The Office for Personal Data Protection handled the case of a bank customer who had submitted credit inquiries to a branch. The customer claimed that the processing of his data by the bank was unauthorized because no contract had been concluded with the financial institution.
The President of the Office for Harmonization in the Internal Market conducted administrative proceedings and found that there were no legal grounds for processing the client’s personal data and issued an administrative decision ordering the data to be deleted. The Voivodship Administrative Court, in its verdict of 28 September 2021, overturned the decision of the OFODO, indicating that in the case it had neglected to address the Polish Financial Supervision Authority as the competent authority in matters related to, among others, creditworthiness assessment and credit risk analysis, which according to the Voivodship Administrative Court was absolutely necessary. According to the GDPR, each supervisory authority acts independently when fulfilling its tasks and exercising its powers, and the Voivodship Administrative Court’s view compromises the independence and autonomy of the OFP.
The Office for Personal Data Protection expressed concern about the direction of the administrative court’s assessment of the application of the provisions of the Code of Administrative Procedure. A cassation appeal against the judgment of the Voivodship Administrative Court was filed with the Supreme Administrative Court.