# FSPO complaint - GDPR non compliance by bank



## cmalone (3 Dec 2018)

came across scenario where complaint lodged to FSPO and bank provides evidence from their files, that was not released / denied existed under Data Protection Act Request. 

How would the FSPO determine such a case ?


----------



## WhiteCoat (4 Dec 2018)

Hi cmalone,

I'm sorry I can't help with your specific query but it does seem a common enough theme for banks to have "lost" key correspondence or not provided all details under data disclosure. Personally, I am highly suspicious that this is just a coincidence.

I have two disputed loans - one of which has gone through the FSPO process, the other is still in the oven. Whilst I "won" the completed one, I found the FSPO staff well intended but weak.


----------



## cmalone (4 Dec 2018)

Agree with that analysis. Similar weaknesses with Data Protection Commissioner’s Office due to backlog of cases ... the bank’s know to ‘play the game’ and they can say what they want.. 

in this instance the bank’s management claimed to DPC that important documentation/ notes on file regarding customer instructions were temporary in nature (post its/ verbal messages) and were not available ... 

Fortunately the customer was able to show that the call centre staff actually sent emails to relevant departments per recorded calls and did not use post-it’s!


----------



## Metatron (28 Oct 2019)

cmalone said:


> Agree with that analysis. Similar weaknesses with Data Protection Commissioner’s Office due to backlog of cases ... the bank’s know to ‘play the game’ and they can say what they want..
> 
> in this instance the bank’s management claimed to DPC that important documentation/ notes on file regarding customer instructions were temporary in nature (post its/ verbal messages) and were not available ...
> 
> Fortunately the customer was able to show that the call centre staff actually sent emails to relevant departments per recorded calls and did not use post-it’s!



Hi cmalone,

What happened next, did the Bank get sanctioned?


----------



## cmalone (3 Nov 2019)

The process with ODPC and FSPO takes years. They are slow to act - possibly due this the large fees that pay their salaries from the banks. At each occasion when bank is proven to have intentionally misled the investigation, they simply claim that now the bank has corrected the error. Fortunately - one learns to be persistent


----------



## Metatron (3 Nov 2019)

cmalone said:


> The process with ODPC and FSPO takes years. They are slow to act - possibly due this the large fees that pay their salaries from the banks. At each occasion when bank is proven to have intentionally misled the investigation, they simply claim that now the bank has corrected the error. Fortunately - one learns to be persistent



Hi CMalone,
are are kidding me; it could not take years for the FSPO to adjudicate on a complaint, could it?


----------



## Leo (12 Nov 2019)

cmalone said:


> Fortunately the customer was able to show that the call centre staff actually sent emails to relevant departments per recorded calls and did not use post-it’s!



Just playing devil's advocate, but an audio recording stating an email was sent does not mean that record of that email still exists. How long ago are you talking about? Most companies will delete emails after the mandatory retention period unless they are explicitly archived.


----------



## cmalone (26 Nov 2019)

The requests for data were made in 2016 and follow up requests in 2017 , 2018 and 2019. The Data Protection Commissioner has been actively investigating case with bank since 2017 to present and can only obtain data on a piecemeal basis. The bank would have an internal communication system to communicate with staff regarding phone call follow up. This would typically be by internal system email etc.


----------



## Leo (10 Dec 2019)

cmalone said:


> This would typically be by internal system email etc.



I know in our place, most of that data gets wiped after the  retention period, but you'd be well within that only going back to 2016.


----------



## cmalone (19 Dec 2019)

The bank denied most data even existed. That’s the main issue


----------



## DeeKie (20 Dec 2019)

cmalone said:


> The bank denied most data even existed. That’s the main issue


What has the DPC done? You can now sue for failure to comply with data protection law without having to prove damages


----------



## cmalone (20 Dec 2019)

The ODPC are very slow. Maybe they are busy. The get replies from bank and send to me for comment. I comment and they send to bank. I get ‘drip fed’ with additional data - which the bank originally denied existed and then was ‘found’. I think the commissioner’s office is reluctant to investigate as the bank pay a big registration fee. I complained to ODPC and the case starts ab initio.


----------



## Thinktank (28 Feb 2020)

cmalone said:


> The ODPC are very slow. Maybe they are busy. The get replies from bank and send to me for comment. I comment and they send to bank. I get ‘drip fed’ with additional data - which the bank originally denied existed and then was ‘found’. I think the commissioner’s office is reluctant to investigate as the bank pay a big registration fee. I complained to ODPC and the case starts ab initio.


Any more happening  here?


----------



## cmalone (29 Feb 2020)

No progress with ODPC. They appear to be very busy. The bank already advised me of this and expect they are happy ... the ODPC refuse to treat all the requests as linked - the only reason I submitted additional new requests was based on the original request not being complied with. If the bank wants to hide data - it appears they can as evidenced from this and similar complaints to the ODPC.


----------



## Thinktank (2 Mar 2020)

Cheers


----------



## cmalone (2 Mar 2020)

By the time the FSPO considers my complaint - the relevant data- withheld-  will have been deleted in accordance with their retention policy. Handy


----------



## Thinktank (2 Mar 2020)

Wondering more about the release of information to third party received when making complaint to fpso?


----------



## Silverhillie (19 Apr 2020)

Anybody got an idea of how longs banks are obliged to retain documents


----------



## cmalone (2 May 2020)

Varies depending on financial product / service - typical 6 years.  -

it will be published in their particular privacy statement / data retention policy - but they can intentionally  not release some incriminating data as part of a gdpr / data protection request..,

when you pursue complaint via the ODPC of Fspo you might  be waiting forever before any case gets determined .,, and data may be actually destroyed / deleted or amended by bank during the period .. essentially bank can deny the record actually ever existed and tie you up in noughts


----------

