Persónuvernd (Island) - 2020061901: Difference between revisions

The Icelandic DPA held that a credit scoring company that registered information on non-payments without meeting the conditions for registration being fulfilled according to the operational license of the said company, breached the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR. The company was fined 37,856,900 ISK (approx. €257 660).

English Summary

Facts

A credit scoring company - Creditinfo Lánstrausti hf. (the controller) - processes information on financial matters and the creditworthiness of individuals and businesses. A small loan company - eCommerce 2020 ApS - provided information to the controller on non-payments of so-called small loans which the controller then registered.

The controller conducts its business on the basis of an operating license. According to the license terms there are conditions that must be met when information about defaults should registered by the controller: inter alia, the registration must be prominent and clear and the payment default must have lasted for at least 40 days. Further, that information about non-payment is registered only when the amount reaches a certain minimum amount.

The Consumers' Association of Iceland filed a complaint with the Icelandic DPA against the controller about the controller’s processing of personal data in connection with the registration of non-payment of the small loans. The association claimed in its complaint that the registration of the information violated consumer legislation which goes against the principle of lawfulness pursuant to Article 5(1)(a) GDPR.

The controller had carried out an interest assessment in connection with the processing and claimed to have a legitimate interest to the said processing of personal data pursuant to Article 6(1)(f) GDPR.

Holding

In its investigation, the DPA considered that the relevant terms of the controller’s operating license must be considered in this case. According to the license terms, the original documents connected to the loan must always be examined and a position taken as to whether the conditions for registration are met in individual cases.

The DPA viewed that the controller has a special obligation to check whether the requirements for registering non-payments on the basis of information received by eCommerce 2020 ApS have been met. Furthermore, the DPA considered that, in light of the accountability principle enshrined in Article 5(2) GDPR, the fact whether the controller examined the original terms of loans connected with its registration of non-payment to be relevant.

Moreover, it was revealed during the course of the investigation that the controller had registered, on the basis of information received by eCommerce 2020 ApS, non-payments of 577 individuals whose capital was below the required minimum amount as required in the license.

The DPA also examined the terms of the loans granted by eCommerce 2020 ApS, and found out that the terms did not include any provision stating that non-payment (for 40 days) leads to registration of non-payment at the controller’s company.

Eventually, the DPA found that the said processing of personal data by the controller breached the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR. Additionally, it held that the controller breached the accountability principle pursuant to Article 5(2) GDPR and did not comply with Article 6(1)(f) GDPR as the controller could not rely on legitimate interests for its processing operations.

An administrative fine of 37,856,900 ISK (approx. €257 660) was imposed on the controller.

Comment

In this decision the reasoning behind the Icelandic DPA's conclusion where it found that the controller breached Article 6(1)(f) GDPR seems to be very limited.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Fine against Creditinfo Lánstrausti hf. due to the registration of information on loan defaults provided by eCommerce 2020 ApS

Case no. 2020061901

4.7.2023

In general, the processing of personal data must be lawful, fair and transparent. Operation of a financial information agency and processing of information concerning financial matters and the creditworthiness of individuals and legal entities, including Registration of defaults, in order to communicate them to others, is subject to the permission of the Personal Protection Agency. Subscribers to the financial information office's information systems, who share information for registration there, are responsible for the authorization for that sharing and registration. Then it is among the duties of the financial information office to check whether the registration conditions are met.

In this case, the financial information agency Creditinfo Lánstraust hf. information on loan arrears, which was provided by eCommerce 2020 ApS, for registration without the necessary terms relating thereto having been included in the loan terms and conditions. Claims that were below the current minimum amount were also registered.

-----

Personal Protection has issued a ruling in a case due to a complaint from the Consumers' Association about the financial information agency Creditinfo Lánstrausti hf., but a complaint was made about the agency's registration of information from eCommerce 2020 ApS about defaults on so-called small loans.

