Persónuvernd (Iceland) - 2022020333

From GDPRhub
Revision as of 13:19, 8 March 2023 by SR (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - 2022020333
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 32(1) GDPR
Act no. 32/2009 Article 2(2)
Act no. 32/2009 Article 7(1(d))
Type: Complaint
Outcome: Upheld
Started: 07.02.2022
Decided: 14.12.2022
Published:
Fine: n/a
Parties: Íslandsbanki (Bank of Iceland)
National Case Number/Name: 2022020333
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: Nur-Khmeydan

According to the Icelandic DPA, in case of legal obligation to carry out a certain processing operation, controllers must assess the law requirements diligently before taking any action. In this case, a bank should have verified the accuracy of information available in some official registration books before disclosing the data subject's data to third parties.

English Summary

Facts

The Bank of Iceland shared the data subject’s debt status with third parties who owned flats in the same building of the data subject. According to the controller, there was an obligation to do so under national law (Article 7(1(d)) Act no. 32/2009). Essentially, in case of debts, the bank is obliged to inform the co-owner(s) of the existence and status of a mortgage on their building. The data subject filed a complaint.

Holding

The DPA agreed that there was a legal obligation on the controller arising from the national provision to notify owners of the property. The processing was therefore lawful under Article 6(1) GDPR.

It considered that registration books can usually be relied on for the authenticity of the information. However, in this case, the data subject had 100% ownership while the other 25 people mentioned in the registration book only had property lease agreements. The data controller therefore had every reason to examine and further investigate the registration book before sending out such notifications. Indeed, the controller was the responsible party for taking appropriate technical and organizational security measures to ensure adequate security of personal data.

Consequently, the DPA held that the controller did not fulfill its duty of diligence and did not ensure appropriate security of the personal data under Article 5(2) and 32(1) GDPR. Pursuant Article 58(2)(c) GDPR, it asked the data controller to take measures to ensure the appropriate security of personal information to be maintained when sending notifications. No fine was imposed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Processing of personal information by Íslandsbanki hf.

Case no. 2022020333

14.12.2022

One of the main obligations of those who work with personal data is to ensure its security. In this case, appropriate security was not observed when sharing information, which resulted in it being shared with unauthorized parties.

----

The Swedish Data Protection Authority ruled in a case where there was a complaint about the processing of personal data by Íslandsbanki. More specifically, the complaint was based on the fact that Íslandsbanki had shared information about the complainant's debt status to others who owned real estate in the same building as the complainant.

The conclusion of the Personal Protection Authority was that Íslandsbanki had not taken appropriate security measures when sharing the complainant's personal information, and the institution recommended that Íslandsbanki take measures to ensure that appropriate security measures will subsequently be implemented.

Ruling

about a complaint about the processing of personal data by Íslandsbanki hf. in case no. 2022020333:

i
Procedure
1.
Outline of a case

On February 7, 2022, Personal Protection received a complaint from [A] (hereinafter the complainant). The complaint was based on the fact that Íslandsbanki hf. (hereafter Íslandsbanki) had communicated information about the complainant's debt status to unauthorized parties by letter. More specifically, Íslandsbanki had sent the balance of two mortgage bonds to others who owned real estate in the same building as the complainant.

Personal Protection invited Íslandsbanki to comment on the complaint in a letter dated 24 October 2022 and the bank's answers were received by email on 8 November s.á.

When resolving the case, the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

2.
The main points of view of the parties

There is a dispute over the legality of the processing of personal information about the complainant by Íslandsbanki, which involved sharing information about his debt status to others who owned real estate in the same building as the complainant.

The complainant essentially relies on the fact that Íslandsbanki carried out the mediation in question without authorization.

On the part of Íslandsbanki, it is based on the fact that the processing in question was based on point d of paragraph 1. Article 7 Act no. 32/2009, on guarantors, which obliges the bank to send the loan guarantor a notification about the status of the loan for which the guarantor stands and an overview of guarantees after each year's end. The bank points out that when making such notifications, information about the issuers of mortgage debt and security bonds is compared with the owners of real estate according to the registration books of the commissioners, and if the issuer is other than the owner of the property, it is a so-called mortgage, which the bank is obliged to notify the owner of the property about according to the aforementioned provisions of the law on guarantors. In the case complained of, the registration in the registration book was in such a way that all apartment owners in the complainant's house were registered registered owners of his property. Íslandsbanki points out that the case was investigated by the commissioner after the bank received a comment from the complainant regarding the case. According to the commissioner's explanations, it appears that the registration in question was made in connection with the registration of an amendment to the land lease agreement, and the registration was corrected following the bank's comments.

