AKI (Estonia) - 2.1.-1/21/129
AKI - EDPBI:EE:OSS:D:2022:319 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 6 GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 19.06.2022 |
Published: | 19.06.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EDPBI:EE:OSS:D:2022:319 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | Alexander Smith |
The lawful basis for transfer of debt data to a payment default register is the existence of a legitimate interest.
The controller shall respond to requests under Article 15 to 22 GDPR within one month, unless an exemption or extension applies.
English Summary
Facts
The complainant learned that the defendant had included their information in a transfer and listing with ASNEF, regarding the generation of a debt €2,706.41.
The complainant requested information regarding the generation of the debt, and communication of the payment request. This was not provided.
The Data Protection Inspectorate (DPI) sent to enquiry to the defendant regarding: Lawful Basis for processing; If a transfer had been made to ASNEF, is so when and the lawful basis to do so; Are there documents relating to the complainant's debt. Have these been received by the defendant? Was the insolvency file's accuracy verified before transfer? Whether and how the complainant was informed of the transfer; Why had the defendant not replied to the complainant's questions.
In its defence, the defendant argued that the lawful basis for such processing was Article 6(1)(b) GDPR, Contract. The defendant argued that the contractual terms it had with the claimant included provisions which stipulated that the defendant had a right to make such a transfer following an overdue payment or default. This was for the purposes of allowing the complainant the opportunity to monitor his/her debts and to give others the opportunity to process the complainant's data on the basis of legitimate interests in order to assess the complainant's credit worthiness.
The defendant also notes that the complainant was aware of the defendant's right to transfer when concluding the contract, as such a provision was within the contract.
Holding
Lawful Basis - The DPI does not agree that Contract is the correct lawful basis for the transfer, as it is not something the defendant must do to complete their contract. Instead the correct basis is Legitimate Interests (subject to a legitimate interests test).
Release of Personal Data - The DPI finds that the defendant did not comply with Article 12(3) GDPR as the defendant did not reply to the complainant's request within one month, or provide reasons for not providing the requested information.
The DPI reminds the defendant of its obligation under Article 13 and 14 GDPR to inform the data subject in a concise, clear, comprehensible, and easily accessible form using clear and simple language. This information should also be provided in such form if requested in accordance with Article 15 to 22 and 34 GDPR.
Comment
This was a decision made under Article 60 GDPR. The complaint was referred from the Complainant's own member state to the Republic of Estonia's Data Protection Inspectorate. Per Article 60(7) GDPR this decision was notified to the EDPB.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
FOR DATA PRIVACY AND FREEDOM OF INFORMATION Dear Your: 08/02/2021 Member of the Management Board Our: 19/01/2022 No. 2.1.-1/21/129 Reprimand and notice of termination of the proceedings in a case concerning the protection of personal data Through the cross-border proceedings system IMI, the Estonian Data Protection Inspectorate (the Inspectorate) received a complaint from pursuant to which he learned on 02/09/2020 about the inclusion intoASNEF insolvency file of an alleged debt owed to amounting to 2.706,41 EUR. On 14/09/2020 the claimant contacted customer support, in order to request all the information regarding the generation of the abovementioned debt, as well as the reliable communications of the payment request, without receiving any answer to the whole of the raised questions. The claimant stated that he kept on asking for the preventive cancellation of the debt inscription, but got no satisfactory reply. Based on the above, we have initiated supervision proceedings on the basis of clause 56 (3) 8) of the Personal Data ProtectionAct. Throughout the supervision proceedings, we submitted an enquiry to in which we asked the following: 1. What is the legal basis (show the specific legal provision) for processing thepersonal data ofthecomplainant? If theprocessing is necessary for theperformance of a contract to which the data subject is party, then they should send a copy of the contract concluded with the claimant. 2. Has transferred the claimant’s data to the Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and when? If they have, we asked them to indicate the legal basis and purpose of the transfer. 3. Are there any documents proving the claimant’s debt? Has the complainant received the documents? 4. Was the accuracy of the insolvency file verified before it was transferred to ASNEF? 5. Whether and how was the complainant informed of the right to transfer data and the actual transfer of data. If the notice was given, we asked to provide proof of notification. 6. Why hasn’t replied to the claimant’s questions? If they have answered, we asked to send a copy of the answer to the inspectorate. In their response to the enquiry of the Data Protection Inspectorate, said the following:, FOR DATA PRIVACY AND FREEDOM OF INFORMATION has transferred the complainant’s data to ASNEF payment default register as of 09.03.2020 and the legal basis for the transfer of data is the performance of the contract on the basis of Article 6 (1) (b) of the GDPR (see also clause 13.11 of the Agreement): 13.1. Following a payment overdue or default under the Loan Agreement, the Lender shall have a right, in each case pursuant to the applicable law, to notify the Borrower thereof and send the following information to the chosen Payment Default Register: 1) given name and surname of the Borrower; 2) national identification number of the Borrower; 3) commencement and end date of the payment default; 4) the total amount of the payment default; and 5) data concerning the nature of the contractual relationship from which the arrears arise. The Payment Default Register