Tietosuojavaltuutetun toimisto (Finland) - 834/532/18: Difference between revisions
No edit summary |
No edit summary |
||
(5 intermediate revisions by the same user not shown) | |||
Line 23: | Line 23: | ||
|Currency= | |Currency= | ||
|GDPR_Article_1=Article | |||
|GDPR_Article_Link_1=Article | |GDPR_Article_1=Article 5(1)(a) GDPR | ||
|GDPR_Article_2=Article | |GDPR_Article_Link_1=Article 5 GDPR#1a | ||
|GDPR_Article_Link_2=Article | |GDPR_Article_2=Article 25(1) GDPR | ||
|GDPR_Article_Link_2=Article 25 GDPR#1 | |||
|GDPR_Article_3=Article 58(2)(b) GDPR | |GDPR_Article_3=Article 58(2)(b) GDPR | ||
|GDPR_Article_Link_3=Article 58 GDPR#2b | |GDPR_Article_Link_3=Article 58 GDPR#2b | ||
|GDPR_Article_4=Article 58(2)(d) GDPR | |GDPR_Article_4=Article 58(2)(d) GDPR | ||
|GDPR_Article_Link_4=Article 58 GDPR#2d | |GDPR_Article_Link_4=Article 58 GDPR#2d | ||
|GDPR_Article_5=Article 83 GDPR | |||
|GDPR_Article_Link_5=Article 83 GDPR | |||
Line 61: | Line 64: | ||
=== Facts === | === Facts === | ||
Controller is Suomen Asiakastieto Oy, a company that | Controller is Suomen Asiakastieto Oy, a company that keeps a credit information register. This register gives an overview of the creditworthiness of debtors, whose debts are shown in the register. Suomen Asiakastieto Oy receives information from the Legal Register Centre regarding court cases in which a debtor challenges a payment obligation. [https://gdprhub.eu/index.php%3Ftitle=Tietosuojavaltuutetun_toimisto_(Finland)_-_8211/161/19 Because the Courts and the Legal Register Centre made errors between 2011 and 2017, this information, turned out to be inaccurate and transferred without a legal basis, because it did not fulfil the obligations of Article 6(1) of the (Finnish) Credit Information Act]. Since the controller relied on the information provided by the Legal Register Centre, they also registered inaccurate personal data without a legal basis. | ||
A data subject who was registered in controller's credit register because of four cases, requested the DPA to order controller to delete their personal data from the controller’s credit information register, because it was processed without a legal basis and the controller did not provide clear criteria on which they determined the debtor's creditworthiness. | |||
The controller, however, argued that they carefully assessed each outcome of court cases to determine the creditworthiness of the debtor, that they had a legal basis to process this information (Article 6(1) Credit Information Act), and that they could not establish fixed criteria of this assessment, since this is “''to some extend a matter of human reasoning and consideration''” and must therefore be done on a case-by-case basis. | |||
=== Holding === | === Holding === | ||
First, the DPA noted that, although the issues occurred between 2011 and 2017, the issues had continued since the GDPR entered into force, and therefore, the GDPR applied to this case. | First, the DPA noted that, although the issues occurred between 2011 and 2017, the issues had continued since the GDPR entered into force, and therefore, the GDPR applied to this case. | ||
Line 77: | Line 79: | ||
== Comment == | == Comment == | ||
This decision is closely related to two other DPA decisions ([[Tietosuojavaltuutetun toimisto (Finland) - 4356/532/19|Decision 4356/532/19]] and [[Tietosuojavaltuutetun toimisto (Finland) - 8211/161/19|Decision 8211/161/19]]) and all decisions were published on the same day. | |||
== Further Resources == | == Further Resources == |
Latest revision as of 08:47, 27 January 2022
Tietosuojavaltuutetun toimisto (Finland) - 834/532/18 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 5(1)(a) GDPR Article 25(1) GDPR Article 58(2)(b) GDPR Article 58(2)(d) GDPR Article 83 GDPR Article 6(1) Credit Information Act (527/2007) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 09.11.2021 |
Published: | |
Fine: | None |
Parties: | Suomen Asiakastieto Oy |
National Case Number/Name: | 834/532/18 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Finnish |
Original Source: | Tietosuojavaltuutettu (in FI) |
Initial Contributor: | Giel Ritzen |
The Finnish DPA ordered Suomen Asiakastieto Oy to delete incorrect entries from their credit information register and change their procedure of the processing information on debtors’ ability or willingness to pay, because this was in violation of Article 25(1) GDPR.
