Datatilsynet (Norway) - PVN-2023-01: Difference between revisions
No edit summary |
No edit summary |
||
Line 61: | Line 61: | ||
}} | }} | ||
The Norwegian Privacy Appeals Board found that | The Norwegian Privacy Appeals Board found that a car rental platform had a legal basis under [[Article 6 GDPR|Article 6(1)(f) GDPR]] to credit assess a data subject in order to reduce the company's financial risk. | ||
== English Summary == | == English Summary == |
Revision as of 12:46, 15 May 2023
Datatilsynet - PVN-2023-01 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1)(f) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 25.04.2023 |
Published: | |
Fine: | n/a |
Parties: | Getaround Norway AS (formerly Nabobil.no AS) |
National Case Number/Name: | PVN-2023-01 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Personvernnemnda (Norway) (in NO) |
Initial Contributor: | n/a |
The Norwegian Privacy Appeals Board found that a car rental platform had a legal basis under Article 6(1)(f) GDPR to credit assess a data subject in order to reduce the company's financial risk.
English Summary
Facts
After the Norwegian DPA rejected a data subject’s complaint, the case was forwarded to the Norwegian Privacy Appeals Board (PAB) for an assessment.
The data subject complained about the fact that a company (the controller) had credit assessed them when the data subject wanted to rent a car through the company's car-sharing platform. The car-sharing platform connects users wanting to rent out their car, and users who want to rent someone else's car.
The controller has committed to cover any possible expenses to the car owner, as well as, possible deductibles to the insurance company in cases of damage. Such expenses may include tolls, extra kilometers driven, parking fees, deductibles and compensations. The controller then claims the expenses form the renter. The controller considered a deposit inadequate, as a deposit that would be enough to cover the financial risks would make the rental price unacceptably high.
In light of the above, the controller argued it is necessary to credit assess renters. The controller carried out a credit assessment of the data subject when they wanted to rent a car. Due to a payment notice, the data subject was prohibited to rent a car through the platform. The controller relied on legitimate interests under Article 6(1)(f) GDPR when processed personal data for credit assessment purposes.
Holding
The PAB took the view that the controller assumes a considerable financial responsibility when a rental agreement is entered into through its platform, and that therefore, the controller depends on a renter having ability to cover possible expenses.
The PAB took in consideration that the controller had stated that the liability has caused the company large expenses as a result of non-payment. Additionally, the PAB did not disagree with the controller regarding the deposit, and took the view that a deposit is not an equally suitable measure. The PAB agreed that it is necessary for the controller to credit assess its renters in order to reduce the company's financial risk.
The PAB found that the controller had a legal basis in accordance with Article 6(1)(f) GDPR to process credit information about the data subject.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The Norwegian Privacy Board's decision on 25 April 2023 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin, Malin Tønseth) The case concerns a complaint from A against the Norwegian Data Protection Authority's decision on 21 February 2022, where the Norwegian Data Protection Authority concluded that Getaround (formerly Nabobil.no) had a legal basis to credit assess A when he was to rent a car via the company's car-sharing platform, cf. the privacy regulation article 6 no. 1 letter f . Background of the case Nabobil.no is a platform that connects users who want to rent out their car, and users who want to rent someone else's car. Nabobil is not itself a party to the agreement between landlord and tenant, but mediates the payment from the tenant to the landlord. As payment for its services, Nabobil deducts a fee from the rental price. The tenancy is paid in advance. The tenant must register their payment card when renting a car via Nabobil, and Nabobil reserves the right to charge the payment card for all outstanding amounts the tenant is responsible for. In addition to rent, this can, for example, concern tolls, parking fees, deductibles and compensation. The latter expenses are expenses that arise during the tenancy, and which are not paid in advance. Nabobil offers its users insurance through If Skadeforsikring for potential damage that can be caused to the car and third parties during the rental relationship. Neighbor car is responsible under the insurance conditions. The hirer is not the policyholder in accordance with the insurance terms, but is obliged to pay a deductible to Nabobil as part of the agreement for use of the service. In an insurance case, Nabobil pays the deductible to If Skadeforsikring, and then claims this cover from the renter. Nabobil carried out a credit assessment of A when he wanted to rent a car via Nabobil's services in November 2019. Due to a payment notice, A could not enter into a rental agreement with Nabobil.no. A complained about the case to the Norwegian Data Protection Authority on 24 November 2019 and reported what he perceived as an illegal credit check from Nabobil. The Norwegian Data Protection Authority wrote to Nabobil on 3 November 2020 and asked for an