Íslandsbanki believes that it was possible to rely on the registration of the registration book when broadcasting the announcements, as such registrations are generally reliable. Íslandsbanki also believes that the processing in question was not a breach of security in the sense of the privacy legislation, as the bank believed it was relying on the reliable owner registration of a public entity. Finally, Íslandsbanki relies on the fact that the personal information in question is not sensitive, as it is registered in an official registration in the notary register.

Íslandsbanki sent Personal Protection a copy of the mortgage statement for the complainant's real estate, dated May 9, 2021, in support of his case preparation. According to the mortgage summary, the complainant was the registered owner of 100% of the property according to a conditional ownership authorization, i.e. purchase agreement, but another person was registered as the owner of 100% of the property according to an unconditional right of ownership, i.e. waiver According to the mortgage summary, 25 other individuals were also registered owners according to the land lease agreement, but their share of ownership was not specified.

II.
Conclusion
1.
Scope - Guarantor

Scope of law no. 90/2018, on personal protection and processing of personal data, and regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of Personal Protection, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic.

This case concerns Íslandsbanki's dissemination of information about the complainant's debt status to others who owned real estate in the same building as the complainant. It concerns the processing of personal data that falls under the authority of the Personal Protection Agency.

Information on debt status is not sensitive personal information, as defined in section 3. Article 3 Act no. 90/2018, cf. Paragraph 1 Article 9 of Regulation (EU) 2016/679, but financial information may concern people's pure private interests. The information that this case concerns, i.e. real debt status, are not officially registered in the registration book, as Íslandsbanki claims, since the mortgage bond statement only shows the initial amount of mortgage bonds. The mortgage statement therefore does not reflect the actual debt position at any given time, contrary to the announcements that this case concerns.

As stated here, Íslandsbanki is considered to be the responsible party for the processing in question according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679.

2.
Lawfulness of processing

All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. Has Íslandsbanki referred to the fact that the processing discussed here was necessary to fulfill the legal obligation that rests on the bank according to law no. 32/2009, on guarantors, cf. Number 3. of the legal provision, cf. c-point 1. paragraph of the regulatory provision.

In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Article 5 of regulation (EU) 2016/679. The principles stipulate, among other things, that personal data must be processed in such a way that the appropriate security of the personal data is guaranteed (section 6 of the legal provision). The responsible party is responsible for ensuring that the processing of personal information is always compatible with the principles and must be able to demonstrate this, cf. Paragraph 2 Article 8 of the law, cf. Paragraph 2 Article 5 of the regulation.

More detailed provisions regarding the security of personal information can be found in Article 27. Act no. 90/2018 and Article 32 of regulation (EU) 2016/679. According to paragraph 1 of both clauses, the responsible party must take appropriate technical and organizational security measures to ensure adequate security of personal data that takes into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of data subjects. When assessing adequate security, the risk that processing entails must be taken into account, among other things that access to personal information is granted without permission, cf. Paragraph 2 of the regulatory provision.

When assessing legality according to the aforementioned provisions, other relevant legal rules must also be taken into account.

According to Íslandsbanki's explanations, the processing of personal information discussed here is based on point d of paragraph 1. Article 7 Act no. 32/2009, on guarantors. The provision stipulates that the lender must send the guarantor a notification at the end of each year about the status of a loan for which he is a guarantor. According to paragraph 2 Article 2 of the same law, the term guarantor includes, among other things, a person who pledges his specified property as security for the borrower's performance, subject to further conditions being met.

It is also to be considered that according to the non-statutory rule of notarization law, notarization books have what has been called real authenticity. This means that there is usually a chance that the information in the registration books is correct. In cases where there is no full agreement between the registered rights over property and the real rights, for example due to a mistake by the notary manager during registrations, the reliability of the information recorded in the registration books can generally be relied upon.

