AKI (Estonia) - 2.1.-1/21/129: Difference between revisions

Revision as of 09:35, 15 June 2022

AKI - 2.1.-1/21/129

Authority:	AKI (Estonia)
Jurisdiction:	Estonia
Relevant Law:	Article 6 GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 15 GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	19.01.2022
Published:	19.01.2022
Fine:	n/a
Parties:	n/a
National Case Number/Name:	2.1.-1/21/129
European Case Law Identifier:	EDPBI:EE:OSS:D:2022:319
Appeal:	Not appealed
Original Language(s):	English
Original Source:	EDPB (in EN)
Initial Contributor:	Alexander Smith

The Estonian DPA held that the legal basis for transferring a data subject's debt data to a third party was legitimate interest, not contractual necessity. The DPA also reprimanded the controller for failing to reply to an access request within one month.

English Summary

Facts

The data subject found out that the controller had included his information regarding the generation of a debt of €2,706.41 in a transfer and listing with ASNEF (a credit default register).

The data subject then requested information regarding the generation of the debt and communication of the payment request. The controller did not respond, and the data subject filed a complaint with the Data Protection Inspectorate (Andmekaitse Inspektsioon - AKI).

The AKI sent an enquiry to the controller with the following questions:

What was the legal basis for the processing?
Was a transfer made to ASNEF? If so, when and under what legal basis?
Were there documents relating to the data subject's debt, and if so, have these been received by the controller?
Was the insolvency file's accuracy verified before transfer?
Was the data subject informed of the transfer, and if so, how?
Why hadn't the controller replied to the data subject's access request?

The controller responded to the AKI, claiming that the legal basis for this processing was Article 6(1)(b) GDPR (neccessary for the performance of a contract). The controller's contract with the data subject stipulated that the controller had the right to make such a transfer following overdue payment or default. The controller claimed the purpose of this provision was to allow the data subject the opportunity to monitor his debts and to give others the opportunity to process the subject's data on the basis of legitimate interest to assess his creditworthiness. The controller also claimed the data subject had known of this right to transfer since it was included in the contract.

Holding

The AKI disagreed with the controller about the legal basis for the transfer because it was not necessary for the completion of the contract. Instead, the AKI held that the correct basis was legitimate interest (subject to a legitimate interests test).

The AKI found that the controller did not comply with Article 12(3) GDPR as it did not reply to the data subject's request within one month or provide reasons for its failure to reply.

The AKI reminded the defendant of its obligation under Article 13 GDPR and Article 14 GDPR to inform the data subject in a concise, clear, comprehensible, and easily accessible form using clear and simple language. It noted this information should also be provided in such form if requested in accordance with Articles 15 to 22 and 34 GDPR.

Comment

This was a decision made under Article 60 GDPR. The complaint was referred from the data subject's own Member State to the Republic of Estonia's Data Protection Inspectorate. Per Article 60(7) GDPR this decision was notified to the EDPB.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

FOR DATA PRIVACY AND FREEDOM OF INFORMATION

Dear Your: 08/02/2021
Member of the Management Board
Our: 19/01/2022 No. 2.1.-1/21/129

Reprimand and notice of termination of the proceedings in a case concerning the
protection of personal data

Through the cross-border proceedings system IMI, the Estonian Data Protection Inspectorate
(the Inspectorate) received a complaint from pursuant to which he
learned on 02/09/2020 about the inclusion intoASNEF insolvency file of an alleged debt owed
to amounting to 2.706,41 EUR. On 14/09/2020 the claimant contacted

customer support, in order to request all the information regarding the generation of the
abovementioned debt, as well as the reliable communications of the payment request, without
receiving any answer to the whole of the raised questions. The claimant stated that he kept on
asking for the preventive cancellation of the debt inscription, but got no satisfactory reply.

Based on the above, we have initiated supervision proceedings on the basis of clause 56 (3) 8)
of the Personal Data ProtectionAct.

Throughout the supervision proceedings, we submitted an enquiry to in which we
asked the following:

1. What is the legal basis (show the specific legal provision) for processing
thepersonal data ofthecomplainant? If theprocessing is necessary for theperformance

of a contract to which the data subject is party, then they should send a copy of the
contract concluded with the claimant.
2. Has transferred the claimant’s data to the Asociación Nacional de
Establecimientos Financieros de Crédito (ASNEF) and when? If they have, we asked
them to indicate the legal basis and purpose of the transfer.
3. Are there any documents proving the claimant’s debt? Has the complainant received the
documents?

