
When can a bank process a former customer’s data?

The Supreme Administrative Court agrees with the President of the Personal Data Protection Office

When a loan agreement expires, a bank may process the data of a defaulting customer, as long as it effectively notifies the customer in advance of its intention to do so and waits 30 days. The Supreme Administrative Court has confirmed this interpretation of Article 105a(3) of the Banking Law.

The President of the Personal Data Protection Office won all eleven cases. In five of these cases, the Supreme Administrative Court set aside the judgments of the Voivodeship Administrative Court. In the remaining six cases, the Supreme Administrative Court upheld the judgments where the Voivodeship Administrative Court had accepted the President’s arguments.

This means that the dispute over the interpretation of Article 105a(3) of the Banking Law is over.

At issue was the right to process bank secrecy data relating to persons in default to the bank after the expiry of a contractual obligation.

The dispute concerned when a bank (financial institution) can react and, for example, process that person’s data without his or her consent in the Credit Information Bureau. The data will be processed by financial institutions for five years from the date of expiration of the obligation. Processing these data requires access to information covered by bank secrecy.

The law provides that:

  • After the delay has occurred, the bank must inform the data subject that it intends to process his or her data without his or her consent, and inform him or her of the purpose of the processing.
  • And 30 days must pass from that point. During this time, the bank’s former customer can pay off the debt, in which case the bank will not be able to process his or her bank secrecy data.

In a dispute with banks, the President of the Personal Data Protection Office argued that banks must prove that 30 days have passed. They must also show that they informed former customers about processing their data without consent. The bank must prove it fulfilled its duty under Article 105a(3) of the Banking Law. This means showing that it effectively informed customers about processing information covered by bank secrecy after the contract ended.

The bank must clearly show the date when the customer was informed. It’s not enough to assume when the customer might have learned about it. Being 60 days late in payment does not automatically give the bank the right to process data. Another 30 days must pass, starting from the moment the customer is actually informed. During these 30 days, the customer can still settle the debt, and the bank cannot yet label them as unreliable.

The Supreme Administrative Court agreed with the President of the Personal Data Protection Office. It stressed that although the law doesn’t strictly define “inform,” it’s not arbitrary. The law expects informing to be a completed act. The 30-day period starts only after the person is informed, not simply when the bank sends the notice. Informing can happen in person, by mail, through an employee, or electronically—if allowed by the original contract.

Only the date of delivering the notice matters. The sending date or proof of posting is not enough. Banks must provide clear evidence of when the information reached the customer to properly start the 30-day period mentioned in Article 105a(3).

This position was upheld by the Supreme Administrative Court in the cases:

1. Judgment of the Supreme Administrative Court III OSK 1428/24, decision of the President of the Personal Data Protection Office reference no. DS.523.3941.2021

2. Judgment of the Supreme Administrative Court III OSK 1763/24, decision of the President of the Personal Data Protection Office reference no. DS.523.1980.2022

3. III OSK 3059/23, decision of the President of the Personal Data Protection Office reference no. DS.523.2319.2021

4. III OSK 7477/21, decision of the President of the Personal Data Protection Office reference no. ZSPR.440.1590.2019

5. III OSK 2833/22, decision of the President of the Personal Data Protection Office reference no. DS.523.6082.2020

6. III OSK 1575/22, decision of the President of the Personal Data Protection Office reference no. DS.523.3589.2020

7. III OSK 191/23, decision of the President of the Personal Data Protection Office reference no. DS.523.5493.2020

8. III OSK 251/23, decision of the President of the Personal Data Protection Office reference no. DS.523.445.2021

9. III OSK 2672/23, decision of the President of the Personal Data Protection Office reference no. DS.523.945.2022

10. III OSK 2300/23, decision of the President of the Personal Data Protection Office reference no. DS.523.6935.2021

11. III OSK 2714/23, decision of the President of the Personal Data Protection Office reference no. DS.523.4046.2022