Persónuvernd (Iceland) - no. 2020020909
Persónuvernd (Iceland) - no. 2020020909 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5(1) GDPR; Article 6(1)(f) GDPR; Article 58(2)(g) GDPR; Data Protection Act no. 90/2018 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 04.10.2021 |
Published: | |
Fine: | None |
Parties: | Creditinfo |
National Case Number/Name: | no. 2020020909 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Icelandic |
Original Source: | Icelandic DPA (in IS) |
Initial Contributor: | Florence D'Ath |
The Icelandic DPA ruled that a credit scoring company had violated the GDPR by assigning a credit score to an individual on the basis of information that was more than 4 years old. The Icelandic DPA therefore ordered the controller to delete the personal data in question.
English Summary
Facts
Creditinfo is an Icelandic company assigning credit scores to individuals and companies, based on verifiable information entered by creditors or third parties in Creditinfo's default register. According to the operating license granted to Creditinfo, Creditinfo is not allowed to assign credit scores on the basis of information which is more than 4 years old.
In this context, a data subject (the Complainant) was found to be in default of payment in a judgment of the Icelandic Supreme Court, following legal proceedings between the Complainant and a creditor, Landsbankinn hf (hereafter, the Bank). However, the Bank registered this information in Creditinfo's default register only two years after the judgment was rendered. Based on this entry, Creditinfo assigned a negative credit score to the Complainant.
In January 2020, the Complainant sent an email to Creditinfo to object to the processing of his personal data, arguing that the information on the basis of which his credit score had been calculated was more than 4 years old. In parallel, he also requested Creditinfo to erase his personal data. Creditinfo however rejected this request, arguing that the information in question was still valid and relevant, as it had been registered by the Bank less than 4 years ago.
On 5 February 2020, the Complainant decided to file a complaint with the Icelandic DPA.
The dispute brought to the attention of the Icelandic DPA therefore mainly concerned the date from which the four years period provided in the operating license of Creditinfo must be calculated. On the one hand, the Complainant was arguing that this date should be the date when he had been recognized in default of payment (i.e. the date of the judgment). On the other hand, Creditinfo was arguing that this date should be the date on which the Bank registered the information in its default register.
Holding
After reviewing the facts of the case and the operating license of Creditinfo, the Icelandic DPA considered that the processing of the Complainant's personal data by Creditinfo was unlawful. In particular, the Icelandic DPA found that Creditinfo should have used the date of the judgment rendered by the Supreme Court as the date from which the four-year period starts. The fact that the Bank was late in registering the claim in the default register of Creditinfo should not put the data subject at a disadvantage. Furthermore, the Icelandic DPA noted that Creditinfo had been informed by the Complainant about the discrepancy between the date of the judgment and the date of the registration by the Bank. The Icelandic DPA further stated that, in light of the principle of fairness, lawfulness and transparency (Article 5(1) GDPR), Creditinfo should have responded to the Complainant's comments in this respect, and based the four-year period on the date of the judgment and not the date of registration of the claim by the Bank.
For these reasons, the Icelandic DPA concluded that Creditinfo did not comply with the GDPR, and thus ordered the latter to delete the data of the Complainant and send a confirmation of such a deletion at the latest by 22 October 2021.
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Creditinfo's processing of personal information does not comply with the law
Case no. 2020020909
10/4/2021
The Data Protection Authority received a complaint about Creditinfo's use of information about the complainant's previous defaults in making a credit rating with the company. Creditinfo did not consider the claim in question to be older than four years; cf. a provision in the company's operating license, it is not permitted to work with claims older than that. The company relied on the date on which the claim was registered in the default register by creditors.
The complainant stated that he had sent Creditinfo a suggestion that the creditor had registered the arrears about two years after the Supreme Court overturned its judgment from which the claim arose. The complainant considered that Creditinfo should have based the four-year time limit on the time when information about the judgment in question came into being, i.e. when it is announced and published on the Supreme Court's website, but not the date of registration in the default register. In view of the above, the Data Protection Authority ruled that Creditinfo's processing of information about the complainant's previous defaults had not been in accordance with the Act on Personal Data Protection and the Processing of Personal Data. Creditinfo was also asked to delete information about the claim from its files.