4. Was the accuracy of the insolvency file verified before it was transferred to ASNEF?
5. Whether and how was the complainant informed of the right to transfer data and the
actual transfer of data. If the notice was given, we asked to provide proof
of notification.
6. Why hasn’t replied to the claimant’s questions? If they have answered, we
asked to send a copy of the answer to the inspectorate.

In their response to the enquiry of the Data Protection Inspectorate, said the
following:, FOR DATA PRIVACY AND FREEDOM OF INFORMATION

has transferred the complainant’s data to ASNEF payment default register as of
09.03.2020 and the legal basis for the transfer of data is the performance of the contract on the
basis of Article 6 (1) (b) of the GDPR (see also clause 13.11 of the Agreement):

13.1. Following a payment overdue or default under the Loan Agreement, the Lender shall have

a right, in each case pursuant to the applicable law, to notify the Borrower thereof and send the
following information to the chosen Payment Default Register:
1) given name and surname of the Borrower;
2) national identification number of the Borrower;
3) commencement and end date of the payment default;
4) the total amount of the payment default; and
5) data concerning the nature of the contractual relationship from which the arrears arise.

The Payment Default Register shall have the right to communicate the aforementioned data on
the basis of a contract entered into for an indefinite period to other credit providers and other
persons who have a legitimate interest concerning the creditworthiness of the persons entered
in the register and collect a charge therefor. The Payment Default Register shall have a right
to communicate the following data concerning the person who is an object of the inquiry to the
other persons with a legitimate interest:

1) commencement and end dates of the payment default;
2) the total amount of the payment default; and
3) the business sector from where the payment default arose.

The Borrower shall have the right to submit a claim to the Payment Default Register pursuant
to the procedure published on the webpage of the Payment Default Register and demand
deletion of a payment default entry from the Payment Default Register. The purpose of

processing the data mentioned herein is to allow the Borrower to monitor his/her payment
defaults and allow other persons with legitimate interest concerning the creditworthiness of the
Borrower to rely on the disclosed information upon making credit decisions with respect to the
Borrower.

The purposes of the processing are:

1) performance of the contract;
2) giving the complainant the opportunity to monitor his / her debts to (in addition to
other notifications and the complainant’s portal account); and
3) giving others the opportunity to process the complainant’s data on the basis of a legitimate
interest in order to assess the complainant’s creditworthiness.

Please note that these purposes and grounds have also been assessed separately for

by the Spanish Supreme Court, which has confirmed the lawfulness of the processing of
customer data for such purposes and grounds.

Thecomplainantreceivedinformationabouthisdebtfromhisportalaccount,fromnotifications
sent by and from notifications sent by the Spanish default register. According to
the complainant has been aware of all these sources of information, i.e. he has visited
the portal account repeatedly, the notifications have been received (including opened) and the

data included the Spanish payment default register is also known to the complainant., FOR DATA PRIVACY AND FREEDOM OF INFORMATION

verifies the accuracy of the debt data through a technical solution that notifies the
system of the loan amount on the due date. Verifiability is ensured by checking the
payment deadline and the receipt of the loan repayment from bank account.

The Appellant was at the earliest aware of the right to transfer data when concluding the

contract. This right arises from clause 13.1 of the contract. repeatedly informed the
complainant by e-mail (ie 04.02.2020, 08.02.2020, 17.02.2020 and 02.03.2020) before sending
the defaults to the Spanish default register. In order to prove this, we also included a list of
outgoing notifications, the fourth box of which also shows that the complainant has also opened
these three notifications. In addition, the payment default register itself informed the
complainant of the publication of the payment default.

PursuanttoClause13.1ofthecontract,thecomplainanthasexercisedhisrighttocommunicate
with the Spanish default register in connection with the cancellation of the default himself. The
complainant has exercised this right twice.

