Banks and entities providing mobile applications should prepare for possible inspections by the Personal Data Protection Office (DPA). We present the scope of potential inspections and tips on how to prepare below.

Following the approved sectoral inspections plan, the President of the Personal Data Protection Office intends to perform inspections, primarily in two areas:

  • processing of personal data by banks with respect to profiling personal data of customers and potential customers and the method of informing loan applicants about their creditworthiness assessment, in connection with article 70a of the Banking Law.
  • processing of personal data by entities providing mobile applications in terms of how to secure and share personal data processed in connection with the use of these applications by users.

The DPA stated that the areas of planned inspections are determined based on numerous signals such as complaints, questions and notifications of personal data breaches indicating that data protection laws are in danger of being violated. Moreover, there is an important public interest regarding such problems, which are also important from the point of view of the tasks performed by the supervisory authority.

In order to prepare for a potential inspection by the DPA, we recommend that banks check the following aspects of their personal data profiling operations: the legal basis of processing personal data of customers and potential customers, including the legal basis of automated individual decision-making, the wording of their privacy notice, compliance with the principle of data minimization, and how a data subject’s rights are exercised under article 70a of the Banking Law and article 22 GDPR.

As for the providers of mobile applications, we recommend that they check if technical and organizational measures are appropriate to ensure a level of security appropriate to the risk (article 32 GDPR) and ensure that they are able to present to inspectors measures used in mobile applications. When it comes to sharing personal data with other controllers, the providers should check, in particular, the wording of privacy notices prepared for users, and the legal basis of sharing personal data.