English Summary
Facts
Controller is Suomen Asiakastieto Oy, a company that keeps a credit information register. This register gives an overview of the creditworthiness of debtors, whose debts are shown in the register. Suomen Asiakastieto Oy receives information from the Legal Register Centre regarding court cases in which a debtor challenges a payment obligation. Because the Courts and the Legal Register Centre made errors between 2011 and 2017, this information, turned out to be inaccurate and transferred without a legal basis, because it did not fulfil the obligations of Article 6(1) of the (Finnish) Credit Information Act. Since the controller relied on the information provided by the Legal Register Centre, they also registered inaccurate personal data without a legal basis.
A data subject who was registered in controller's credit register because of four cases, requested the DPA to order controller to delete their personal data from the controller’s credit information register, because it was processed without a legal basis and the controller did not provide clear criteria on which they determined the debtor's creditworthiness.
The controller, however, argued that they carefully assessed each outcome of court cases to determine the creditworthiness of the debtor, that they had a legal basis to process this information (Article 6(1) Credit Information Act), and that they could not establish fixed criteria of this assessment, since this is “to some extend a matter of human reasoning and consideration” and must therefore be done on a case-by-case basis.
Holding
First, the DPA noted that, although the issues occurred between 2011 and 2017, the issues had continued since the GDPR entered into force, and therefore, the GDPR applied to this case.
Second, the DPA stated that that in each of the four instances, the entries should not have been registered, because these conditions laid down in Article 6(1) Credit Information Act, had not been fulfilled. Hence, the DPA concluded that there was no legal basis to process the personal data, the processed’ personal data was inaccurate, and these entries should have been deleted after the data subject requested the controller to do so.
Third, the DPA considered that the entry of payment information in the credit information register concerns large-scale processing, and has wide-ranging implications for the rights and freedoms of the data subject, since their financial freedom might be severely affected. The DPA found that controller’s structural process of assessing court decisions on a case-by-case basis, without fixed criteria, had led to the processing of personal data without a legal basis. Hence, the controller had lacked to implement appropriate measures to implement the data protection principles, like the principle laid down in Article 5(1)(a) GDPR. The DPA, therefore, concluded that the controller's approach to the processing of payment default data based on final judgments did not comply with Article 25(1) GDPR.
Pursuant to Article 58(2)(b) and Article 58(2)(d) GDPR, the DPA reprimanded the controller for its violations, and ordered the controller to bring their processing operations in compliance with the GDPR. Hence, the controller was ordered to remove all incorrect entries and change its procedure for registering default entries based on final judgements. The DPA noted that an administrative fine pursuant to Article 83 GDPR would not have been proportionate, since the incorrect entries of the Legal Register Centre had a significant impact on this case.
