Czasopisma logo

Monitor Prawniczy

no. 11/2024

Processing personal data without consent of the borrower in light of the Banking Law

Mariusz Kotulski
Autor jest doktorem nauk prawnych i adiunktem w Katedrze Prawa Administracyjnego UJ
Abstract

The processing of customers’ personal data by banks and other financial institutions is necessary to ensure protection of their proper functioning, but also for their customers, because each loan fraud or default affects the financial condition of credit institutions and, consequently, the availability of loans and the cost for other borrowers Pursuant to Art. 105a.3 of the Banking Law, banks, institutions and entities conducting business in the field of granting consumer loans may process information constituting banking secrecy and information made available by the lending institutions and entities referred to in Art. 59d of the Act on Consumer Credit, in relation to natural persons after the expiry of the obligation, without the consent of these persons, if the obligation has not been fulfilled or there has been a delay in fulfillment of the performance under the contract exceeding 60 days. Moreover, at least 30 days have passed since the intention to process the customer’s data without their consent was notified.
The legislator did not in any way indicate or limit the methods and forms of fulfilling the information obligation referred to in this provision. However, in each case, the method of fulfilling this obligation should make it possible to verify the fact and date of informing the bank customer about intended processing of personal data without their consent. At the same time, taking into account the ratio legis of Art. 105a.3 of the Banking Law, the obligation to inform provided for therein means creating real conditions enabling the borrower to become familiar with the information contained in the notification, and not merely by the fact that the notification has been personally received. A bank, institution or another entity conducting business in the field of granting consumer loans that has made every effort to provide information to the addressee cannot bear the negative consequences of their failure to collect the correspondence, as long as it has been sent to the mailing address provided and there is proof that attempts have been made to deliver it.

Keywords
Credit Information Bureau, personal data processing, obligation to inform, GDPR
Literature
M. Czerniawski, Prawo do ochrony danych osobowych jako prawo podstawowe - podsumowanie [w:] Ochrona danych osobowych, pod red. D. Lubasza, 2020; Słownik języka polskiego. T. II, pod red. M. Szymczaka, Warszawa 1988.