Data must not be kept longer than needed

Your ‘right to be forgotten’ and how it applies to banks

Central to what some call the ‘right to be forgotten’ is the idea that personal information should not be kept for longer than needed. It also recognises that an individual has the right to request that their personal information is erased. The holder must then either erase it or provide them with a good reason why this won’t happen.

What counts as a good enough reason? One example is that the information is needed to supply a service that a customer still wants or needs. For example, it’s not possible to provide a banking service for a person and at the same time erase all their personal information from the bank’s systems. Another is that the holder may be required by laws or regulations to keep personal information for a set period before it’s erased. This is the case for banks – there are strict rules about the records banks must keep.

For example, banks must hold financial records to help fight crimes such as fraud, money laundering, or terrorism. In connection with banks it’s misleading to think of a simple ‘right to be forgotten’. You have a right to request personal information to be erased, and for this to be carried out, or to be given a satisfactory reason why it can’t be.

Our privacy notice


This sets out how we protect your privacy. It covers the personal information that we have, where we get it, how we use it and who we share it with.

View full privacy notice