Hoge Raad - 21/00241
Hoge Raad - 21/00241 | |
---|---|
Court: | Hoge Raad (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 6(1)(c) GDPR Article 6(1)(f) GDPR Article 17 GDPR Article 21 GDPR |
Decided: | 03.12.2021 |
Published: | 03.12.2021 |
Parties: | HOIST FINANCE AB |
National Case Number/Name: | 21/00241 |
European Case Law Identifier: | ECLI:NL:HR:2021:1814 |
Appeal from: | Rechtbank Amsterdam C/13/694440 / KG ZA 20-1118 |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | Jonathan Crabbe |
The Supreme Court concludes that a registration in the BKR's CKI is not based on a legal obligation, Article 6(1)(b), but on a legitimate interest, Article 6(1)(f) GDPR. Consequently, the existence of the rights to be forgotten and right to object in case of CKI registration is confirmed.
English Summary
Facts
This case concerns an interlocutory judgment in the case C/13/694440/KG ZA-20-1118 MvW/JE dated 21 January 2021, in which a number of preliminary questions are put to the Dutch Supreme Court. It concerns the legal basis used to justify a lender's registration with the Stichting Bureau Kredietregistratie (BKR), can this be done on the basis of Art. 6(1)(c) (legal obligation) or (f) (legitimate interest) AVG. The answer to this question must provide clarity on the rights of the borrower and more specifically erasure under Art. 17 AVG or right to object under Art. 21 AVG.
The Supreme Court based its answer to the preliminary questions on the following facts. The data subject had taken out a loan with the controller. After payment arrears had occurred, the controller demanded the credit. In May 2006, in connection with the credit that had been granted, the data subject was entered in the CKI with a special code A. This code indicates that there are delays. Subsequently, the 2-coding was added, which means that there is a claimed debt. On 1 June 2017, a 3-coding was added to indicate that the amount exceeds a certain threshold. On 27 June 2017, a processor of the controller indicated that the entire claim had been settled. In July 2020, following a request made by the data subject, the controller notified that it would have the 3-coding removed from the BKR registration. On 10 September 2020, the data subject made another request for removal of the BKR registration. This request was rejected by the controller. The data subject claimed that the controller should amend the registration.
The following preliminary questions were put to the Supreme Court:
Must the processing of specific personal data by a credit institution, by means of an individual registration in the system of BKR, be assessed in accordance with the provisions of Article 6(1)(c) AVG, or Article 6(1)(f) AVG, or both provisions? 2. Does the answer to Question 1 mean
(a) that the person whose personal data have been recorded is not entitled to invoke the right to erasure provided for in Article 17 of the AVG?
(b) that person is not entitled to a right of objection as referred to in Article 21 of the AVG?
3. If the answer to Question 2b means that, in the case of a BKR registration, there is no right of objection within the meaning of Article 21 of the AVG, does that mean that Article 35 of the UAVG plays no role in the legal proceedings to have that registration removed?
Holding
The first preliminary question led the Supreme Court to examine a possible legal basis that justifies a registration of the data subject with the CKI. The Supreme Court examined Art. 4:32 (1) of the Financial Supervision Act (Wft), which prescribes that a creditor, in this case the controller, participates in the credit registration system. Art. 4:34 of the same Act contains the duty of care to prevent excessive lending and the investigation of the financial position of the data subject. In the Netherlands, the performance of these duties by lenders is translated into registration in the BKR's CKI. The CKI has no legal basis. It is based on self-regulation by the financial sector, which is accepted by the legislator. For example, the rules of the CKI state in Articles 2 and 3 that it is a contractual arrangement that exclusively governs the relationship between the BKR and business customers and that the objective of the BKR is to promote socially responsible financial services, that the BKR wants to protect consumers from excessive lending and other financial problems, and that the BKR wants to contribute to the limitation of financial risks in lending for its business customers and to prevent and combat abuse and fraud. Art. 3 (4) of the CKI rules states that the processing of personal data in the CKI has its lawful basis in Art. 6 (1) (f) of the AVG, because the processing is necessary to serve the legitimate interests of the BKR and its business customers. Although Art. 4:32 and 4:34 Wft do oblige credit providers to participate in and consult a credit registration system, these statutory provisions are not sufficiently clear and precise and their application is not sufficiently predictable for those to whom these statutory provisions apply, as required by Art. 6(3) AVG. It is not specified which personal data must or may be registered in the CKI, what the conditions for such registration are and under what conditions and within what time limits personal data must be deleted. All this is regulated in the CKI regulations, but these regulations have no legal basis. The Court concluded as follows: Art. 6 Paragraph 1 (c) AVG cannot serve as a basis for the processing of personal data in the CKI of the BKR and that this processing must be tested against the provisions in Art. 6 Paragraph 1 (f) AVG. The second question regarding the rights of the data subject under Art. 17 (erasure of data) and Art. 21 (right of retention) can be answered in the affirmative by the analysis of the first question. Both rights are preserved for the data subject. The third question will not be discussed since it is based on the assumption that there is no right of objection (Art. 21 AVG) in the case of a BKR registration.
