Case Studies Erasure

 

Erasure request and reliance on Consumer Protection Code

Following an unsuccessful application for a credit card, the data subject in this case sought to have their personal data erased under Article 17 of the General Data Protection Regulation (GDPR). When the erasure request was refused by the data controller, the data subject raised concerns with the DPC that their personal data was being unlawfully retained. The DPC engaged with the data controller in order to assess the reasoning for such refusal.

In response to the data subject’s initial erasure request, the data controller stated that, in line with provision 11.6 of the Consumer Protection Code 2012 and their Privacy Policy and Cookies Statement, they had a legal obligation to retain the information provided. The data controller went further to explain that the personal data provided in the application would be retained for a period of six years from the date on which the service was provided.

As part of its examination, the DPC engaged with the data controller and requested a response to the complaint. The data controller stated that they were relying on Article 6(1)(c) of the GDPR to retain the personal data whereby processing is necessary for compliance with a legal obligation to which the data controller is subject. The data controller in this case was also subject to the Consumer Protection Code 2012 (CPC). On this basis, the data controller relied on this lawful basis for the refusal of the erasure request. Under Article 17(3)(b) of the GDPR, a data subject’s right to erasure does not apply and may be restricted where the processing is necessary for compliance with a legal obligation.

For reference, the CPC is a set of rules and principles that all regulated financial services firms must follow when providing financial products and services to consumers and was published by the Central Bank of Ireland in compliance with section 117 of the Central Bank Act 1989. Under section 117(4) of the Central Bank Act 1989, it is an offence for a regulated financial firm to fail to provide the Central Bank with information to demonstrate compliance with the CPC.

Provisions 11.5 and 11.6 of the CPC require data controllers to retain the records of a consumer for six years after the date on which a particular transaction is discontinued or completed. The required records include but are not limited to: all documents required for consumer identification; the consumer’s contact details; all correspondence with the consumer; all documents completed or signed by the consumer. The data subject contested this reliance as no service was provided; therefore they were of the view they were not a consumer and as such felt the data controller had no legal right to maintain the personal data. The CPC defines a consumer and includes, where appropriate, a potential consumer. In addition to this, the data controller stated that when the data subject applied for a credit card, the consideration of the application and subsequent decision was deemed a service.

Under section 109(5)(c) of the 2018 Act, the DPC advised the data subject that within the meaning of the CPC they were classified as a potential consumer. As a result the data controller is legally obliged to retain the personal data for a period of six years. The DPC did not consider any further action necessary at the time of issuing the outcome.