explanation. The company explained its practice in a letter on 10 December 2020. Nabobil.no AS changed its name to Getaround Norway AS in November 2021. The company is hereinafter referred to as Nabobil, which was the name of the company at the time of letting in 2019. The Norwegian Data Protection Authority concluded in a decision on 21 February 2022 that Nabobil had a legal basis for credit rating A when he was to rent a car via the company, cf. the Personal Protection Regulation article 6 no. 1 letter f. A timely complained about the Norwegian Data Protection Authority's decision on 15 March 2022. The Norwegian Data Protection Authority assessed the complaint, but found no grounds for changing its decision. The case was forwarded to the Personal Protection Board on 5 January 2023. The parties were informed about the case in a letter from the board on 13 January 2023 and were given the opportunity to make comments. Neither party has submitted comments. The case was dealt with at the board's meeting on 25 April 2023. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin and Malin Tønseth. Secretariat manager Anette Klem Funderud was also present. The Norwegian Data Protection Authority's assessment in general The Danish Data Protection Authority assesses whether Nabobil has grounds for processing its collection of credit information about A in the Personal Protection Regulation Article 6 no. 1 letter f. The provision requires that processing of personal data is "necessary" to safeguard a "legitimate interest" which, after a balance of interests, outweighs the consideration to the individual's privacy. The inspection concludes that Nabobil's financial interest in protecting itself against losses in connection with the rental of a car constitutes a legitimate interest. The authority considers that it was necessary for Nabobil to credit assess A so that the company could make sure that he, as a tenant, had the financial ability to pay expenses that may arise during the tenancy. The Norwegian Data Protection Authority then carries out a concrete balancing of interests and comes to the conclusion that Nabobil's legitimate interest outweighs A's privacy. Although a credit assessment involves a major intrusion into the individual's rights and freedoms, in this case the supervisory authority attaches decisive importance to Nabobil's weighty interest in lowering the financial risk. The Norwegian Data Protection Authority concludes that Nabobil had a legal basis under Article 6 no. 1 letter f to credit assess A in connection with the rental of a car. As's view of the case in brief The Norwegian Data Protection Authority's decision appears completely unreasonable because it is at odds with other insurance conditions. The argument that this is to be considered a credit relationship falls on its own unreasonableness. As a customer, he was supposed to pay the rent in advance in cash together with a deposit for a fixed-term service that includes car insurance that is required by law. As a car owner, you are obliged to have insurance, and an insurance company cannot refuse you to take out insurance. By paying in advance as here, you have actually already paid for the product. The deductible is part of the insurance agreement, and there is no greater risk here than for other insurance agreements. The argument about credit element is therefore invalid. A deposit amount would also have been paid here that covers more than 50% of the excess in the event of damage. When the company has also reserved the right to charge a debit card, which in most cases is linked to a salary account, the arguments around credit conditions become even more unreasonable. A payment notice does not provide any information about how much is in the account. There is no need for credit related to tolls in a rental relationship that lasts for 4 hours when you have given the company access to withdraw this from the account. The insurance also had a low deductible of NOK 4,000. The company could demand a deposit corresponding to the excess as a reservation on the card. It would be easy to manage. It is therefore not correct that the company had no other options. Today, 261,000 Norwegians have payment notices or 7.6% of all those with active credit. Credit checks cannot be used to deny people necessary services when they pay in advance. In his case, he had settled all claims and had over NOK 300,000 in his current account, but he had a payment notice due to an error with a debt collection agency. It cost him dearly that he could not rent from Nabobil because he then had to use a moving agency instead. The moving agency sent an invoice and did not carry out a credit assessment. There is no factual reason for a credit assessment here, and the use appears to be discriminatory. He is therefore asking for the matter to be dealt with by a tribunal. Nabobil's view on the matter in brief Processing of credit information is necessary to safeguard Nabobil's legitimate interests, and has a legal basis in Article 6 no. 1 letter f. Nabobil assumes a great deal of responsibility when a rental agreement is entered into via the platform, both by committing to cover and collect expenses for tolls, extra kilometers driven, fuel, etc. to the lessor and by paying and collecting any excess to the insurance company in the event of damage. The total deductible for one claim can exceed NOK 12,000. If the tenant does not pay the claim, it will be a loss for Nabobil. Nabobil depends on the tenants having a certain ability to pay to ensure the landlord