Comment
The Supreme Court does emphasize the following: It should be noted that the data subject whose personal data have been processed on the basis of Art. 6 (1)(c) AVG does not have the rights to erasure and objection contained in Art. 17 AVG and Art. 21 AVG respectively. This does not mean that the person concerned is deprived of legal protection in this case. For example, he or she may be able to oppose the processing of his or her personal data before the civil courts by invoking Article 6:162 of the Dutch Civil Code, whether or not in conjunction with Article 8 of the ECHR
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Body High Council Date of judgment 03-12-2021 Date of publication 03-12-2021 Case number 21/00241 Formal Relationships Conclusion: ECLI:NL:PHR:2021:831 Jurisdictions Civil rights Special characteristics Preliminary ruling Content indication Preliminary questions (art. 392 DCCP). General Data Protection Regulation (GDPR). Legal basis for the processing of personal data in the credit registration system of the BKR; art. 6 para. 1 lit. c GDPR (legal basis) or Art. 6 para. 1 lit. f GDPR (for the protection of the processor's legitimate interests)? Right to erasure (Art. 17 GDPR); right to object (Art. 21 GDPR)? Locations Rechtspraak.nl Enhanced pronunciation Share pronunciation print Save as PDF Copy link Pronunciation SUPREME COURT OF THE NETHERLANDS CIVIL CHAMBER Number 21/00241 Date December 3, 2021 PRELIMINARY DECISION In the case of [applicant], residing at [residence], Plaintiff at first instance, hereinafter: [applicant], did not appear in the preliminary ruling proceedings, in return for the legal person under Swedish law HOIST FINANCE AB, with its registered office in Amsterdam, DEFENDANT at first instance, hereafter: Hoist, lawyer in the preliminary ruling proceedings: J.W.H. from neighbourhood. 1. The preliminary ruling procedure In the interlocutory judgment in the case C/13/694440 / KG ZA 20-1118 MvW/JE of 21 January 2021, the judge in preliminary relief proceedings in the Amsterdam District Court, on the basis of art. 392 RV referred questions to the Supreme Court for a preliminary ruling. Hoist has written comments as referred to in art. 393 paragraph 1 Rv submitted. The conclusion of the Advocate General E.B. Rank-Berenschot aims to answer the preliminary questions as stated in the conclusion under 3.17, 3.19 and 3.21. Hoist's lawyer responded in writing to that conclusion. 2 Principles and facts 2.1 This preliminary ruling concerns the question to which of the persons referred to in art. 6 General Data Protection Regulation1 (hereinafter: AVG) a registration with the Stichting Bureau Kredietregistratie (hereinafter: the BKR) must be checked. Is registration with the BKR in order to fulfill a legal obligation within the meaning of art. 6 para. 1 lit. c GDPR, or to defend the legitimate interests of the controller or a third party within the meaning of Art. 6 para. 1 lit. f GDPR? The answer to this question is important, among other things, for the borrower's claim to erasure of his personal data pursuant to Art. 17 GDPR, and for the option of the borrower to object to the processing of his personal data pursuant to Art. 21 GDPR. 2.2 In answering the questions referred for a preliminary ruling, the Supreme Court starts from the following facts: (i) The BKR has a Central Credit Information System (hereinafter: the CKI). In this system, payment arrears or other irregularities that arise during the term of a credit agreement are stated with special codes (hereinafter: the BKR registration). (ii) [applicant] has taken out a credit with (a legal predecessor of) Hoist. After payment arrears had arisen, Hoist claimed the credit in July 2006. (iii) In May 2006, the special code 'A' was noted in the CKI in connection with the credit granted under the name of [applicant]. This coding means that there is a backlog. Shortly afterwards, a '2-coding' was added to [applicant]'s BKR registration, which means that there is a claimed claim. (iv) On June 1, 2017, a '3-code' was added to the BKR registration of [applicant], which means that an amount greater than €250 had to be debited from the credit. (v) On June 27, 2017, NDA Incasso, to whom Hoist had handed over the claim and who had agreed a payment arrangement with [applicant], notified [applicant] that the entire claim had been paid. (vi) In July 2020, Hoist notified [applicant], following a request made by [applicant], that she would have the 3 coding in [applicant]'s BKR registration removed. (vii) On September 10, 2020, [applicant] again submitted a request for removal of the BKR registration to Hoist. Hoist rejected this request by email dated September 21, 2020. 