Ruling
On September 22, 2021, the Data Protection Authority issued a ruling in case no. 2020020909:

I. Procedure
1. Complaints and correspondence
On 5 February 2020, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about the processing of personal information about him by Creditinfo Lánstrausti hf. (Creditinfo) in connection with the preparation of reports on his credit rating.
By letter dated 8 May 2020, Creditinfo was notified of the above complaint and given an opportunity to comment on it. Creditinfo's reply was received by the Data Protection Authority on 28 May 2020. By letter dated 2 June 2020, the complainant was invited to comment on Creditinfo's above reply. The complainant replied by letter dated June 19 of the same year.
In resolving the case, all the above-mentioned documents have been taken into account, although not all of them are explained separately in the ruling.
The handling of this case has been delayed due to significant concerns at the Data Protection Authority.

2. More about the complaint
There is a complaint about Creditinfo's use of information about the complainant's previous defaults in making a credit rating with the company. These are defaults that have their roots in the Supreme Court ruling that was handed down [dated …]. The complainant states that he sent an e-mail to Creditinfo in January 2020 with comments on the registration due to the arrears and objected to it on the grounds that the information was older than four years, cf. provisions of the company's operating license. Creditinfo objected to this on the grounds that the information had been recorded [dated …] and was therefore not older than four years. The complainant therefore considers that it can be deduced from the available information that Landsbankinn hf., as the creditor of the registered transaction, has refused to record information about the judgment in Creditinfo's default register for about two years since it fell.
The complainant considers that Creditinfo should have based the four-year period on the time at which information about the judgment in question was obtained, i.e. upon its promulgation and publication on the website of the Supreme Court [dated …], but not the date of registration in the default register. It is also demanded that Creditinfo be made to delete information about the judgment from its files, cf. Paragraph 3 Article 5 of Regulation no. 246/2001 on the collection and dissemination of information on financial matters and creditworthiness.

3. Creditinfo's views
Creditinfo refers to the fact that the claim was registered by Lögheimtun ehf., on behalf of Landsbanki Íslands hf., [dated …]. In accordance with the provisions of Creditinfo's operating license, the complainant was notified of the proposed registration [dated …] and given 17 days to object. On [date …] the entry had been registered in the default register but it had then been deregistered [dated …] by Lögheimtun ehf. on the basis of prepayment.
According to Creditinfo's operating license (case no. 2016/1626 with the Data Protection Authority), which was valid when the above claim was registered with the default register, subscribers were authorized according to point 3 of Article 2.2.1 to record in the default register information that the debtor has been ordered to pay a debt by a court. Article 2.1 of the operating license states that information that measures against the data subject's creditworthiness may not be disseminated when it has reached the age of four. Article 2.7 then states that information on individual debts shall be deleted if it is known that they have been returned and that information shall be deleted from the records of the Financial Information Office when they are four years old.
The above registration was related to a claim which was undisputed, i.e. it had been the final decision of the court, the claim had still been in arrears on the date of registration and had not reached the age of four on that day. In Creditinfo's opinion, it was therefore permitted to register it on the default register with reference to the provisions of the company's operating license. The registration in question was deregistered before it became four years old, on [date …], when the claim had been paid.
Creditinfo's operating license (case no. 2016/1626 with the Data Protection Authority) does not cover the publication of credit rating reports. However, the license authorizes the company to use previous entries in the default register when preparing a credit rating. Article 2.7 states that the company is authorized to use it for a maximum of four years from the registration of the information for the purpose of making a credit rating, provided that information on the claim itself is not shared.
Creditinfo points out that the claim in question was registered in the default register on [dated …].
As stated above, Creditinfo may use information on previous registrations for up to four years from the registration of the information for the purpose of making a credit rating. It had not been four years since the registration of the claim and therefore it had still affected the complainant's credit rating.
Creditinfo therefore believes that the company has complied with the provisions of the operating license, the Act on Personal Data Protection and the Processing of Personal Data, as well as rules set on the basis of that Act.

II. Assumptions and conclusion
1. Scope - Responsible party
The scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.
This case concerns the registration and use by Creditinfo of information about the complainant's defaults in the preparation of a credit rating about him by the company. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.
The party responsible for ensuring that the processing of personal information complies with Act no. 90/2018 is named the responsible party. As such, Creditinfo is considered to be responsible for the processing complained of, i.e. registration and use of information about the complainant's defaults when making a credit rating about him.

