No credit agreement concluded? The bank must delete your data
On October 1, 2025, the Supreme Administrative Court (NSA) issued two rulings upholding the previous position of the President of the Personal Data Protection Office (UODO) regarding the processing of data of prospective bank clients. The President of UODO maintained that if a credit agreement is not concluded between the bank and the applicant, there is no legal basis for processing personal data contained in credit applications. This position was contested by the financial institutions filing complaints.
What does the bank do with our data?
Both cases concerned the processing of personal data of bank and credit institution clients related to the assessment of creditworthiness. While this is undoubtedly a necessary element of any credit process, the legality of further processing data of prospective clients when a credit agreement is not actually concluded remained disputed. The President of UODO took the position that if no agreement is concluded, there is no basis for continuing to process the data. The entities appealing the UODO decision argued that they have the right to legally continue processing such data.
Processing based on legal provisions?
The financial institutions (SKOK, Alior Bank, and BIK) argued that the legal basis for processing data stemmed from Article 70 of the Banking Law and the authority to obtain data from the credit information bureau (BIK) pursuant to Articles 105(4) and 105a(1) of the Banking Law. However, in its reasoning, the NSA noted that these provisions relate to the processing of data before a liability arises, during its term, and after its expiration. If a credit agreement is not actually concluded, there is no basis for further processing of the data of the person applying for credit.
The NSA emphasized the need for a strict and functional interpretation of legal provisions that limit personal data protection. While there is no doubt about processing data necessary to assess creditworthiness, the failure to conclude a credit agreement results in the absence of statutory grounds legitimizing further data processing.
What about the legitimate interest of the controller?
The financial institutions also claimed a legal basis for processing the data of prospective borrowers under Article 6(1)(f) of the GDPR, i.e., the legitimate interest of the data controller, which in this case would include potential claims arising from banking activities or other obligations under generally applicable law.
The NSA also disagreed with this position, emphasizing the clear trend in case law that such a legal basis applies only to situations that have already occurred, not to hypothetical, potential claims. Processing data “for the future” for purposes different from those for which they were collected cannot be considered permissible under the GDPR.
A warning for the entire market
The cited NSA rulings once again highlight the need to limit the scope of processed data and precisely define the purpose of its use by data controllers. They send a clear signal to institutions involved in the credit process to review their procedures regarding the processing of personal data, especially data from credit applications that did not result in a signed agreement. While the NSA’s position concerns entities in the financial sector, the conclusions drawn from the interpretation by the President of UODO and the NSA have universal applicability for any data controller – legal provisions limiting personal data protection must be interpreted strictly, and “future” data processing for purposes other than those for which the data was collected is permissible only when there is a clear legal basis.
