UODO (Poland) - DKE.523.10.2021
UODO (Poland) - DKE.523.10.2021 | |
---|---|
Authority: | UODO (Poland) |
Jurisdiction: | Poland |
Relevant Law: | Article 6(1)(c) GDPR; Article 6(1)(f) GDPR; Article 12(2) Personal Data Protection Act (1997); Article 22 Personal Data Protection Act (1997); Article 23(1)(2) Personal Data Protection Act (1997); Article 160(1) Personal Data Protection Act (2018); Article 160(2) Personal Data Protection Act (2018); Article 105a(4) Banking Law; Article 105a(5) Banking Law; Article 105(4) Banking Law |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 15.04.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | DKE.523.10.2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Polish |
Original Source: | Decyzje Prezesa Urzędu Ochrony Danych Osobowych (in PL) |
Initial Contributor: | Agnieszka Rapcewicz |
The Polish DPA held that explanations of a bank and printouts from its IT system cannot be evidence of proper notification of a data subject about intention to process his personal data, constituting banking secrecy, for the purposes of creditworthiness assessment and credit risk analysis also after expiry of the credit obligation. In the absence of proof of posting the letter at the postal operator's office, as well as the lack of confirmation of its receipt or its return to the sender because it was not taken by the addressee, it is impossible to conclude that the bank fulfilled its obligation. Thus, in the opinion of the President of the Office for Personal Data Protection, the processing of the Complainant's personal data after the expiry of the credit obligations was not supported by the applicable provisions of law.
English Summary
Facts
The Bank obtained the Complainant's personal data in connection with the conclusion of an agreement between the aforementioned parties, for the purposes of creditworthiness assessment and risk analysis. The processing of personal data took place even before the entry into force of the GDPR, as it was necessary for the exercise of a right or fulfilment of an obligation arising from a legal provision. After the entry into force of the GDPR, the processing of the applicant's personal data by the bank took place on the basis of Article 6 (1)(b) GDPR and Article 6 (1)(c) GDPR. The Bank transferred the Complainant's personal data to the entity keeping the register of liabilities, on the basis of the Complainant's consent, in accordance with the provisions of the Banking Law. The Bank processed the Complainant's personal data in the credit information bureau for the purposes of creditworthiness assessment and credit risk analysis. In view of the Complainant's failure to meet his obligations under the agreements concluded by the Complainant with the bank on time, the Complainant's personal data were also processed without his consent after the expiry of the obligation in question.
The Bank - in accordance with its explanations submitted in these proceedings - indicated that it is currently processing the Complainant's personal data resulting from the aforementioned agreement on the basis of Article 6 (1)(f) GDPR, for the purposes related to the assertion of claims and defence against possible claims related to the performance of agreements concluded by the Complainant with the Bank.
The Complainant argued that the Bank had no legal basis for processing his personal data without the complainant's consent, as the Bank had not lawfully informed him of its intention to process his personal data, which constituted bank secrets, after the expiry of credit obligations without his consent.
Dispute
Holding
The President of the Office for Personal Data Protection refused the Complainant's request to order the Bank to restore the lawful state of affairs by ceasing the processing of the Complainant's personal data at third parties (credit information bureaus). At the time the case was resolved, the Bank was already processing the Complainant's personal data only for evidential purposes, resulting from the limitation period for claims. Thus, the basis for processing of the Complainant's personal data by the Bank is currently Article 6(1)(f) GDPR.
The President of the Office for Personal Data Protection found that the transfer of the Complainant's personal data by the Bank to third parties took place in 2012 - to the extent resulting from the Complainant's obligation, and thus still during the period in which the previous legal regulation in the field of personal data protection was in force. Making the Complainant's data available to B. was supported by the prerequisite listed in Article 23 par. 1 point 2 of the Personal Data Protection Act of 1997, and under Article 105 par. 4 of the Banking Law the Complainant's consent was not required for that disclosure to be lawful.
