
The Supreme Administrative Court confirmed: a bank cannot process data “just in case”
Potential future claims from a former client do not justify the processing of personal data by a bank when there is no longer a contractual relationship between the parties, the Supreme Administrative Court in Warsaw ruled. The Court upheld the position of the President of the Personal Data Protection Office and dismissed Bank Millennium's cassation complaint against the earlier judgment of the Voivodeship Administrative Court in Warsaw.
In its ruling on January 8, 2025 (case no. III OSK 4868/21), and previously by the Voivodeship Administrative Court in Warsaw (case no. II SA/Wa 607/20), the court agreed with the President of the Personal Data Protection Office that a bank cannot process personal data under Article 6(1)(f) of the GDPR to defend itself against potential claims from former clients. This stance was included in the supervisory authority's administrative decision, which ordered Bank Millennium to delete the data of a couple who had lodged a complaint with the President of the Personal Data Protection Office against the bank.
The President of the Personal Data Protection Office established that the bank continued processing its former clients' personal data despite their accounts being closed and their expressed objection to their data being processed for marketing purposes. The bank's continued processing of their data came to light when it sent them marketing correspondence.
The controller justified the continued processing of data by citing potential future claims from clients, relying on the legitimate interest of the data controller as its basis (Article 6(1)(f) GDPR).
However, the President of the Personal Data Protection Office determined that the bank’s rationale applies only to existing situations where the goal resulting from legitimate interests pursued by the controller is to prove, pursue, or defend against an actual claim. It does not extend to cases where data is processed purely as a precaution against potential and uncertain future claims. The supervisory authority concluded that the bank was processing the complainants’ data “just in case” to preemptively safeguard against hypothetical and indefinite claims. The President of the Personal Data Protection Office emphasised in its decision that processing personal data to avoid negative outcomes from a potential, unspecified future claim could result in permanent data processing without any obligation to delete it.
The President of the Personal Data Protection Office also found that the bank had failed to demonstrate any ongoing dispute with the individuals concerned that would justify the data processing under Article 6(1)(f) GDPR.
The Supreme Administrative Court upheld these arguments, noting that data processing based on a legitimate interest under Article 6(1)(f) GDPR is permissible only if three conditions are cumulatively met:
- The controller has specific purposes for which the processing of personal data is necessary.
- These purposes stem from “legitimate interests” pursued by the controller.
- The legitimate interests of the controller outweigh the interests or fundamental rights and freedoms of the data subject.
In its justification, the Supreme Administrative Court stated that in this case, the bank’s claimed purpose for processing—safeguarding its interests against potential claims by the complainants—was not substantiated, as no claims had been filed by the complainants.
The Supreme Administrative Court also recalled that, under the accountability principle, it is the responsibility of the data controller to establish the legal basis for processing personal data, as the burden of proof regarding compliance with data processing principles rests on the controller.
“In the event of a dispute with the data subject or the supervisory authority, the controller must be able to provide evidence of compliance with the principles,” the Supreme Administrative Court emphasized in its ruling. The court found that the bank had failed to demonstrate any valid grounds for processing the personal data of former clients after they had withdrawn their consent.