HmbBfDI (Hamburg) - Sector-Wide Investigation on Credit Collection Services
| Field | Value |
|---|---|
| Authority | HmbBfDI (Hamburg) |
| Jurisdiction | Germany |
| Relevant Law | Article 5(1)(a) GDPR; Article 6(1) GDPR |
| Type | Complaint |
| Outcome | Upheld |
| Started | |
| Decided | |
| Published | |
| Fine | 900,000.00 EUR |
| Parties | n/a |
| National Case Number/Name | Sector-Wide Investigation on Credit Collection Services |
| European Case Law Identifier | n/a |
| Appeal | n/a |
| Original Language(s) | German, English |
| Original Source | Hamburg DPA (in EN) |
| Initial Contributor | CBMPN |
A credit collection service provider in Hamburg was fined €900,000 for retaining a six-digit number of personal data records, some of them for up to five years beyond the statutory retention period, without any legal basis. The company admitted the violation, accepted the fine and cooperated with the DPA.
English Summary
Facts
A Hamburg-based service provider in the credit collection sector stored records containing personal data for almost five years beyond the statutory deletion deadline, without a legal basis. The violation was discovered during a sector-wide audit by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI, the Hamburg DPA), which examined the market-leading companies in the credit collection industry. The DPA chose this sector because data on defaulting debtors is particularly sensitive and is regularly shared with other parties such as credit reference agencies and address investigation services.
The audit was conducted independently of any individual complaint. It involved detailed questionnaires, a review of documents such as the record of processing activities, lists of security measures and sample letters, and on-site inspections at some of the companies. Most companies demonstrated a high level of professionalism, and the dialogue led to improvements in data storage and in transparency towards data subjects, in particular regarding access requests under Article 15 GDPR. During an on-site inspection at one company, however, the DPA found that data records had continued to be stored after the deletion deadlines had expired. Until mid-November 2023 the company held a six-digit number of personal data records without a legal basis, in violation of Articles 5(1)(a) and 6(1) GDPR. Although these records had not been shared with third parties during this period, some of them were still in the company's database five years after the statutory retention period had expired. The company admitted the violation, accepted the fine, and cooperated professionally with the supervisory authority; the fine notice is legally binding. A second audited company showed significant, comparable deficiencies in relation to its deletion obligations; that procedure is still ongoing.
Holding
The Hamburg DPA held that storing personal data beyond the statutory deletion deadline without a legal basis violates Articles 5(1)(a) and 6(1) GDPR. It imposed a fine of €900,000, taking the company's admission of the violation and its cooperation during the investigation into account as mitigating factors.
English Machine Translation of the Decision
The text below reproduces the Hamburg DPA's press release on the fine. The first part is a machine translation of the German version; the second part is the English version published by the authority itself. Please refer to the originals for more details.

Machine translation of the German version

900,000 Euro fine for violation of deletion obligations

Although deletion deadlines had expired, a Hamburg service provider in the debt collection industry kept records containing personal data for up to five years without a legal basis. The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has now punished this administrative offence with a fine of 900,000 Euro.

The violation was noticed because the HmbBfDI had audited market-leading debt collection companies as part of a focused audit. Hamburg is a leading location for this sector in Europe. The data processed on defaulting debtors tends to be particularly sensitive and is regularly shared with other bodies such as credit agencies and address investigation services. The persons concerned must therefore be able to trust that their data will be handled responsibly. Regardless of individual complaints, it was checked how the debtors' data is stored and processed by the respective service providers. For this purpose, the companies were sent detailed questionnaires, the answers to which provided comprehensive insights into data storage. In addition, the companies were asked to submit documents such as the record of processing activities, lists of security measures and sample letters used. Following the written preliminary examination, the HmbBfDI also visited some companies at their business premises.

For the most part, the HmbBfDI found a high level of professionalism and sensitivity. Through dialogue, improvements in transparency towards data subjects were achieved. The focus was in particular on the formulation of meaningful data disclosures in accordance with Art. 15 GDPR and on the processes for providing information on time.

In the case of one company, the HmbBfDI team found during the on-site inspection that data records had continued to be retained despite the deletion deadlines having expired. Until mid-November 2023, the company stored a six-digit number of data records containing personal data without a legal basis, thereby violating Article 5(1)(a) and Article 6(1) GDPR. Even though the originally processed data sets were not passed on to third parties during this period, some of them had not been deleted from the company's database even five years after the statutory retention period had expired.

The HmbBfDI has now punished this administrative offence with a fine of 900,000 euros. The fine notice is legally binding. The company has admitted the violation and accepted the fine. It cooperated professionally with the supervisory authority during the investigation, which was taken into account when determining the fine.

Another of the companies examined was also found to have significant, comparable deficiencies in relation to deletion obligations; the corresponding procedure is still ongoing.

Thomas Fuchs: "When the customer relationship ends, the data collected must be deleted immediately or after set deadlines. Therefore, before collecting data, companies should take stock of what data is collected and how long it may be retained. It is not acceptable if companies working in data-driven digital industries have not developed a coherent deletion concept."

English version published by the Hamburg DPA

Sector-Wide Investigation on Credit Collection Services

900,000 Euro Fine for Violating Deletion Obligations

Although the deletion deadlines had long since expired, a Hamburg-based service provider in the credit collection sector stored records containing personal data for almost five years without a legal basis. The Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DPA) has now punished this administrative offense with a fine of 900,000 euros.

The violation came to light because the Hamburg DPA had audited companies with a strong market presence in the field of credit collection services as part of a targeted audit. Hamburg is a leading location in Europe in this sector. The data processed about defaulting debtors tends to be particularly sensitive and is regularly shared with other parties such as credit reference agencies and address investigation services. Therefore, the data subjects must be able to trust that their data will be handled responsibly.

Regardless of individual complaints, the way in which debtors' data is stored and processed by the respective service providers was examined. For this purpose, the companies were sent detailed questionnaires, the answers to which provided comprehensive insights into data storage. In addition, the companies were asked to provide meaningful documents such as the directory of processing activities, lists of security measures, and sample letters used. The Hamburg DPA also visited some companies at their respective business premises following the written preliminary examination.

For the most part, the Hamburg DPA was able to determine a high degree of professionalism and sensitivity. During the dialogues, improvements in data storage and transparency towards data subjects were achieved. In particular, the meaningful wording of data access in accordance with Art. 15 GDPR and the processes for providing access in a timely manner were the focus of attention.

However, in the case of one company, the team from the Hamburg DPA found during the on-site inspection that data records had continued to be stored without a legal basis, even though the deletion deadlines had long since expired. Until mid-November 2023, the company stored a six-digit number of data records with personal data without a legal basis, thus violating Articles 5(1)(a) and 6(1) of the GDPR. Even though the originally processed data records were not passed on to third parties during this period, some of them had still not been deleted from the company's database five years after the legal retention period had expired.

The Hamburg DPA has now penalized the violation with a fine of 900,000 euros. The decision is legally binding. The company admitted the violation and accepted the fine. It cooperated professionally with the supervisory authority in the follow-up, which is why the fine is comparatively low.

Another of the companies audited was also found to have significant, similar deficiencies in connection with deletion obligations; the corresponding procedure is still ongoing.

Thomas Fuchs: "When the customer relationship ends, the data collected must be deleted immediately or after a specified period. That is why companies should take stock of what data they collect and how long they are allowed to keep it before they collect any data. It is unacceptable for companies working in data-driven digital industries not to have developed a coherent deletion policy."