At the same time, however, the supervisory authority indicated that the Complainant was right in claiming that the Bank unlawfully processed the Complainant's personal data resulting from the obligations in question in those institutions after the expiry of those obligations. On the basis of the evidence gathered in this case, including in particular the Bank's explanations, it is impossible to conclude unambiguously that the Bank duly notified the Complainant of its intention to process his personal data, constituting banking secrecy, for the purposes of creditworthiness assessment and credit risk analysis also after expiry of the credit obligation.
Printouts from the bank's IT system presented by the Bank certainly cannot be evidence of proper transmission of the above information. In the absence of proof of posting the letter at the postal operator's office, as well as the lack of confirmation of its receipt or its return to the sender because it was not taken by the addressee, it is impossible to conclude that the Bank fulfilled its obligation. Thus, in the opinion of the President of the Office for Personal Data Protection, the processing of the Complainant's personal data after the expiry of the aforementioned obligations was not supported by the applicable provisions of law.
Irrespective of the above, however, it should be explained that at present - in view of the lapse of 5 years from the expiry of the above-mentioned obligations and the correction made by the Bank in B., as a result of which the information concerning the above-mentioned agreement is no longer presented in the reports used for credit risk assessment - the failure to comply with the information obligation towards the Complainant pursuant to Article 105a(3) of the Banking Law should be regarded as irrelevant in this case. Although the Bank's actions did violate the provisions on personal data protection in this respect, the evidence collected in the case shows that the unlawful state of personal data processing has been removed and no longer continues.
Comment
Pursuant to Article 105a(3) of the Banking Law, banks may process information constituting bank secrecy relating to natural persons after the expiry of an obligation under an agreement concluded with the bank, without the consent of the person to whom the information relates, where that person has failed to perform an obligation or has been in default for more than 60 days in performing a benefit under an agreement concluded with the bank and, after the occurrence of those circumstances, at least 30 days have elapsed since the bank informed that person of its intention to process information relating to him or her, without his or her consent.
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
THE CHAIRMAN OF PERSONAL DATA

Warsaw, 15 April 2021

DECISION

DKE.523.10.2021

Based on Art. 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended) and pursuant to Art. 160 sec. 1 and 2 of the Personal Data Protection Act of May 10, 2018 (Journal of Laws of 2019, item 1781) and art. 12 point 2, art. 22, art. 23 sec. 1 point 2 of the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2016, item 922, as amended), in connection with Art. 6 sec. 1 lit. c) and lit. f) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Journal UE L 119 of 04/05/2016, p. 1 and EU Official Journal L 127 of 23/05/2018, p. 2), in connection with Art. 105 paragraph. 4 and art. 105a paragraph. 4 and 5 of the Act of August 29, 1997 Banking Law (Journal of Laws of 2020, item 1896, as amended), after administrative proceedings regarding the complaint of Mr. M. D., against the processing of his personal data by A. S.A. and their disclosure to B. and Z., the President of the Personal Data Protection Office

refuses to accept the request

Substantiation

The Office of the Inspector General for Personal Data Protection received a complaint from Mr. M. D., hereinafter also referred to as: "Complainant", represented by the attorney of Mr. DO (Kancelaria [...]), against the processing of his personal data by A. S.A., hereinafter referred to as "the Bank" and disclosure of them to B., hereinafter referred to as "B" and Z., hereinafter referred to as "Z". The Complainant's attorney indicated that the Bank processed the personal data of Mr. M. D. without a legal basis, i.e. without his consent, in the scope relating to the contract [...] of [...] July 2009, because the Bank failed to meet the condition set out in Art. 105a paragraph. 
