Poland’s Supreme Administrative Court Rules: Banks and Credit Information Bureau Cannot Process Data of Individuals Who Did Not Sign Credit Agreements

The Supreme Administrative Court (NSA) has confirmed that banks and the Credit Information Bureau (BIK) have no legal right to process the personal data of individuals who applied for a loan but ultimately did not sign a credit agreement. The rulings (case numbers III OSK 1552/22 and III OSK 1877/22) conclude a multi-year dispute between financial institutions and the President of the Personal Data Protection Office (UODO), who had previously declared such practices unlawful.

Dispute Over Data of Rejected Applicants

The cases involved SKOK Stefczyka and Alior Bank, both of which refused to delete applicants’ data from their systems after rejecting their credit applications. In each instance, the banks had obtained data from BIK to assess creditworthiness but continued to store it after no agreement was signed.

The UODO President determined that once the creditworthiness assessment process ends, there is no longer a legal basis for further data processing. Although the banks and BIK appealed these decisions, the NSA fully upheld UODO’s position.

Alior Bank argued that data processing was justified under Articles 70, 105(4), and 105a(1) of the Banking Law, but the court ruled that these provisions only apply before, during, and after the execution of a credit agreement—not when no agreement is concluded.

“When a credit agreement is not concluded, there are no legal grounds for further processing of the applicant’s personal data,” the NSA stated.

The court emphasized that exceptions to data protection rules must be interpreted strictly and proportionally to their purpose. In this case, the sole purpose was assessing creditworthiness, which ends once the application process is complete.

GDPR Does Not Allow Data Storage “Just in Case”

Financial institutions also invoked Article 6(1)(f) of the GDPR, which allows data processing based on a “legitimate interest” of the controller, such as protecting against potential legal claims.

However, the NSA confirmed that this justification applies only to real, existing situations—not hypothetical ones. Data cannot be stored “for the future” without a clear, lawful purpose.

“Under the GDPR, it is impermissible to continue processing an applicant’s personal data for future or unrelated purposes when no explicit legal basis for such actions exists,” the court reasoned.

BIK Cannot Use Non-Client Data for Scoring Models

The court also rejected BIK’s argument that retaining such data was necessary for developing credit scoring models used to assess risk. The NSA ruled that allowing this practice would undermine the intent of Article 105a of the Banking Law, which explicitly regulates data retention for actual clients with signed agreements.

“Obtaining data at the loan application stage does not entitle a credit union or bank to store it after a loan has been denied,” the court concluded.

Implications: A Clear Message to the Financial Sector

The ruling establishes a clear precedent: financial institutions cannot build or maintain databases containing information about individuals who never became clients. Such data can only be processed during the credit assessment process and must be deleted immediately once the procedure ends.

For banks and credit unions (SKOKs), the decision means they must review their data processing policies and revise their cooperation practices with BIK. It may also impact credit scoring models across the financial sector, which until now may have relied on data from unsuccessful loan applicants.

Source: ceo.com.pl – Supreme Administrative Court: Banks and BIK Cannot Process Data of Individuals Who Did Not Sign Credit Agreements