The first notification of the complainant to the default register took place on 18.09.2020 (at that
time was not aware of the out-of-court settlement of the default and we confirmed to
the default register on 23.09.2020 that the data had been duly disclosed).

received the complainant’s letter by post on 06.10.2020. The second notification of
the Applicant to the payment default register took place on 29.10.2020. At that moment,
also became aware of the out-of-court settlement and requested that the payment
e deleted from the default register on 04.11.2020 (incl. Further notifications were
blocked).

We add that the deadline for replying to the complainant’s letter was 06.11.2020, but as the
situation related to the complainant was resolved through the payment default register (incl. it
was used as a communication channel), the complainant was not notified separately. The
complainant received the relevant information with the payment default register and the
situation was resolved.

On 10 February, the SpanishAgency for Data Protection replied that the claim had been settled
because the data of theAppellant had been removed from the payment default register pursuant
to an out-of-court settlement. The SpanishAgency for Data Protection added that theAppellant
had been informed of the possibility of being entered to the payment default register in the
contract and also before the payment default was entered.

POSITION OF THE DATA PROTECTION INSPECTORATE

1. Lawfulness of the processing of personal data

In its reply, stated that it had transmitted the personal data of the Appellant to
ASNEF under Article 6 (1) (b) of the GDPR. The Data Protection Inspectorate does not agree
with this, as the transfer of the debt data of the Appellant to the payment default register is not

an act that has to perform in order to fulfil its contract with the Appellant. The
legal basis for providing the debt data of the Appellant to a third party can be derived from
Article 6 (1) (f) oftheGDPR, i.e. a legitimateinterest. Relyingon this legal basis, the controller
is obliged to carry out a detailed assessment of the legitimate interest and to consider whether, FOR DATA PRIVACY AND FREEDOM OF INFORMATION

or not the processing of the data is permissible in a particular case. If the assessment shows that
the processing of the data is not permissible, it must be stopped. Otherwise, the controller must
prove to the data subject that there are legitimate reasons to continue processing the data.

2. Release of personal data

On 14 September 2020, the Appellant sent a request to to issue to him all the
necessary documents regarding the debt, including the contract concluded between the
Appellant and and documents regarding how the principal debt, interest, service
fees, etc. have arisen. received the letter of the Appellant by post on
6 October 2020. Aperson ocuments or, for example, a citation of contract clauses,

goes beyond the scope of the GDPR. However, a person may request a copy of personal data
collected about them pursuant to Article 15 (1) and (3) of the GDPR, in which case it is not
prohibited for a copy of personal data to be issued as a copy of a document.An entry or extract
from a database that reflects, inter alia, the name of the person, the components of the claim
against them (principal, interest, recovery costs, etc.) constitutes personal data, and is thus the
scope of the GDPR.

In accordance with recital 59 of the GDPR, the controller should be obliged to respond to
requests from the data subject without undue delay and at the latest within one month and to
give reasons where the controller does not intend to comply with any such requests.
Article 12 (3) of the GDPR lays down the same deadline for replying to the request of the
Appellant. In its reply, explained that since the deadline for replying to the
Appellant was 6 October 2020 but before that, the Appellant had entered into an out-of-court
settlement, of which became aware on 29 October 2020, the debt claims against

theAppellant were deleted from the payment default register on 4 November 2020. In addition,
the request of the Appellant for the release of his debt data was settled through the payment
default register. As the payment defaults had been cleared before the deadline for replying to
the Appellant and the Appellant had received information of interest to him through ASNEF,
did not consider it necessary to provide the Appellant with documents and other
information relating to his debt.

The Data Protection Inspectorate finds that the conduct of was not lawful because,
pursuant to Article 12 (3) of the GDPR, was obliged to reply to the Appellant within
one month or to provide reasons for not providing theAppellant with the requested documents
and/orinformation (see GDPR recital 59,Article 12 (4)), even ifthe claim oftheAppellant falls
outside the scope of the GDPR. Therefore, should have provided theAppellant with a
copy of the personal data he had requested (if theAppellant had requested it) or explained in its

reply why this was not done or if theAppellant had requested specific documents,
should have justified why it was not possible to submit the documents on the basis ofArticle 15
of the GDPR.