In the ruling, the Data Protection Authority came to the conclusion of the imposition of an administrative fine on Creditinfo Lánstraust hf., in the amount of ISK 37,856,900, as information had been recorded without the registration conditions being met. It was based on the fact that the financial information office had an obligation to investigate that matter and that this obligation had not been adequately fulfilled. Furthermore, the number of registered users, the fact that the processing was related to the firm's core business, the fact that the activity was intended to generate profit, the delay in the deletion of registrations after the failure of the registration conditions was revealed, as well as the particularly onerous nature of the processing, were also taken into account, i.a. in connection with the possibilities of the registered for credit facilities for the purchase of apartments or unforeseen expenses. It was also pointed out that the inspection carried out by the agency on the registrations in question did not take place until external suggestions were received, but at the same time it was taken into account that the inspection responded to the suggestions voluntarily, so that the registrations were eventually deleted.

With reference to the above and other facts in the case, a conclusion was reached regarding the aforementioned fine amount, which amounted to 2.5% of the annual turnover of Creditinfo Lánstraust hf. according to the last financial statement.

Ruling

On June 27, 2023, the Board of Personal Protection issued the following ruling in case no. 2020061901, i.e. due to the consumer association's complaint about the registration of information on non-payment of so-called small loans at Creditinfo Lánstrausti hf.:

i
Procedure
1.
Complaint and procedure

On June 16, 2020, Personal Protection received a complaint from the Consumer Association about the processing of personal information by the financial information agency Creditinfo Lánstrausti hf. in connection with so-called small loans. The complaint was that the agency had registered claims for such loans despite the fact that the interest and costs of the loans had violated consumer legislation. Correspondence took place on that point and by letter, dated On December 30, 2021, the Personal Protection Agency granted the right of objection to whether an administrative fine should be imposed on it, given that the registration did not comply with the requirement for the legality of personal data processing, cf. Number 1. Paragraph 1 Article 8 Act no. 90/2018 on personal protection and processing of personal information and point a of paragraph 1. Article 5 of regulation (EU) 2016/679. In that connection, numerous solutions were referred to the relevant parties that the granting of the loans had violated the law, but the Data Protection Authority believed that, in light of these solutions, special vigilance was needed in connection with the registration of the claims in question. More specifically, it looked at registrations from the entry into force of Act no. 90/2018, on 15 July 2018, until the end of 2019, at which time the Personal Protection Authority considered that the granting of the loans had been brought in line with these resolutions. Were the loans at that time, and from some time before the law came into effect, granted by a company registered in Denmark, i.e. eCommerce 2020 ApS, through units within the company named 1909, Hraðpeningar, Múli and Smálán.

As far as information about the claims of this company and its units is concerned, it should be noted that before the Consumers' Association's complaint was received, the Personal Protection Authority had started an examination of the processing of the information and sent Creditinfo Lánstrausti hf. letter, dated April 27, 2020 (case no. 2020010436 at the institution), where with reference to section 6. Paragraph 1 Article 42 Act no. 90/2018, a ban was placed on the entry of information from debt collectors about the claims while the examination was over. Then the Personal Protection Agency sent a letter dated May 20, 2021, where it was requested to be informed whether claims for so-called small loans had been received for registration in the future and how they had been dealt with. They responded with a letter from the office, dated June 4, s.á., but it says that as of February 19, 2020, there was no contract in force for the registration of said claims with the collection agency and that since then no such claims have been registered, in addition to all registrations for such claims have been deleted and their effects removed.

On November 18, 2022, the National Court issued a judgment in case no. 646/2021, but it was concluded that Danish law and not Icelandic law had applied to the interest and costs of the loans in question during the aforementioned period. From that court decision, it was clear that the registration in question could not be considered to be in violation of the above-mentioned demand for legality, with reference to the fact that the loans had violated the consumer legislation in the country. However, a new resolution issue was tried, i.e. in connection with the listing in the terms of the license of Creditinfo Lánstraust hf. on when claims can be registered.

