12

I will shamefully admit that it was only in the year 2021 that I finally built my own bookkeeping system. Yes, I should have done it 10-20 years ago, but I didn't. So now I'm in this situation:

First of all, I logged in to my bank (Nordea in Sweden) and discovered that it now only supported dumping data from not very long ago at all. I think it was just a couple of years, or even months. So I contacted them.

They responded that they "will not" give me any data that is older than 10 years, but that I can exploit a secret bug (yes, they actually said this...) on their website to basically ignore multiple error messages and force their website to keep feeding me data, until it hit 10 years back. That's when it stopped feeding any data, so I dumped the CSV and exported it into my own local database.

So now I have all my bank transactions between the first day of 2009 up until today. (Yes, that "10 year" limit was slightly off, so you clearly cannot trust a single word they or their website claims...)

I also tried to analyze the JSON data blobs and modify the requests to fetch older data, but it just displayed error messages then.

But obviously, the bank does have all my old transactions in their real database. I don't believe for a second that they have actually thrown it away, or that they ever will.

So why won't they give it to me? They didn't state a reason, and I kept asking repeatedly in different ways, but they consistently just told me that data older than 10 years isn't available, or some cryptic sentence like that. They didn't explicitly mention it, but many other companies keep using this stupid "GDPR" nonsense as an excuse to not give me their data, and perhaps this is somehow related to this.

But still. This is my own data. Not the data of somebody else. It's my personal bank account, and I'm logged in securely to prove my identity. I'm not asking for this via e-mail!

Clearly, they are unwilling to hand it out, but is there some way for me to force them to do so against their will? That is, without "going to court".

It really annoys me that I don't have a full transaction history to analyze. Can they be forced/persuaded?

PS: I've even offered to pay them money for it, but even if you pay them, the time limit is still "10 years".

ti7
H Salvas
  • Why do you consider this "my own data"? This is the bank's data of transactions that concern your account. – doneal24 Dec 17 '21 at 17:34
  • Why would they “obviously” have your data more than ten years old? I'm actually surprised they have that far back. – RBarryYoung Dec 17 '21 at 20:41
  • @doneal24 Because Europe: "The data subject [i.e., the OP] shall have the right to obtain from the controller [i.e., the bank] confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data". Polygorial helpfully linked to Art. 15 GDPR containing that sentence. "Ownership" is a fuzzy word; "access" (what the OP wants) is pretty clear. – Peter - Reinstate Monica Dec 17 '21 at 20:52
  • I'm not understanding what's "shameful" about not having your own bookkeeping system. The vast, vast majority of people do not have their own bookkeeping systems with decades of transaction history or ever need to account for how much they spent for lunch on February 3rd, 2002. Focus on creating the system you need to help you make financial decisions going forward, not decades-old transactions. – Zach Lipton Dec 17 '21 at 20:53
  • It's possible that 10 years is the statutory limit of how long they must keep the data, e.g. for tax or other legal reasons (money laundering). I must keep my tax-relevant receipts and invoices for 10 years as well, because that's the statute of limitations for tax fraud. But other, conflicting principles like the Datensparsamkeit ("data frugality" -- only store what's strictly necessary) from the Bundesdatenschutzgesetz may apply as well. – Peter - Reinstate Monica Dec 17 '21 at 20:59
  • Why is it always Nordea? https://money.stackexchange.com/questions/118609/how-can-i-access-basic-nordea-bank-account-data-e-g-balance-after-they-disabl – Bernhard Döbler Dec 17 '21 at 22:42
  • Consider they may have switched internal systems at some point and only migrated the data up until they met legal demands. This could easily explain the 2009 limit. – Sebastiaan van den Broek Dec 18 '21 at 01:18
  • Frame challenge: do you even actually need more than 10 years' worth of transaction-level logs? Assuming there's some yearly paperwork for taxation purposes and year-level aggregate financial statements for companies there. What does the law require out there? – ilkkachu Dec 18 '21 at 09:36
  • @SebastiaanvandenBroek But this is a law question. The question isn't "is it hard for them to give me the data?", it's "can I use the law to force them to give me the data?". – JBentley Dec 18 '21 at 15:56
  • @JBentley Sure, but I think the answers already pointed out well enough that the banks aren't required to keep that data around forever. Then the seemingly arbitrary 2009 still needs to be explained. – Sebastiaan van den Broek Dec 18 '21 at 16:01
  • @SebastiaanvandenBroek It makes absolutely no difference whether or not the controller is required to keep the data. If they have kept it, then you have the right to access it even if they didn't need to keep it. If they haven't kept it then there is obviously nothing to access, but then that would again not be a question of law. The answers talking about businesses not needing to keep data are not answering the question, correct though those answers may be. Note that in this case, the bank clearly does have data older than 10 years. – JBentley Dec 18 '21 at 16:03
  • This is why they send you an annual statement. The onus is on you to keep a copy of that data, if you require it. – spikey_richie Dec 20 '21 at 16:08
  • @spikey_richie No, the onus is on the data controller to provide a copy of it if they still have it. That's one of the main rights that data subjects have under the GDPR. – JBentley Dec 21 '21 at 01:05
  • @JBentley "if they still have it." That's the key statement. – spikey_richie Dec 21 '21 at 08:13
  • You should ask yourself whether you really need these old data. 3 years ago (2018), I was in a similar situation: I started to improve my financial situation by using a bookkeeping system. And I entered all data I had immediate access to. That is, back to 2015 or 2016. I would have entered more data if I had them, but I didn't.

    Of course, I could have asked the banks to really give me all they had, but why? I cannot change the past, I can only improve my financial behaviour. And that's what I achieved.

    – glglgl Dec 21 '21 at 09:29
  • @spikey_richie No, it's not the key statement, because this is a law question. If they don't have it, then there is no question of law. Implicit in the question is the presumption that we're talking about a controller who has the data. E.g. if you ask "Is it illegal to murder someone?", the answer in law is "yes", not "it depends whether you murdered someone". – JBentley Dec 21 '21 at 15:53

4 Answers

43

Businesses only keep transaction data for as long as they have to

For a live loan account they will keep transactions while the account is live and then for as long as local law dictates (it varies, but 7 years is typical). For transaction accounts it will generally be only for as long as required by law - typically what is required by tax law (again, 7 years is typical) or as long as you can sue them under statutes of limitations (2-5 years). Banks (and other businesses) do not keep records indefinitely.

10 years seems more than necessary.

Dale M
  • I agree that this is probably the answer, except that it's missing the actual answer part, i.e. saying "They probably don't have it". I think it would improve the post to state that explicitly. (Just my opinion) – David Z Dec 17 '21 at 22:33
  • Your answer is not wrong but it's only a half truth. Businesses do what they are required to do and what is necessary to keep clients. In Germany banks offer the minimum because the competitors are as miserable as them, but in Poland, my bank offers me full history for free because others offer the same. Being worse equals losing clients. –  Dec 17 '21 at 22:40
  • Keeping data and keeping it in a way that is easily extracted are two different things. The historical records are most likely stored in incremental archives and getting at them would only happen if necessary. – Nelson Dec 18 '21 at 05:03
  • Now what profit-maximizing entity will discard a massive database? They have the data, they just can't be bothered to fetch it for their client, but they will know how to fetch it if they suddenly find a profit in it. – PatrickT Dec 18 '21 at 06:03
  • @PatrickT Databases are both assets and liabilities. The storage cost is minimal, but from time to time hackers illicitly obtain copies of databases. At some point after that, the victim organization will have to "do something" like pay for "credit monitoring" for the affected individuals. If the old data has minimal value (can knowledge of my shopping decisions over 10 years ago really be monetized?) then it makes business sense to discard old data. – emory Dec 18 '21 at 15:09
  • @PatrickT OP is in a GDPR jurisdiction. In order to process data (which includes keeping data), you need one of the 6 lawful bases in Article 6(1). Many of those bases will increasingly begin to expire as time goes on. Most businesses will find they need to discard data at some point under the GDPR. Finding a lawful basis for 10 year old data, in the absence of consent, is likely to be challenging. – JBentley Dec 18 '21 at 15:54
  • It's quite possible that they switched to a different core (database) around 10 years ago and the older transactions were never in the new system. They would have to get older transactions from the old system if it's still online. If by exploiting the "bug" you're able to get exactly ten years of history it's more likely they're purging data older than ten years for the reasons stated above. Having worked on such systems I would say it's more likely they can't / don't know how to access the data. – Patrick McElhaney Dec 20 '21 at 00:18
18

According to GDPR, they are required to delete data when there is no longer a legal reason to keep it. It would be madness to do this manually. There will be automatic processes going through the databases and deleting data when the documentation requirements have expired. Certain information will have to be kept for a very long time, like inactive accounts with a positive balance. Other information has no such requirements.

o.m.
  • This is most probably the correct answer. Data older than this year + 10 years are purged from the databases; they are big enough anyway. There are no legal or business requirements to keep them; on the contrary, there are some legal requirements to actually remove them. There exists a specific procedure to move inactive accounts with a positive balance to a specific category, but it is quite man-power intensive and possibly not done every year. (Source: working experience from the Swedish bank SEB, might not exactly match Nordea's procedures). – ghellquist Dec 18 '21 at 09:22
  • @ghellquist "There are no legal or business requirements to keep them" There is a business reason to keep them, because more data means better machine learning. – nick012000 Dec 18 '21 at 11:51
  • @nick012000 You might of course have a point there. But ponder some millions of salary accounts. Most of the time salary arrives at about the 25th each month. By the first of the month a large part of the money has left for fixed costs such as rent, utilities, perhaps a bit for the savings account. Mean balance a few hundred dollars. This pattern has not really changed and does not need any great AI system to be deduced. And things are changing; spending is moving almost exclusively to cards (very little cash used). Add to that: Nordea is a merger of a bunch of banks and is updating its IT systems. – ghellquist Dec 18 '21 at 12:47
  • @nick012000, that's not a valid reason under GDPR unless the customers all gave their informed consent, in writing, to have their financial data used for machine learning specifically. Data may only be used as required by law, or for the fulfillment of the original business purpose, or as consented to by the customer. – o.m. Dec 18 '21 at 13:11
  • @o.m Your last comment is wrong. Consent is just one of the 6 lawful bases under Article 6(1). You can process data without consent if one of the other bases applies. Furthermore, a business reason is itself one of the lawful bases (the correct name being "legitimate interests") under Article 6(1)(f). Establishing its existence can be tricky (and especially so for 10+ year old data), but it has nothing to do with consent, and it's certainly not impossible to establish it, even for old data. Context matters. – JBentley Dec 18 '21 at 16:01
  • @JBentley, that's what I was trying to tell with the second sentence of my comment. The key here would be the original business purpose -- one cannot simply take old data to mine it for new insights. – o.m. Dec 18 '21 at 16:35
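As an added example (not code from the thread, from Nordea, or from any bank), this is the shape of the automatic retention purge o.m. describes and ghellquist's "this year + 10 years" cutoff, including the carve-out for inactive accounts with a positive balance. The rules, windows, account and transaction records, and the fail-safe for orphaned rows are all constructed assumptions for illustration.

```python
"""Constructed retention-purge planner: decides keep/purge per transaction and
emits an audit trail. Every rule and record here is an assumption, not a real
bank's policy."""
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 10   # assumed statutory window; the thread quotes "10 years"
DORMANCY_YEARS = 3     # assumed: no activity for this long makes an account "inactive"
TODAY = date(2021, 12, 17)  # constructed run date (the day the question was asked)


@dataclass(frozen=True)
class Account:
    account_id: str
    balance_cents: int
    last_activity: date   # most recent customer-initiated transaction


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    account_id: str
    booked: date
    amount_cents: int


def retention_cutoff(today, years=RETENTION_YEARS):
    # Whole calendar years, as in ghellquist's "this year + 10 years": a run in
    # 2021 treats everything booked before 2011-01-01 as outside the window.
    return date(today.year - years, 1, 1)


def is_dormant_with_balance(acct, today):
    # The carve-out o.m. mentions: an inactive account that still holds money keeps
    # its history, because the bank must still account for that balance.
    return acct.balance_cents > 0 and acct.last_activity < date(today.year - DORMANCY_YEARS, 1, 1)


def decide(tx, acct, today):
    """Return ("keep" | "purge", reason) for one transaction."""
    if tx.booked >= retention_cutoff(today):
        return "keep", "inside retention window"
    if is_dormant_with_balance(acct, today):
        return "keep", "legal hold: dormant account with positive balance"
    return "purge", "retention window expired"


def plan_purge(transactions, accounts, today):
    """Split transactions into (keep, purge, audit_lines). A row whose account is
    unknown is kept, never purged: a deletion job must fail safe, not fail open."""
    by_id = {a.account_id: a for a in accounts}
    keep, purge, audit = [], [], []
    for tx in transactions:
        acct = by_id.get(tx.account_id)
        if acct is None:
            verdict, reason = "keep", "no account record: refusing to purge blind"
        else:
            verdict, reason = decide(tx, acct, today)
        (keep if verdict == "keep" else purge).append(tx)
        audit.append(f"{today.isoformat()} {verdict.upper():5} {tx.tx_id} "
                     f"account={tx.account_id} booked={tx.booked} reason={reason}")
    return keep, purge, audit


# Constructed sample data: one active account, one dormant-with-balance, one dormant-and-empty.
ACCOUNTS = [
    Account("A1", 12_345, date(2021, 12, 1)),
    Account("A2", 50_000, date(2012, 5, 3)),
    Account("A3", 0, date(2010, 1, 9)),
]
TRANSACTIONS = [
    Transaction("t1", "A1", date(2009, 1, 2), -4_500),      # old, active account -> purge
    Transaction("t2", "A1", date(2015, 6, 30), 250_000),    # inside window -> keep
    Transaction("t3", "A2", date(2008, 3, 14), 50_000),     # old, dormant w/ balance -> keep
    Transaction("t4", "A3", date(2009, 11, 20), -1_000),    # old, dormant and empty -> purge
    Transaction("t5", "A9", date(2005, 2, 1), 10),          # orphan row -> keep (fail safe)
]

if __name__ == "__main__":
    kept, purged, log = plan_purge(TRANSACTIONS, ACCOUNTS, TODAY)
    print("\n".join(log))
```

Run as a script it prints one audit line per transaction; a real job would write those lines to an append-only log before issuing any DELETE, so the purge itself is reviewable later.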
6

But obviously, the bank does have all my old transactions in their real database. I don't believe for a second that they have actually thrown it away, or that they ever will.

"Belief" gets you in trouble! I win in court because I am able to view my chances of success dispassionately. I know more than my adversary about my chances of winning - if I won't win, I don't let it become a lawsuit.

You have a losing case here. Your belief that they have all your data forever is not realistic. I bet if you pull your paper statements, which you saved of course, you will see that there was a subtle or not-subtle change in the statement format. That's because they changed systems: Occam's Razor.

And a big part of the system change was the ability to generate the data you are enjoying now.

Typically banks keep data that old in archival storage. Often, offsite storage e.g. at an Iron Mountain facility (commonly an old mine). Getting it out of there would be a huge production in any form, and probably not the format you want.

Expect paper, because that is what satisfies courts. Judges can read paper, they can't read a CSV.

JBentley raises an interesting point about GDPR which likely means the old data has been destroyed utterly. GDPR does indeed require the bank share with you any information they have. This creates a perverse incentive for the bank. They don't need to provide under GDPR any data they don't have.... so it is in their best interest to destroy any data they don't need. So they write a businesswise-reasonable "data retention policy". Companies will keep data forever if it's cheap to do so; that would apply to data in their current system. But for data that lived on a pre-2009 legacy system they're spending millions to maintain, no way. That was taken out of service as soon as it was no longer needed to meet retention windows, e.g. if the retention window is 10 years, they had a bonfire in 2019.

Harper - Reinstate Monica
  • I suspect you are not within a GDPR-applicable jurisdiction. In such jurisdictions, if the data controller has the data, then you have the right to it. Unless an exemption applies to the controller then you have a pretty straightforward case. E.g. in England you can complain to the ICO which has the power to make a binding order, or you can obtain a compliance order under s 167 of the Data Protection Act 2018. It's hard to lose such a case, because there are usually no complicated points of law or clever defence arguments. – JBentley Dec 18 '21 at 15:41
  • If the controller still ignores the request after an ICO or court order, then (judging by historical cases) they are likely to face crippling fines. In the EU version of the GDPR, those can be up to the higher of 20,000,000 EUR or 4% of turnover, under Article 83(5). Obtaining a box out of an offsite storage facility might start to look like quite an attractive proposition at that point. – JBentley Dec 18 '21 at 15:44
  • @JBentley The problem is, a) the bank doesn't have it in a format that would satisfy OP. And b) you don't understand unintended consequences. If they make a rule that says "you must share all data you have", then people respond by deleting all data they don't need. Any old data they might have had in obsolete and expensive-to-access formats (like microfiche) would be intentionally destroyed ASAP. – Harper - Reinstate Monica Dec 19 '21 at 23:52
  • This is 100% the right answer. I have done a lot of data transfers/conversions over the years. If you don't have a business reason to transfer the old stuff, you don't. In the case of a banking system, it is quite possible they transferred only 1 year of data - sometimes even less! Then you maintain "old and new" in parallel - with old being basically read-only - until enough time (e.g., 7 years) has passed and then get rid of the old system. All of a sudden you go from (making up dates) having data from 1990 - 2008 + 2009 - present (say 2016 at the time) to only having 2009 - 2016. And then – manassehkatz-Moving 2 Codidact Dec 20 '21 at 02:24
  • the database keeps growing. The last time someone asked was in 2019 so the answer was "10 years". Now it is 2021 so it is really 12 years, but the person answering the question doesn't even realize it isn't "10 years with automatic delete of old stuff" but rather "2009 to present, until we switch systems again". For those not in the IT world, the issue is not (for many years) storage space. It is maintenance cost of old systems - old hardware and OS that may not be easily replaceable, security issues (especially in banking), compatibility with new technologies (e.g., Zelle, PayPal, etc.). – manassehkatz-Moving 2 Codidact Dec 20 '21 at 02:27
  • This answer is right - companies are indeed best off deleting old data. This is intentional. In a hypothetical lawsuit, the bank will have no problems with "missing data". It was destroyed per EU guidance. – MSalters Dec 20 '21 at 10:23
-3

Make them an offer they can't refuse

They may indeed have the data, but it is unlikely to be handy. It will be buried in some archive like Amazon Glacier, and exhuming it for you would be a one-off bespoke job their IT stars would have to perform. Normally they would only bother when there is a court order. They're a bank, not a Lost and Found.

Yes it's your data, but that doesn't mean they are obliged to serve it to you any time/place you realize you've lost it again.

So, you just have to ask them nicely and offer enough $$$ motivation.

Greendrake
  • If they do have the personal data and GDPR applies, then they have a legal obligation to provide a copy of this data upon request, at zero cost. The GDPR has no “but it's too much effort” exception. It is up to data controllers to manage their data in a manner that allows them to handle requests efficiently. – amon Dec 17 '21 at 13:55
  • @amon That's why a court order would compel them, but the question requires an answer 'without "going to court"'. – Greendrake Dec 17 '21 at 13:58
  • Companies are normally expected to comply with a GDPR subject access request and have good data management systems, but they are allowed to refuse "if the request is manifestly unfounded or excessive". More details here. – Stuart F Dec 17 '21 at 14:36
  • @amon And this is exactly why they are unlikely to have it. The one sure exception to GDPR (and other legal/court mandates) is “we don't have it”. Implemented properly (as a retention policy) this costs them nothing to answer such requests. Which is why they do it. – RBarryYoung Dec 17 '21 at 20:46
  • @amon I agree that your reasoning is likely to apply to the OP's case, but it's not correct that the GDPR prevents charging money for "too much effort" cases. Article 12(5) foresees doing exactly that where the request is "manifestly unfounded or excessive". It's a high threshold to cross, but it's available to controllers. – JBentley Dec 18 '21 at 15:49
  • @amon But that law has a side-effect of encouraging companies to delete data they don't really need. It's a tax designed to deter Big Data and a corporate surveillance 'state' of deep tracking of individuals. If they must deal with GDPR requests for that data, it makes them think twice about what they put in those dossiers. – Harper - Reinstate Monica Dec 20 '21 at 03:46