Persónuvernd (Iceland) - Nr. 2020123144

From GDPRhub
Persónuvernd (Iceland) - Nr. 2020123144
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 14 GDPR
Article 17 GDPR
Article 17 Data Protection Act No. 90/2018
Type: Complaint
Outcome: Rejected
Decided: 14.09.2021
Published: 15.09.2021
Fine: None
Parties: Creditinfo (IS)
Anonymous data subject
National Case Number/Name: Nr. 2020123144
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Icelandic
Original Source: Skráning Creditinfo Lánstraust hf. á vanskilaskrá í samræmi við lög (in IS)
Initial Contributor: FD

The Icelandic DPA rejected the complaint of a data subject in the context of a dispute between the latter and a credit scoring company (the defendant). The data subject had previously requested the defendant to erase his personal data as published on its website, but the defendant had rejected the erasure request. The Icelandic DPA found that the defendant had complied with the applicable data protection law, and in particular with Article 14 of the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

In Iceland, the processing of personal data relating to the creditworthiness of individuals is regulated, among others, by Article 2 of Regulation no. 246/2001 as well as Article 15 of the Icelandic Data Protection Act no. 90/2018. In particular, companies willing to publish information relating to the creditworthiness of individuals must first obtain an operating license from the Icelandic DPA, which sets out specific terms for the processing of personal data for the purpose of credit scoring.

Such a license was delivered by the Icelandic DPA to the company Creditinfo on 29 December 2017. According to the terms of this operating license, Creditinfo had to, prior to the publication of any financial data relating to individuals, inform them by sending an information notice by letter. The operating license does not require such letters to be registered letters. The information notice is supposed to give to data subjects the opportunity to present objections (for example, if the data are inaccurate or incomplete, or if a settlement had been reached).

On 28 December 2020, the Icelandic DPA received a complaint from a data subject (hereinafter the Complainant) regarding the publication of information about him in the default register of Creditinfo. The Complainant claimed that he hadn't received any information prior to the publication of these data, and that, in spite of his erasure request, Creditinfo had refused to delete the concerned data.

Creditinfo, for its part, was arguing that a letter dated March 16, 2020, had been sent to the complainant, and provided evidence thereof to the Icelandic DPA. Credit info further specified than in case the individual does no longer live at the indicated address, the letter is normally returned, and the address is corrected by taking into account the data of the National Registry. In that case, however, Creditinfo informed the Icelandic DPA that the letter had not been returned.

Holding[edit | edit source]

After analysing the facts of the case, the Icelandic DPA considered that Creditinfo had complied with Article 14 of the GDPR. In particular, the Icelandic DPA noted that Creditinfo had provided sufficient evidence that a letter containing an information notice had been sent to the data subject prior to the publication of the personal data, in accordance with its operating license. The Icelandic DPA therefore concluded that Creditinfo had respected the terms of its operating license, and had not infringed Article 14 GDPR.

With regards to the fact that the Complainant was claiming not having received the letter, the Iceland DPA simply noted that it was not in a position to resolve the dispute regarding this factual aspect of the case but that it could however take a position on whether Creditinfo had complied with the procedure set out in its operating license (which, here, proved to be the case).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


                    Individuals FAQ complete FAQ electronic monitoring general privacy right to be forgotten right to information about their genotype What is processing? A new privacy legislation 2018Almennt the new legislation other interesting stuff educational booklet: Privacy children's booklet: Private youth booklet: public companies and administration asked and answered all the questions and answers electronic monitoring general privacy access right controllers, processors and vinnslusamningarÁbyrgðarskyldaVinnsluskrárNý Privacy legislation 2018FræðsluefniLög and reglurLög privacy rules and regulations sacrificed other rules and guidelines operating international and European law Solutions Solutions Reviews Licensing Various letters Privacy function Privacy News Staff and management for media requests for promotional events policy and gildiÁrsskýrslur201620152014201320122011201020092008200720062005200420032002200120001999Annað materials Privacy policy Legal mouth AccessibilityService DesksTwitterEnglishDecisions
             
                
    
    Enter keywords
    
    
      
    
    
  
  
                    SolutionsReviewsLicensingMiscellaneous letters
             
                
                
                                
            Search for solutions
            
        
                
            
                Year from:
                
            
            
                Year to:
                
            
        
                
            Search
        
    
    



    


    


    
      Registration of Creditinfo Lánstraust hf. on the default register in accordance with law
      Case no. 2020123144
    

    

     
      
      
        9/14/2021
        
      
      
      
     

    

  

  

  
      Privacy received
a complaint to the effect that the complainant has been registered on Creditinfo's default register
Lánstraust hf. without having received proper instruction on the registration before.
The complaint also concerned that Creditinfo Lánstraust hf. has refused to eliminate the effect
of the listing on the results of credit reports. In the ruling of the Data Protection Authority
states that the processing of Creditinfo Lánstraust hf. has complied with the law on
privacy and be in accordance with the procedures laid down in
operating license of the Data Protection Authority for Creditinfo Lánstraust hf.