It can be clearly considered that this could have been mainly based on a provision in the loan terms and conditions to the effect that in case of certain defaults, a claim would be sent for registration at Creditinfo Lánstrausti hf., cf. Number 7. section 2.2.1 of that Personal Protection license for the financial information office, dated 29 December 2017 (case no. 2017/1541), which was in force during the period under review in that regard. However, as the Consumers' Association had pointed out, cf. discussion in Chapters 2 and 4 below, a clause like this was missing from the loan terms of eCommerce 2020 ApS. Was there more specific about the period from when law no. 90/2018 came into force and until then provisions as described here had been added to the company's loan terms, but there the date 23 May 2019 is taken into account as explained later. Then it turned out that information about claims was not immediately deregistered and it turned out that the provision in question in the loan terms was missing. Subject to the deregistration of claims due to the rules on the maximum retention period, the explanations carried instead, cf. 3. chapter below, that the deregistration would not have happened until later, i.e. on the one hand in August 2019 when information on claims against 577 individuals with capital under 50,000 ISK was deleted and on the other hand following the cancellation of Creditinfo Lánstraust hf. on the agreement with the debt collection agency in question in February 2020, cf. explanations received from the company on 6 April s.á.

On the basis of the above, the Personal Protection Agency considered that the registration of Creditinfo Lánstraust hf. would have satisfied the legality requirement of item 1. Paragraph 1 Article 8 Act no. 90/2018 and point a of paragraph 1. Article 5 of regulation (EU) 2016/679. This included that, based on the data of the case, the Personal Protection Authority believed that there might be a need for the financial information agency to examine the loan terms of eCommerce 2020 ApS to make sure that the registration conditions according to section 7. section 2.2.1 of the 2017 work permit would be satisfied. At the same time, the Personal Protection Authority considered whether the requirement at the beginning of the same section of the permit regarding the minimum amount of claims that could be recorded had been sufficiently complied with, i.e. the aforementioned amount of principal. In addition, the Personal Protection Agency considered that the requirement of the aforementioned provisions of the law and the regulation that the processing of personal information must be transparent must be taken into account, but in this connection it was referred to that according to the aforementioned work permit provision on the registration of defaults based on a provision in the loan terms and conditions, such a provision must be prominent and clear. The Personal Protection Agency also looked at liability according to paragraph 2. Article 8 of the Act and paragraph 2 Article 5 of the regulation, i.e. obligation of the responsible party to be able to demonstrate compliance with the basic requirements of the personal protection legislation, but the Personal Protection Authority considered the survey of loan terms as described above to be part of complying with that obligation. The institution therefore sent a letter to the financial information office, dated November 14, 2022, where she was again given the opportunity to object to the imposition of an administrative fine, which was expected to amount to up to 60,571,040 ISK, i.e. 4% of the company's total turnover in 2021, cf. Paragraph 3 Article 46 Act no. 90/2018 and paragraph 5 Article 83 of regulation (EU) 2016/679.

The answer was provided by Creditinfo Lánstraust hf. with a letter from [A] lawyer, dated December 5, 2022. In Chapter 5 below, the content of that letter will be discussed. Before that, an examination of the loan terms of eCommerce 2020 ApS and what it has revealed will be reviewed, cf. Chapter 2, what has been stated about the retention of information about defaults on the loans, cf. Chapter 3, and comments from the Consumers' Association which have special importance here, cf. Chapter 4. In this regard, it should be noted that this decision does not cover all the material from the correspondence, but an effort has been made to limit the issue to those issues which, in view of their seriousness, may be grounds for the imposition of a fine, as is the case here. However, other issues may come into consideration later, such as in connection with the proactive supervision of the Personal Protection Agency.

2.
Obtaining samples of eCommerce 2020 ApS loan terms and related items

Following an exchange of letters regarding a complaint in this matter, the Personal Protection Authority considered it necessary to obtain samples of the terms of the eCommerce 2020 Aps, i.e. to investigate the extent to which the costs of loans from the company would have violated consumer legislation based on the interpretation of it by competent parties. Was Creditinfo Lánstrausti hf. therefore sent a letter, dated 8 July 2022, where reference was made to the report "Operating environment of small loan companies in Iceland and proposals for improvement" which a special working group submitted to the Minister of Tourism, Industry and Innovation in January 2019 and which was published on the Government's website on 19 February s.á. , along with a news story about her. It was stated that, based on the report and the news, it was clear that the government had considered the need for a special response due to the loans in question, and in that regard could try the legality requirement of item 1. Paragraph 1 Article 8 Act no. 90/2018 and point a of paragraph 1. Article 5 regulation (EU) 2016/679 due to the registration of information about them at Creditinfo Lánstrausti hf. It was also requested in the letter that the Financial Information Agency send Personal Protection a sample of terms and conditions that it may have obtained from the company in question to check their legality, while the Consumer Association was also sent a letter dated July 8, 2022, where samples of the company's terms and conditions that the organization may have received from individual borrowers were also requested.