2.3 In these preliminary relief proceedings, [applicant] claims that Hoist be ordered to have the BKR registration changed, in the sense that the codes 2 and A are removed after his name. Hoist defended himself against that claim, inter alia by appealing to inadmissibility on the ground that [applicant] did not appeal within six weeks against the rejection decision of 21 September 2020 on his second removal request (see above in 2.2 under (vii)), as prescribed in art. 35 paragraph 2 of the Implementation Act General Data Protection Regulation (hereinafter: UAVG). 2.4 In an interlocutory judgment2 on the basis of art. 392 et seq. Rv submitted the following preliminary questions to the Supreme Court. 1. Should the processing of specific personal data by a credit institution, by means of an individual registration in the BKR system, be tested against the provisions of art. 6 para. 1, preamble and under c GDPR, or to Art. 6 para. 1, preamble and under f GDPR, or to both provisions? 2. Does the answer to question 1 mean a. that the person whose personal data has been registered cannot invoke the right to erasure as referred to in art. 17 GDPR? b. that the person has no right of objection as referred to in art. 21 GDPR? 3. If the answer to question 2b means that with a BKR registration no right of objection as referred to in art. 21 GDPR, does this mean that Art. 35 UAVG does not play a role in the legal proceedings for the removal of that registration? 3 Answer to the questions referred for a preliminary ruling 3.1.1 The first question for a preliminary ruling raises whether the processing of personal data by a credit institution by means of an individual registration in the system of the BKR must be tested against the provisions of art. 6 para. 1, preamble and under c GDPR, or to Art. 6 para. 1, preamble and under f GDPR, or to both provisions. 3.1.2 Protection of personal data is a fundamental right protected by Art. 8 ECHR, which provides for the right to respect for private and family life, Art. 16 paragraph 1 of the Treaty on the Functioning of the European Union and art. 8 paragraph 1 of the Charter of Fundamental Rights of the European Union, which provides that everyone has the right to the protection of his personal data. In its decision of 9 September 2011, the Supreme Court ruled under the now expired Personal Data Protection Act (hereinafter: Wbp) and the now repealed Personal Data Protection Directive3 that, partly in the light of art. 8 ECHR, all data processing must comply with the principles of proportionality and subsidiarity and that this entails that the infringement of the interests of the data subject may not be disproportionate in relation to the purpose to be served with the processing and that this purpose cannot reasonably be can be reached in a different way, which is less detrimental to the data subject.4 This also applies under the GDPR, which has replaced the Personal Data Protection Directive and the Wbp. 3.1.3 art. 6 para. 1 GDPR provides that the processing of personal data is only lawful if and insofar as at least one of the following conditions is met: a) the data subject has consented to the processing of his/her personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; c) the processing is necessary for compliance with a legal obligation to which the controller is subject; d) the processing is necessary to protect the vital interests of the data subject or of another natural person; e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the controller; f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the person concerned is a child. The provisions under f do not apply to processing by government authorities in the performance of their duties. These bases for the processing of personal data are not mutually exclusive, as follows from the words "at least" in Art. 6 para. 1 GDPR, so that it is possible that a processing of personal data falls under more than one processing basis. 3.1.4 Pursuant to art. 6 para. 1, preamble and under c GDPR, the controller is entitled to process personal data if this is necessary to comply with a legal obligation to which he is subject. It appears from the explanatory memorandum to the UAVG that the Dutch legislator has interpreted the requirement of necessity to be met if it is not reasonably possible to perform a legal obligation that rests on the controller without processing the personal data.5 3.1.5 art. 6 para. 3 GDPR provides, insofar as it is relevant to answer the questions referred for a preliminary ruling, that the legal obligation referred to in Art. 6(1)(c) of the GDPR must be determined by Union or Member State law to which the controller is subject, whichever Union or Member State law must determine the purpose of the processing. Recital 41 of the GDPR states that when the GDPR refers to a legal basis or a legislative measure, it does not necessarily require a legislative act adopted by a parliament. However, the legal basis or legislative measure must be clear and precise, and its application must be predictable for those to whom it applies, as required by the case law of the Court of Justice of the European Union and the European Court of the Rights of the Man, according to the preamble. Furthermore, recital 45 in the preamble to the GDPR states that the GDPR does not require specific legislation for each individual data processing, but that it is sufficient to provide legislation that serves as the basis for several data processing operations on the basis of a legal obligation incumbent on the controller. 