Persónuvernd - 2020010634

From GDPRhub
Revision as of 09:50, 3 March 2021 by Mh (talk | contribs)
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6(1)(a) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: 2020010634
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) has ruled that the complainant's consent to Creditinfo's use of additional information in the preparation of reports on the complainant's credit rating fulfilled the conditions of Article 10 of Act no. 90/2018, and thus Creditinfo was authorized to make a credit rating about him.

The DPA also concluded that Creditinfo was authorized to use information on obsolete claims and information on the complainant's debt position when making a credit rating of the complainant, as he himself had approved such processing.

English Summary

Facts

The DPA received a complaint about the processing of personal information about the complainant by Creditinfo Lánstraust hf. (Creditinfo) in connection with the preparation of reports on his creditworthiness. The complainant had to agree to certain criteria for Creditinfo's obtaining of information in order to be able to view his own credit rating on the company's website, i.e. mitt.creditinfo.is. The complainant considered that the information gathering by Creditinfo is too extensive.

Secondly, the complainant pointed out that Creditinfo used information on obsolete claims and information from the company's debt position system when calculating the complainant's credit rating, including information on his bankruptcy that was already deregistered.

Thirdly, the complainant claimed that he had not received an explanation of his credit rating from Creditinfo and any information about changes in his credit rating during his communication with the company.

Dispute

Holding

The DPA stated that it is clear in this case that the preparation of reports on the complainant's credit rating by Creditinfo did not take place in connection with a loan or facility of any kind, but through the complainant himself. More specifically, the case file shows that the complainant logged in to the Creditinfo website, i.e. mitt.creditinfo.is, approved the general terms of use and additional terms of the company during the period in question and received his credit rating. It is clear that the complainant agreed to the company's general terms of use on 6 December 2018 and on the same day he agreed to the additional terms of Creditinfo. According to the DPA, the method used by Creditinfo to offer the complainant acceptance of the additional terms in question was in an understandable, identifiable and accessible form. Creditinfo was able to show that the consent had been granted and the complainant was able to withdraw his consent at any time, in addition to which the assessment was recalculated according to the terms so that no additional information was used in the calculation. In view of the above, the DPA concluded that Creditinfo's processing of information about the complainant's bankruptcy when making a credit rating about him was in accordance with Act no. 90/2018.

Finally, the DPA assessed that the complainant's right to information according to Art. of the Regulation (EU) was respected when he was provided with information on his credit rating. The processing was therefore in accordance with the second paragraph of Article 17 of Act no. 90/2018 and Article 15 of the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Processing of Creditinfo Lánstraust hf. in connection with the preparation of credit reports
Case no. 2020010634
8.2.2021
The Data Protection Authority has ruled that the complainant's consent to Creditinfo's use of additional information in the preparation of reports on the complainant's credit rating fulfilled the conditions of Article 10 of Act no. 90/2018, and thus Creditinfo was authorized to make a credit rating about him. It is also concluded that Creditinfo was authorized to use information on obsolete claims when making a credit rating of the complainant. Creditinfo was also authorized to use information on the complainant's debt position when making a credit rating of him, as he himself had approved such processing. Finally, it is concluded that Creditinfo respected the complainant's right to information when he was provided with information on his credit rating.

Ruling

On January 28, 2021, the Data Protection Authority issued a ruling in case no. 2020010634 (formerly 2019051072):

I.
Procedure

1.
Beginning of case and correspondence
On 19 May 2019, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about the processing of personal information about him by Creditinfo Lánstraust hf. (Creditinfo) in connection with the preparation of reports on his creditworthiness.

By letter dated 30 August 2019, Creditinfo was invited to comment on the complaint. The answer was given by letter dated 24 September. By letter dated 23 October of the same year, the complainant was invited to comment on the content of Creditinfo's reply letter. The complainant's reply letter was received by the Data Protection Authority on 12 November. By letter dated 23 June 2020, the Data Protection Authority requested specific explanations from the complainant. The complainant's reply letter was received by the Data Protection Authority on 31 July. By letter dated 27 October of the same year, the Data Protection Authority requested further information from Creditinfo. Creditinfo's response was received by the Data Protection Authority on 5 November. By e-mail on the 19th of the same month and a phone call the next day, the Data Protection Authority requested further explanations from Creditinfo. Creditinfo's replies were received by e-mail on the 19th, 20th and 23rd of the same month. By e-mail on the 27th of the same month, the Data Protection Authority requested further explanations from Creditinfo. Creditinfo's replies were received by e-mail on the 28th of the same month and 1.

In resolving the case, all of the above documents have been taken into account, although not all of them are specifically described in the following ruling.

The handling of this case has been delayed due to heavy work at the Data Protection Authority.

2.
The complainant's views
Firstly, the complaint relates to the fact that the complainant had to agree to certain criteria for Creditinfo's obtaining of information in order to be able to view his own credit rating on the company's website, i.e. mitt.creditinfo.is. The complainant considers that the information gathering by Creditinfo is too extensive.