Creditinfo Lánstraust hf. replied with a letter, dated July 22, 2022, and the Consumer Association by letter, dated 29. s.m. With a letter from Creditinfo Lánstraust hf. included standard consumer information that the company had obtained from the Hráðpeningim unit within eCommerce 2020 ApS, with a validity period from 24 July 2019. Two loan terms were also included with a letter from the Consumers' Association, with a validity period from 3 September 2018 and 25 March 2019 on the one hand, but the former the terms were from the unit 1909 and the latter from the unit Smálán.

As the Consumers' Association drew attention to in its letter, the terms that were added did not contain such a provision on registration of arrears as mentioned earlier, and the same applied to the consumer information that was attached to Creditinfo Lánstraust hf.'s letter. The Personal Protection Agency considered this to call for further investigation and therefore sent a letter to the Financial Information Office, dated September 13, 2022, where it was asked whether the agency had, in communication with eCommerce 2020 ApS, examined the basis for claims being sent from there for non-payment registration, i.e. on m. whether the loan terms and conditions contained the provision in question. It was stated that a complete overview of observations like these was requested, along with copies of all communications and data related to them, i.e. on m. loan terms that the agency may have obtained.

They responded with a letter dated September 30, 2022. With that came the loan terms with a validity period from May 23, 2019 from the unit Fast money within eCommerce 2020 ApS, but the terms contain provisions as discussed here. There was also email communication from 8 May to 4 June 2019 between Creditinfo Lánstraust hf. and, on the other hand, eCommerce 2020 ApS and the collection agency of that company, i.e. General collection ehf. In this communication, Creditinfo Lánstraust hf. of the matter, in light of the inquiries that the financial information office had received, that a provision like this would have to be in the loan terms of eCommerce 2020 ApS, cf. and a reference in the communication to the office's suggestion regarding Almennrar inhimatu ehf. in an email on May 6, 2019. The financial information office also explained that, i.e. in an email on May 29th, that she had gone through the aforementioned terms and conditions at Hráðpeningum and spotted this provision there. The salon requested older versions of the terms and conditions that confirmed that the clause had been there since July 2018, but received a response from eCommerce 2020 ApS, i.e. in an email on June 4, 2019, that this had not been the case, but that the terms had now been corrected in this respect.

It should be mentioned that, in addition to the above, Personal Protection has received contract terms from eCommerce 2020 ApS in connection with a case (no. 2019061308) due to an inquiry from the Consumers' Association about the legality of default registration for the loans in question. Received these terms and conditions in an email on October 22, 2019 from the aforementioned collection agency, Almennri inhheimtu ehf. Do the terms, which are not identified to a specific unit within the company, contain a provision that in the event of default, there may be a default registration, unlike the terms mentioned earlier.

3.
About the retention period of information on the requirements of eCommerce 2020 ApS

In previous communications, it has been stated when claims from eCommerce 2020 ApS have been deregistered at Creditinfo Lánstrausti hf. On the one hand, there is a reference to communications regarding the number of registered persons, but the Personal Protection Authority requested that information be given about it in a letter to Creditinfo Lánstraust hf., dated 13 June 2022, i.e. in the period from 15 July 2018 to the end of November 2019 in accordance with the assumptions that were then based on interest and cost of loans, cf. discussion in chapter 1 above. A response to the letter was received by e-mail from the financial information office on June 16 and 20, 2022, where it was explained that registrations from the period in question could be found for 2,149 individuals, of which 1,919 would not have been really affected by the registration due to cases from other creditors. A reservation was then made regarding the deletion of registrations in light of their maximum retention period, and it was noted that in August 2019 all claims from the aforementioned parties had been scrutinized. Had the claims against 577 individuals been deregistered, it would have turned out that their capital was under 50,000 ISK.