3 of the Act of August 29, 1997 Banking Law (Journal of Laws of 2020, item 1896, as amended), hereinafter referred to as: "Banking Law". The complainant (quoted): "denies being informed by any letter from the Bank, within the statutory period delivered to him in such a way that he could become acquainted with it, about the intention to process his personal data, which is the bank's secret, without his consent". The bank was asked several times to provide proof of the Bank's compliance with the above-mentioned information obligation, however, the Bank indicated only the fact of sending an ordinary letter, which was never delivered to the Complainant. The plenipotentiary also pointed out that it is undisputed that under the above contract a debt was caused, which was finally repaid, and therefore the legal relationship between the Bank and the Complainant was terminated by repayment in full. In connection with the above, in the content of the complaint, the representative of the Complainant requested that the Bank be ordered to be restored to the lawful state by ordering the Bank to stop processing the Complainant's personal data in B. and Z. In the course of the investigation conducted in this case, the President of the Personal Data Protection Office established the following facts: The Bank obtained the complainant's personal data in connection with the conclusion between the above-mentioned the parties to the contract […] of […] July 2009 No. […] (liability arising from the conversion of card […] no. […]). The Bank processed the complainant's data to the extent resulting from the above-mentioned contract, pursuant to art. 105a paragraph. 1 of the Banking Law, in order to assess creditworthiness and risk analysis, art. 74 in connection with with art. 
71 of the Accounting Act of September 29, 1994 (Journal of Laws of 2021, item 217) and § 49 of the Regulation of the Minister of Finance of October 1, 2010 on detailed accounting principles for banks (Journal of Laws No. 191, item 179). The premise legalizing the processing of the complainant's personal data was art. 23 sec. 1 point 2 of the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2016, item 922, as amended), hereinafter referred to as the "Personal Data Protection Act of 1997", and from May 25 2018, art. 6 sec. 1 lit. b) and c) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC ( general regulation on the protection of personal data) (Journal of Laws UE L 119 of May 4, 2016, p. 1 and Journal of Laws UE L 127 of May 23, 2018, p. 2) hereinafter referred to as "Regulation 2016/679". Based on Article. 105a paragraph. 4 of the Banking Law Act, the Bank transferred the complainant's personal data to B., which took place respectively: in the charge for May and June 2012 - to the extent resulting from obligation No. [...]; in batches from July 2009 to June 2012 - to the extent resulting from commitment No. […]. In the batch for October 2013, information on the removal of the above-mentioned obligations. The Bank also transferred the complainant's personal data to Z. in respect of receivables No. [...] (liability arising after the conversion of the account [...] No. [...]). The notification about the entry in the register of Z. was sent to the Complainant on [...] March 2012, while the entry to the above-mentioned the register was made on [...] June 2012. Pursuant to Art. 105a paragraph. 3 of the Banking Law, the Complainant was in default of more than [...] days in the repayment of the obligee, therefore on [...] 
January 2012, the Bank sent a letter to the Complainant informing him about the possibility of processing personal data without his consent after the expiry of the obligation. In view of the above, the Bank cannot indicate the date of delivery of this letter to the Complainant. At this point, it should be noted that due to the delay in fulfilling the obligations arising from the concluded contracts, the Bank processed in B., for the purposes of assessing creditworthiness and credit risk analysis, the complainant's personal data without his consent, also after the expiry of the obligation in question. B., in a letter of [...] February 2021, indicated that he was currently processing the Complainant's personal data under the contract [...] of [...] July 2009 No. [...], and that this account now has the status of a closed account and personal data The complainant is processed in order to use internal methods and other methods and models, pursuant to Art. 105a paragraph. 4 and 5 in connection with with art. 105 paragraph. 4 of the Banking Law. The Bank - in accordance with its explanations submitted in these proceedings on [...] June 2020, indicated that it is currently processing the Complainant's personal data resulting from the above-mentioned contracts pursuant to Art. 6 sec. 1 lit. f) Regulation 2016/679, in connection with art. 118 of the Act of 23 April 1964 Civil Code (Journal of Laws of 2020, item 1740, as amended), hereinafter referred to as the "Civil Code", for the purposes of pursuing claims and defending against possible claims related to the implementation of contracts concluded by the Complainant with the Bank. Z., in a letter of [...] June 2020, indicated that he was not currently processing the Complainant's personal data. After analyzing the evidence collected in the case, the President of the Office for Personal Data Protection states as follows. 