Secondly, it is complained that Creditinfo used information on obsolete claims and information from the company's debt position system when calculating the complainant's credit rating. He refers to the fact that he was declared bankrupt [dated] 2016. The bankruptcy proceedings were then registered on Creditinfo's default register but also deregistered in 2018. However, the bankruptcy still had the effect of downgrading the complainant's credit rating just over a year after its legal effect ended [due to] a two-year limitation period for such claims according to Act no. 21/1991, on bankruptcy proceedings, etc. The complainant considers that an expired claim should have the same legal effect as a paid claim between creditors and debtors. The legal effect of the claim should therefore have ended two years after the complainant was declared bankrupt. Creditinfo has therefore not been authorized to maintain registration of him for four years since the bankruptcy proceedings were first registered in the company's default register. Creditinfo considers itself authorized to keep registration for "up to" four years, cf. what is stated in Creditinfo's e-mail to the complainant from 15 April 2019 that accompanied the complaint. Creditinfo's above explanation proves that the company's conduct is based on a subjective assessment. The complainant points out that if a subjective assessment is to be applied, it must serve a purpose and be legitimate, as well as having legitimate interests behind it. Creditinfo has not shown this and has tried to mislead the complainant, blame others and point him in the wrong direction. The company has not substantiated why it considers it justified to lower his credit rating for four years from the time the bankruptcy proceedings were first registered, or two years longer than the legal effect of the initial listing, cf. the aforementioned Act no. 21/1991.
The nature of the claims that are time-barred must be considered and it must be examined whether they may have been caused by the complainant, even though they may have been his responsibility. The complainant refers to the collapse of the financial system in 2008 in this connection and considers it wrong for the credit rating to give a correct picture of the efficiency and payment history. The complainant therefore demands that Creditinfo be prohibited from using or estimating anything that may be based on such speculation.

Furthermore, the complainant considers that Creditinfo has received information on obsolete claims against him from financial institutions through a debt position system operated by the company, and used that information in making a credit rating about him. He refers in this connection to the fact that Creditinfo has given the explanation that it was financial institutions that disseminated information to the company and that the company was not responsible for that. The complainant considers this to be incorrect and considers that Creditinfo is the guarantor and in fact information on his debt position has been used in the calculation of his credit rating. It is therefore Creditinfo's responsibility to explain and inform the complainant who discloses information about him if he so requests. The company was therefore not allowed to refuse him his request, which was that the company hand him a list with an overview of those who disseminated information about him in the system, cf. the complainant's e-mail to Creditinfo dated 16 August 2019. Creditinfo should, on its own initiative, verify the accuracy of the information that the company receives, uses in making a credit rating about him and resells. The company is also obliged to act as an intermediary in making corrections to the financial undertaking in question, if requested in a reasoned manner, as the complainant claims to have done.

Thirdly, it is complained that the complainant did not receive an explanation of his credit rating from Creditinfo, in addition to which he comments that he was not informed of any changes in his credit rating during his communication with Creditinfo. The complainant states that he has sought explanations for the assessment since December 2018, but without success. His credit rating was in category D1 at the end of April 2019. It is now listed as C1 but was in D3 until the end of February 2019, or 10 months after the legal effect ended [date]. Creditinfo did not want to disclose on what basis the company bases its assessment, or what interests are behind it, it assesses the factors that concern the complainant's person when calculating the credit rating. He also refers to the fact that no individual assessment has been made of his personal financial capacity, even though he had often asked for it. He owns three apartments, villas, chattels, etc. and therefore there is nothing to indicate that he is not creditworthy.

3.
The views of Creditinfo Lánstraust hf.
Regarding the part of the complaint concerning the preparation of a credit rating of the complainant, Creditinfo refers to the fact that, with Art. Act no. 90/2018 on personal protection and the processing of personal information, the making of a credit rating in order to communicate it to others was made subject to an operating license. On 16 July 2018, Creditinfo received a license from the Data Protection Authority to process a credit rating (case no. 2018/1229 with the Data Protection Authority). The license was last renewed on 28 June 2019 (case no. 2019/1202). Informed consent of an individual, cf. point 1 of Article 9 of Act no. 90/2018, must be available when a credit rating is applied for by a lender.

Creditinfo's credit rating assesses the probability of default and registration in the default register over the next twelve months. Statistical predictions about future events must be based on historical information, such as returns and payment history. If information on defaults and payment history in the past does not affect the credit rating, the basis is torn away from the usefulness of the rating. Such an assessment would not satisfy the provisions of Article 5 of Act no. 33/2013 on consumer loans and would run counter to the comments on Article 10 in the bill that became the law, which state that credit ratings can be based on, among other things, efficiency and payment history. It has been shown that historical information on arrears and payment history has a high predictive value for the probability of default in the future. It is clear according to Act no.

