Garante per la protezione dei dati personali - 9547248
The Italian DPA (Garante per la protezione dei dati personali) reprimanded Barclays for an excessive retention of the complainants’ personal data in a credit information system (CIS) recognising that it was an isolated and bona fide mistake.
English Summary[edit | edit source]
Facts[edit | edit source]
In 2010, the complainants entered into a mortgage loan with Barclays Bank Plc. In 2015, the loan was classified as non-performing and in April 2016 the debt was settled out of court. In October 2018, the lawyer of the complainant contacted the bank to protest the entering of complainants’ names into the CIS, and to request the deletion of the report of non-performance. Barklays replied that, as the retention period of 36 months – laid down by Article 6(5) of Attachment 5 of the “Codice di condotta per i sistemi informativi gestiti da soggetti privati in tema di crediti al consumo, affidabilità e puntualità nei pagamenti” – was not expired yet, the processing of data was lawful. Hence, the request for removing the information was denied. In November 2018 the complaint was filed. In October 2019 Barclays informed the Garante that Crif S.p.A., the service provider for the CIS, deleted the information from the system as of May 2019.
Dispute[edit | edit source]
As mentioned, initially Barclays held, in its communications with the complainants, that Article 6(5) of Attachment 5, and not Article 6(2) – providing for a shorter retention period of 24 months – should be applied. This was, according to the bank, due to the “particular seriousness of the non-performance” and, most importantly, because the settlement did not completely restore the loss of credit incurred by the bank itself. However, in January 2019, Barclays gave a different explanation to the Garante. Due to the particular seriousness of the debt position of the complainants, classified as “non-performing”, the bank had to report the situation to the Bank of Italy's Central Risk Office. The information related to the complainants had then to remain in the Central Risk Office’s information system, accessible by intermediaries, for 36 months, as per the applicable Bank of Italy’s Circular. This led Barclays to a “bona fide mistake”, as the bank applied the 36 months retention period to both the Bank of Italy’s information system and the CIS. The Garante found that the retention periods provided by Article 6(2)(b) were indeed applicable to the case at issue. The Italian DPA also noted that the breach constituted only an isolated case, and that indeed the mistake was made in good faith. Moreover, after receiving the notification of the alleged violations from the Garante in November 2019, Barclays promptly implemented organisational measures to correct the mistake and avoid similar cases in the future. Finally, the DPA considered that during the time of the proceedings, the disputed credit information had been completely deleted from the CIS.
Holding[edit | edit source]
The Garante held that there were no grounds to adopt corrective measures as per Article 58(2) GDPR, and that, although there was a violation of Articles 5(1)(a) and (e) GDPR, “the circumstances referred to above lead to classify the case as a "minor infringement", within the meaning of Article 83 and recital 148 of the Regulation”. The Garante hence reprimanded Barclays pursuant to Article 58(2)(b) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web n. 9547248] Provision of January 27, 2021 Register of measures n. 27 of January 27, 2021 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the cons. Fabio Mattei, general secretary; GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Regulations"); GIVEN the legislative decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; GIVEN the complaint presented to the Guarantor pursuant to art. 77 of the Regulations and regularized on 27 November 2018 against Barclays Bank Plc (hereinafter, the "Company"), represented and defended by the lawyer. Massimiliano Masnada, with whom XX and XX represented that they had filed an application in order to obtain the cancellation of the negative credit information concerning them communicated by the Company to the credit information system (hereinafter, sic) of Crif SpA; CONSIDERING that the Company has provided a negative response to the request, reaffirming the lawfulness of the processing of information based on the data retention times provided for by the "Code of ethics and good conduct managed by private subjects in terms of consumer credit, reliability and punctuality in payments "- Annex 5 of the Code (hereinafter," code of ethics ") CONSIDERING that the Office, with a note dated January 31, 2019, invited the Company to provide feedback on the facts of the complaint, as well as to evaluate the possibility of adhering to the requests of the interested parties; GIVEN the acknowledgment sent on February 28, 2019 with which the data controller declared that: - on December 17, 2010 the complainants entered into a land loan agreement with the Company during which numerous defaults on the part of the borrowers occurred in relation to the original amortization plan; - "the practice became non-performing on January 28, 2015 and was settled out of court on April 14, 2016, by closing the balance and writing off the debt position"; - with notes of 9 and 19 October 2018, the complainants, through their lawyer, contesting the reporting of their name to the sic of Crif SpA, made by the Company "following the classification of the practice as non-performing", requested the cancellation negative credit information referring to the relationship in question; - the Company provided "timely response (...) to these requests, highlighting the full legitimacy and correctness of the conduct perpetrated and, consequently, denying the right to delete the data as the term provided for by the relevant legislation has not yet expired" dictated by cited code of ethics; - taking into account not only the "particular gravity of the non-fulfillment" (as emerges from