shall have the right to communicate the aforementioned data on the basis of a contract entered into for an indefinite period to other credit providers and other persons who have a legitimate interest concerning the creditworthiness of the persons entered in the register and collect a charge therefor. The Payment Default Register shall have a right to communicate the following data concerning the person who is an object of the inquiry to the other persons with a legitimate interest: 1) commencement and end dates of the payment default; 2) the total amount of the payment default; and 3) the business sector from where the payment default arose. The Borrower shall have the right to submit a claim to the Payment Default Register pursuant to the procedure published on the webpage of the Payment Default Register and demand deletion of a payment default entry from the Payment Default Register. The purpose of processing the data mentioned herein is to allow the Borrower to monitor his/her payment defaults and allow other persons with legitimate interest concerning the creditworthiness of the Borrower to rely on the disclosed information upon making credit decisions with respect to the Borrower. The purposes of the processing are: 1) performance of the contract; 2) giving the complainant the opportunity to monitor his / her debts to (in addition to other notifications and the complainant’s portal account); and 3) giving others the opportunity to process the complainant’s data on the basis of a legitimate interest in order to assess the complainant’s creditworthiness. Please note that these purposes and grounds have also been assessed separately for by the Spanish Supreme Court, which has confirmed the lawfulness of the processing of customer data for such purposes and grounds. Thecomplainantreceivedinformationabouthisdebtfromhisportalaccount,fromnotifications sent by and from notifications sent by the Spanish default register. According to the complainant has been aware of all these sources of information, i.e. he has visited the portal account repeatedly, the notifications have been received (including opened) and the data included the Spanish payment default register is also known to the complainant., FOR DATA PRIVACY AND FREEDOM OF INFORMATION verifies the accuracy of the debt data through a technical solution that notifies the system of the loan amount on the due date. Verifiability is ensured by checking the payment deadline and the receipt of the loan repayment from bank account. The Appellant was at the earliest aware of the right to transfer data when concluding the contract. This right arises from clause 13.1 of the contract. repeatedly informed the complainant by e-mail (ie 04.02.2020, 08.02.2020, 17.02.2020 and 02.03.2020) before sending the defaults to the Spanish default register. In order to prove this, we also included a list of outgoing notifications, the fourth box of which also shows that the complainant has also opened these three notifications. In addition, the payment default register itself informed the complainant of the publication of the payment default. PursuanttoClause13.1ofthecontract,thecomplainanthasexercisedhisrighttocommunicate with the Spanish default register in connection with the cancellation of the default himself. The complainant has exercised this right twice. The first notification of the complainant to the default register took place on 18.09.2020 (at that time was not aware of the out-of-court settlement of the default and we confirmed to the default register on 23.09.2020 that the data had been duly disclosed). received the complainant’s letter by post on 06.10.2020. The second notification of the Applicant to the payment default register took place on 29.10.2020. At that moment, also became aware of the out-of-court settlement and requested that the payment e deleted from the default register on 04.11.2020 (incl. Further notifications were blocked). We add that the deadline for replying to the complainant’s letter was 06.11.2020, but as the situation related to the complainant was resolved through the payment default register (incl. it was used as a communication channel), the complainant was not notified separately. The complainant received the relevant information with the payment default register and the situation was resolved. On 10 February, the SpanishAgency for Data Protection replied that the claim had been settled because the data of theAppellant had been removed from the payment default register pursuant to an out-of-court settlement. The SpanishAgency for Data Protection added that theAppellant had been informed of the possibility of being entered to the payment default register in the contract and also before the payment default was entered. POSITION OF THE DATA PROTECTION INSPECTORATE 1. Lawfulness of the processing of personal data In its reply, stated that it had transmitted the personal data of the Appellant to ASNEF under Article 6 (1) (b) of the GDPR. The Data Protection Inspectorate does not agree with this, as the transfer of the debt data of the Appellant to the payment default register is not an act that has to perform in order to fulfil its contract with the Appellant. The legal basis for providing the debt data of the Appellant to a third party can be derived from Article 6 (1) (f) oftheGDPR, i.e. a legitimateinterest. Relyingon this legal basis, the controller is obliged to carry out a detailed assessment of the legitimate interest and to consider whether, FOR DATA PRIVACY AND FREEDOM OF INFORMATION or not the processing of the data is permissible in a particular case. If the assessment shows that the processing of the data is not permissible, it must be stopped. Otherwise, the controller must prove to the data subject that there are legitimate reasons to continue processing the data. 2. Release of personal data On 14 September 2020, the Appellant sent a request to to issue to him all the necessary documents regarding the debt, including the contract concluded between the Appellant and and documents regarding how the principal debt, interest, service fees, etc. have arisen. received the letter of the Appellant by post on 6 October 2020. Aperson ocuments or, for example, a citation of contract clauses, goes beyond the scope of the GDPR. However, a person may request a copy of personal