The Data Protection Authority considered that it did not involve the unauthorized disclosure of information on default claims that had been submitted, that they affected the conclusion of credit rating reports, within the time limits set by Creditinfo's operating license, the provisions of the Data Protection Act and the processing of personal data no. 90/2018 and the provisions of Regulation no. 246/2001, provided that it is clear that the information itself does not reach the recipients of the assessment. It is referred to that in para. Articles 2.7. Creditinfo's current operating license from 29 December 2017 (case no. 2017/1541), which was renewed on 28 June 2019 (case no. 2019/1202), deals with the deletion of information. It states, among other things, that information on individual debts should be deleted if it is known that they have been returned. Information from the register shall be deleted when it is four years old. The article also states that the company may store information for an additional three years and may use the information to comply with requests from registered individuals for knowledge of the processing of personal information about themselves and to resolve disputes over the validity of registration. If a maximum of four years have elapsed since the registration of information on the default register, it may also be used to make a credit rating at the request of the data subject, provided that no information is provided on the claims themselves but only statistical results, cf. Paragraph 2 Articles 2.7.

The complainant had received the answers from Creditinfo that previous registrations had an effect on his credit rating, cf. above, for up to four years from registration. It was also stated in his answers that the effect of previous listings on credit ratings decreases as time passes from their listing. The registrations that affected the complainant's credit rating when the complaint was submitted were all less than four years old. The complainant was also informed that information provided to the debt position system did not affect his credit rating.

Creditinfo subsequently discusses the part of the complaint that concerns the company's debt position system. The company's description is in accordance with the information that the Data Protection Authority has previously received regarding the system for handling other complaints, where issues have been tried in connection with Creditinfo's debt position system, cf. for example, the ruling of the Data Protection Authority, dated 3 April 2020, in case 2020010600, and reference is made to Creditinfo's explanation in section I.3. in that ruling.

The complainant had repeatedly been informed that Creditinfo could not make corrections or changes to information published in the debt position statement, as the information was not registered with the company, but retrieved in real time to participants when an individual authorized a party to retrieve the information or retrieved it himself on the service website mitt.creditinfo.is. The complainant was also advised that comments on information published on the debt position statement should be communicated to the company, institution or fund in question that disseminated information to the system. The complainant was also referred to the ruling of the Data Protection Authority, which confirmed that the responsible party was not permitted to share information there about expired claims.

Creditinfo also discusses the part of the complaint that concerns the complainant's need to approve the company's data collection in order for him to view his credit rating on Creditinfo's website. The company refers to the fact that it carries out credit ratings for individuals and companies with reference to Article 15 of Act no. 90/2018 on personal data protection and the processing of personal data and the operating license of the Data Protection Authority issued with reference to that article. The companies that enter into a subscription agreement with Creditinfo can apply for a credit rating of individuals if the person in question agrees to such information gathering. In accordance with the provisions of the operating license, only the credit rating of the person in question is communicated to the subscribers, and not information on which influencing factors affect the assessment. In accordance with the provisions of the Data Protection Act, the data subject will have free access to all information about the processing, including information on what variables are used as a basis for a credit rating. Privacy information is always accessible to the registered person on the access-controlled service website Creditinfo (mitt.creditinfo.is), in addition to which it is possible to have such information sent to a registered domicile according to the National Registry.

Creditinfo states that the company's credit rating is a product produced at high cost, as it is a complex calculation model that is constantly being developed and maintained by the company's specialists. It cannot be seen that this obligation rests with the financial information office, cf. applicable law, rules or provisions of the operating license, to deliver a product produced in this way free of charge without any restrictions. Creditinfo invites individuals to purchase their credit rating on the service website mitt.creditinfo.is. The assessment now costs ISK 1,790 and it is also possible to buy a credit rating and have it sent to a registered legal domicile according to the National Registry.

As it is not permitted to work with positive information when preparing a credit rating without consent, Creditinfo invites individuals to share additional information when preparing the rating. Such information is only used if the individual has given informed and verifiable consent to it on the access-controlled service website mitt.creditinfo.is. The additional information currently used in the preparation of the assessment is information on the number of searches and information on searches and monitoring of the reason for collection in Creditinfo's files. The fact that an individual has not been looked up for collection reasons in the company's files gives a strong indication that he is not in arrears. In such cases, the disclosure of additional information can therefore have a positive effect on the assessment of the probability of default and the entry of information in the default register for the next twelve months. If an individual agrees to provide additional information when preparing a credit rating, Creditinfo will offer free access to the rating. Consent to the use of additional information can easily be revoked on the service website mitt.creditinfo.is and then the assessment is recalculated based on previous assumptions within less than an hour.

With reference to the above, Creditinfo considers that it has complied with the provisions of the operating license issued by the Data Protection Authority, the Act on Personal Data Protection and the Processing of Personal Data, as well as rules set on the basis of that Act.

4.
Case data and survey by the Data Protection Authority
According to information from Creditinfo and an independent survey by the Data Protection Authority regarding the collection of information by Creditinfo when logging in to the website mitt.creditinfo.is, it is clear that Creditinfo's customers are offered to accept the company's additional terms when logging on to its website. In addition, the consent of users is requested for certain general terms of use, but as things stand here, there is no reason to trace them further. The Additional Terms authorize Creditinfo to use certain additional information when calculating the person's credit rating. More specifically, the assessment is based on data that Creditinfo considers itself authorized to work with in accordance with the company's operating license, as well as the information that the user in question agreed that it could be used in preparing reports on his credit rating.