Comment
This decision is closely related to two other DPA decisions (Decision 4356/532/19 and Decision 8211/161/19) and all decisions were published on the same day.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Entry of default information based on final convictions in the credit information register Thing Correction of an error in the credit information register and entry of default information based on final judgments as a default entry in the credit information register Registrar Suomen Asiakastieto Oy Applicant 's requirements The applicant has asked the EDPS to instruct the controller to delete the applicant's data from its credit register. The applicant's claim is for insolvency entries based on the following judgments: Date Explanation Debts XXXX Judgment Creditors 1 XXXX Judgment Creditors 2 XXXX Judgment Creditors 3 XXXX Judgment Creditors 4 Clarification received Statement received from the applicant Based on the report submitted by the applicant, the basis for the default defaults in question is the default information established by the authority pursuant to section 13 (1) (3) of the Credit Information Act (527/2007), which has been established by a final court judgment. On the basis of the report submitted, the controller has refused to delete the data in question. The applicant bases his claim on a systemic error in the Legal Register Center, which has resulted in incorrect entries in defaults, and in his arguments he refers to the decision of the Parliamentary Ombudsman in the case EOAK / 945/2016. According to the applicant, the systemic error has caused a situation in which, between 2011 and 2017, the lawsuits filed in court as a limited or summary summons have almost always resulted in the SVK defaulting debtor for the debtor who lost the case. According to the applicant, the occurrence of a default notice must not depend on whether the creditor has filed a debt challenge extensively or narrowly, since both are treated in the same way in the disputed cases. According to the plaintiff, the debtor should have the right to obtain a court assessment of the obligation to pay without the risk of defaulting, as the fear of defaulting reduces the defendant's chances and desire to defend his case in court. According to the applicant, the Credit Information Act defines the basic criterion for a default payment entry as the fact that the entry must describe the debtor's solvency or willingness to pay. The applicant refers to the Parliamentary Ombudsman, who has stated that in disputed cases these criteria are not met, as they automatically and compulsorily make the debtor insolvent due to the dispute. According to the applicant, it is clear that the criterion of non-payment can only be used in uncontested cases. According to the applicant, the credit information companies have argued that a default note could be imposed because the alleged dispute was not relevant to the resolution of the case. According to the applicant, the credit information companies are wrong, because if the debtor contests the claim with a factual argument related to its claims, the district court will take the matter to normal litigation and the matter must then be considered contentious. In the applicant's view, a situation in which a credit information company would subsequently declare the matter undisputed to a higher authority than the court is unsustainable. According to the applicant, in the case of large-scale litigation, credit information companies have manually reviewed the judgment and based on that they have assessed the debtor's insolvency or unwillingness. According to the applicant, this is an erroneous and misleading practice on the part of the credit information companies, as it is impossible for the operative part of the judgment to give an accurate picture of the debtor's insolvency or unwillingness. According to the applicant, the judgment does not rule on the defendant's ability or willingness to pay, but only on the obligation to pay. Statement received from the controller The registrar was asked to provide information on the applicant's insolvency entries and on the insolvency information processed by the registrar in general based on a final court judgment (Section 13 (1) (3) of the Credit Information Act). The data controller was requested to provide information on the source of information and the basis for disclosure of default data based on final judgments. The controller was also asked which body would determine whether a final judgment described the applicant's solvency or willingness to pay, as well as information on the criteria on the basis of which it might assess these factors. In addition, the controller was asked to clarify the measures taken to ensure that its activities in processing default information based on final judgments meet the condition of equal treatment of data subjects under section 11 of the Credit Information Act. As regards the applicant, a reasoned explanation was requested as to whether, according to the controller, the final judgments on which the insolvency entries are based describe the applicant's ability to pay and willingness to pay. According to the report submitted by the registrar, both the information on the applicant and the most common information on defaults based on final judgments has been provided to him by the Legal Register Center and the basis for disclosure is the National Judicial Information System Act (372/2010). According to the report issued by the registrar, the operative part of the judgment handed over by the Legal Register Center is read by the registry unit, which makes the decision on registration. If necessary, the matter is discussed with the supervisor or the company's legal officer. According to the data controller, the nature of the debt relationship is assessed when registering the information, ie whether it is usually a matter involving a clear performance by the service provider (eg a debit) and a consideration (payment) which cannot normally be disputed. According to the registrar, the Legal Register Center has also carried out