Íslandsbanki's case preparation will be understood to mean that the bank considered the persons who were specified as the owners of the complainant's property in the registration book, as the guarantors of the mortgage debts that rested on the complainant's property within the meaning of paragraph 2. Article 2 Act no. 32/2009 and therefore the bank had to send them a notification about the status of the loan according to point d of paragraph 1. Article 7 of the same law.

Law no. 32/2009 neither reserve nor forbid that registered ownership is taken into account when assessing whether a person has become liable for a mortgage debt by mortgaging their property. According to that, it is clear that lenders can decide to take account of notarization books for this purpose and can normally assume that such an arrangement leads to secure processing of personal information, in light of the unwritten rule of notarization law about the real reliability of notarization books.

However, notarized owner registration may give lenders a special reason for further investigation before notifications according to Act no. 32/2009 are sent, if that is the case. This can, for example, apply when it is obvious that the registration books contain incorrect information about ownership. In this connection, what is described above regarding the nature of the information that appears in notifications of this nature is taken into account, i.e. that this is financial information that may concern the pure private interests of people and is not registered in the official register. It calls for the lender to pay special attention to the security of the information, including that unauthorized parties do not get access to them, taking into account the provisions of Article 27. Act no. 90/2018 and Article 32 of regulation (EU) 2016/679. Therefore, the lender cannot rely entirely on information from registration books for the purpose of sending out notices according to Act no. 32/2009.

In the mortgage summary, which Íslandsbanki took into account when sending the notices in the present case, there are a total of 27 registered owners. It states that the complainant has 100% ownership in the property in question according to the purchase agreement, while another person has the corresponding ownership according to a waiver. Furthermore, the mortgage summary states that the ownership of the other 25 is a land lease agreement and their share of ownership is not specified. In the opinion of the Data Protection Authority, these points, i.e. the number of registered owners, their ownership and lack of ownership share, Íslandsbanki has every reason to examine the owner registration in the registration book before notifications were sent to anyone other than the waiver holder. However, from the bank's explanations, it cannot be seen that this was done, but on the contrary, it relied entirely on the notarized ownership registration for this purpose.

Considering the above, the Personal Protection Authority does not believe that it is possible to agree with Íslandsbanki that the processing in question was based on a legal obligation, cf. Number 3. Article 9 Act no. 90/2018 and point c of paragraph 1. Article 6 Regulation (EU) 2016/679, as the information was not only communicated to those whom Íslandsbanki could in good faith consider to be guarantors within the meaning of Act no. 32/2009. This also means that the bank has not demonstrated that the appropriate security of the personal information has been ensured, cf. Number 6. Paragraph 1 and paragraph 2 Article 8 of the law, cf. point f, paragraph 1 and paragraph 2 Article 5 of the regulation, cf. also Article 27 of the Act and Article 32 of the regulation.

In accordance with this conclusion, and with reference to item 4. Article 42 Act no. 90/2018, cf. point d, paragraph 2 Article 58 regulation (EU) 2016/679, Íslandsbanki is asked to take measures to ensure that the appropriate security of personal information will subsequently be maintained in connection with the sending of notifications according to law no. 32/2009. The measures shall be aimed at preventing unauthorized access to personal information during such shipments. They can, for example, consist of warnings in information systems, which may be used during such processing, that owner registration in registration books warrants special consideration before a notification is sent.

Confirmation that these instructions have been complied with, together with a description of the contents of the measures taken on this occasion, shall be received by Personal Protection no later than January 23, 2023.

Ruling:

Mediation Íslandsbanki hf. on the personal information of [A], which consisted in the fact that unauthorized parties were sent information about his debt status according to two mortgage bonds that he had issued to the bank, was neither based on authorization nor compatible with the principles of Act no. 90/2018, on personal protection and processing of personal data and Regulation (EU) 2016/679, on the security of personal data.

In accordance with this conclusion, and with reference to item 4. Article 42 Act no. 90/2018, cf. point d, paragraph 2 Article 58 regulation (EU) 2016/679, is submitted to Íslandsbanki hf. to take measures to ensure that the appropriate security of personal information will subsequently be implemented in connection with the sending of notifications according to Act no. 32/2009 on guarantors. Confirmation that these instructions have been complied with, together with a description of the contents of the measures taken on this occasion, shall be received by Personal Protection no later than January 23, 2023.



Privacy, December 14, 2022

Helga Þórisdóttir Bjarni Freyr Rúnarsson