The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Disclosure to a bank by a credit referencing agency – adequacy of information supplied by the bank when making enquiry – how the credit referencing agency dealt with the enquiry

A data subject made an access request to a credit referencing agency. The material provided to her in response to this access request indicated that details of her credit standing had been accessed by a financial institution with which she had never had any dealings. She complained against that financial institution to me.

My investigation established that the financial institution had made an enquiry to the credit referencing agency about an individual seeking a loan who had a name and address similar to those of the complainant. When the credit referencing agency gets such enquiries, it searches its database for people with names and addresses similar to those of the person about whom the enquiry has been made. It has been suggested to me in the past that, because people do not always use the same forms of their name and address, this practice is necessary to give an adequate response to lenders who use their service.

However, in this particular case I found that the institution making the enquiry had given very specific details (including the date of birth) in respect of the person in whom they had a legitimate interest. This should have been enough to establish that the woman who complained to me could not have been the same person in respect of whom an enquiry was properly made. While this case has not yet been finalised I am likely to conclude that that there has been a contravention of the Act not, as the complainant has alleged, by the financial institution that obtained information about her but by the credit referencing agency. The relevant provision of the Act is section 2 (1) (c) (ii) - data shall not be used or disclosed in any manner incompatible with the purpose or purposes for which they are kept.