this assessment and will only provide information on decisions that are estimated to be debts in nature. The controller further states that it considers it impossible to establish “criteria” which as such could always be met. According to the registrar, this is to some extent a matter of reasoning and judgment by a person. The registrar considers the procedure to be lawful, as given the wording of the Credit Information Act, the legislator has clearly meant that court decisions on non-unilateral judgments may also be registered as a default note. According to the registrar, one of the clear criteria is that decisions relating to matters between family or family members are not, in principle, registered. If the judgment concerns only costs and interest, these have not been entered in the register. The criterion is that there must be no unpaid capital and the judgment focuses on the repayment of capital. According to the registrar, when the creditor is a natural person (without legal assistance), the case is examined particularly closely, as there may be a higher risk between natural persons that the rights and obligations of the parties are not fully clear. The controller considers it impossible to be able to write completely complete and unambiguous rules on the criteria used. According to the controller, the staff involved in data processing are experienced. They are guided and advised at work and have the opportunity to move decision-making up the organization. According to the registrar, all cases of the slightest ambiguity are dealt with together, and if the persons who handled the judgment have not been able to decide whether to enter the entry in the register, it will be decided at the special meeting whether or not the entry will be entered in the register. With regard to the applicant's defaulting entries, the controller states that the decision on which the defaulting entries are based concerns the financial credits that the applicant has failed to pay. According to the registrar, the debt claims have not been treated as an aggregate dispute and a judgment has been handed down which has become final. Based on the content of the operative part of the decision, the data controller considers that it has been demonstrated that the default notes describe the applicant's solvency or willingness to pay within the meaning of the Credit Information Act. According to the registrar, the facts presented by the applicant have not been given such weight in the handling of the cases that the cases should be considered controversial so that the default data could not have been registered or deleted. In the report, the controller also states that it has not been provided with information that the receivables have been paid. Statement received from the registrar, Bisnode Finland Oy and the Legal Register Center Simultaneously with the case in question, the Data Protection Commissioner clarified the procedures of Bisnode Finland Oy (Bisnode) and the Legal Register Center in processing default information based on final judgments. As part of the investigation, the EDPS requested each of the three parties to provide the EDPS with information that the Legal Register Center has provided to credit information companies at a certain point in time. The Center for Legal Registration was requested to provide the Office of the Data Protection Supervisor with the first 20 court decisions, which it handed over to credit information companies as of 5 November 2019 as default information based on final judgments. Binsnode and the registrar were asked to submit the first 20 court decisions, which were provided to them by the Center for Legal Registers as of 5 November 2019 as default information based on final judgments. In addition, the first 5 court decisions were requested, which Bisnode and the registrar have screened out of the payment default information that caused the entry in the personal credit information register since 5 November 2019. The registrar submitted the requested court decisions, which according to the report provided by the Legal Register Center on 6 November 2019. In all the judgments, the defendant has upheld the action. With regard to screened court decisions, the controller stated that the decisions will be transmitted to the Office of the Data Protection Officer as soon as such cases occur, as they are rare. According to the report, an estimated 10 judgments on default information provided by the Legal Register Center are not registered each year. The controller was further asked to clarify its explanation. The registrar was asked whether it had screened any information out of or after the information provided by the Legal Register Center on 5 November 2019. In addition, it was requested that any Screened Data be submitted to the Office of the Data Protection Officer. In response to the request, the registrar confirmed that the decisions screened after 5 November 2019 have not appeared, with the Legal Register Center being so accurate in its own screening that such judgments are hardly handed over to the registrar. Registrar 's reply The Data Protection Commissioner asked the registrar to comment on six solutions, which, based on the information received from the Legal Register Center, Bisnode and the registrar, have been handed over by the Legal Register Center to credit information companies for entry in the credit information register. According to the registrar, on the basis of the three solutions specified in the request for defense, a default note has been registered in the credit information register in accordance with the operative part. With regard to the three solutions specified in the defense, the controller states that they have not been entered in the credit information register. Applicant's reply to the statement provided by the controller In his defense, the applicant draws attention to the fact that the controller does not intervene in a word about the decision of the Parliamentary Ombudsman EOAK / 945/2016 and that the arguments presented in the report contradict the decision of the