    

    
    Ruling On August 6, 2021, the Data Protection Authority issued a ruling in case no. 2020123144: I. Proceedings 1. Outline of the case On 28 December 2020, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) regarding the registration of information about him on the default register of Creditinfo Lánstraust hf. (Creditinfo) without having received prior information about the registration. The complaint also relates to the fact that Creditinfo refused to delete the effect of the listing on the results of credit rating reports. By letter dated On April 21, 2021, Creditinfo was invited to provide explanations regarding the complaint. The answer was by letter dated. 11 May 2021. By e-mail, dated June 7, 2021, the Data Protection Authority requested further information from Creditinfo. The answer was sent by e-mail the same day. In a telephone call on 11 June, the Data Protection Authority requested further information from Creditinfo. The Data Protection Authority received an e-mail from Creditinfo following the call on 15 June. All the above documents have been taken into account in resolving the case, although not all of them are specifically mentioned in the following ruling. 2. The complainant's views The complainant refers to the fact that Creditinfo did not agree to erase information about certain defaults that were entered in the company's register. He states that he has not received a notification from Creditinfo about the planned listing on the default register, dated. March 16, 2020, and therefore he did not have the opportunity to present objections, including the settlement of the claim. Information on the settlement of the claim was received by Creditinfo on 12 April, i.e. on the same day as the default entry has been registered in the default register. 3. Creditinfo's views Creditinfo refers to the fact that the arrears were registered with reference to point 7. item 2.2.1 in the then valid operating license of Creditinfo, which was issued on 29 December 2017. Authorization for registration can be found in Article 8. a loan agreement that the complainant has signed with a creditor, which states that by signing the agreement, the complainant's creditors may request registration with Creditinfo in arrears, which may occur on the loan and have lasted for a.m. 40 days, for publication in the register of defaults and public acts. The claim was in arrears from 3 February 2020 to 12 April this year. but on that day the claim was deregistered from the default register on the basis of prepayment. In accordance with clause 2.4 of Creditinfo's operating license, the complainant was sent a notification of registered domicile pursuant to Art. National Registry on the planned registration of information in the default register on 16 March 2020. The attached reply letter to Creditinfo was a copy of the letter, addressed to the complainant. Creditinfo refers to the fact that since the company did not receive information about the settlement of the case or the complainant's objections, the entry was registered on 2 April 2020. 4. Further communication the proposed listing of the company's default register had been received by the recipient. If so, it was requested that the history of the letter sent to the complainant on 16 March 2020 be traced. Creditinfo replied that a letter on the planned registration of a default register was sent to a registered domicile according to the National Registry by ordinary mail in accordance with the provisions of the company's operating license. Letters sent by regular mail would not be traceable. Creditinfo referred to the fact that if a letter was sent back to the company, the procedure would be to check whether the person in question had received a new address registered with the National Registry, and in those cases the letter would be sent to a new address. If the address were unchanged in the National Registry, it would be registered with Creditinfo that the letter had been sent back from Póstin. Creditinfo confirmed that the letter had not been returned from Póstin to the company. The Data Protection Authority also received a forwarded e-mail from Umslag ehf. to Creditinfo where the printing and mailing of the aforementioned letter to the complainant, i.e. educational notice due to the planned registration in the default register, dated March 16, 2020, is confirmed. It was also confirmed by Creditinfo that the claim in question had been registered in the default register on 2 April 2020, but not on 12 April 2020, as stated in the complaint.II.Conditions and conclusion1. Scope - Responsible Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal information that is partly or wholly automatic and the processing by other methods than automatic of personal information that is or should become part of a file. In this respect and with regard to the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority. The person responsible for the processing of personal data complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Creditinfo is considered to be responsible for the processing in question. 2. Operating license of Creditinfo Lánstraust hf. Operation of a financial information office and processing of information concerning financial matters and creditworthiness of individuals and legal entities, incl. defaults and the preparation of credit ratings, in order to communicate them to others, shall be subject to the permission of the Data Protection Authority, cf. Article 15 Act no. 90/2018, Coll. Paragraph 1 Article 2 of Regulation no. 246/2001, on the collection and dissemination of information on financial matters and creditworthiness. Creditinfo's operations are to a large extent covered by the above provisions and the Data Protection Authority has granted the company an operating license in accordance with them, cf. as regards individuals regarding Creditinfo's operating license for the processing of information on financial matters and creditworthiness, dated 29 December 2017 (case no. 2017/1541), which was in force when the events of this case took place. 