Garante per la protezione dei dati personali (Italy) - 9547248
The case involves the excessive retention of data related to the complainants’ negative credit history in a credit information system (CIS). The Italian DPA reprimanded Barclays recognising that it was an isolated and bona fide mistake.
English Summary
Facts
In 2010, the complainants entered into a mortgage loan with Barclays Bank Plc. In 2015, the loan was classified as non-performing and in April 2016 the debt was settled out of court. In October 2018, the lawyer of the complainant contacted the bank to protest the entering of complainants’ names into the CIS, and to request the deletion of the report of non-performance. Barklays replied that, as the retention period of 36 months – laid down by Article 6(5) of Attachment 5 of the “Codice di condotta per i sistemi informativi gestiti da soggetti privati in tema di crediti al consumo, affidabilità e puntualità nei pagamenti” – was not expired yet, the processing of data was lawful. Hence, the request for removing the information was denied. In November 2018 the complaint was filed. In October 2019 Barclays informed the Garante that Crif S.p.A., the service provider for the CIS, deleted the information from the system as of May 2019.
Dispute
As mentioned, initially Barclays held, in its communications with the complainants, that Article 6(5) of Attachment 5, and not Article 6(2) – providing for a shorter retention period of 24 months – should be applied. This was, according to the bank, due to the “particular seriousness of the non-performance” and, most importantly, because the settlement did not completely restore the loss of credit incurred by the bank itself. However, in January 2019, Barclays gave a different explanation to the Garante. Due to the particular seriousness of the debt position of the complainants, classified as “non-performing”, the bank had to report the situation to the Bank of Italy's Central Risk Office. The information related to the complainants had then to remain in the Central Risk Office’s information system, accessible by intermediaries, for 36 months, as per the applicable Bank of Italy’s Circular. This led Barclays to a “bona fide mistake”, as the bank applied the 36 months retention period to both the Bank of Italy’s information system and the CIS. The Garante found that the retention periods provided by Article 6(2)(b) were indeed applicable to the case at issue. The Italian DPA also noted that the breach constituted only an isolated case, and that indeed the mistake was made in good faith. Moreover, after receiving the notification of the alleged violations from the Garante in November 2019, Barclays promptly implemented organisational measures to correct the mistake and avoid similar cases in the future. Finally, the DPA considered that during the time of the proceedings, the disputed credit information had been completely deleted from the CIS.
Holding
The Garante held that there were no grounds to adopt corrective measures as per Article 58(2) GDPR, and that, although there was a violation of Articles 5(1)(a) and (e) GDPR, “the circumstances referred to above lead to classify the case as a "minor infringement", within the meaning of Article 83 and recital 148 of the Regulation”. The Garante hence reprimanded Barclays pursuant to Article 58(2)(b) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
