Ask HN: Are credit reference agencies violating GDPR?
3 points by gtf21 on March 27, 2020
In the UK if I take out a loan, for example, they check my credit history with a credit reference agency. Similarly, they will pass data to the credit reference agency (CRA).

I can see that there is a lawful basis for my creditor to have my personal data for the purpose of ensuring I repay my loan etc., but I have no relationship with the CRA and therefore I don't think that there is a lawful basis for them to have my data on file.

I think that the way that GDPR handles cookies should be instructive for this, since you are not allowed to refuse service on the basis of rejecting non-essential cookies. Similarly, I don't think that refusing to have your data stored by the CRA should be a valid reason for a refusal of service.

Furthermore, while this data transfer will be written into the T&Cs of the loan, this feels about as legally valid as the EULA on many products. Am I really giving informed consent? On top of that, am I being coerced into giving up my data in a non-essential manner in order to access a (potentially crucial) service?

I would love to hear what people think of this. Am I wrong in thinking that this is a class-action (equivalent) lawsuit waiting to happen?

For reference, I found this piece in the FT which is relevant [1].

[1]: https://www.ft.com/content/afef327a-e291-11e8-8e70-5e22a430c1ad