3. Legality of processing creditworthiness of individuals. It is also tested whether Creditinfo was allowed to refuse the complainant to delete the effect due to the registration according to the second paragraph. Clause 2.7 of the aforementioned operating license on the results of reports on financial matters and creditworthiness. In the second paragraph. Article 17 Act no. 90/2018 states that the data subject has the right to information about processing, whether personal information is obtained from him or not, as well as the right to access personal information about himself according to the instructions of 13-15. gr. Regulation (EU) 2016/679. In Article 14 of the Regulation deals with information that the responsible party must provide when personal information has not been obtained from a registered person. According to para. of the provision, the responsible party shall provide the information referred to in the first and second paragraphs. within a reasonable time after receiving the personal information, but at the latest one month later, and taking into account the special circumstances that apply to the processing of the personal information. Clause 2.4 of the aforementioned operating license states that the data subject is entitled to instruction from the financial information agency that she has entered his name on a file for which she is responsible. The agency shall provide him with such instruction no later than four weeks after it registers information about him. However, it may postpone it until 14 days before disseminating the information for the first time. Section 2.4.2 states that an educational notification shall be sent to a registered legal domicile according to the National Registry and that if the Financial Information Office becomes aware that the instruction has not been delivered, or if it has reason to believe that it is, it shall send the registered other notification. In the second paragraph. of the provision, reference is made to the educational obligation according to para. Article 21 Act no. 77/2000 (the provision of the then applicable Personal Data Protection Act which is comparable to Article 14 of the Regulation) but at the same time stated that it does not mean that a person may never be registered unless he has indeed received instruction. If an educational notice has been sent back, and the financial information office has checked whether the data subject has received a new address according to the National Registry, and tried to send him a new notice there, but it has been sent back or sent by heel with a signature that he has not visited, or refused to give it receipt, the office may have his name on file. In the third paragraph. The same article states that in addition to choosing a financial information agency to follow the above-mentioned work process, it must always have documents that confirm that it has done so and can present them at the request of the Data Protection Authority. As previously stated, Creditinfo has stated that a letter was sent to the complainant, dated. March 16, 2020, where he was notified of the planned registration of defaults. It has also been stated by the company that the letter has not been returned. The complainant, however, states that he did not receive the letter in question. Incidents in this respect are word for word and the Data Protection Authority is not in a position to resolve disputes about the facts of the case in this regard. However, the Agency may take a position on whether an adequate work process has been followed in the provision of training in the light of the above-mentioned operating license provision. In this connection, it is to be considered that, as described in section I.4 above, Creditinfo informed the Data Protection Authority on 11 and 15 June 2021 about the company's work process when sending the letter in question. The company Personavernd also sent a confirmation from Umslag ehf., Which sends a letter to Creditinfo, that the letter had been printed and mailed. The Data Protection Authority considers that this work process for the provision of education has been satisfactory in light of the law and the above-mentioned operating license terms. In view of the above, the conclusion of the Data Protection Authority is that Creditinfo's processing of the complainant's personal information was in accordance with Act no. 90/2018, on personal protection and the processing of personal information, cf. Regulation (EU) 2016/679. For this reason, it cannot be considered that Creditinfo had to eliminate the effect of registering the complainant's defaults on the results of reports on financial matters and creditworthiness. At the same time, however, it should be noted that in the light of para. clause 5.3 in the new operating license, dated 3 May 2021, cf. change on 10 June this year, such effects due to the listing should now have disappeared. on personal information about [A], which consisted of registering information about him on the default register of Creditinfo Lánstraust hf. and the company's refusal to eliminate the effect of the listing on the results of credit rating reports, complied with Act no. 90/2018, on personal protection and the processing of personal information, cf. Regulation (EU) 2016 / 679.F.h. Privacy, Þórður Sveinsson Helga Sigríður Þórhallsdóttir


    





















  
                    Privacy PolicyLegal DisclaimerAccessibilityService DeskTwitter