NSA confirms: Bank may not process data of former customers who are in arrears without a legal basis
The Supreme Administrative Court (NSA) shared the opinion of the President of the Office for the Protection of Personal Data (President of the UODO). According to this position, once a credit agreement expires, a bank may continue to process the data of a customer in arrears only if specific legal conditions are fulfilled.
Bank secrecy vs. creditor’s interest – when can a debtor’s data go to the BIK without their consent?
The concluded dispute concerned the bank’s authority to process data covered by banking secrecy relating to persons who have not settled their obligations after the expiry of the contract.
In particular, the subject of the dispute was whether and under what conditions a bank or other financial institution may – without obtaining the prior consent of the client – transfer the client’s data to the Credit Information Bureau (BIK) or other debtor registers. Also in dispute was whether processing such data after the termination of the contractual relationship violates the right to privacy and the duty of banking secrecy.
Can a bank register you in a debtors’ register without your knowledge?
In the event of a delay in repayment, the bank is obliged to inform the person of its intention to process his or her personal data without having to obtain consent. It must also clearly specify the purpose for which the data will be used. Such notice must be given in an effective way, i.e. in a form that allows the person to be aware of its contents.
From the moment the notification is served, a 30-day period begins during which the customer has the opportunity to pay the outstanding debt. If he or she settles the arrears within this period, the bank loses the right to further process his or her data covered by banking secrecy, which means that the data cannot be entered into registers such as the BIK without his or her express consent.
President of the UODO: Proof of effective delivery lies with the bank
In the dispute with the banks, the President of the Personal Data Protection Office argued that the burden of proof lies with the bank. The bank must prove that 30 days have passed since it informed the customer of its intention to process their data without consent.
In the opinion of the President of the UODO, it is for the financial institution to prove that it effectively communicated to the former client the information about the intended processing of bank-secret data after the expiry of the obligation.
A delay in repayment of an obligation of more than 60 days does not give the bank an automatic right to process the customer’s data under the terms of Article 105a(3) of the Banking Law.
Before this is possible, the bank must effectively inform the customer of its intention to process his or her personal data without consent. The 30-day period starts only from the moment the information is actually delivered. It depends on the customer truly receiving the notice—not on the assumption that they could have read the letter.
The President of the DPA emphasises that it is crucial to establish the specific date of service of this information. During these 30 days, the customer may settle the arrears, which will prevent the bank from further processing their data, including reporting them to debtor databases.
What does the correct notification of the customer look like according to the Supreme Administrative Court?
The NSA, agreeing with the President of the UODO, noted that Article 105a(3) of the Banking Law does not define the term “informing” or outline formal requirements. However, this does not allow unlimited interpretation. According to the NSA, the law refers to “informing” as a completed action, not just the process of providing information. This can take place in person, by letter, by a bank employee or electronically, if provided for in the contract.
It is crucial that the bank is able to indicate the date when it actually delivered the relevant information to the customer, and not just the date on which the correspondence was sent. Only then does the 30-day period begin to run, after which the bank can process the customer’s data if the customer does not pay the arrears.
The Supreme Administrative Court confirmed the position in as many as 11 judgments
A uniform line of jurisprudence has been confirmed in 11 judgments of the NSA, which gives financial institutions and customers clear guidelines on data processing after the termination of a loan agreement.