that the dispute over the interpretation of Article 105a(3) of the Banking Law is over.

At issue was the right to process bank secrecy data relating to persons in default to the bank after the expiry of a contractual obligation.

The dispute concerned when a bank (financial institution) can react and, for example, process that person's data without his or her consent in the Credit Information Bureau. The data will be processed by financial institutions for five years from the date of expiration of the obligation. Processing these data requires access to information covered by bank secrecy.

The law provides that

  • After the delay has occurred, the bank must inform the data subject that it intends to process his or her data without his or her consent, and inform him or her of the purpose of the processing.
  • And 30 days must pass from that point. During this time, the bank's former customer can pay off the debt, in which case the bank will not be able to process his or her bank secrecy data.

In the dispute with the banks, the President of the Personal Data Protection Office has argued that the burden of proving that 30 days have passed is on the bank. So it must prove that it informed the former customer of its intention to process his or her data without his or her consent. And it must prove that it has fulfilled the obligation to the customer set forth in Article 105a(3) of the Banking Law, i.e. that it effectively informed him or her of its intention to process information concerning him or her that constitutes bank secrecy, without his or her consent, after the expiration of the obligation under the contract.

Thus, the bank must be able to establish the date on which the data subject was informed of its intention to process his or her personal data after the expiration of the obligation, without his or her consent, rather than the date on which, hypothetically, the data subject could have become aware of the above information.

Merely being at least 60 days late in fulfilling an obligation does not entitle the bank to process the data under the terms of Article 105a(3) of the Banking Law. An additional 30 days must still pass, and this period does not run automatically (ex lege), but only from the moment the consumer will be effectively informed of the intention to process his or her data. The President of the Personal Data Protection Office stresses the necessity of setting a date here. During this 30-day period of time, the customer can pay off the debt and the bank will not be able to process the customer's data by entering them, for example, into a database of unreliable customers.

Agreeing with the arguments of the President of the Personal Data Protection Office, the Supreme Administrative Court stressed that although the legislator did not define the term “inform” used in Article 105a(3) of the Banking Law or create any specific formal requirements in this regard, there is no question of total arbitrariness.

First of all, the law provides for “informing” meaning a completed action. The effect specified in the law (the right to process data without consent) is to occur after “30 days after the bank informs that person,” not after, for example, sending him or her the information. Such “informing” may take place, for example, in person at a branch, by delivery by mail or by an employee of the bank or other authorised entity, and the possibility of directing such information by electronic means cannot be excluded either (provided that the parties in the concluded contract provided for such a form of correspondence, and the bank acted with an external entity in this regard).

Only the indication of the date of delivery of the mail containing the relevant information makes it possible to correctly indicate the beginning of the 30-day period referred to in Article 105a(3) of the Banking Law (since it is not the statement of the date of sending the correspondence with a copy of the letter, nor even the date resulting from the mailing of the letter by registered mail).


This position was upheld by the Supreme Administrative Court in the cases:

 

1. Judgment of the Supreme Administrative Court III OSK 1428/24, decision of the President of the Personal Data Protection Office reference no. DS.523.3941.2021

2. Judgment of the Supreme Administrative Court III OSK 1763/24 decision of the President of the Personal Data Protection Office reference no. DS.523.1980.2022

3. III OSK 3059/23, decision of the President of the Personal Data Protection Office reference no. DS.523.2319.2021

4. III OSK 7477/21, decision of the President of the Personal Data Protection Office reference no. ZSPR.440.1590.2019

5. III OSK 2833/22, decision of the President of the Personal Data Protection Office reference no. DS.523.6082.2020

6. III OSK 1575/22, decision of the President of the Personal Data Protection Office reference no. DS.523.3589.2020

7. III OSK 191/23, decision of the President of the Personal Data Protection Office reference no. DS.523.5493.2020

8. III OSK 251/23, decision of the President of the Personal Data Protection Office reference no. DS.523.445.2021

9. III OSK 2672/23, decision of the President of the Personal Data Protection Office reference no. DS.523.945.2022

10. III OSK 2300/23, decision of the President of the Personal Data Protection Office reference no. DS.523.6935.2021

11. III OSK 2714/23, decision of the President of the Personal Data Protection Office reference no. DS.523.4046.2022

 

 

[i] Official Journal 2024.0.1646 - Law of 29 August 1997 - Banking Law

Art. 105a. Para. 3

Banks, institutions and entities referred to in paragraph 1 may process information constituting banking secrecy and information provided by loan institutions and entities referred to in Article 59d of the Law of May 12, 2011 on consumer credit, concerning natural persons after the expiration of an obligation under an agreement concluded with a bank, other institution statutorily authorized to grant credit, loan institution or entity referred to in Article 59d of the Law of May 12, 2011 on consumer credit, without the consent of the person to whom the information pertains, when that person has failed to perform an obligation or has been in default for more than 60 days in the performance of an obligation under an agreement concluded with a bank, another institution statutorily authorized to grant credit, a lending institution or an entity referred to in Article 59d of the Act of May 12, 2011. on consumer credit, and after the occurrence of these circumstances, at least 30 days have elapsed since the bank, other institution statutorily authorized to grant credit, loan institution or entity referred to in Article 59d of the Law of May 12, 2011 on consumer credit informed the person of its intention to process information concerning him/her, without his/her consent.

phone
Infoline (in Polish) UODO 606-950-000 Operates on weekdays from: 10:00-14:00
© UODO 2018 - 2025
Copyright.
Urząd Ochrony Danych Osobowych
map pin ul. Stawki 2, 00-193 Warszawa
envelope kancelaria@uodo.gov.pl
clock Working hours of the office: 8 a.m. – 4 p.m.
© UODO 2018 - 2025
Copyright.