In a recent ruling by the Supreme Administrative Court (NSA) in Warsaw, the position of the President of the Personal Data Protection Office (UODO) regarding the unauthorized processing of personal data by Bank Millennium was confirmed. The court dismissed the bank’s cassation complaint, which challenged an earlier verdict by the Provincial Administrative Court in Warsaw (WSA).
The case involved allegations of processing the personal data of former bank customers after they had withdrawn their consent to process their data for marketing purposes. Bank Millennium argued that the data were processed to defend against potential future claims, which would constitute a “legitimate interest” under Article 6(1)(f) of the General Data Protection Regulation (GDPR).
However, the President of UODO and both court instances found that the bank had not demonstrated the existence of a specific dispute or the current necessity to process data in the context of potential claims. Under GDPR, processing data to protect against hypothetical future claims cannot be considered sufficient justification.
The NSA pointed out that according to the accountability principle, the burden of proof regarding the legality of data processing rests on the data controller—in this case, the bank. The court emphasized that the bank should be able to present concrete evidence that it adheres to data processing principles, especially when there is a dispute with the data subject or with the supervisory authority.
Ultimately, the bank’s argument for the need to process data “just in case” found no justification in legal practice, setting an important precedent for other financial institutions and highlighting the importance of strictly adhering to GDPR rules. This decision underlines the necessity of thoughtful and responsible management of personal data by business entities, which must balance their operational interests with the legal requirements for personal data protection.
Source: ManagerPlus