AKI (Estonia) - 2.1.-1/21/129
|AKI - 2.1.-1/21/129|
|Relevant Law:||Article 6 GDPR|
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 15 GDPR
|National Case Number/Name:||2.1.-1/21/129|
|European Case Law Identifier:||EDPBI:EE:OSS:D:2022:319|
|Original Source:||EDPB (in EN)|
|Initial Contributor:||Alexander Smith|
The Estonian DPA held that the legal basis for transferring a data subject's debt data to a third party was legitimate interest, not contractual necessity. The DPA also reprimanded the controller for failing to reply to an access request within one month.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject found out that the controller had included his information regarding the generation of a debt of €2,706.41 in a transfer and listing with ASNEF (a credit default register).
The data subject then requested information regarding the generation of the debt and communication of the payment request. The controller did not respond, and the data subject filed a complaint with the Data Protection Inspectorate (Andmekaitse Inspektsioon - AKI).
The AKI sent an enquiry to the controller with the following questions:
- What was the legal basis for the processing?
- Was a transfer made to ASNEF? If so, when and under what legal basis?
- Were there documents relating to the data subject's debt, and if so, have these been received by the controller?
- Was the insolvency file's accuracy verified before transfer?
- Was the data subject informed of the transfer, and if so, how?
- Why hadn't the controller replied to the data subject's access request?
The controller responded to the AKI, claiming that the legal basis for this processing was Article 6(1)(b) GDPR (neccessary for the performance of a contract). The controller's contract with the data subject stipulated that the controller had the right to make such a transfer following overdue payment or default. The controller claimed the purpose of this provision was to allow the data subject the opportunity to monitor his debts and to give others the opportunity to process the subject's data on the basis of legitimate interest to assess his creditworthiness. The controller also claimed the data subject had known of this right to transfer since it was included in the contract.
Holding[edit | edit source]
The AKI disagreed with the controller about the legal basis for the transfer because it was not necessary for the completion of the contract. Instead, the AKI held that the correct basis was legitimate interest (subject to a legitimate interests test).
The AKI found that the controller did not comply with Article 12(3) GDPR as it did not reply to the data subject's request within one month or provide reasons for its failure to reply.
The AKI reminded the defendant of its obligation under Article 13 GDPR and Article 14 GDPR to inform the data subject in a concise, clear, comprehensible, and easily accessible form using clear and simple language. It noted this information should also be provided in such form if requested in accordance with Articles 15 to 22 and 34 GDPR.
Comment[edit | edit source]
This was a decision made under Article 60 GDPR. The complaint was referred from the data subject's own Member State to the Republic of Estonia's Data Protection Inspectorate. Per Article 60(7) GDPR this decision was notified to the EDPB.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
FOR DATA PRIVACY AND FREEDOM OF INFORMATION Dear Your: 08/02/2021 Member of the Management Board Our: 19/01/2022 No. 2.1.-1/21/129 Reprimand and notice of termination of the proceedings in a case concerning the protection of personal data Through the cross-border proceedings system IMI, the Estonian Data Protection Inspectorate (the Inspectorate) received a complaint from pursuant to which he learned on 02/09/2020 about the inclusion intoASNEF insolvency file of an alleged debt owed to amounting to 2.706,41 EUR. On 14/09/2020 the claimant contacted customer support, in order to request all the information regarding the generation of the abovementioned debt, as well as the reliable communications of the payment request, without receiving any answer to the whole of the raised questions. The claimant stated that he kept on asking for the preventive cancellation of the debt inscription, but got no satisfactory reply. Based on the above, we have initiated supervision proceedings on the basis of clause 56 (3) 8) of the Personal Data ProtectionAct. Throughout the supervision proceedings, we submitted an enquiry to in which we asked the following: 1. What is the legal basis (show the specific legal provision) for processing thepersonal data ofthecomplainant? If theprocessing is necessary for theperformance of a contract to which the data subject is party, then they should send a copy of the contract concluded with the claimant. 2. Has transferred the claimant’s data to the Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and when? If they have, we asked them to indicate the legal basis and purpose of the transfer. 3. Are there any documents proving the claimant’s debt? Has the complainant received the documents? 4. Was the accuracy of the insolvency file verified before it was transferred to ASNEF? 5. Whether and how was the complainant informed of the right to transfer data and the actual transfer of data. If the notice was given, we asked to provide proof of notification. 6. Why hasn’t replied to the claimant’s questions? If they have answered, we asked to send a copy of the answer to the inspectorate. In their response to the enquiry of the Data Protection Inspectorate, said the following:, FOR DATA PRIVACY AND FREEDOM OF INFORMATION has transferred the complainant’s data to ASNEF payment default register as of 09.03.2020 and the legal basis for the transfer of data is the performance of the contract on the basis of Article 6 (1) (b) of the GDPR (see also clause 13.11 of the Agreement): 13.1. Following a payment overdue or default under the Loan Agreement, the Lender shall have a right, in each case pursuant to the applicable law, to notify the Borrower thereof and send the following information to the chosen Payment Default Register: 1) given name and surname of the Borrower; 2) national identification number of the Borrower; 3) commencement and end date of the payment default; 4) the total amount of the payment default; and 5) data concerning the nature of the contractual