3.1.6 art. 4:32(1) of the Financial Supervision Act (hereinafter: Wft) prescribes that a credit provider participates in a credit registration system. art. 4:34(1) of the Wft contains a duty of care to prevent excessive lending and obliges a credit provider to obtain information in the interest of the consumer about its financial position and to assess whether the lending is justified. The duty of care arising from this article is further elaborated in art. 114 of the Decree on the Supervision of the Conduct of Financial Undertakings Wft (hereinafter: BGfo). This stipulates that a credit provider must, prior to granting a credit of more than €250, consult the credit registration system about credits already granted to the consumer. art. In short, 4:34 paragraph 2 Wft provides that a credit provider will not grant credit if this is irresponsible with a view to excessive lending to the consumer. This refusal obligation is further elaborated in art. 113 paragraph 1 BGfo. This stipulates that a credit provider will not grant a consumer credit of more than €1,000 if the provider does not have sufficient information about the consumer's financial position to be able to assess, in order to prevent excessive lending, whether of the agreement is responsible. 3.1.7 The duty of care to prevent excessive lending is partly based on Directive 2008/48/EC6 (hereinafter: Consumer Credit Directive). art. 8(1) of the Consumer Credit Directive provides that Member States shall ensure that the creditor assesses the consumer's creditworthiness before concluding the credit agreement on the basis of sufficient information obtained, where appropriate, from the consumer and, where necessary, on the basis of a consultation of the relevant database. art. 9 paragraph 1 Consumer Credit Directive provides that each Member State shall ensure that creditors from other Member States have access to the data files used in the Member State in question to assess the creditworthiness of the consumer and that the access conditions may not be discriminatory. art. 9 paragraph 4 Consumer Credit Directive in connection with art. 94 para. 2 GDPR provides that Art. 9 Consumer Credit Directive does not affect the application of the GDPR. 3.1.8 In the Netherlands, the system of credit registration in which credit providers participate in compliance with the legislation and regulations referred to in 3.1.6 above and which they consult for its implementation is formed by the CKI of the BKR. The CKI has no legal basis. It is based on self-regulation by the financial sector, which the legislator has accepted.7 The BKR has established the General CKI Regulations (hereinafter: CKI Regulations).8 According to art. 2 paragraph 1 CKI regulations, this concerns a contractual arrangement that exclusively regulates the relationship between the BKR and its business customers. art. 3 paragraph 1 CKI regulations state that the objective of the BKR is to promote socially responsible financial services, that the BKR wants to protect consumers from excessive credit and other financial problems and that the BKR wants to contribute to its business customers limiting financial risks in lending and preventing and combating abuse and fraud. This purpose of the registration and consultation of personal data in the CKI of the BKR has also been mentioned in legislative history in the context of the duty of care of credit providers.9 Art. 3 paragraph 2 CKI regulations stipulate that the BKR pursues this goal by, among other things, collecting, recording, organizing and providing its business customers with personal data relevant for this purpose. art. 3 paragraph 4 CKI regulations determine that the processing of personal data in the CKI finds its lawful basis in art. 6 para. 1 lit. f GDPR, because the processing is necessary for the protection of the legitimate interests of the BKR and its business customers. 3.1.9 art. 4:32 paragraph 1 Wft and art. 4:34 paragraph 1 Wft, as further elaborated in art. 114 BGfo, while obliging credit providers to participate in and consult a system of credit registration, these legal provisions are not sufficiently clear and precise and their application is not sufficiently predictable for those to whom these legal provisions apply, such as Art. 6 para. 3 GDPR (see 3.1.5). After all, it is not clear from those legal provisions which personal data must or may be registered in the CKI, what the conditions are for such registration and under what conditions and within what periods the personal data must be deleted. This is regulated in the CKI regulations, but those regulations are not based on a legal basis; the registration of personal data in the CKI takes place on the basis of an agreement between the BKR and credit providers (see 3.1.8). 