Ombudsman. The applicant is puzzled by the controller's argument that the matters in question should not be considered uncontested, as that assessment is made by the court in determining whether the case should be treated as a broad dispute. According to the applicant, the controller gives the impression in his report that the debt proceedings are simple and clear, but no unambiguous rules could be established for ordering a default. The applicant, for his part, considers that the proceedings may be very complex, but that the contested action should never lead to a default. According to the applicant, it is interesting that, unlike the controller, Bisnode has not, at its discretion, entered a default note for one of the applicants' debt judgment. In that regard, the applicant points out that, in all the cases in respect of which both credit information companies are the subject of an adjustment, the dispute has always concerned debt capital and not therefore only its derivatives, such as recovery costs or interest. According to the applicant, the controller marks insolvency entries based on final judgments on esoteric criteria for which no information has been disclosed to debtors. According to the applicant, the default note should indicate the behavior of the debtor - not the credit information company. According to the applicant, the only consistent procedure for the protection of the individual would be that a judgment given in a disputed case cannot be followed by a default notice, but could only be entered if the enforcement of a final judgment order fails. According to the applicant, despite the solution code currently used in the Tuomas system to correct a system error, the credit information register must contain at least hundreds, if not thousands, of incorrect entries. According to the applicant, incorrect entries are removed from the register on a daily basis, as a result of which it is advantageous for credit reporting companies to delay the case, as victims of incorrect entries cannot seek redress for the loss of evidence. Applicable law The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The Data Protection Regulation contains a national margin of maneuver on the basis of which national law can supplement and clarify matters specifically defined in the Regulation. The general data protection regulation is specified in the National Data Protection Act (1050/2018), which has been applicable since 1 January 2019, and in the present case the central credit information law. It should be noted that the principle of legal certainty is central to EU law. A number of rulings by the European Court of Justice have led to a ban on the application of retroactive legislation. According to that prohibition, acts of European Union law do not, in principle, have retroactive effect. In that regard, the case - law has identified two types of retroactivity: de facto retroactivity and material retroactivity. Effective retroactivity refers to the application of new legislation to a fact that has fully materialized during the old legislation. In the case law of the European Court of Justice, such de facto retroactivity is in principle prohibited. Substantive retroactivity refers to the application of new legislation with future effects in a situation that arose when the previous legislation was in force, and legally relevant activities will continue during the new legislation. The European Court of Justice has accepted such material retroactivity. The Court has ruled that EU law must be considered to have legal effect when it enters into force, even when the new legislation defines the consequences of circumstances which began during the old legislation. The Court has also drawn attention to the need for legal protection for individuals when assessing the permissibility of retroactive legislation. In the present case, the legally relevant activity under appeal has continued since the entry into force and application of the General Data Protection Regulation, with the result that the General Data Protection Regulation applies in addition to the Credit Information Act. Legal question The case is pending concerning the rectification of data stored in the credit register, in which the general practice of the controller with regard to the registration of default entries based on final judgments has also been assessed. The matter must be resolved: 1. whether the insolvency entries concerning the applicant deposited in the credit information register are incorrect for the interpretation of section 13 (1) (3) and section 6 (1) (3) of the Credit Information Act (527/2007) within the meaning of section 31 of the Act; 2. whether the controller has complied with Article 25 (1) of the General Data Protection Regulation and with Section 5 (1) (3) of the Credit Information Act when processing default data based on final court judgments, and 3. whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations in line with the provisions of the General Data Protection Regulation. The EDPS must also assess whether other remedial powers should be exercised in accordance with Article 58 of the General Data Protection Regulation. Decision and justification of the EDPS 1. Compliance with the conditions for insolvency marking in respect of the applicant's insolvency marking Pursuant to section 35 of the Credit Information Act, the registrar is ordered to correct the information in the credit information register for all payment default entries that are the subject of the applicant's request for correction. Reasoning Marking a final judgment in a dispute as an entry for default Section 13 (1) (3) of the Credit Information Act provides for personal credit information which may be stored in the credit information register as payment default information established by an authority. This information referred to in this paragraph includes, but is not limited to, information on non-payment of a judgment established by a final or unilateral judgment of a court. In order for a final judgment to be entered in the credit information register as a default, it