However, information on deregistration can be found in case no. 2020021020, where it was discussed the sending of certain claims for non-payment registration by the collection agency of said claims. Had an examination by Creditinfo Lánstraust hf. revealed that the claims had been sent from him for registration without adequate authorization and for that reason the company sent a notification to the Personal Protection Agency about a security breach, dated February 21, 2020. The claims in question were not related to eCommerce 2020 ApS, but it was also stated in an email to Personal Protection on April 6, 2020 that all registrations from the collection agency in question had been erased, regardless of who the claimant was.

4.
Comments from the Consumers' Association in relation to authorization for registration

On the basis of Article 15 administrative law no. 37/1993 was a letter from Creditinfo Lánstraust hf. to Personal Protection, dated 30 September 2022, cf. discussion in chapter 2 above, sent to the Consumers' Association together with accompanying documents. This was done after receiving a data request from the organization in an email on October 6, 2022, which was answered on the 13th and 24th p.m., but as a result, a letter was received from the organization, dated 28. s.m.

In the letter, the organization draws attention to the fact that the specific terms and standard consumer information of eCommerce 2020 ApS, which the Data Protection Authority had received from Creditinfo Lánstrausti hf., lacked a provision on default registration. It is also emphasized that such a provision was not found in the terms and conditions that the Consumers' Association had sent to Personal Protection.

It is noted that in the aforementioned e-mail communication from May 6 to June 4, 2019, where Creditinfo Lánstraust hf. requested clarification in connection with the loan terms of eCommerce 2020 ApS, the latter company's acknowledgment of the lack of said terms can be found, cf. the above states that on June 4, 2019, the company said that the terms and conditions have now been corrected in this respect. Says that this recognition covers the period from July 2018 to May 2019, but that the Consumers' Association believes that in practice it was a longer period and that the improvements were only limited and limited to the Fast Money unit within eCommerce 2020 ApS. There was also significant evidence that the disclosure in the terms of that unit met the requirements to be prominent and clear.

It also says, among other things, that no information can be found anywhere in the submitted data that Creditinfo Lánstraust hf. has, as a result of the aforementioned e-mail communications, deleted illegal default registrations, notified borrowers of incorrect and illegal registrations or taken action to correct their own databases, such as deleting all entries and registrations of the persons concerned. Assuming that it is true, it is a serious violation of the law on personal protection, especially when you consider that according to the submitted data, Creditinfo Lánstraust ehf. no action was taken in relation to the registration of said claims until May 2019.

5.
Comments on behalf of Creditinfo Lánstraust hf.

In the letter [A] of the lawyer on behalf of Creditinfo Lánstraust hf., dated December 5, 2022, views are reviewed in relation to responsibility for the processing of personal data due to default registration. Says in this regard that a distinction must be made between the processing operations that consist on the one hand in the communication and registration of arrears and on the other hand the preservation of those registrations in the database of the financial information office and further processing, incl. providing access to information to third parties. It is noted that subscribers to the agency's information systems, who share information for registration there, are responsible for having authorization for that sharing and registration. The type of requirements in question are very clearly delineated in the license and subscription agreement and it is the responsibility of the subscribers to ensure that the conditions in that regard are met, but this is confirmed in the implementation of the Personal Protection Act, cf. ruling, dated February 24, 2016, in case no. 2015/1519, and ruling, dated January 18, 2018, in case no. 2016/1687. Furthermore, the Spanish Personal Protection Agency has reached a similar conclusion in a ruling dated June 7, 2021, in case no. PS/00140/2021, i.e. that the creditor had been responsible for ensuring that the conditions were met for the registration of defaults with the financial information office and that he should pay a fine for failure to do so. The wording of Creditinfo Lánstraust hf.'s business license cannot be seen otherwise. but that the Personal Protection Agency directly assumes that subscribers and creditors are responsible for the conditions for registration being met, cf. clause 2.9 of the aforementioned work permit of December 29, 2017, which was in force during the period under discussion. If there is a subscription agreement with more specific provisions that the financial information agency should make with subscribers, and that it should take appropriate measures if it becomes apparent that they have violated these provisions in order to prevent this from happening again. A similar provision can be found in the subsequent work permit, dated May 3, 2021 (case no. 2020041404), where it is assumed that the Data Protection Authority will use its powers, such as the imposition of an administrative fine, against a subscriber who has not complied with the subscription terms. According to Creditinfo Lánstraust hf. it is therefore quite clear that the subscribers who sent said claims for registration at the Financial Information Agency, i.e. the lender eCommerce 2020 ApS and the collection agency Almenn inhheimta ehf., were responsible parties in the sense of personal protection legislation. Accordingly, they were responsible for only registering defaults that met the requirements of that legislation and the requirements in the agency's license. It is noted in this regard that she is responsible for the preservation of the information and further processing, including as far as access by third parties is concerned, however, this issue does not seem to be to any extent about the processing operations, but only whether it was allowed to record the arrears in question.