The Data Protection Authority requested information from Creditinfo as to whether the complainant had agreed to the company's additional terms and, if so, what additional terms he had agreed to. According to the information received from Creditinfo regarding the above, it is clear that the complainant agreed to certain additional terms in December 2018. At the beginning of the terms he agreed to, there was a description of the nature of Creditinfo's credit rating and what information the assessment was based on. The authority of individuals to accept Creditinfo's access to additional information and the authority of the company to use it in calculating credit ratings were discussed in more detail. It was also pointed out that the use of additional information could, as the case may be, lead to an increase or decrease in the credit rating. The exact nature of the consent in question was discussed, for what purpose the additional information would be used, ie. to make a credit rating, and that such a credit rating would be communicated to Creditinfo's customers who downloaded and used credit ratings of individuals with their informed consent. It was reviewed what information was not shared and how long the consent was kept. The user was also authorized to revoke the relevant consent at any time and to save such revocation. It was pointed out that after the withdrawal of approval for the use of additional information had been received, the credit rating was based on information that Creditinfo had access to at any given time and could be used in the processing of the assessment. Subsequently, an explanation was found of the additional information that could be used in making the credit rating of the person in question, and when specifying each type of information processing, there was a box that the user in question had to check himself. 
The additional information in question was information on which parties had monitored the user's ID number and had monitored it for the past four years and information on which parties had looked it up during the same period. There was also information on the user's debt position that was downloaded from Creditinfo's debt collection system and information on his payment behavior that was downloaded from Reiknistofa bankanna's claims pool. For each type of information processing, a more detailed explanation and specification was found of the information that was processed and the time limits for its use.

The case file also shows the information that the complainant received from Creditinfo following his inquiry about further information about his credit rating. The information that the complainant received from Creditinfo was provided by e-mail on 7 December 2018. In the e-mail, Creditinfo referred to the fact that the company operates on the basis of operating licenses from the Data Protection Authority, cf. Article 15 of Act no. 90/2018, and attached was a link that referred directly to the company's current operating license. Creditinfo also referred to a license for Creditinfo for the processing of personal information for the purpose of making a credit rating, and there was an attached link that referred directly to that license. The company subsequently reviewed the obligations of lenders according to Act no. 33/2013 on consumer loans to assess the creditworthiness of consumers before concluding an agreement on consumer loans. It was pointed out that Creditinfo's credit rating was a statistical model that would meet the probability of default and registration in the VOG default register for the next twelve months. Risk categories were published on a scale of A-E, where A had a relatively lower probability of default and E the highest. Within each credit rating category, there were scales from 1-3 that showed a position within the risk category and the company referred to a link that contained further information about the company's credit rating on its website. The complainant was also informed that one of the factors influencing the downgrade was a previous listing on the default register, and the company then referred to Article 2.7 of the operating license, which authorizes the use of such information for three years from delisting but not longer than four years from registration.
Creditinfo instructed the complainant that he could see his credit rating on the company's service website and attached was a link that referred directly to the website mitt.creditinfo.is. There he could see which factors influenced his assessment and if there were previous registrations he could see when they had been registered. In addition to the above, information was found on the nature and function of Creditinfo's debt position system and information that the company was a processor of information in the system, while the participants were responsible. The company could therefore not make corrections or changes to information published in the debt position statement, as such information would be retrieved to participants in real time. The complainant was therefore instructed to submit comments on the information published in the debt position statement to the relevant company, institution or fund that provided the system. Finally, Creditinfo referred to the fact that individuals could object to the processing of personal information if they did not consider the processing in accordance with laws, rules and authorizations in the operating license from the Data Protection Authority that Creditinfo operated according to. The company responded to objections no later than fourteen days after receipt of the objection and if the objection was not accepted, the complainant was instructed that he could complain to the Data Protection Authority.

The complainant's communication with Creditinfo, which accompanied the complaint, shows that he then again commented on his credit rating by e-mail to Creditinfo on 13 April 2019. Creditinfo replied to the complainant by e-mail on the 15th of the same month, referring to the company's previous answers, i.e. those he had received by e-mail on December 7, 2018. In addition, he was informed that information on the debt position would not affect his credit rating. In Creditinfo's reply, he was also informed of the authorization to use additional information in the preparation of a credit rating and was instructed that he could approve such processing and withdraw it from mitt.creditinfo.is. Some communication took place after this, but there is no reason to trace them further here. It should be noted, however, that a screenshot of the complainant's website on mitt.creditinfo.is, which accompanied his comments 13.

The Data Protection Authority's survey also shows that mitt.creditinfo.is contains a more detailed discussion of what determines a credit rating, how it is possible to improve its credit rating as well as information on when a credit rating is updated.

II.
Assumptions and conclusion

1.
Scope - Responsible party
The scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 of Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 of Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is identified or identifiable, and an individual is considered identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. point 2 of Article 3 of the Act and point 1 of Article 4 of the Regulation.

Processing refers to an operation or series of operations in which personal information is processed, whether the processing is automatic or not, cf. point 4 of Article 3 of the Act and point 2 of Article 4 of the Regulation.