must also meet the conditions for the quality of credit information set out in section 6 (1) of the Credit Information Act, according to which only information In decision EOAK / 945/2016, the Parliamentary Ombudsman has taken a position on insolvency entries caused by final judgments. According to the Parliamentary Ombudsman, in cases where the obligation to pay has been reasonably challenged in such a way that it may have an effect, the Ombudsman does not, in the Ombudsman's view, satisfy the condition that the entry must prove the data subject's insolvency or insolvency. The above-mentioned decision describes the statement issued by the Ministry of Justice in the case, which concerns, among other things, the handling of summary cases in courts. According to the judgment, if the defendant relies in the application for recovery only on a ground which clearly has no bearing on the outcome of the case, the application for recovery will be rejected. In that case, a new unilateral judgment will be given. If, on the other hand, the defendant responds to the application and contests the uncontested action on the ground that it may have an effect on the outcome of the case, the case will be referred immediately to the ordinary civil procedure. The Data Protection Commissioner shares the views of the Parliamentary Ombudsman regarding cases where the obligation to pay has been reasonably contested and considers that in such cases there is no legal basis for registering a default note. The EDPS considers that the data subject should be able to settle the debt without the threat of default after receiving a judgment in a disputed case. Assessment of the legality of the applicant 's default entries Section 31 of the Credit Information Act provides for the data subject's right to correct an error. On the basis of the information received in the case, the applicant has submitted a request to the data controller to delete the four default entries concerning him from the credit information register. On the basis of the explanation received, the data controller has refused to delete the data in question because, based on the content of the operative parts of the judgments, the data controller considers that the default notes describe the applicant's solvency or willingness to pay within the meaning of the Credit Information Act. According to the registrar, the facts presented by the applicant have not been given such weight in the handling of the cases that the cases should be considered controversial so that the default data could not have been registered or deleted. In the following, the Data Protection Supervisor will assess, for each applicant's default note, whether the conditions set out in the Credit Information Act are met. Date Explanation of Debts XXXX Judgment Creditors 1 This is a receivable based on a debt relationship. In the present case, the applicant has objected to the action, alleging, inter alia, that the debt is time - barred and that the applicant has no right of access. Date Explanation of Debts XXXX Judgment Creditors 2 This is a receivable based on a debt relationship. In the case, the applicant objected to the action, claiming that he had paid the debt in full and the relevant recovery costs before the case was brought before the court. Date Explanation of Debts XXXX Judgment Creditors 3 This is a receivable based on a debt relationship. In the case, the applicant has objected to the action, claiming, inter alia, that the debt is time-barred, illegal recovery costs and disputing the amount of the debt. Date Explanation of Debts XXXX Judgment Creditors 4 This is a receivable based on a debt relationship. In the present case, the applicant has objected to the action, claiming, inter alia, that the debt is time - barred. In all cases on which the applicant's insolvency entries are based, the applicant has responded to the claim by contesting his obligation to pay on the grounds set out above and the cases have been dealt with in ordinary court proceedings. Since the transfer of the case to ordinary civil proceedings presupposes that the action has been challenged on a ground which the district court considers may have an effect on the outcome of the case, the judgment does not satisfy the condition that the entry be insolvent or insolvent. paragraph 1). As the conditions for default entry under the Credit Information Act have not been met for the judgments in question, the judgments should not have been entered in the credit register as a default and the entries should have been deleted as a result of the applicant's request for rectification. 2. Implementation of built-in data protection and good credit practice by the controller The EDPS considers that the data controller's approach to the processing of default data based on final judgments does not comply with Article 25 (1) of the General Data Protection Regulation and Article 5 (1) (3) of the Credit Information Act. Reasoning Applicable law According to Article 5 (1) (a) of the General Data Protection Regulation, personal data must be processed lawfully, properly and transparently for the data subject ("lawfulness, reasonableness and transparency"). According to Article 25 (1) of the General Data Protection Regulation, taking into account state-of-the-art technology and implementation costs, as well as risks to the rights and freedoms of natural persons appropriate technical and organizational measures to ensure that they are incorporated into the processing and that the processing complies with the requirements of this Regulation and that the rights of data subjects are protected. Pursuant to Section 5 (1) (3) of the Credit Information Act, a credit information provider, a user of credit information and a person who otherwise processes credit information must exercise due diligence and ensure that the data subjects' right to be assessed on the basis of correct and relevant information is not compromised. Pursuant to section 11 of the Credit Information Act, a credit information provider shall ensure that data subjects are treated equally in the