covers expenses during the rental period. Nabobil is directly responsible to the insurance company for the deductible in cases of damage, which can involve significant sums. The liability has caused Nabobil large expenses as a result of non-payment. Nabobil has reserved the right to demand a deposit, but has assessed it in such a way that the deposit will not be able to provide satisfactory security for potential claims the company may have against the tenant, without the price for renting being prohibitively high. Nabobil therefore believes that it is necessary to credit assess its tenants. Although not all leases will result in damages that trigger a deductible, Nabobil cannot know this in advance, and therefore runs a risk with any lease entered into via the platform. The interests of Nabobil and the landlords must outweigh the consideration of the data subjects and their need for protection of information about themselves. For privacy reasons, Nabobil only obtains the credit score, whether there are payment notices and whether there is a credit freeze. It is only when the tenant wants to rent a car that the credit check is carried out. It is voluntary for tenants to use Nabobil. The nature of the service, including its credit element and the risk Nabobil and the lessors take for conditions on the tenant's side, means that it can be expected that Nabobil sets as a condition for the service that the registered person has sufficient ability to pay. The Norwegian Privacy Board's assessment There is no doubt that the collection of credit information constitutes processing of personal data that must have a legal basis to be legal, cf. the Personal Protection Regulation article 6 no. 1. Nabobil is the data controller for the processing, cf. article 4 no. 7. The law's conditions for obtaining credit information In the Personal Protection Regulation article 6 no. 1 letter a to f, alternative legal bases for the processing of personal data are set out. The relevant processing basis for obtaining credit information in this case is Article 6 no. 1 letter f. Basis for processing according to Article 6 no. 1 letter f requires that three cumulative conditions are met. Firstly, there must be a legitimate interest, normally with the data controller, possibly with a third party. When assessing whether there is a legitimate interest, account must be taken of whether the data subject can reasonably expect that the personal data will be used for the purpose in question, etc. cf. point 47 of the regulation, where it is stated, among other things: "[…] It can, for example, such a legitimate interest exists when there is a relevant and appropriate relationship between the data subject and the data controller, e.g. if the data subject is a customer of the data controller or in the person's service. A legitimate interest in all cases requires a careful assessment, including whether a data subject at the time of and in connection with the collection of personal data can reasonably expect that this will be processed for the aforementioned purpose [...]." According to Article 6 no. 1 letter f, secondly, there is a requirement that the processing of the personal data is necessary "for purposes linked to the legitimate interests", and thirdly, a balancing of interests must be carried out between the data subject's interest in privacy on the one hand side and the controller/third party's legitimate interest in processing the personal data on the other. The law's requirement that the processing (the collection of the credit information) must be necessary for purposes linked to the controller's legitimate interest means that the interest safeguarded by the controller must be legally and factually justified. It follows from the Credit Information Act (law-2019-12-20-109) § 14 that credit information can only be given to recipients who have a "factual need for the information in connection with an assessment of creditworthiness". The law entered into force on 1 July 2022 and did not apply when A's credit information was obtained by Nabobil in this case. However, similar conditions (actual need) also followed from the current transitional rules on the processing of personal data in credit reporting activities in regulation 15 December 2000 no. 1265 § 4-3. The tribunal agrees with the Norwegian Data Protection Authority that when it comes to the collection of credit information on natural persons, the requirement of "genuine need" does not represent any additional condition to Article 6 no. 1 letter f of the Personal Data Protection Regulation. The Personal Protection Regulation does not provide national leeway for special regulation of the collection of credit information on natural persons. The assessment of whether the business has a factual need for obtaining credit information is, however, closely related to the assessment according to Article 6 no. 1 letter f. The tribunal therefore agrees with the supervisory authority that previous management practices relating to the requirement of factual need are still relevant when assessing whether the conditions in Article 6 no. 1 letter f is fulfilled. The same applies to statements in the preparations for the Credit Information Act about what is included in the condition of "actual need". In prop. 139 L (2018-2019), the ministry states in the notes to section 14 of the Credit Information Act, among other things: "The actual need for credit information will firstly exist in situations where credit is to be granted, or where the recipient of the information