Regarding authorization for said processing, reference is made to item 6. Article 9 Act no. 90/2018, to the effect that personal data may be processed on the basis of legitimate interests that outweigh the interests or fundamental rights and freedoms of the data subject. Says in this regard that Creditinfo Lánstraust hf. has carried out an interest assessment in connection with the processing and taken various measures to protect the interests of the data subjects in accordance with this assessment. Reference is also made to the authorization that the financial information office had according to the 2017 work permit to register information about debts of individuals that amounted to at least 50,000 ISK in principal, provided that the institution had received conclusive written information confirming the existence of the relevant debt, in addition to which one of the nine specified conditions would be met, cf. section 2.2.1 of the license.

It is noted that on April 22, 2016, the agency entered into an agreement for the registration and processing of information on defaults with Collectum ehf., later Almenna inhheimtu ehf., but a copy of the agreement was omitted with the lawyer's letter. Says that the contract contained clear provisions that reflected the conditions of the work permit that was in effect when the contract was signed. Reference is made to Article 1. of the agreement, where it was discussed the obligation of Almennrar inhimatu ehf. to always have written documents on hand about the existence and non-payment of claims sent for registration; Article 2 of the agreement, where, among other things, a 50,000 ISK minimum amount of debt was prescribed and it was emphasized that registration had to be covered by an authorization in the work permit, as well as that if it was based on a provision in the loan terms about default registration, a statement to that effect had to be prominent and clear and specify at least 40 days in arrears; and Article 5 of the agreement, where it was stipulated the right of Creditinfo Lánstraust hf. to get data from Almennri inhimatu ehf. on claims that would have been registered in order to check the validity and reliability of the data.

It is stated that subscribers to default information at Creditinfo Lánstrausti hf. enter information into the systems themselves, either through the company website of the financial information agency or a web service connection that is often directly connected to the respective subscriber's billing system. In both cases, subscribers must enter information about the amount of the claim and the basis on which the registration is based by checking the relevant authorization from the agency's license, otherwise the registration is rejected. In this way, there is a written confirmation of the subscribers on the above-mentioned points. Also, nowhere was the requirement made in the license that the agency examine original documents, in this case contract terms, for each and every claim from subscribers to check whether the conditions for registration were met due to the claim as such. It is pointed out that during the period in which said claims were registered, authorization was assumed in nine types of cases, cf. section 2.2.1 of the 2017 license, and that only one of these sources was based on a provision to that effect in the loan terms. Says that it will not be seen on what legal basis Creditinfo Lánstraust hf. should have called for the underlying documents in individual cases, such as when registration was based on the fact that a debt had fallen due, that a forced contract had been breached or that the debtor had signed a declaration of propertylessness. At the same time, it will not be seen on what legal basis the subscriber could have communicated such information to the financial information agency, but in that connection, reference is made to the provisions on bank secrecy in Act no. 161/2002 on financial companies by which many creditors are bound. In addition, it is in accordance with the proportionality principle of the Personal Protection Act that the processing of original documents is done by the subscriber and it is sufficient for him to confirm in writing with the agency which authorization for registration according to the work permit is fulfilled in relation to individual requirements. It should be kept in mind that during the aforementioned period, about 20,000 non-payment claims were registered, and an examination of the underlying original documents for all of them would have called for very extensive processing. The Personal Protection Agency also confirmed that it would have been unrealistic for Creditinfo Lánstraust hf. to always have primary data, cf. Chapter 6 of the Personal Protection's letter to the Financial Information Office, dated October 7, 2020 (case no. 2020041404 at the institute), which was sent together with drafts of standard terms and conditions in work permits to such offices that were placed in the comment process a day later, but in the section in question a change was made to the draft in light of the above-mentioned point of view.