On May 25, 2018, the provisions of the Act of May 10, 2018 on the protection of personal data entered into force (Journal of Laws of 2019, item 1781), hereinafter also: "the Act on the Protection of Personal Data of 2018 r. ". Pursuant to Art. 160 sec. 1-3 of the Act on the Protection of Personal Data of 2018, proceedings conducted by the Inspector General for Personal Data Protection, initiated and not completed before the date of entry into force of this Act, are conducted by the President of the Personal Data Protection Office on the basis of the Personal Data Protection Act of 1997. in accordance with the principles set out in the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256, as amended). At the same time, the activities performed in the proceedings initiated and not completed before the date of entry into force of the provisions of the Act on the Protection of Personal Data of 2018 remain effective. From May 25, 2018, Regulation 2016/679 also applies. Pursuant to Art. 57 sec. 1 of Regulation 2016/679, without prejudice to other tasks set out under this Regulation, each supervisory authority on its territory shall monitor and enforce the application of this Regulation (point a) and handle complaints brought by the data subject or by an entity, organization or association in accordance with Art. 80, to the extent appropriate, conducts proceedings on these complaints and informs the complainant about the progress and the results of these proceedings within a reasonable time, in particular if it is necessary to continue investigations or coordinate actions with another supervisory authority (point f). It should be noted here that the President of the Personal Data Protection Office, when issuing an administrative decision, is obliged to decide on the basis of the facts existing at the time of issuing this decision. 
As the doctrine points out, “the public administration body assesses the facts of the case according to the moment of issuing the administrative decision. This rule also applies to the assessment of the legal status of the case, which means that the public administration authority issues an administrative decision on the basis of the provisions of law in force at the time of its issuance (...). Settlement in administrative proceedings consists in applying the applicable law to the established factual state of an administrative case. In this way, the public administration body realizes the goal of administrative proceedings, which is the implementation of the binding legal norm in the field of administrative and legal relations, when such relations require it "(Commentary to the Act of June 14, 1960, Code of Administrative Procedure, M. Jaśkowska, A . Wróbel, Lex., El / 2012). Also the Supreme Administrative Court - in the judgment of May 7, 2008 in case no. Act I OSK 761/07 stated that: "when examining the legality of the processing of personal data, the GIODO is obliged to determine whether the data of a specific entity are processed on the date of issuing the decision on the matter and whether it is done in a legal manner". Thus, the decisive factor for the decision that must be issued in the present case is the fact that the processing of the Complainant's personal data began during the period when the Personal Data Protection Act of 1997 was in force and is currently being continued. Therefore, it should be stated that the relevant provisions in this case are the application of the provisions in force at the time of issuing the decision in the case, i.e. Regulation 2016/679, because the President of the Office must assess whether the questioned process of personal data processing as at the date of issuing the administrative decision is lawful. 
Regulation 2016/679 constitutes provisions on the protection of natural persons with regard to the processing of personal data and provisions on the free movement of personal data, and protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data (Article 1 (1) and (2) of Regulation 2016 / 679). This issue was adequately regulated by Art. 2 clause 1 of the Act on the Protection of Personal Data of 1997. In the light of the provisions of the above-mentioned legal act, the processing of personal data is authorized when any of the conditions listed in Art. 6 sec. 1 of Regulation 2016/679 (previously Article 23 (1) of the Personal Data Protection Act of 1997). These conditions apply to all forms of data processing listed in art. 4 point 2 of Regulation 2016/679 (previously Article 7 point 2 of the Personal Data Protection Act of 1997), including, in particular, their disclosure. These conditions are also equal to each other, which means that for the legality of the data processing process, it is sufficient to meet one of them. However, the legal act regulating in detail the processing of personal data of bank customers is primarily the Banking Law. Therefore, the assessment of the processing of the Complainant's personal data in connection with the contracts linking him with the Bank should be made in conjunction with the provisions of this Act. When examining the legality of the disclosure of the Complainant's personal data by the Bank to B. and Z., in connection with the debt resulting from the contract [...] of [...] July 2009 No. [...] (liability arising after the conversion of the card [...] No. [ ...]), the President of the Personal Data Protection Office indicates that B. and Z. are institutions established pursuant to Art. 105 paragraph. 