relationship from which the arrears arise. The Payment Default Register shall have the right to communicate the aforementioned data on the basis of a contract entered into for an indefinite period to other credit providers and other persons who have a legitimate interest concerning the creditworthiness of the persons entered in the register and collect a charge therefor. The Payment Default Register shall have a right to communicate the following data concerning the person who is an object of the inquiry to the other persons with a legitimate interest: 1) commencement and end dates of the payment default; 2) the total amount of the payment default; and 3) the business sector from where the payment default arose. The Borrower shall have the right to submit a claim to the Payment Default Register pursuant to the procedure published on the webpage of the Payment Default Register and demand deletion of a payment default entry from the Payment Default Register. The purpose of processing the data mentioned herein is to allow the Borrower to monitor his/her payment defaults and allow other persons with legitimate interest concerning the creditworthiness of the Borrower to rely on the disclosed information upon making credit decisions with respect to the Borrower. The purposes of the processing are: 1) performance of the contract; 2) giving the complainant the opportunity to monitor his / her debts to (in addition to other notifications and the complainant’s portal account); and 3) giving others the opportunity to process the complainant’s data on the basis of a legitimate interest in order to assess the complainant’s creditworthiness. Please note that these purposes and grounds have also been assessed separately for by the Spanish Supreme Court, which has confirmed the lawfulness of the processing of customer data for such purposes and grounds. Thecomplainantreceivedinformationabouthisdebtfromhisportalaccount,fromnotifications sent by and from notifications sent by the Spanish default register. According to the complainant has been aware of all these sources of information, i.e. he has visited the portal account repeatedly, the notifications have been received (including opened) and the data included the Spanish payment default register is also known to the complainant., FOR DATA PRIVACY AND FREEDOM OF INFORMATION verifies the accuracy of the debt data through a technical solution that notifies the system of the loan amount on the due date. Verifiability is ensured by checking the payment deadline and the receipt of the loan repayment from bank account. The Appellant was at the earliest aware of the right to transfer data when concluding the contract. This right arises from clause 13.1 of the contract. repeatedly informed the complainant by e-mail (ie 04.02.2020, 08.02.2020, 17.02.2020 and 02.03.2020) before sending the defaults to the Spanish default register. In order to prove this, we also included a list of outgoing notifications, the fourth box of which also shows that the complainant has also opened these three notifications. In addition, the payment default register itself informed the complainant of the publication of the payment default. PursuanttoClause13.1ofthecontract,thecomplainanthasexercisedhisrighttocommunicate with the Spanish default register in connection with the cancellation of the default himself. The complainant has exercised this right twice. The first notification of the complainant to the default register took place on 18.09.2020 (at that time was not aware of the out-of-court settlement of the default and we confirmed to the default register on 23.09.2020 that the data had been duly disclosed). received the complainant’s letter by post on 06.10.2020. The second notification of the Applicant to the payment default register took place on 29.10.2020. At that moment, also became aware of the out-of-court settlement and requested that the payment e deleted from the default register on 04.11.2020 (incl. Further notifications were blocked). We add that the deadline for replying to the complainant’s letter was 06.11.2020, but as the situation related to the complainant was resolved through the payment default register (incl. it was used as a communication channel), the complainant was not notified separately. The complainant received the relevant information with the payment default register and the situation was resolved. On 10 February, the SpanishAgency for Data Protection replied that the claim had been settled because the data of theAppellant had been removed from the payment default register pursuant to an out-of-court settlement. The SpanishAgency for Data Protection added that theAppellant had been informed of the possibility of being entered to the payment default register in the contract and also before the payment default was entered. POSITION OF THE DATA PROTECTION INSPECTORATE 1. Lawfulness of the processing of personal data In its reply, stated that it had transmitted the personal data of the Appellant to ASNEF under Article 6 (1) (b) of the GDPR. The Data Protection Inspectorate does not agree with this, as the transfer of the debt data of the Appellant to the payment default register is not an act that has to perform in order to fulfil its contract with the Appellant. The legal basis for providing the debt data of the Appellant to a third party can be derived from Article 6 (1) (f) oftheGDPR, i.e. a legitimateinterest. Relyingon this legal basis, the controller is obliged to carry out a detailed assessment of the legitimate interest and to consider whether, FOR DATA PRIVACY AND FREEDOM OF INFORMATION or not the processing of the data is permissible in a particular case. If the assessment shows that the processing of the data is not permissible, it must be stopped. Otherwise, the controller must prove to the data subject that there are legitimate reasons to continue processing the data. 2. Release of personal data On 14 September 2020, the Appellant sent a request to to issue to him all the necessary documents regarding the debt, including the contract concluded between the Appellant and and documents regarding how the principal debt, interest, service fees, etc. have arisen. received the letter of the Appellant by post on 6 October 2020. Aperson ocuments or, for example, a citation of contract clauses, goes beyond the scope of the GDPR. However, a person may request a copy of personal