This case concerns the processing of personal information about the complainant in the preparation of reports on his credit rating with Creditinfo and on his access to information for that processing. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

The party responsible for ensuring that the processing of personal information complies with Act no. 90/2018 is called the responsible party. According to point 6 of Article 3 of the Act, this refers to an individual, legal entity, government authority or other party who decides, alone or in collaboration with others, the purposes and methods of processing personal information, cf. point 7 of Article 4 of the Regulation.

Creditinfo has information systems on financial matters and creditworthiness and processes information in them in order to disseminate them to subscribers. This processing is the responsibility of Creditinfo and the company is therefore considered to be responsible for the processing that involved the use of the complainant's information, which had been recorded there, for the preparation of the company's reports on the complainant's credit rating. In addition to the above, Creditinfo is considered to be responsible for issues in connection with the complainant's access to its credit rating on the company's website, as well as information on it, after requesting further explanations.

Regarding who is considered the responsible party for the processing that takes place in Creditinfo's debt position system, it is clear that it is the subscriber in question who disseminates information to the system that is considered responsible for that processing. The Data Protection Authority considers Creditinfo to be a processor of information in the debt position system, cf. point 7 of Article 3 of Act no. 90/2018, and to process personal information in the system on behalf of the subscribers.

2.
The operating license of Creditinfo Lánstraust hf.
The operation of a financial information office and the processing of information concerning the financial affairs and creditworthiness of individuals and legal entities, including default registration and the preparation of credit ratings, in order to communicate them to others, shall be subject to the permission of the Data Protection Authority, cf. Article 15 of Act no. 90/2018. Creditinfo's operations are to a large extent covered by the above provision and the Data Protection Authority has granted the company an operating license in accordance with that, cf. now, in the case of individuals, Creditinfo's operating license for the processing of information on financial matters and creditworthiness, dated 29 December 2017 (case no. 2017/1541), and a temporary operating license for the processing of personal information for the purpose of making a credit rating, dated 23 August 2018 (case no. 2018/1229).

In view of this, the obligation to obtain an operating license due to the preparation of a credit rating according to Art. Act no. 90/2018 is an innovation and it was not found in a comparable provision of Act no. 77/2000 on personal protection and handling of personal information. However, the current temporary operating license does not contain provisions that entail changes from the implementation that has been formed in the Data Protection Authority's decisions regarding credit ratings. As before, Creditinfo must ensure that the information recorded on the basis of operating licenses granted by the Data Protection Authority may not be used for the purpose of making a credit rating in such a way as to violate issued licenses or applicable law in general.

3.
Legality of processing
3.1.
Approval of the additional terms of Creditinfo Lánstraust hf. when logging on to the company's website
All processing of personal data must be covered by one of the authorization provisions of Article 9 of Act no. 90/2018, cf. Article 6 of Regulation (EU) 2016/679. The authorizations that are particularly relevant here are that the data subject has given his consent for the processing of personal information about himself for one or more specific purposes, cf. point 1 of Article 9 of the Act, or that the processing was necessary due to legitimate interests that the responsible party or a third party could pursue, unless the interests and fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh them, cf. point 6 of the same provision.

In addition to the authorization according to the above, the processing of personal data must comply with the principles of the first paragraph of Article 8 of Act no. 90/2018. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3); that they shall be reliable and updated as necessary (point 4); and that they shall be processed in such a way as to ensure their appropriate security (point 6).

The Data Protection Authority has considered that point 6 of Article 9 applies to the processing of personal information that takes place in Creditinfo's information systems in connection with the preparation of reports on the creditworthiness of individuals, when this is done on behalf of the person in question in connection with a loan or facility of some kind, cf. for example, the ruling of the Data Protection Authority, dated 31 May 2018, in case no. 2017/537. In the ruling, the Data Protection Authority referred to the fact that it was clear when looking at Act no. 33/2013 on consumer loans, that it was obligatory to assess the borrower's creditworthiness before a loan was granted and therefore the complainant in the case could not avoid it being assessed. The existence of an individual's actual choice is a condition for the fulfillment of the requirements for consent, and the Agency considered that in the circumstances in question this was not the case. With reference to this, the processing could not have taken place on the basis of an authorization according to point 1 of Article 9 of the Act.

However, it is clear in this case that the preparation of reports on the complainant's credit rating by Creditinfo did not take place in connection with a loan or facility of any kind, but through the complainant himself. More specifically, the case file shows that the complainant logged in to the Creditinfo website, i.e. mitt.creditinfo.is, approved the general terms of use and additional terms of the company during the period in question and received his credit rating.

In this connection, reference is made to an overview from Creditinfo of the complainant's logins on the company's website, as well as what terms he agreed to and when he withdrew his consent. It is clear that the complainant agreed to the company's general terms of use on 6 December 2018 and on the same day he agreed to the additional terms of Creditinfo. During the period from December 2018 to May 2019, he interacted with Creditinfo where he commented on his credit rating. The approval was then withdrawn on 15 October 2019.

With reference to the above, it is tested here whether Creditinfo's authorization to make a credit rating of the complainant in question could have been based on point 1. Article 9 of the Act, cf. Article 6 (a) of the Regulation.