4 of the Banking Law, which stipulates that banks may, together with banking chambers of commerce, establish institutions for the collection, processing and sharing of, among others, banks - information constituting banking secrecy to the extent that this information is needed in connection with the performance of activities bank, and also other institutions legally authorized to grant loans - information on receivables and on the turnover and balances of bank accounts to the extent that this information is necessary in connection with granting loans, cash loans, bank guarantees and sureties. Pursuant to Art. 105a paragraph. 3 of the Banking Law, the institutions referred to in para. 1, may process information constituting banking secrecy regarding natural persons after the expiry of the obligation resulting from the agreement concluded with the bank or other institution authorized by law to grant loans, without the consent of the person to whom the information relates, when the person has not fulfilled the obligation or has been delayed for more than 60 days. in the performance of the service resulting from an agreement concluded with a bank or other institution legally authorized to grant loans, and after these circumstances, at least 30 days have elapsed since the bank or other institution authorized to grant loans informed the person about the intention to process confidential information concerning him banking without her consent. As determined by the President of the Office for Personal Data Protection, the transfer of the Complainant's personal data by the Bank to B. and to Z. took place in 2012 - to the extent resulting from obligation No. [...], and therefore still during the period of the previous legal regulation on data protection personal. The disclosure of the Complainant's data to B. was based on the premise mentioned in Art. 23 sec. 
1 point 2 of the Act on the Protection of Personal Data of 1997, and for the legality of this disclosure, pursuant to Art. 105 paragraph. 4 of the Banking Law, the consent of the Complainant was not required. At the same time, however, the supervisory authority points out that the Complainant is right in stating that the Bank processed in B. his personal data resulting from the obligations in question, after their expiry, in an unlawful manner. On the basis of the evidence gathered in this case, including in particular the explanations of the Bank, it is not possible to state unequivocally that the Bank duly notified the Complainant about the intention to process his personal data, constituting banking secrecy, for the purposes of assessing creditworthiness and analyzing credit risk also after the expiry of the credit obligation. However, the Bank's practice described above does not fall within the provisions of Art. 105a paragraph. 3 of the Banking Law, because the Bank failed to notify the Complainant of its intention to process data in this manner. Such an obligation was imposed on the Bank as the administrator of personal data, pursuant to the wording of Art. 105a paragraph. 3 of the Banking Law. Pursuant to the regulation referred to here, banks may process information constituting banking secrecy regarding natural persons after the expiry of the obligation resulting from the contract concluded with the bank, without the consent of the person the information relates to, when the person has not fulfilled the obligation or has been delayed by more than 60 days in fulfilling benefits resulting from an agreement concluded with the bank, and after these circumstances, at least 30 days have elapsed since the bank informed the person about the intention to process this information without their consent. Unless it is in doubt that the Complainant was in default of debt under the contract [...] of [...] November 2008, contract [...] of [...] 