the communications of the Company that preceded the reports), but above all the fact that the definition of the debt position with settlement agreement in full and write-off, while involving the extinction of the debt "with partial satisfaction of the creditor (...) cannot be considered fully satisfactory of the credit right", in the present case, in the opinion of the Company, the data retention term provided for by art. 6, paragraph 5, of the aforementioned code of ethics and not the shorter term provided for by art. 6, paragraph 2, lett. b); - in light of these considerations, since the deadline for cancellation has not yet elapsed, i.e. 36 months from the date of termination of the relationship (to be identified in the payment), currently, in the opinion of the Company, the complainants do not have any right to cancellation of the information subject to dispute that would still be necessary with respect to the purposes for which it is processed (Article 17, paragraph 1, letter a) of the Regulation); GIVEN the note of 11 September 2019 with which the Office notified the parties of the extension of the deadline for the decision of the complaint pursuant to art. 143, paragraph 3 of the Code; GIVEN the note sent on 11 October 2019 with which the Company declared; - to have received confirmation from Crif SpA of the cancellation of the credit information subject to dispute, as no further reports made by the Company in association with the name of the complainants were found at the SIC; - that the cancellation "took place with effect from 1 May 2019, with effect from the term of 36 months from the last update", a circumstance which would confirm, in the opinion of the Company, the applicability of the retention period to this case provided for by art. 6, paragraph 5, of the aforementioned code of conduct; NOTING that, following checks carried out by the Office during the investigation, Crif SpA, in response to a specific request for information, declared that: - following the latest update on the report contributed by Barclays Bank PLC on 30 June 2016, the reports of late payments (most recently marked with the number "0") were removed from the position in question, but it was added at the same time, under the item "other notifications ", the negative signaling of loss (marked by the graphic sign" P "); - having the position in question maintained the credit information of a negative type, the institution of the cancellation of positive data for revocation of consent did not operate so that the position was definitively canceled from the sic only in June 2019 pursuant to art. 6, paragraph 5, of the aforementioned code of conduct; GIVEN the note dated 27 November 2019 with which the Office, on the basis of the elements acquired during the preliminary investigation and subsequent assessments, notified the Company, pursuant to art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found by communicating the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation; GIVEN what is represented in the defense brief sent on January 15, 2020 and reiterated at the hearing held at the Guarantor's Offices on January 16, 2020 during which the Company, in fully referring to the defensive writings, argued that: - the non-compliance of the complainants, considered particularly serious, and the transfer to a loss for the Company - of more than 2/3 of the credit claimed - led to the debt position of the complainants, despite the settlement agreement, being qualified as "non-performing ”That the Company, by virtue of the obligations imposed on supervised intermediaries, has duly reported to the Central Credit Register of the Bank of Italy; - the Circular of the Bank of Italy no. 139 of 11 February 1991 - 18th update of January 2019 (Instructions for intermediaries participating in the Central Credit Register) provides that, among the "bad loans-receivables passed to loss", "the unrecovered fractions of the non-performing loans that have been the subject of settlement agreements with customers ", and indeed" establishes that in the event of partial repayments of the credit, even following a settlement agreement, the report must remain, resulting only in a reduction of the amount reported "; - the aforementioned Circular also provides, in the event of a loss of part or all of the credit posted as "non-performing", that "the period that can be queried by intermediaries through the first information service [...] may extend to thirty-six surveys [ monthly reports communicated by the credit institution to the Bank of Italy, Ed.] "; - given the concomitant reporting of bad debt in the Central Credit Register and in the sic of Crif SpA, the Company, committing "the error in good faith" [...] "has interpreted the CRIF manual and the circular of the Bank of Italy in the context of the regulatory framework applicable to the dispute in question, where it considered that the retention period of the information applicable to the case of the complainants was 36 months, instead of 24 months "; - with regard to remedial measures, following the notification pursuant to art. 166 paragraph 5 received by the Office, the Company "immediately started the auditing activity and updated all its internal procedures", bringing the period for keeping negative credit information reported in the SIC from 36 to 24 months from the last update. to non-performing loans extinguished as a result of a settlement agreement, regardless of the loss suffered; - finally, the Company has established a plan of corrective actions aimed at preventing, from the outset, through the analysis of the IT flows between the internal systems and Crif SpA, the repetition of situations similar to the one in question which in any case represented a case isolated; NOTING that the assessment of the lawfulness of the processing carried out by the Company must be carried out in relation to the provisions of the previous "Code of ethics and good conduct for information systems managed by private parties on the subject of consumer credit, reliability and punctuality in payments" held