Consent is defined as an unforced, specific, informed and unequivocal declaration of intent by the data subject that he consents, by declaration or unequivocal confirmation, to the processing of personal information about himself, cf. point 8 of Article 3 of the Act. When processing is based on consent, the responsible party must be able to demonstrate that a registered individual has agreed to the processing of his personal data in accordance with further conditions in Articles 7 and 8 of the Regulation, cf. Paragraph 1 of Article 10 of the Act. The second paragraph of the same provision states that if the data subject gives his consent by a written statement which also concerns other matters, the request for consent shall be presented in such a way that it is identifiable from the other matters, in an understandable and accessible form and in a clear and simple language. The third paragraph of the provision states that a registered individual has the right to withdraw his consent at any time. Withdrawal of consent should not affect the legitimacy of processing on the basis of consent until revocation. The fourth paragraph states that when assessing whether consent is given freely and voluntarily, the utmost consideration shall be given to whether it is a condition for the implementation of a contract that consent is given for the processing of personal data that is not necessary for the contract. The comments on Article 10 in the bill that became Act no. 90/2018 state that in order for consent to be considered informed, the registered individual must know the identity of at least the responsible party and be aware of the purpose of the processing that the personal information is intended to serve.

Reference is also made to the conditions for consent in several sections of the preamble to Regulation (EU) 2016/679. Point 32 states that consent shall be given by clear confirmation, such as a written declaration, including by electronic means, or an oral declaration, that establishes an unforced, specific, informed and unequivocal declaration of intent by the data subject to consent to the processing of personal information concerning him. An example of this could be checking a box when accessing an online website or an act that clearly indicates in this context that a registered individual agrees to the proposed processing of personal data. It is pointed out that silence, boxes that have already been checked or inactivity should not be regarded as consent. The said section of the preamble also states that consent should cover all processing activities carried out for the benefit of the same objective, one or more. When processing is for a variety of purposes, consent should be given to each and every one of them. In the case of consent following an electronic request, the request must be clear and unambiguous and must not unnecessarily disrupt the use of the service for which the consent is provided. Point 42 of the preamble to Regulation (EU) 2016/679 states that consent shall not be deemed to have been given freely and voluntarily if the data subject does not have a real choice or free choice or cannot refuse or withdraw consent without being harmed. Then it says in 43.

In assessing whether the complainant's approval of Creditinfo's additional terms has fulfilled the above requirements for consent according to Act no. 90/2018 and thus Regulation (EU) 2016/679, account must be taken of the method used by the company in obtaining the complainant's consent and the content of the additional terms he agreed to, cf. the discussion in Chapter I.4. In the circumstances, the Data Protection Authority considers that the method used by Creditinfo to offer the complainant acceptance of the additional terms in question has been in an understandable, identifiable and accessible form. Creditinfo was able to show that the consent had been granted and the complainant was able to withdraw his consent at any time, in addition to which the assessment was recalculated according to the terms so that no additional information was used in the calculation.

The Data Protection Authority agrees with Creditinfo's views that it is not unreasonable to require registered individuals to pay for access to the company's credit rating, which is a product produced by it at some cost. It is then based on a new, updated assessment that is created when the data subject searches for it and not information that was already available, so that the 5th paragraph of Article 12 of Regulation (EU) 2016/679 applies, to the effect that requests from the data subject for, among other things, access to personal information about themselves, cf. Article 15 of the Regulation, shall be processed free of charge. It is also considered that registered individuals always have the opportunity to see what information the company uses when making a credit rating.

With reference to the above, the Data Protection Authority considers that the complainant's consent has fulfilled the conditions according to Article 10 of Act no. 90/2018 and that thus Creditinfo was authorized according to point 1 of Article 9 of the Act for the preparation of reports on the complainant's credit rating. The Data Protection Authority also considers that the processing was in accordance with the principles of Article 8 of the Act.

In view of the above, the conclusion of the Data Protection Authority is that the processing of Creditinfo, which consisted of preparing a credit rating for the complainant on the basis of his consent, was in accordance with Act no. 90/2018, on personal protection and processing of personal information.

It must also be examined whether Creditinfo was allowed to use information on obsolete claims and from Creditinfo's debt position system when preparing reports on the complainant's credit rating. Information on time-barred claims was not part of the additional information that the complainant agreed to be used in the calculation of his credit rating, cf. above. The Data Protection Authority therefore considers that Creditinfo has not been able to base the processing of the information in question on point 1 of Article 9 of the Act, on consent as a processing authorization. Creditinfo's authorizations to register and use this information in the preparation of reports on the complainant's credit rating will therefore be assessed here.

3.2.
Use of information on obsolete claims and from Creditinfo's debt position system when preparing a credit rating
As has been stated before, the complainant comments that claims that are time-barred because their two-year limitation period has expired according to the second paragraph of Article 165 of Act no. 21/1991 on Bankruptcy etc. affect the calculation of his credit rating for four years from their listing on the default register. The authorization that is particularly at issue in this connection is that the processing was necessary due to legitimate interests that the responsible party or a third party could pursue, unless the interests and fundamental rights and freedoms of the data subject, which require the protection of personal information, outweigh them, cf. point 6 of Article 9 of Act no. 90/2018.