2. The operating license of Creditinfo Lánstraust hf.
Operation of a financial information office and processing of information concerning the financial affairs and creditworthiness of individuals and legal entities, incl. defaults and the preparation of credit ratings, in order to communicate them to others, shall be subject to the permission of the Data Protection Authority, cf. Article 15 Act no. 90/2018, cf. Paragraph 1 Article 2 of Regulation no. 246/2001 on the collection and dissemination of information on financial matters and creditworthiness. Creditinfo's operations are to a large extent covered by the above provisions and the Data Protection Authority has granted the company an operating license in accordance with them, cf. as regards individuals Creditinfo's operating license for the processing of information on financial matters and creditworthiness, dated 29 December 2017 (case no. 2017/1541), and a temporary operating license for the processing of personal information for the purpose of making a credit rating, dated 23 August 2018 (case no. 2018/1229), which were in force when the events of this case took place.

3. Legality of processing
All processing of personal data must be subject to one of the authorization provisions of Article 9 Act no. 90/2018, cf. Paragraph 1 Article 6 Regulation (EU) 2016/679. The Data Protection Authority has considered that the processing of personal information that takes place in Creditinfo's information systems on financial matters and creditworthiness can be based on point 6 of Article 9 of the Act, cf. point e of the first paragraph of Article 6 of the Regulation, on the grounds that the processing is necessary in the interests of legitimate interests, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.
In addition to the authorization according to the above, the processing of personal information must always be in accordance with all the principles of the first paragraph of Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of the Regulation.
Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (paragraph 3); and that they shall be reliable and up-to-date as necessary and that personal information which is unreliable or incomplete, as to its purpose, shall be deleted or rectified without delay (paragraph 4).
The question here is whether Creditinfo was allowed to use information on the entry in the default register when preparing reports on the complainant's credit rating for four years from the registration of the information in the default register, or whether Creditinfo should have counted the four-year period from the pronouncement of the Supreme Court ruling.
The Data Protection Authority has several times before concluded that Creditinfo was allowed to use information on previous entries in the default register when preparing credit ratings for individuals. Reference is made, e.g., to the ruling of the Data Protection Authority, dated 11 September 2020, in case no. 2020010592. In that ruling, the Data Protection Authority came to the conclusion that Creditinfo was allowed to use information on the entry in the company's default register when preparing reports on the complainant's credit rating, for a maximum of four years from the registration of that information, cf. provisions in the operating license of Creditinfo. Regarding the reasoning of the Data Protection Authority in this regard, reference is made to the above-mentioned ruling of the Agency, but the Data Protection Authority considers that the same views apply in the case that is being resolved here.
In the present case, however, it is clear that the creditor in question refused to register the claim in question on the default register for two years from the time the judgment was rendered. Creditinfo was informed of this, e.g. by e-mail from the complainant on 27 January 2020 in which he commented on the registration. With reference to views on fairness, reliability and proportionality, cf. Points 1, 3 and 4 Paragraph 1 Article 8 Act no. 90/2018 and the corresponding provisions in the first paragraph of Article 5 of Regulation (EU) 2016/679, it must be considered that Creditinfo was obliged to respond to the complainant's comments and to base the four-year period on the date of the judgment and not the date of registration of the claim. In general, it must be assumed that it does not take long from the issuance of judgments to the registration of information on claims based on them, among other things as this could lead to such claims having an impact on the reporting of creditworthiness of listed individuals for much longer than was planned at the time of issuing the operating license, cf. above.
In view of the above, the conclusion of the Data Protection Authority is that Creditinfo's processing of information on the complainant's previous arrears as of [...] was not in accordance with Act no. 90/2018, on personal protection and the processing of personal information.
In accordance with this conclusion, and with reference to points 6 and 7 of Article 42 Act no. 90/2018, Creditinfo is hereby requested to delete information about the relevant claim from its database, if this has not already been done. Confirmation that these instructions have been followed shall be received by the Data Protection Authority no later than 22 October 2021.

Ruling:
Creditinfo's processing of personal information about [A] was not in accordance with Act no. 90/2018, on personal protection and the processing of personal information.
In accordance with this conclusion, and with reference to points 6 and 7 of Article 42 Act no. 90/2018, Creditinfo is hereby requested to delete information about the relevant claim from its database. Confirmation that these instructions have been followed shall be received by the Data Protection Authority no later than 22 October 2021.

Data Protection Authority, September 22, 2021
Ólafur Garðarsson, chairman
Björn Geirsson
Vilhelmína Haraldsdóttir
Þorvarður Kári Ólafsson