otherwise considers taking on a financial risk by entering into an agreement with the data subject. The ministry refers here to the Personal Protection Board's opinion in PVN-2006-03, where the board stated that it "will not always be sufficient that there is a credit element if the business-related risk is low, and conversely, a credit element will not always be necessary if the business-related risk risk is high'. This statement provides a good basis for concrete assessments of the factual need for credit information in the individual situation. The regulations do not set a lower amount limit for when there may be a factual need, nor are there any restrictions on the type of services the credit can be linked to. It will therefore be up to the creditor and the credit reporting agency to assess whether the risk the creditor assumes is of such a nature that it indicates the need for a credit assessment. Good credit ratings can be of great importance to both creditor and debtor. For the creditor, it is of great importance that the debtor can service the financial obligations he assumes, so that the creditor avoids losses. For the debtor, it may also be important that the creditor carries out a good credit assessment, and possibly advises against or refuses the debtor a credit that he or she will probably not be able to service. The provision shall facilitate that potential creditors have access to necessary and correct information as a basis for their credit assessments. At the same time, the provision should help to prevent the unnecessary dissemination of information that most registered users perceive as worthy of protection. Requirement of factual need will therefore help to prevent snooping on financial information." The tribunal uses this legal basis for its assessment. Whether the conditions for obtaining credit information are met in this case The tribunal assumes that the tenant may incur expenses during the tenancy that have not been paid in advance. There may be expenses for tolls, extra kilometers driven, parking fees, deductibles and any compensation. Nabobil therefore undoubtedly assumes a not inconsiderable financial responsibility when a rental agreement is entered into via the platform. Even if insurance is taken out, it is Nabobil that is responsible under the insurance conditions. The renter is not the policyholder, but is obliged to pay a deductible to Nabobil as part of the agreement for use of the service. Nabobil pays the excess to the insurance company, and will then demand this cover from the tenant. Nabobil therefore depends on the tenants having a certain ability to pay to ensure the landlord covers expenses during the rental period. Although a credit assessment of a potential tenant will not eliminate all forms of financial risk, the tribunal assumes that such a credit assessment will undoubtedly reduce it. According to the tribunal's assessment, it was foreseeable for A that he would be subject to a credit check if he chose to submit the request for car hire. Both in Nabobil's application and on the website it appears that: "Nabobil reserves the right to carry out a credit assessment of you when you send a request for car hire. To be able to rent a car, your credit rating must be satisfactory." The tribunal then agrees with the Norwegian Data Protection Authority that Nabobil's financial interest in protecting itself against losses in connection with the rental of a car constitutes a legitimate interest, as is also apparent from Nabobil's terms of agreement. It is also a requirement that the relevant processing of the personal data is necessary for purposes linked to the legitimate interest. The tribunal has concluded that this condition has also been met. It is Nabobil that is directly responsible for incurred expenses vis-à-vis the car owner and vis-à-vis the insurance company for deductibles in cases of damage. This can involve significant amounts. It is stated that the liability has caused Nabobil large expenses as a result of non-payment and the tribunal takes this as a basis. Although Nabobil has reserved the right to collect a deposit in the terms of the agreement, the tribunal understands that this is not an equally suitable measure as it is difficult to calculate the size of such expenses in advance. Nor will it provide satisfactory security for potential claims the company may have against the tenant, without the price for rent being deterrently high. The tribunal therefore agrees that it is necessary for Nabobil to credit assess its tenants in order to reduce the company's financial risk. The tribunal also agrees with the Norwegian Data Protection Authority's balancing of interests and assumes that Nabobil's legitimate interests in this case outweigh consideration of A's desire to protect the information. Nabobil has taken measures to limit the privacy disadvantages by ensuring that information about the tenant's credit score is not available to the landlord or visible to others on the platform. This is in accordance with the principle of data minimization in the personal protection regulation article 5 no. 1 letter c. The tribunal's conclusion is, after this, that Nabobil's collection of credit information about A in connection with his request to rent a car via Nabobil's digital platform was legal, cf. the personal protection regulation article 6 no. 1 letter f. A is not successful in the appeal. Conclusion The Norwegian Data Protection Authority's decision is upheld. The decision is unanimous. Oslo, 25 April 2023 Mari Bø Haugstad Manager