I would like to explain that it is obligation of the controller to make sure that data is being
processed in compliance with the GDPR. However, disregarded the explicit
request of theAppellant to provide him with documents relating to his debt and did not explain

to the Appellant why it could not do so. In view of the above, violated the
requirements set out in the GDPR. However, based on the fact that the Appellant received the
information requested by him through the payment default register and his debt details have
been deleted from the payment default register as a result of an out-of-court settlement,, FOR DATA PRIVACY AND FREEDOM OF INFORMATION

I reprimand underArticle 58 (2) (b) of the GDPR and draw attention to the
following:

1. The legal basis for the transmission of debt data to a payment default register is the
existence of a legitimate interest (Article 6 (1) (f) of the GDPR).

is obliged to carry out a detailed assessment of the legitimate interest and
to consider whether or not the processing of the data is permissible in every particular
case. If the assessment shows that the processing of the data is not permissible, it must
be stopped. Otherwise, the controller must prove to the data subject that there are
legitimate reasons to continue processing the data.

2. The controller shall take appropriate measures to provide the data subject with the
information referred to in Articles 13 and 14 and to inform them of the processing of
personal data in accordance with Articles 15 to 22 and 34 in a concise, clear,
comprehensible, and easily accessible form using clear and simple language. This
information is provided in writing or by other means, including, where appropriate,
electronically. If the data subject so requests, the information may be provided orally,
provided that the identity of the data subject is established by other means

(Article 12 (1) of the GDPR).

3. The controller has the obligation to submit a copy of the personal data concerning the
data subject at the request of the data subject (Article 15 (3) of the GDPR).

If the data subject wants personal data about themselves, must do
everything in its power to ensure that all personal data is released. If personal data are

not released, it must be made very clear which type of data and for what reason cannot
be released.

4. The controller provides information on action taken on a request underArticles 15 to 22
of the GDPR to the data subject without undue delay and in any event within one month
of receipt of the request. This period may be extended by two months, if necessary,

taking into account the complexity and volume of the request. The controller informs
the data subject of any such extension within one month of receipt of the request,
together with the reasons for the delay (Article 12 (3) of the GDPR).

Thus, if a person requests a copy of personal data concerning them, the copy must be
provided within one month or, if justified, the deadline for replying may be extended
within that month. In accordance with theGDPR, themaximum legal term forproviding

data can be three months.

5. If the controller does not take action on the request of the data subject, the controller
shall inform the data subject without delay and at the latest within one month of receipt
of the request of the reasons for not taking action and on the possibility of lodging a
complaint with a supervisory authority and seeking a judicial remedy (Article 12 (4) of
the GDPR).

Thus, if considers that it has reasonable grounds for not releasing data, this
must be justified to the data subject within one month., FOR DATA PRIVACY AND FREEDOM OF INFORMATION

In view of the above and the fact that the Appellant, received the

informationconcerninghimthroughthepaymentdefaultregisterASNEF, Iwillterminate
the supervision proceedings.

I further note that in a situation where the improper practice of processing personal data in this

way continues, the Data Protection Inspectorate has the right to issue a precept to
(and, if necessary, impose a penalty payment) or hold the controller liable in a misdemeanour.
A legal person may be fined up to 20,000,000 euros or up to 4% of its total annual worldwide
turnover for the previous financial year, whichever is greater.

This administrative act can be disputed within 30 days by:
- submitting a challenge to the Director General of the Data Protection Inspectorate pursuant to
theAdministrative ProcedureAct or 1

- filing a 2etition with an administrative court pursuant to the Code of Administrative Court
Procedure (in this case, anychallenges submitted in the same case can no longer be processed).

Respectfully

/signed digitally/

Lawyer
Authorised by the Director General

1https://www.riigiteataja.ee/en/eli/527032019002/consolide
2https://www.riigiteataja.ee/en/eli/512122019007/consolide

@@ Line 72: / Line 72: @@
 === Facts ===
-The data subject learned that the controller had included his information regarding the generation of a debt €2,706.41 in a transfer and listing with ASNEF (a credit default register).
+The data subject found out that the controller had included his information regarding the generation of a debt of €2,706.41 in a transfer and listing with ASNEF (a credit default register).
 The data subject then requested information regarding the generation of the debt and communication of the payment request. The controller did not respond, and the data subject filed a complaint with the Data Protection Inspectorate (''Andmekaitse Inspektsioon - AKI).''