processing of credit information entered in and entered in the credit information register and in the performance of credit information activities. The risk to the data subject of processing a default judgment based on a final judgment The EDPS considers that the entry of default data in the credit register in the credit information register from the national information system of the judicial administration constitutes a large-scale processing of personal data which has a significant impact on the data subject's rights and freedoms. The data is handed over from the national information system via the technical interface to the relevant national credit information controller on a daily basis for entry in the credit information register. The default due to a transfer typically has significant and far-reaching implications for the data subject's rights and freedoms. Due to a default, for example, a registered credit card may be required to be returned and access to new credit, rental housing and home insurance is likely to become more difficult. Access to employment can also be made more difficult if the job involves financial responsibility. The effects of a default on the data subject on the data subject are so extensive that any default on the defendant resulting from a final judgment may reduce the defendant's chances and desire to defend his case in court. The possibility of obtaining a court's assessment of the obligation to pay in a dispute may be jeopardized if a possible judgment may result in a default. Assessment of the legality of the controller 's conduct On the basis of the report provided by the registrar, upon receipt of the default information based on a final judgment from the Legal Register Center, it shall make a decision on whether the information shall be entered in the credit information register as a default. The decision is based on an assessment by the controller's staff as to whether the operative part of the judgment describes the person's ability to pay or unwillingness to pay. The controller has some criteria to consider in the assessment. When registering the information, the nature of the debt relationship and whether the matter can be considered controversial on the basis of the operative part of the judgment so that the default entry could not be registered will be assessed. The controller considers it impossible to use completely complete and unambiguous rules applicable to the assessment, which is why the assessment is always to some extent a human case-by-case consideration. The obligation to implement privacy by design under Article 25 (1) of the General Data Protection Regulation requires that effective compliance with each of the principles under Article 5 of the General Data Protection Regulation and the consequent protection of rights and freedoms be included in the measures and safeguards chosen by the controller. . The obligation does not require the adoption of any specific measures, but that the measures and safeguards chosen must be appropriate to the implementation of the data protection principles in the proceedings in question. Whether the measures are effective is always determined by the particular processing connection. The EDPS considers that, for the conduct in question, the controller has failed to implement the principle of lawfulness under Article 5 (1) (a) of the General Data Protection Regulation as required by the data protection obligation. In accordance with the principle of lawfulness, the controller must determine a valid legal basis for the processing of personal data and ensure that an appropriate legal basis for the processing of personal data under Article 6 of the General Data Protection Regulation can be found at all stages of the processing. The method chosen by the registrar to assess the fulfillment of the conditions for insolvency entry on a case-by-case basis on the basis of the operative part of the judgments has resulted in entries in the credit register. In the case of such default entries, the controller has processed personal data without a legal basis for processing in accordance with Article 6 of the General Data Protection Regulation, as the conditions for default entry set out in the Credit Information Act have not been met. Since, according to the information received in the case, the occurrence of incorrect entries was due to the systematic behavior of the controller, the case cannot be considered to be limited to errors concerning an individual data subject. When the conditions provided for by law for the subscription of a payment default subscription leave room for the registrar, the registrar shall take into account the obligation of good credit information practice pursuant to section 5 of the Credit Information Act. Good credit information requires, inter alia, that the credit information provider ensure that the right of data subjects to be assessed on the basis of correct and relevant information is not compromised. (Section 5 (1) (3) of the Act). According to the preliminary work of the Credit Information Act, good credit information would include, among other things, taking care of the factors that are important for the legal security of a credit information subject. In addition, it is intended to guide credit information providers and other credit information processors to develop their activities and to choose from a variety of options the one that best promotes the purpose of the law. In addition, the provision is also intended to act as a general guide to the application of the law, for example when resolving a claim for the correction of an error. According to the preliminary work of the Credit Information Act, the protection of data subjects who are at a disadvantage vis-à-vis credit information providers and companies engaged in lending as a business is considered to be one of the objectives of the law. The EDPS considers that the controller has not acted in accordance with good credit practice. If a default judgment entry based on a final judgment is based on case-by-case considerations, the grounds for the