GDPR: Are our mails and recorded phone calls really going to be erased from bank archives, if requested?
2018.05.10. 08:00 | News
In our 4-part series of articles, we only discussed bank databases concerning the news on GDPR. But what about our paper mails, e-mails or recorded customer service calls, if we request to erase our data? This is the third and final part of our discussion with Bancard Ltd. expert Gabriella Tóth-Haász.
Péter Homa, Bankkártya.hu (BKHU): - I received bank statements with zero balance for months or even a year from another bank account, despite the fact I had terminated all legal relationships with the bank months before. So, no such instance will be expected in the future. If a client breaks off contact with the bank, does he/she need to state specifically to allow them to retain the personal data, or does he/she need to state the request to erase the data?
Gabriella Tóth-Haász, Bancard Ltd. (H.G.): - Clients do not need to request it specifically. If the bank does not have the legal claim that allows it to retain these client data, it has to erase them and failing to do so can make it liable to punishment for illegal data management. Therefore, it is not the client’s responsibility to go to a bank and request his/her data to be erased, if the relationship is terminated with the bank.
BKHU: - Does an e-mail address or a phone number count as personal data?
H.G: - Yes.
BKHU: - In this case, what if a client sent a paper-based letter or an e-mail or has a recorded phone call at the customer service? How does it go? Do they look through all the paper-based letters and shred them, or delete all the e-mails and the recorded phone calls from the system?
H.G: - Banks need to look for a legal claim for each data management process that allows them to legally handle the data, and if they find one, they don’t have to erase it. The regulation mentions several legal claims here: if, for example, data needs to be handled regarding a statutory basis or compliance with a contract in force, including warranty period, although it is uncommon at banks, then the data or customer service phone calls can be retained for this period. When the bank has no relationship with the client and no statutory basis requires data management, then it can retain the data only with a data protection ID and only for statistical purposes.
BKHU: - So banks can retain the client’s personal data for tax or accountancy laws?
H.G: - Yes, in addition, it’s not a right but an obligation.
BKHU: - So account data can probably be retained for eight years.
H.G: - Yes, according to the Accountancy Act, analytic and particularized records by which the invoicing to a natural person takes place (e.g. bank charge) must be retained for eight years by anyone who sold the product or service. The client cannot object to this type of data management. This has to be erased after eight years.
BKHU: - What else does the GDPR regulation apply to that is new?
H.G: - The GDPR regulation applies not only to products or providing services or data management stored in IT systems but also to data and documents stored in HR systems handling the data of colleagues. That is, data management is also relevant concerning bank employees. This is not primarily a legal issue, despite the fact that those who deal with this tend to handle GDPR as a legal issue. GDPR, however, is about the interconnection of business processes, IT systems and legal compliance. Furthermore, people should not sit back after May 25th, 2018 in case of GDPR because the constant change of data management processes leads to additional tasks, even if not as many as the preparation did. So, they can’t avoid these tasks in the future either.