The Information Commissioner’s Office, the UK regulator for data protection, has made it very clear that data protection is not an excuse when tackling scams and fraud, and it has called for companies to share personal information responsibly to protect customers from scams and fraud.
Companies often misunderstand GDPR, and it is used extensively by companies to try to restrict what the public can do (e.g. “you can’t take photos from public land”) or, in the case of fraud and scams, to refuse to provide information that would let a victim take action.
We have seen a company refusing a Subject Access Request for login information for an account created under a person’s name and with access to their sensitive personal data after being told it was fraudulent, in order to protect the personal data (IP address, etc.) of the fraudster.
More at:
https://wapi.org/ico-dpa-does-not-stop-sharing-data-to-assist-fraud-investigations