3.1.10 In the absence of a legal obligation to process data within the meaning of Art. 6 para. 1, preamble and under c of the GDPR, this provision cannot serve as a basis for the lawful processing of personal data in the CKI of the BKR. Now that data processing is also not based on one of the grounds referred to in Art. 6 para. 1 lit. a, b, d or e GDPR (see above in 3.1.3), the lawfulness of the data processing must be assessed on the basis of the criterion of Art. 6 para. 1, preamble and under f GDPR. 3.1.11 The answer to the first question referred is that Art. 6 paragraph 1, preamble and under c of the GDPR cannot serve as a basis for the processing of personal data in the CKI of the BKR and that this processing must be assessed against the provisions of art. 6 para. 1, preamble and under f GDPR. 3.2.1 The second question referred for a preliminary ruling raises whether the answer to the first question means that the person whose personal data have been registered (a) does not have a right to erasure as referred to in Art. 17 GDPR and (b) that the person has no right of objection within the meaning of Art. 21 GDPR. 3.2.2 art. 21 para. 1 GDPR provides that a data subject has the right to object at any time, on grounds relating to his particular situation, to the processing of personal data concerning him or her on the basis of Art. 6 para. 1, preamble and under e and f of the GDPR and that the controller then ceases the processing of the personal data, unless he invokes compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject or that are related with the institution, exercise or substantiation of a legal claim. art. 17 (1) preamble and point c of the GDPR means, insofar as it is relevant to answer the questions referred for a preliminary ruling, that the controller is obliged to delete personal data without undue delay at the request of the data subject, including if the data subject is subject to Art. 21 para. 1 GDPR to the processing, and there are no overriding legitimate grounds for the processing. 3.2.3 from art. 17 and art. 21 GDPR, it follows that the data subject whose personal data has been processed on the basis of Art. 6 para. 1, preamble and under f GDPR, has the right to erasure and the right to object. It follows from the answer to the first question referred that Art. 6 para. 1, preamble and under f GDPR forms the basis for the processing by the controller of the personal data of the data subject in the CKI of the BKR. The answer to the second question for a preliminary ruling is therefore that the data subject whose personal data are registered with the BKR (a) has the right to erasure as referred to in Art. 17 GDPR and (b) that the data subject has the right to object pursuant to Art. 21 GDPR. 3.2.4 It should be noted that the data subject whose personal data have been processed on the basis of Art. 6 para. 1, preamble and under c GDPR does not have the data erasure and objection rights set out in Art. 17 GDPR or Art. 21 GDPR. This does not mean that the data subject is deprived of legal protection in that case. For example, he can appeal to the civil court on the basis of art. 6:162 of the Dutch Civil Code, whether or not in conjunction with art. 8 ECHR, oppose the processing of his personal data (cf. what has been considered above in 3.1.2). 3.3 The third question for a preliminary ruling assumes that with a BKR registration no right of objection as referred to in art. 21 GDPR exists. Because it follows from the answer to the second question that such a right of objection does exist with a BKR registration, the Supreme Court did not answer this question. 3 Decision The high Council: - answers the questions in the manner described above in 3.1.11 and 3.2.3; - estimates the costs of this procedure on the basis of art. 393 paragraph 10 DCCP at €1,800 on the part of Hoist and on nil on the part of [applicant]. This decision was made by Vice President M.V. Polak as chairman and councilors C.E. du Perron, M.J. Kroeze, H. M. Wattendorff and G. C. Makkink, and pronounced in public by Counsel H.M. Wattendorff on December 3, 2021. 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( General Data Protection Regulation), OJEU 2016, L 119/1. 2 Amsterdam District Court 21 January 2021, ECLI:NL:RBAMS:2021:174. 3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, PbEG 1995, L 281/31. 4 HR 9 September 2011, ECLI:NL:HR:2011:BQ8097 (Santander), para. 3.3. 5 Parliamentary Papers II 2017/18, 34851, no. 3, p. 35. 6 Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC, OJEU 2008, L 133/66. 7 See Parliamentary Papers II 1986/87, 19785, no. 3, p. 14-15; Parliamentary Papers II 1987/88, 19785, no. 7, p. 10-11. 8 Stichting BKR, General Regulations CKI, 1 January 2021, can be consulted via www.bkr.nl. 9 See, for example, Parliamentary Papers II 2003/04, 29507, no. 3, p. 18; Parliamentary Papers II 2009/10, 32339, no. 3, p. 36.