# GDPR (data disclosure) request from banks



## elacsaplau (26 Jul 2018)

Just wondering whether anyone has done or knows about a GDPR request with a bank.

The sort of thing I'd like to know is what information are you entitled to and specifically whether one has a right to access:
- E-mails
- The bank's file notes
- Drafts of letters

Thanks!


----------



## Mehaul (26 Jul 2018)

This should help

dataprotection.ie/docs/Making-an-Access-Request/1715.htm

Sorry - my forum account doesn't let me post working links


----------



## elacsaplau (27 Jul 2018)

Thanks Mehaul,

My reading - unless I'm mistaken - of the link provided is that it doesn't answer the questions in my post?!


----------



## Mehaul (27 Jul 2018)

I think it does to a large degree:

"The sort of thing I'd like to know is what information are you entitled to and specifically whether one has a right to access:
- E-mails
- The bank's file notes
- Drafts of letters"

"Under Article 15 of the GDPR, you have a right to obtain a copy, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any organisation. All you need to do is write to the organisation and request, under the GDPR, a copy of the personal data it holds in relation to you."

The only one that might be sketchy here is drafts of letters. If those drafts are held in a CRM system under your name, to the letter, I think you'd be entitled to copies. How enforceable / transparent it is that you've been given all the information is a whole other question.

If you scan some of the posts in this section of the forum you'll see some AIB members, whom the bank have said are in scope for compensation having requested copies of their documentation and the banks neglecting to send the critical pages containing clause 3.2 which establishes their right to have been offered a Tracker after the break in their fixed rate agreement. In these cases we all know they've not sent the full document set and know to call the bank out on it. 

How will you know you've been sent your full document set? How thorough will the bank be in trawling their corporate email archives, filing cabinets, document archive stores, CRM systems? And when being thorough could result in them finding documents that work against their commercial interests? 
This is where customers are at a distinct disadvantage. Unfortunately your average (or even above average) customer isn't as diligent as we could be in documenting all interactions in the event of a legal finding that works in our favour years after contracts are signed, if only we have the right supporting evidence.


----------



## elacsaplau (27 Jul 2018)

Thanks Mehaul,

I appreciate the time that you've taken to write.

The issue in question is that the bank has not provided e-mails, file notes and other data that it must have on its system.

Is it ok to complain to data commissioner directly at this stage - rather to explain the "oversight" to the bank in the first instance. [Read: the belief is that the omission is deliberate]


----------



## SaySomething (27 Jul 2018)

The commissioner will only direct you back to the bank to try and resolve it before they investigate. Write to the bank and give them a reasonable amount of working days to forward the missing documents to you. If you have dates/times/sender information that would also assist with the search.
If they haven't provided the information to you within say 10 working days then enter into the formal complaint process.


----------



## elacsaplau (27 Jul 2018)

SaySomething said:


> If you have dates/times/sender information that would also assist with the search.



Thanks SaySomething.

I know that you are being helpful and I know that I can be awkward!! The reason for the data disclosure request is because I want to see all relevant bank records. I suspect that somewhere in this pile, there will be data of interest/benefit to me. It could be, for example, an internal e-mail between two bank colleagues. I have no way of knowing such dates & times & senders. The point being that I am not asking the bank to supply me with specific information - I am asking them to supply all information.

For example, the pack I got had no e-mails - zero, nil. This is simply not credible - as I myself have sent them many e-mails!  My sense is that I should write to the bank and cc the data commissioner. There is a clear issue with the bank's compliance with the GDPR - in my opinion, they have either deliberately not supplied relevant information or they haven't put in place sufficient procedures to ensure that data request are dealt with properly. Either scenario isn't great by the bank - hope the Data Commissioner isn't as rudderless as the CBI in knocking the bank's into shape!!

It will be interesting to see what happens!!


----------



## notabene (27 Jul 2018)

I'd made a data request in 2015 and I've made another one there this evening - I want to see what additional information is being held over the last number of years.


----------



## TrackerThieves (27 Jul 2018)

elacsaplau said:


> Thanks SaySomething.
> 
> I know that you are being helpful and I know that I can be awkward!! The reason for the data disclosure request is because I want to see all relevant bank records. I suspect that somewhere in this pile, there will be data of interest/benefit to me. It could be, for example, an internal e-mail between two bank colleagues. I have no way of knowing such dates & times & senders. The point being that I am not asking the bank to supply me with specific information - I am asking them to supply all information.
> 
> ...


I have done a subject access request on my account and similar to you i wasn't sure exactly what i was looking for. After going through all my documents i was able to piece it all together and figure out exactly what i was looking for. I made further specific requests for phone call recordings, missing documents and copies of internal e-mails. This was with AIB/EBS through their Subject Access Request team(even thought a lot has been missing S.A.R. team have been very quick and helpful). Not sure what bank you are with but worth checking if your bank have a similar department.

They also sent me a list(as they noticed it wasn't in with my data request) of all correspondence including all calls, documents and internal e-mails with dates and times.


----------



## elacsaplau (28 Jul 2018)

Thanks Notabene and TrackerThieves,

TT - different bank and very different approach!

As a matter if interest - which calls were recorded - were these calls to "call centres" or calls to the local branch?

Also - did the internal e-mails at the bank show drafts of letters - i.e. here is a draft of a letter that I propose sending to X, can you review please?

Thanks again


----------



## TrackerThieves (30 Jul 2018)

elacsaplau said:


> Thanks Notabene and TrackerThieves,
> 
> TT - different bank and very different approach!
> 
> ...


all my calls were to or from the arrears support unit, the internal e-mail i received was just a single page there, it was  just a response to a rate query between 2 ebs employees

Taken from the code of conduct on mortgage arrears 2013
RECORDS AND COMPLIANCE 
61. A lender must be able to demonstrate to the Central Bank of Ireland that it is in compliance with the requirements of this Code. 
62. A lender must maintain full records of all the steps taken, and all of the considerations and assessments required by this Code, and must produce all such records to the Central Bank of Ireland upon request. 
63. A lender must maintain records of all communications with borrowers in mortgage arrears and in pre-arrears. Such records must be readily accessible and capable of being reproduced in legible form and in a timely manner. Such records may include contemporaneous notes of meetings.
64. A lender must maintain recordings of all Arrears Support Unit telephone calls made to or from a borrower in relation to his/her arrears or pre-arrears. 
65. All records required by, and demonstrating compliance with this Code, must be retained by the lender for six years. In addition, all records relating to a borrower must be retained for six years from the date the relationship with the borrower ends.


----------



## elacsaplau (30 Jul 2018)

Thanks TT,

Anyone know where I can see guidance notes / details of the data a provider can legitimately not disclose?


----------



## elacsaplau (3 Aug 2018)

Just "bumping" this of the of-chance that someone can answer the question in my previous post!


----------



## stefg (3 Aug 2018)

I think this short [broken link removed] from Helen Dixon ( Data Protection Commissioner for Ireland) may answer some of your questions.


----------



## cmalone (3 Aug 2018)

Similar issue to poster here -made access request (section 4) in 2016 and again in 2017 to Bank of Ireland.  Received letter to say they were closing accounts on receipt of original request in 2016. 

Eventually they provided some bank statements and previous application forms at opening of accounts. Complained to DPC and it’s still there over 8 months later. The bank have not responded to the DPC investigator and the DPC staff appear to be overworked.

Complained to FSPO in 2016 and the bank readily produce items of data that were not provided previously. The bank intentionally is not providing relevant data in an attempt to compromise my FSPO case...


----------

