GDRP right to erasure / be forgotten & banks 6/7 year silo term

[bluesy]

Hope y'all well

When I close a bank account I'm in the habit of requesting a a) data subject access request (DSAR) and b) right to erasure / be forgotten (RTE) - both under GDPR

The DSAR is no issue

The RTE is more of an issue because most/all banks say they must keep data for 6/7 years for legal reasons. I have no legal knowledge so can't really contest this.

Does anyone (i.e. legal or not) have any info they'd be able/willing to share on this topic?

I've planned to follow up with banks after 6/7 years for the past decade but keep forgetting (6-7 years is a long time to remember but I suppose I should be more organised since it's easy to set a reminder somewhere )

 

[bluesyeddie]

@bluesy Yes, banks are legally required to keep some information on you, along with companies that deal with things like insurance etc. - another example is past employers also need to keep data on you, for a while.

Almost all of these are doing so because they have to be able to prove 'compliance'. They have to be able to prove they aren't/weren't breaking rules or regulations they were supposed to be following (e.g. right to work in the UK for an employer). For banks etc. those regulations have been developed over the years to help combat fraud and other financial crime.

The GDPR rite to erasure isn't a catch-all 'you can't know anything about me anymore' - it just means companies need to have a justifiable reason to keep information about you, and that they need to do so in ways that means only appropriate people can access that data.

 

[bluesy]

@bluesyeddie