entry are not as predictable and precise as may be required, taking into account the effects of the default entry on the credit register on the data subject. As stated above, the possibility of obtaining a court assessment of liability in a dispute may be jeopardized if there is a risk of default. The registration of a default note on the basis of a case-by-case assessment is also liable to jeopardize the fulfillment of the condition concerning equal treatment of data subjects pursuant to section 11 of the Credit Information Act. The EDPS notes that, as indicated above, the Court will assess the grounds put forward by the defendant after he has applied for recovery or to contest the uncontested action (see also EOAK / 945/2016). Consequently, the controller should no longer have to assess the merits of the case separately on the basis of the operative part of the judgment. If the defendant has challenged his obligation to pay and the court has considered it appropriate to refer the matter to ordinary civil proceedings, the defendant should be able to have his case heard without the risk of default. The EDPS considers that a judgment given in such a case does not fulfill the condition for making a default entry that the entry must indicate the insolvency or unwillingness of the data subject and should not be entered in the credit register as a default entry. The EDPS considers that the controller should have paid more attention to the implementation of good credit practice and built-in data protection when defining the procedures according to which default information based on a final judgment is entered in the credit register as a default. 3. Consideration of sanctions The EDPS shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation and an order in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing operations in line with the provisions of the General Data Protection Regulation. The Data Protection Officer shall instruct the controller to remove from the credit information register the erroneous default entries resulting from its procedure and to change the procedure for the registration of default entries based on final judgments. The Data Protection Officer shall leave the determination of the appropriate measures to the discretion of the controller, but shall provide a report on the measures taken, including the number of default entries removed from the credit register, by 31 January 2022, unless it appeals against this decision. Reasoning In this case, the EDPS has considered that the incorrect entries in the applicant's request for rectification were the result of a behavior by the controller which does not meet the conditions set by the data protection rules. The EDPS has considered it appropriate to instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing operations in line with the provisions of the General Data Protection Regulation. In making the sanction assessment, the Data Protection Supervisor has considered referring the matter to the Sanctions Chamber of the Data Protection Supervisor's Office referred to in section 24 of the Data Protection Act, which decides on the imposition of an administrative sanction fee under Article 83 of the General Data Protection Regulation. In making this assessment, the EDPS has taken into account the large-scale processing of the personal data in question and the implications for the data subject's rights and freedoms. The EDPS has considered that the controller should have opted for a procedure which poses a lower risk to the data subject's rights and freedoms, which would justify the referral to the Sanctions Chamber. However, the EDPS considers that the imposition of an administrative penalty fee would not be proportionate as required by Article 83 (1) of the General Data Protection Regulation, as compliance with the conditions for a default judgment is somewhat difficult to interpret under the provisions of the Credit Information Act. In addition, the EDPS has taken into account in his / her discretion the impact on the activities of the controller of the procedures of the Legal Register Center, which were assessed as deficient in case 8211/161/19 (attached). The EDPS considers that the incomplete disclosure practices of the Registry have had a significant impact on the whole case, which would make it disproportionate to consider imposing an administrative penalty fee. In view of the above, the EDPS considers that a remark under Article 58 (2) (b) of the General Data Protection Regulation is a sufficient sanction. Finally, the EDPS notes that there is a contradiction in the explanation provided by the controller. In his report, the controller stated that the information provided to it by the Legal Registry Center rarely contained the information to be screened and that such information was not included in the period for which the information was requested to be provided to the EDPS. However, in its reply to the inquiry concerning the Center for Legal Registers and Bisnode, the controller stated that it had not entered a default entry in the credit register for the three solutions specified in the request for reply. According to Article 31 of the General Data Protection Regulation, the controller shall, upon request, cooperate with the supervisory authority in the performance of its tasks. The degree of cooperation with the Authority is also one of the factors influencing the imposition and amount of an administrative sanction (Article 83 (2) (f) of the General Data Protection Regulation). The EDPS considers that the inconsistencies revealed in the investigation could be a factor in the amount of the sanction to be imposed on the controller. In the present case, however, that fact does not in itself constitute a ground for infringement of Article 31 which would allow the matter to be referred to the Sanctions Chamber of the EDPS. The EDPS will pay special attention to this in the future. Applicable law Mentioned in the explanatory memorandum. Appeal According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is made to the administrative court.