
GDPR - banks holding personal data after account closure


  • GDPR - banks holding personal data after account closure

    Hi,
    I closed my bank account last year and recently asked the bank to delete all my personal data in line with the GDPR - right to be forgotten.
    The bank have refused citing their internal 'retention policy'.
    My query is how long can a bank hold my personal data for under LAW and can I compel them to delete my personal data?
    I've asked the ICO for clarity on this issue but I'm guessing they are hugely overloaded.
    Thanks!


    Mods: if this thread could be in a better section, feel free to shift it.

  • #2
    Hello Hal,

    The right to erasure is not a right that you can apply to whatever you want; rather, it is more restricted.

    Strictly speaking refusing to erase your data on grounds that they have a retention policy is not a legitimate ground in itself and Article 17 of the GDPR sets out the exceptions where data processing may be necessary. For example, compliance with a legal obligation (financial for example) and to defend any claims you might bring are both reasons why your data may be held after your account has closed down.

    Their retention policy is likely to include these reasons but at the very least, the bank should either provide you with a copy of their retention policy or explain under what circumstances or reasons your data is being retained. Simply referring to the retention policy is not good enough because as I mentioned above, that is not a legitimate ground under the GDPR.

    That said, the bank should also consider whether the categories of data they retain are actually necessary or whether certain data could be erased earlier than others. As an example, your ethnicity and religion may not be necessary to retain if for example their purpose of retention is to issue or defend claims so it isn't as straightforward as one would think. However, a retention policy is generally considered a good starting point to retain data as long as that retention policy is clearly communicated to the data subject.

    Your best bet is to send a subject access request and find out what data they hold about you and you can then work out what may or may not be deleted. Ultimately, if you are not getting anywhere then it is a case of commencing legal proceedings.
    If you have a question about the voluntary termination process, please read this guide first, as it should have all the answers you need. Please do not hijack another person's thread as I will not respond to you
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    LEGAL DISCLAIMER
    Please be aware that this is a public forum and is therefore accessible to anyone. The content I post on this forum is not intended to be legal advice nor does it establish any client-lawyer type relationship between you and me. Therefore any use of my content is at your own risk and I cannot be held responsible in any way. It is always recommended that you seek independent legal advice.



    • #3
      If you go to your bank's website and look at their Privacy Policy, it should state the retention period. For example, this is from Natwest (https://personal.natwest.com/content...y-notice.pdf):

      Retention periods for records are determined based on the type of record, the nature of the activity, product or service, the country in which the relevant RBS company is located and the applicable local legal or regulatory requirements. We (and other RBS group companies) normally keep customer account records for up to six years after your relationship with the bank ends, whilst other records are retained for shorter periods, for example 90 days for CCTV records or 12 months for call recordings. Retention periods may be changed from time to time based on business or legal and regulatory requirements.
      All banks are required to maintain account records for at least 5 years (FCA Regulations) to protect against things like money laundering.



      • #4
        Thank you both for your response. To be fair, the bank did provide a copy of their 'retention policy' but I'm sure a request under Art 17 GDPR should take precedence over this internal document, allowing me to have my data deleted.
        The bank stated: "We'll erase your information in the following scenarios: 1.) If you've withdrawn that consent and we have no other legal basis on which to continue processing that personal information."
        I understand the banks should hold data for a certain time as required by FCA rules (FSMA2000), but these, too, are subject to the GDPR.
        Your thoughts?



        • #5
          If you look at Article 23 of GDPR, this overrides your rights because a bank has a legitimate interest to maintain personal data (prevention and investigation of criminal offences/taxation purposes).

          I'll give you a very simple example of why this is the case:

          A money launderer comes to the UK, opens a bank account with fraudulent documents, receives some international wires of very large sums and immediately sends those sums to another international account. He then closes the account and asks for the bank to delete all personal data under GDPR to remove all traces of his criminal actions.

          If the above scenario was allowed, GDPR would be facilitating criminals to break the law and avoid detection/prosecution.
          Last edited by AnotherLevel; 28th July 2018, 12:41:PM.



          • #6
            Article 17(3) says the following:

            Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

            (a) for exercising the right of freedom of expression and information;

            (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

            (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

            (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

            (e) for the establishment, exercise or defence of legal claims.
            (b) and (c) are what the bank would rely on, so Art. 17 already carves out certain exceptions where they do not have to comply with the right to erasure. As I mentioned in my first post, contrary to popular belief, there is no unilateral right to be forgotten.