November 2008 and contract [...] of [...] November 2008 - he did not deny this circumstance during the proceedings - so it cannot be concluded that the Complainant received information about the planned continuation of the processing of his personal data after the Bank's claims against the Complainant had been settled. Printouts from the bank's IT system provided by the Bank certainly cannot serve as evidence of the proper transfer of the above-mentioned information. In the absence of proof of posting the letter at the postal operator's office, and no confirmation of its receipt or return to the sender, due to the addressee's failure to collect it - it is impossible to conclude that the Bank has fulfilled its obligation. Thus, in the opinion of the President of the Personal Data Protection Office, the processing of the Complainant's personal data after the expiry of the above-mentioned obligations found no basis in applicable law. Regardless of the above, however, it should be clarified that at present - due to the lapse of 5 years from the expiry of the above-mentioned liabilities and the Bank's correction in B. consisting in the fact that the information on the above-mentioned contracts is no longer presented in the reports serving the assessment of credit risk - the fact that the Complainant did not comply with the information obligation under Art. 105a paragraph. 3 of the Banking Law. Although the Bank's operation actually violated the provisions on the protection of personal data in this respect, based on the evidence gathered in the case, it should be concluded that the state of non-compliance with the law of personal data processing has been removed and is no longer continued. As is clear from the factual findings, B. is currently processing the complainant's personal data resulting from the above-mentioned contract only for the purpose of using internal statistical methods, to which he is entitled pursuant to art. 105a paragraph. 
4 of the Banking Law, pursuant to which the Banks and institutions referred to in Art. 105 paragraph. 4, may process information constituting banking secrecy concerning natural persons after the expiry of the obligation resulting from the agreement concluded with the bank or other institution authorized by law to grant loans, without the consent of the person to whom the information relates, for the purposes of applying internal methods and other methods and models, o referred to in the third part of Regulation No 575/2013. At the same time, as is clear from the wording of Art. 105a paragraph. 5 of the Banking Law, such processing may be performed for a period not longer than 12 years from the date of expiry of the obligation - in the case of B. and not longer than 5 years from the date of expiry of the obligation - in the case of the Bank. As for the Bank, it processes the Complainant's personal data only for evidence purposes, resulting from the limitation period for claims. Thus, the basis for the processing of the Complainant's personal data by the Bank is currently Art. 6 sec. 1 letter f) of Regulation 2016/679 in connection with art. 118 of the Civil Code. However, Z. does not process the Complainant's personal data at all. In connection with the findings, it should be noted that the continuation of administrative proceedings by the President of Personal Data Protection, initiated by a complaint about irregularities in the processing of the complainant's personal data by the Bank, aimed at issuing an administrative decision pursuant to Art. 18 sec. 1 of the 1997 Act is unfounded. 
According to the wording of the above-mentioned provision, in the event of a breach of the provisions on the protection of personal data, the President of the Personal Data Protection Office ex officio or at the request of the person concerned, by way of an administrative decision, orders the restoration of the lawful state, in particular: removal of deficiencies (1), supplementing, updating, rectifying, disclosing or failure to provide personal data (2), application of additional security measures for the collected personal data (3), suspension of the transfer of personal data to a third country (4), data protection or transfer to other entities (5) or deletion of personal data (6). From the wording of Art. 18 sec. 1 of the 1997 Act, and at the same time from the definition of an administrative decision - as an act decisive in a ruling manner about the rights and obligations of the parties to the proceedings in the factual and legal status established and up-to-date at the time of its issuance - it follows that the personal data protection authority does not assess past events that are not continued at the time of adjudication. The decision of the President of the Personal Data Protection Office (UODO) is an instrument used to restore lawfulness in the data processing process carried out at the time of issuing the decision. Considering the above, it should be concluded that there was no reason for the President of the Personal Data Protection Office to issue a decision ordering the restoration of the lawful state, therefore it is not justified to issue any of the orders referred to in Art. 18 of the Personal Data Protection Act of 1997. In this factual and legal state, the President of the Personal Data Protection Office resolved as in the sentence.

Based on Art. 127 § 3 of the Code of Civil Procedure, the party has the right to submit, against this decision, an application for reconsideration of the case within 14 days from the date of its delivery to the party. 
If a party does not want to exercise the right to submit an application for reconsideration, he has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw within 30 days from the date of its delivery to the party. The complaint is lodged through the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warsaw). The entry fee for the complaint is PLN 200. The party has the right to apply for the right to assistance, including exemption from court costs.

2021-05-13