RODO / GDPR

Definition. RODO (Rozporządzenie Ogólne o Ochronie Danych) is the Polish name for the EU GDPR (Regulation 2016/679), governing the processing of personal data of EU citizens from 25 May 2018. In Poland it is supplemented by the Personal Data Protection Act of 10 May 2018. It imposes duties on companies and grants rights to consumers.

Eight basic consumer rights toward a bank, non-bank lender or comparison site. Right of access (art. 15): request a copy of every piece of data the firm holds on you; the firm has 30 days to reply. Right to rectification (art. 16): wrong data (address, a BIK delay entry) must be corrected. Right to erasure (art. 17, "right to be forgotten"): request deletion after the contract ends, though this is not always granted: the bank has a right to retain data for a set period (5 years after loan closure in BIK, 10 years for accounting rules). Right to restriction (art. 18). Right to data portability (art. 20): a structured export you can move to a competitor. Right to object (art. 21): object to processing for marketing, and the firm must stop. Right to withdraw consent (art. 7(3)): any consent you gave can be withdrawn at any time.

Enforcement in practice. Write an email to the bank stating the specific right and citing the article. The firm has 30 days to reply. If it refuses or stays silent, file a complaint with the President of UODO (Personal Data Protection Office, uodo.gov.pl). UODO can fine up to 20 million euro or 4% of annual turnover. In practice Polish RODO fines usually sit at 20–500 000 PLN. Between 2018 and 2024 UODO issued about 100 million PLN in fines, mainly in finance and telecoms.

RODO and marketing. A bank may send you marketing only with your explicit, voluntary consent, ticked separately. It cannot bundle the marketing consent with the credit contract consent (an unfair practice UOKiK has fined many times). If marketing arrives without consent, you have grounds for a complaint. Note: a "pre-approved loan" offer on the bank's own site, when you are already a client, does not need separate marketing consent; it is part of the existing client relationship.

Frequently asked questions

Can I erase myself from BIK under RODO?

Not fully. BIK data is held under a legal obligation (Banking Act), not consent. After a loan closes without delays you have a right to erasure. With delays — 5 years of mandatory retention.

How long does the bank keep my data?

Depends on the purpose. Transaction data: 5 years after contract closure (Banking Act). Accounting documents: 5–10 years (Accounting Act). Marketing: until consent is withdrawn. AML rules: 5 years.

Does Kreditano keep my data?

In mode B Kreditano does not collect form-level personal data — only technical data (IP, browser) for statistics. Details in the Privacy Policy.