A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm).
The draft act contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.
Particular controversy has been caused by the government’s proposal to limit the scope of data on which the credit risk scoring may be based, to only those categories of data which are expressly indicated in the draft act. In its current version, the proposed data catalogue is limited solely to identification data, data concerning marital status and matrimonial regime, information about financial and work situation, as well as credit history.
Importantly, such limitation of the data catalogue excludes the possibility of using behavioral data (e.g. Internet habits, including behavior in social media) in credit scoring, which to date has been widely used.
At the same time, the current wording of the draft act excludes (but not expressly) the possibility of broadening the data catalogue, even with the credit applicant’s consent.
According to unofficial information gathered from the participants of the parliamentary commission’s debate, the government side is reluctant to agree to any revisions of the draft. If this information is confirmed, many banks and loan companies may be required to significantly modify their model of granting credits and loans. These changes may also affect other entities in the fintech industry.
The draft act is currently under first reading (out of three) in Sejm. Before adoption the draft act must be accepted by the upper house of the Parliament (Senat) and subsequently by the President.