Eight basic consumer rights toward a bank, non-bank lender or comparison site.
Right of access (art. 15): request a copy of every piece of data the firm holds on you. The firm has 30 days to reply.
Right to rectification (art. 16): wrong data (address, a BIK delay entry) must be corrected.
Right to erasure (art. 17, "right to be forgotten"): request deletion after the contract ends, though it is not always granted, because the bank has a right to retain data for a set period (5 years after loan closure in BIK, 10 years for accounting rules).
Right to restriction (art. 18).
Right to data portability (art. 20): a structured export you can move to a competitor.
Right to object (art. 21): objection to marketing processing; the firm must stop.
Right to withdraw consent (art. 7(3)): whatever you agreed to, you can undo at any time.
Enforcement in practice. Write an email to the bank stating the specific right and citing the article. The firm has 30 days to reply. A refusal or silence is grounds for a complaint to the President of UODO (Personal Data Protection Office, uodo.gov.pl). UODO can fine up to 20 million euro or 4% of annual turnover. In practice Polish RODO fines usually sit at 20–500 000 PLN. Between 2018 and 2024 UODO issued about 100 million PLN in fines, mainly in finance and telecoms.
RODO and marketing. A bank may send you marketing only with your explicit, voluntary consent, ticked separately. It cannot bundle the marketing consent with the credit contract consent (an unfair practice UOKiK has fined many times). If marketing arrives without consent, you have grounds for a complaint. Note: a "pre-approved loan" offer on the bank's own site, when you are already a client, does not need separate marketing consent; it is part of the existing client relationship.
Frequently asked questions
Not fully. BIK data is held under a legal obligation (Banking Act), not consent. After a loan closes without delays you have a right to erasure. With delays — 5 years of mandatory retention.
Depends on the purpose. Transaction data: 5 years after contract closure (Banking Act). Accounting documents: 5–10 years (Accounting Act). Marketing: until consent is withdrawn. AML rules: 5 years.
In mode B Kreditano does not collect form-level personal data — only technical data (IP, browser) for statistics. Details in the Privacy Policy.