In light of the above, it should be taken into account that Creditinfo is authorized to record information on the creation of bankruptcy proceedings, cf. point 4 of Article 2.2.2 of the company's operating license (case no. 2017/1541). The second paragraph of Article 2.1 states that if information that measures the data subject's creditworthiness has become four years old, it may not be disclosed. The first paragraph of Article 2.7 of Creditinfo's current operating license then provides that information on individual debts shall be deleted if it is known that they have been returned, as well as information that has become four years old. However, it is also stated that information may be stored for an additional three years if it is subject to strict access restrictions and care is taken to ensure that no one else has access to it other than those Creditinfo employees who need it for their necessary work. After that time, the information shall be deleted. The second paragraph of Article 2.7 of the operating license states, among other things, that information may be used for the purpose of making a credit rating at the request of the data subject up to a maximum of four years after the registration of the information and provided that no information is provided about the claims themselves but only statistical results.

The Data Protection Authority has several times before taken the position that Creditinfo was permitted to use information on previous entries in the default register when preparing credit ratings for individuals. Reference is made most recently to the ruling of the Data Protection Authority, dated 11 September 2020, in case no. 2020010592. In that ruling, the Data Protection Authority concludes that Creditinfo may use information on the entry in the company's default register when preparing reports on the complainant's credit rating, for a maximum of four years from the registration of that information, cf. provisions in the operating license of Creditinfo. Regarding the reasoning of the Data Protection Authority in this regard, reference is made to the above-mentioned ruling of the Agency, but the Data Protection Authority considers the same points of view as apply in the case to be resolved here.

Regarding the complainant's comments that a different time limit should be used for claims due to bankruptcy proceedings when making a credit rating, it is to be considered that the consequences of the claim becoming time-barred or being settled are the same, i.e. it is not possible to collect them after that deadline. It is also clear that the reason behind the registration of information in the default register is also the same regardless of the origin of the claims behind it, i.e. the debtor could not repay the debt. It cannot therefore be considered that there is any reason to believe that Creditinfo should have used a different time limit for using information on the complainant's previous defaults due to the bankruptcy proceedings than those laid down in the operating license.

In view of the above, the conclusion of the Data Protection Authority is that Creditinfo's processing of information about the complainant's bankruptcy when making a credit rating about him was in accordance with Act no. 90/2018, on personal protection and processing of personal information.

The complainant also comments that Creditinfo rejected his request for an overview of those who provided the company with information on expired claims on his ID number, cf. his e-mail to Creditinfo on 16 April 2019. It seems that part of the complaint is based on the fact that Creditinfo has obtained information from financial institutions about obsolete claims against the complainant through Creditinfo's debt position system, and has used that information in preparing a report on his credit rating. As previously stated, the case file contains a screenshot of the complainant's website at Creditinfo in his e-mail to the company on 13 April 2019. It contained information that the complainant's debt situation and payment behavior did not affect his credit rating.

At the same time, it is clear that the complainant approved Creditinfo's use of such information, cf. what is stated in section I.4., and it must therefore be considered that Creditinfo was authorized according to point 1. Article 9 to use such information in making a credit rating of the complainant. If information provided to Creditinfo has been incorrect or incomplete, it is the responsibility of the creditor in question, but he is considered the responsible party for the dissemination of the information, cf. what has been said before. As has also been stated before, information on previous entries in the default register was the one that had the greatest effect on the reduction and it was not retrieved from Creditinfo's debt position system. It has not been stated that they were prepared in such a way as to contravene the company's operating license (case no. 2017/1541), cf. in particular the second paragraph. in Article 2.7. in the license.

Regarding the complainant's comment that he did not receive a list with an overview of those who provided information about him in Creditinfo's debt position system, it appears that the complainant has gained access to the company's website, where this information can be found and he could therefore have downloaded it himself. In the circumstances, it will therefore not be considered that Creditinfo should have provided the complainant with such a list, cf. the exemption from the data subject's right to information on the basis of Article 15 of the Regulation, cf. further discussion in Chapter II.3.3. below, which is laid down in the 5th paragraph of Article 12 thereof. That provision states, among other things, that if requests from a registered individual are manifestly unfounded or disproportionate, the responsible party may refuse to accede to the request, cf. point b of the provision. The same provision states that the responsible party must demonstrate that the request is unreasonable or excessive. In this connection, it appears that Creditinfo had informed the complainant that he could access this information on his website at the company, cf. including an e-mail from Creditinfo to the complainant, 29 April 2019. In light of this and the circumstances of the case in other respects, the Data Protection Authority considers that Creditinfo did not have an obligation to provide him with the list in question.

3.3.
Use of Property Information - Access and Information Rights
Regarding the complainant's comment that Creditinfo has not corrected or made an individual assessment of his financial capacity, as he owns three apartments, villas, chattels, etc., it appears that the Data Protection Authority has previously ruled in a case on whether Creditinfo was obliged to consider the income and assets of listed individuals when assessing creditworthiness, cf. ruling, dated 22 June 2020, in case no. 2020010678. In that case, the Data Protection Authority came to the conclusion that the law did not require that Creditinfo should take such information into account when preparing reports on the creditworthiness of individuals. It was rather the responsibility of the lender in question to take such information into account when examining the borrower's solvency in connection with the preparation of a payment assessment.