data collected about them pursuant to Article 15 (1) and (3) of the GDPR, in which case it is not prohibited for a copy of personal data to be issued as a copy of a document.An entry or extract from a database that reflects, inter alia, the name of the person, the components of the claim against them (principal, interest, recovery costs, etc.) constitutes personal data, and is thus the scope of the GDPR. In accordance with recital 59 of the GDPR, the controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests. Article 12 (3) of the GDPR lays down the same deadline for replying to the request of the Appellant. In its reply, explained that since the deadline for replying to the Appellant was 6 October 2020 but before that, the Appellant had entered into an out-of-court settlement, of which became aware on 29 October 2020, the debt claims against theAppellant were deleted from the payment default register on 4 November 2020. In addition, the request of the Appellant for the release of his debt data was settled through the payment default register. As the payment defaults had been cleared before the deadline for replying to the Appellant and the Appellant had received information of interest to him through ASNEF, did not consider it necessary to provide the Appellant with documents and other information relating to his debt. The Data Protection Inspectorate finds that the conduct of was not lawful because, pursuant to Article 12 (3) of the GDPR, was obliged to reply to the Appellant within one month or to provide reasons for not providing theAppellant with the requested documents and/orinformation (see GDPR recital 59,Article 12 (4)), even ifthe claim oftheAppellant falls outside the scope of the GDPR. Therefore, should have provided theAppellant with a copy of the personal data he had requested (if theAppellant had requested it) or explained in its reply why this was not done or if theAppellant had requested specific documents, should have justified why it was not possible to submit the documents on the basis ofArticle 15 of the GDPR. I would like to explain that it is obligation of the controller to make sure that data is being processed in compliance with the GDPR. However, disregarded the explicit request of theAppellant to provide him with documents relating to his debt and did not explain to the Appellant why it could not do so. In view of the above, violated the requirements set out in the GDPR. However, based on the fact that the Appellant received the information requested by him through the payment default register and his debt details have been deleted from the payment default register as a result of an out-of-court settlement,, FOR DATA PRIVACY AND FREEDOM OF INFORMATION I reprimand underArticle 58 (2) (b) of the GDPR and draw attention to the following: 1. The legal basis for the transmission of debt data to a payment default register is the existence of a legitimate interest (Article 6 (1) (f) of the GDPR). is obliged to carry out a detailed assessment of the legitimate interest and to consider whether or not the processing of the data is permissible in every particular case. If the assessment shows that the processing of the data is not permissible, it must be stopped. Otherwise, the controller must prove to the data subject that there are legitimate reasons to continue processing the data. 2. The controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13 and 14 and to inform them of the processing of personal data in accordance with Articles 15 to 22 and 34 in a concise, clear, comprehensible, and easily accessible form using clear and simple language. This information is provided in writing or by other means, including, where appropriate, electronically. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is established by other means (Article 12 (1) of the GDPR). 3. The controller has the obligation to submit a copy of the personal data concerning the data subject at the request of the data subject (Article 15 (3) of the GDPR). If the data subject wants personal data about themselves, must do everything in its power to ensure that all personal data is released. If personal data are not released, it must be made very clear which type of data and for what reason cannot be released. 4. The controller provides information on action taken on a request underArticles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. This period may be extended by two months, if necessary, taking into account the complexity and volume of the request. The controller informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay (Article 12 (3) of the GDPR). Thus, if a person requests a copy of personal data concerning them, the copy must be provided within one month or, if justified, the deadline for replying may be extended within that month. In accordance with theGDPR, themaximum legal term forproviding data can be three months. 5. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy (Article 12 (4) of the GDPR). Thus, if considers that it has reasonable grounds for not releasing data, this must be justified to the data subject within one month., FOR DATA PRIVACY AND FREEDOM OF INFORMATION In view of the above and the fact that the Appellant, received the informationconcerninghimthroughthepaymentdefaultregisterASNEF, Iwillterminate the supervision proceedings. I further note that in a situation where the improper practice of processing personal data in this way continues, the Data Protection Inspectorate has the right to issue a precept to (and, if necessary, impose a penalty payment) or hold the controller liable in a misdemeanour. A legal person may be fined up to 20,000,000 euros or up to 4% of its total annual worldwide turnover for the previous financial year, whichever is greater. This administrative act can be disputed within 30 days by: - submitting a challenge to the Director General of the Data Protection Inspectorate pursuant to theAdministrative ProcedureAct or 1 - filing a 2etition with an administrative court pursuant to the Code of Administrative Court Procedure (in this case, anychallenges submitted in the same case can no longer be processed). Respectfully /signed digitally/ Lawyer Authorised by the Director General 1https://www.riigiteataja.ee/en/eli/527032019002/consolide 2https://www.riigiteataja.ee/en/eli/512122019007/consolide