data collected about them pursuant to Article 15 (1) and (3) of the GDPR, in which case it is not prohibited for a copy of personal data to be issued as a copy of a document.An entry or extract from a database that reflects, inter alia, the name of the person, the components of the claim against them (principal, interest, recovery costs, etc.) constitutes personal data, and is thus the scope of the GDPR. In accordance with recital 59 of the GDPR, the controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests. Article 12 (3) of the GDPR lays down the same deadline for replying to the request of the Appellant. In its reply, explained that since the deadline for replying to the Appellant was 6 October 2020 but before that, the Appellant had entered into an out-of-court settlement, of which became aware on 29 October 2020, the debt claims against theAppellant were deleted from the payment default register on 4 November 2020. In addition, the request of the Appellant for the release of his debt data was settled through the payment default register. As the payment defaults had been cleared before the deadline for replying to the Appellant and the Appellant had received information of interest to him through ASNEF, did not consider it necessary to provide the Appellant with documents and other information relating to his debt. The Data Protection Inspectorate finds that the conduct of was not lawful because, pursuant to Article 12 (3) of the GDPR, was obliged to reply to the Appellant within one month or to provide reasons for not providing theAppellant with the requested documents and/orinformation (see GDPR recital 59,Article 12 (4)), even ifthe claim oftheAppellant falls outside the scope of the GDPR. Therefore, should have provided theAppellant with a copy of the personal data he had requested (if theAppellant had requested it) or explained in its reply why this was not done or if theAppellant had requested specific documents, should have justified why it was not possible to submit the documents on the basis ofArticle 15 of the GDPR. I would like to explain that it is obligation of the controller to make sure that data is being processed in compliance with the GDPR. However, disregarded the explicit request of theAppellant to provide him with documents relating to his debt and did not explain to the Appellant why it could not do so. In view of the above, violated the requirements set out in the GDPR. However, based on the fact that the Appellant received the information requested by him through the payment default register and his debt details have been deleted from the payment default register as a result of an out-of-court settlement,, FOR DATA PRIVACY AND FREEDOM OF INFORMATION I reprimand underArticle 58 (2) (b) of the GDPR and draw attention to the following: 1. The legal basis for the transmission of debt data to a payment default register is the existence of a legitimate interest (Article 6 (1) (f) of the GDPR). is obliged to carry out a detailed assessment of the legitimate interest and to consider whether or not the processing of the data is permissible in every particular case. If the assessment shows that the processing of the data is not permissible, it must be stopped. Otherwise, the controller must prove to the data subject that there are legitimate reasons to continue processing the data. 2. The controller shall take appropriate measures to provide the data subject with the information referred to in Articles 13 and 14 and to inform them of the processing of personal data in accordance with Articles 15 to 22 and 34 in a concise, clear, comprehensible, and easily accessible form using clear and simple language. This information is provided in writing or by other means, including, where appropriate, electronically. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is established by other means (Article 12 (1) of the GDPR). 3. The controller has the obligation to submit a copy of the personal data concerning the data subject at the request of the data subject (Article 15 (3) of the GDPR). If the data subject wants personal data about themselves, must do everything in its power to ensure that all personal data is released. If personal data are not released, it must be made very clear which type of data and for what reason cannot be released. 4. The controller provides information on action taken on a request underArticles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. This period may be extended by two months, if necessary, taking into account the complexity and volume of the request. The controller informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay (Article 12 (3) of the GDPR). Thus, if a person requests a copy of personal data concerning them, the copy must be provided within one month or, if justified, the deadline for replying may be extended within that month. In accordance with theGDPR, themaximum legal term forproviding data can be three months. 5. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy (Article 12 (4) of the GDPR). Thus, if considers that it has reasonable grounds for not releasing data, this must be justified to the data subject within one month., FOR DATA PRIVACY AND FREEDOM OF INFORMATION In view of the above and the fact that the Appellant, received the informationconcerninghimthroughthepaymentdefaultregisterASNEF, Iwillterminate the supervision proceedings. I further note that in a situation where the improper practice of processing personal data in this way continues, the Data Protection Inspectorate has the right to issue a precept to (and, if necessary, impose a penalty payment) or hold the controller liable in a misdemeanour. A legal person may be fined up to 20,000,000 euros or up to 4% of its total annual worldwide turnover for the previous financial year, whichever is greater. This administrative act can be disputed within 30 days by: - submitting a challenge to the Director General of the Data Protection Inspectorate pursuant to theAdministrative ProcedureAct or 1 - filing a 2etition with an administrative court pursuant to the Code of Administrative Court Procedure (in this case, anychallenges submitted in the same case can no longer be processed). Respectfully /signed digitally/ Lawyer Authorised by the Director General 1https://www.riigiteataja.ee/en/eli/527032019002/consolide 2https://www.riigiteataja.ee/en/eli/512122019007/consolide