Case Studies Erasure

 

Retention of data by a bank relating to a withdrawn loan application

The complainant in this case had made a loan application to a bank. The complainant subsequently withdrew the loan application and wrote to the bank stating that they were withdrawing consent to the processing of any personal data held by the bank relating to the loan application and requesting the return of all documents containing the complainant’s personal data. In response, the bank informed the complainant that it had stopped processing all of the complainant’s personal data, with the exception of data contained in records which the bank stated it was required to retain and process under the Central Bank of Ireland’s Consumer Protection Code. The complainant was not satisfied with this response, and argued, in their complaint to this Office, that in circumstances where the bank had obtained the complainant’s personal data on the basis of the complainant’s consent, the bank was not permitted to continue to process these data on a different legal basis (i.e. processing which is necessary for compliance with a legal obligation to which the bank is subject). The complainant also argued that the continued processing by the bank of their personal data was for a purpose which was not compatible with the purpose for which the data were originally obtained, in contravention of data protection legislation.

This office established that the bank was identified as the relevant data controller in relation to the complaint, as it controlled personal data, which the complainant had provided to the bank when making a loan application. The data in question were personal data relating to the complainant (consisting of, amongst other things, a completed loan application form and supporting documentation) as the complainant could be identified from it and the data related to the complainant as an individual. This office was therefore satisfied that the complaint should be investigated to determine if a breach of data protection legislation had occurred.

During the course of the investigation of this complaint, this office reviewed the bank’s loan application form, which provided that, by signing the form, a person consented to the bank storing, using and processing their personal data for a range of purposes, including to process applications for credit or financial services. However, this office noted that the purposes for which the complainant had given their consent did not include processing for the purpose of compliance with the bank’s legal obligations generally, and specifically did not include the processing of the complainant’s personal data for the purpose of compliance with the Consumer Protection Code. Accordingly, this office considered that at the time of collection of the complainant’s personal data the bank did not claim to rely on consent as the legal basis for the collection and processing of the complainant’s personal data in order to comply with its legal obligations. Rather, this office considered that the bank could validly rely on the lawful basis that the processing was necessary in order to take steps at the request of the data subject prior to entering into a contract.

This office noted that where a loan application is subsequently withdrawn or unsuccessful and the bank does not enter into a contract with the applicant, the retention of personal data relating to the loan application can no longer be on the basis that the processing was necessary in order to take steps at the request of the data subject prior to entering into a contract, as there is no longer the possibility of entering into a contract with the data subject. As such, the bank identified a separate legal basis for the retention of the complainant’s personal data relating to the loan application, namely that this processing was necessary for compliance with a legal obligation to which the bank was subject.

This office noted that the Consumer Protection Code obliged regulated entities to retain details of “individual transactions” for six years after the date on which the particular transaction is discontinued or complete. This Office considered, however, that a loan application which is subsequently withdrawn or ultimately unsuccessful is not a ‘transaction’ for the purpose of the Consumer Protection Code. This office then noted that the Consumer Protection Code also obliged regulated entities to retain “all other records” for six years from the date on which the regulated entity ceased to provide any product or service to the consumer, including potential consumer, concerned. However, this office did not consider records relating to a loan application which is subsequently withdrawn to fall within the scope of this requirement under the Consumer Protection Code either. Accordingly, this office considered that it was not necessary for the bank to retain personal data relating to the complainant’s withdrawn loan application for the purpose of compliance with its legal obligations under the Consumer Protection Code, and considered that the bank had not identified a lawful basis under data protection legislation for the retention of the complainant’s personal data relating to their loan application.

 

Key Takeaway

  • Under Article 6 of the GDPR, data controllers must have a lawful basis for any processing of personal data. The available lawful bases include that the data subject has given consent to the processing of their personal data for one or more specific purposes, that the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, and that the processing is necessary for compliance with a legal obligation to which the data controller is subject.
  • Data controllers should note also that the processing of personal data for purposes other than those for which the personal data were originally collected is only allowed where the processing is compatible with the purposes for which the data were initially collected.