When assessing the complainant's rights, it is necessary to first discuss the process behind the preparation of credit rating reports by Creditinfo. The Data Protection Authority has previously discussed the information and access rights of registered individuals in connection with that assessment. Reference is made to the ruling dated 11 September 2020 in case no. 2020010592. The ruling reviews information on Creditinfo's credit rating on the company's website, stating what it is based on, its purpose and how it is rated. It has been concluded that Creditinfo's processing of personal information in connection with the preparation of reports on credit ratings of individuals involves the preparation of a personal profile within the meaning of point 10 of Article 3 of Act no. 90/2018. It is pointed out that such processing can be burdensome for the data subject, especially when he or she is denied products or services on the basis of the personal profile. In such circumstances, special attention must be paid to the provisions of the first paragraph of Article 8 of Act no. 90/2018, cf. Article 5 of the Regulation (EU), cf. also the rights guaranteed to the complainant in Section III of Act no. 90/2018, cf. Chapter III of Regulation (EU) 2016/679. The above rights can be exercised by the data subject vis-à-vis the responsible party who creates the personal profile, i.e. Creditinfo, and, as the case may be, the responsible party who makes the decision on the basis of such information from Creditinfo. In that case, as in this one, only Creditinfo's obligations in that connection as the responsible party for the processing complained about were tested, i.e. whether Creditinfo had provided the complainant with adequate information on his credit rating when he requested it.

The Data Protection Authority considers the same points of view as above to apply in the case that is currently being resolved and the complainant's right to information and access will therefore be assessed on the basis of the above points of view in the following.

According to para. Article 17 Act no. 90/2018, a registered individual has the right to access personal information about himself according to the instructions of Articles 13-15 of Regulation (EU) 2016/679. As stated before, it is clear that the complainant requested information about his credit rating when it was available from Creditinfo. The data subject's right to access information is governed by Article 15 of the Regulation on the right of a registered individual to access information. That provision stipulates, inter alia, that a registered individual shall have the right to receive confirmation from the responsible party as to whether personal information concerning himself is processed and, if so, the right to access information on, among other things, the following matters: the purpose of the processing (point (a)); the relevant categories of personal data (point (b)); if possible, how long it is planned to keep the personal information or, if this is not possible, the criteria used to determine it (point (d)); that there is a right to request the responsible party to have personal information corrected, deleted or restricted in its processing with regard to the data subject or to object to processing (point (e)); if personal data are not obtained from the data subject, all available information on their origin (point (g)); and whether automatic decision-making takes place, including the creation of a personal profile and then significant information about the arguments behind it and also about the significance of the planned processing for the data subject (point (h)).

It must be assessed whether the information that the complainant received by e-mail from Creditinfo on 7 December 2018 and 15 April 2019, cf. a further investigation by the Data Protection Authority as described in Section I.4, fulfilled the above conditions according to Article 15 of Regulation (EU) 2016/679.

Point 63 of the preamble to the Regulation refers, inter alia, to the fact that every registered person should have the right to know and be informed of the purpose of the processing of personal data, the processing period of the data if possible, their recipients, the reasons behind the automatic processing of personal data and the consequences of such processing, especially when it is based on the type of profile. It also states that the responsible party should provide the data subject with remote access to a secure system that gives him direct access to personal information about himself. It then refers to the fact that this right should not, however, have a negative effect on the rights or freedoms of others, including trade secrets or intellectual property rights, and in particular the copyright to the software.

It is clear that Creditinfo provided the complainant with all the information that the company is obliged to provide according to Article 15 of Regulation (EU) 2016/679, cf. also point 63 of the preamble to the regulation, both by e-mail to him and with the information to which he was referred in the Creditinfo service area. It cannot be seen that Creditinfo is obliged under Article 15 or other provisions of the Privacy Act to inform the complainant, and thus all users of the company's website, of any changes that may occur in the assessment, at any time. It should also be noted that the Data Protection Authority considers the 5th paragraph of Article 12 of Regulation (EU) 2016/679 to have been relevant when the complainant requested a list of those who disseminated information about him in Creditinfo's debt position system, cf. the discussion in Chapter II.3.2. above.

In view of the above, the conclusion of the Data Protection Authority is that the complainant's right to information according to Art. of the Regulation (EU) was respected when he was provided with information on his credit rating. The processing was therefore in accordance with the second paragraph of Article 17 of Act no. 90/2018, on personal protection and the processing of personal information, cf. Article 15 of Regulation (EU) 2016/679.


Ruling:
The processing by Creditinfo Lánstraust hf. of personal information about [A] for a report on his credit rating, and the company's information gathering for this purpose, was in accordance with Act no. 90/2018, on personal protection and processing of personal information.

Creditinfo Lánstraust hf.'s handling of [A]'s request for access to information on how the processing of personal data about him took place was in accordance with Act no. 90/2018 and Regulation (EU) 2016/679.

At the Data Protection Authority, January 28, 2021


Ólafur Garðarsson
chairman


Björn Geirsson


Vilhelmína Haraldsdóttir


Þorvarður Kári Ólafsson