I realize that the complaint must be considered usefully proposed to the Guarantor on 27 November 2018 and that the facts of the same occurred in the validity of the code of consumption, reliability and punctuality in payments "(hereinafter," code of conduct ") approved by the Guarantor on 12 September 2019 and currently applicable provides,in relation to the terms of retention of data referring to delays in regularized payments, provisions completely similar to those of the previous code of ethics; NOTING that art. 5, par. 1, lett. a) and e) of the Regulation sets out the principles of lawfulness, correctness and transparency of the data processing of the interested party, providing that the data of the same is kept for a period of time not exceeding the achievement of the purposes for which they are processed; CONSIDERING that the same Recital 39 of the Regulation places on the owner "the obligation to ensure [...] that the retention period of personal data is limited to the minimum necessary" for the purposes of the processing "and from this follows, as required by 'art. 17, par. 1, lett. a) of the Regulation, the obligation for the owner to delete data that are no longer necessary in relation to the purposes for which they were collected or subsequently processed if the interested party exercises with reference to them his right of cancellation through specific request; CONSIDERING that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or the exercise of the powers of the Guarantor"; NOTING that, based on the results of the investigation, it emerged that the Company: - despite the definition of the credit relationship by means of a settlement and write-off agreement with the consequent extinction of the debt obligations deriving from the contract, it considered, given the seriousness of the non-fulfillment, the fact that these methods of closing the relationship involved a significant loss for the bank , and the concomitant reporting of bad debt to the Central Credit Register of the Bank of Italy, to apply the retention period provided for by art. 6, paragraph 5, of the aforementioned code of ethics and not the shorter term provided for by art. 6, paragraph 2, lett. b), maintaining the permanence of the negative credit information object of dispute in the sic managed by Crif SpA for 36 months from the settlement agreement; Whereas - the definition of debt positions as a result of a settlement agreement in full and withdrawn, such as the one signed between the parties in the case we are dealing with, fully falls within the methods of "regularization of non-fulfillment" provided for by art. 1 of the previous code of conduct (as also confirmed in art. 2 of the currently applicable code of conduct); - the negative credit information subject to dispute should have been canceled from the SIC of Crif SpA within 24 and not 36 months from the regularization as required by art. 6, paragraph 2, lett. b) of the previous code of conduct (and similarly confirmed in Annex 2 - Retention times of the current code of conduct); - no suitable elements have emerged to prove the legality of the permanence of the data object of dispute in the sic of Crif SpA at the time of the proposal of the cancellation request by the interested parties; NOTING that, on the basis of the statements made by the Company, it appears to have been an isolated incident, caused by an "error in good faith" which led the operator to apply the different timing envisaged for reporting to the Bank's Central Credit Register of Italy based on other assumptions; NOTING that the Company has declared that it has implemented, after this episode, operational measures aimed at complying with the provisions of the code of ethics and currently confirmed by the code of conduct regarding the retention times of data relating to delays in payments subsequently regularized, also following settlement agreements with residual losses; NOTING that, with regard to the petitioners' application, the results of the investigation revealed that, pending the proceedings, the credit information subject to dispute has been completely canceled from the SIC of Crif SpA; CONSIDERING therefore that, with regard to the application subject to complaint, also considering the absence of counter-arguments of the complainants on this point, there are no conditions for the adoption of corrective measures pursuant to art. 58, par. 2, of the Regulations, by the Authority; this, without prejudice to the possibility for the interested parties to assert any damage profiles before the ordinary judicial authority; CONSIDERING that, although a violation of Articles articles 5, par. 1, lett. a) and e) of the Regulations and therefore, in relation to this profile, the complaint is well founded, the circumstances mentioned above lead to qualify the case as a "minor violation", pursuant to art. 83 and recital 148 of the Regulation; CONSIDERING therefore, pursuant to art. 58, par. 2, lett. b), of the Regulations to have to adopt the measure of warning against Barclays Bank Plc due to the violations found and indicated above; CONSIDERING that the conditions exist for the annotation of the provision in the internal register of the Authority provided for by art. 57, par. 1, lett. u) of the Regulation and by art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor; EXAMINED the documentation in deeds; GIVEN the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000; RAPPORTEUR prof. Pasquale Stanzione; WHEREAS, THE GUARANTOR to. pursuant to art. 58, par. 2, lett. b), of the Regulations warns Barclays Bank PLC as represented in the motivation; b. believes that the conditions set out in art. 57, par. 1, lett. u) of the Regulations and art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor bearing the "Internal register of violations and corrective measures adopted". Pursuant to art. 78 of Regulation (EU) 2016/679, as well as articles. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad. Rome, January 27, 2021 THE PRESIDENT Stanzione THE RAPPORTEUR Stanzione THE SECRETARY GENERAL Mattei