It is noted that according to the license conditions, Creditinfo Lánstrausti hf. to send a person a notice of the proposed registration before the information is entered into the register. Reference is made to paragraph 2. section 2.4.1 of the 2017 work permit, to the effect that the educational notice should inform about the right to delete information about a claim or its amount if there is no confirmed court order to that effect. Says that, according to this, the work permit expressly assumed that there was no legal act in all cases that confirmed the correctness of the information about default. It also states that in accordance with the above, Creditinfo Lánstraust hf. always send a notification to the relevant person who has the right to object to the registration, verbally or in writing. If a claim has also been deregistered at the same time if there was a lack of confirmation by an official legal act, but according to that the financial information office did not assess any objections but deregistered claims regardless of whether the objections were justified or not. It must then be considered that the information was related to the contractual relationship between the subscriber and the registered person, but therefore the agency had to rely on the provision of information from these parties. It may be mentioned that the license has prohibited the registration of disputed debts that the registered person would have objected to with the creditor, cf. Paragraph 3 of clause 2.1 in the license, but the agency has therefore had to rely on the fact that either the creditor, i.e. the subscriber, or the registered person, would forward the objections to him.

In this regard, reference is made to the above-mentioned letter from the Data Protection Authority to Creditinfo Lánstraust hf., dated October 7, 2020, i.e. Chapter 5 of the letter, which dealt with the proposal of the financial information office that it could reject the registration of a claim, it believed that there was doubt about its legality even if the debtor had not raised objections. Personal Protection noted that although this was not stipulated in the then-current work permit from 2017, it could be considered clear that the agency had this authorization. However, it would be beneficial to remove this from the work permit conditions, and it would be natural that it would then not only be permitted but also mandatory to refuse registration. Is the understanding expressed in the lawyer's letter that according to this it was not at all clear that the legality of the processing of Creditinfo Lánstraust hf. would be subject to the financial information agency's assessment of the legitimacy of the underlying claim. It also says that the legal position that prevailed during the period under consideration must be taken as a basis, and that it is therefore not possible to take into account the subsequent work permit conditions, nor the additional explanations of the Personal Protection Agency and the requirements that the organization has made to the agency after the period in question.

With reference to the above, the legality of the processing of personal information by Creditinfo Lánstrausti hf. is therefore completely rejected. has been subject to an assessment of the legitimacy of the claim for which the subscriber requested registration as a creditor. It is also said that it is absolutely clear that such a requirement was in no way reflected in the work permit and the documents of the case show that it was not until after the mentioned period, in the run-up to the granting of the work permit on May 3, 2021, that the Personal Protection Authority considered it a reason to change from the previous implemented so that the Financial Information Agency would not only be allowed to reject a registration if there was doubt about its legality, but the registration would then be impermissible.

After that, reference is made to the requirement for a minimum amount of principal, cf. beginning of section 2.2.1 of Creditinfo Lánstraust hf.'s business license. 2017, and stated that the financial information agency, in light of the subscription agreement with Almenna inhheimtu ehf., had good faith that the principal of the claims was compatible with that claim. Due to a dispute that arose in August 2019 regarding the legality of the costs of eCommerce 2020 APS loans, taking into account the provisions of consumer legislation, the agency also conducted an audit of the company's registrations. As a result of that audit, a total of 577 claims were deregistered where the original principal was found to be lower than ISK 50,000.

In continuation of this, the terms of the eCommerce 2020 ApS loans are discussed in relation to whether there is a provision that certain defaults would be registered with Creditinfo Lánstrausti hf., cf. Number 7. section 2.2.1 of the 2017 work permit. In this regard, Personal Protection is said to proceed from the fact that there was no authorization for non-payment registration in the terms and conditions of eCommerce 2020 ApS and related parties in the period from July 15, 2018 to May 29, 2019. This is rejected that can be assumed from this, since adequate information is not available. It is noted in this regard that there are no terms in the case for the period from July 15 to September 3, 2018, and there are no terms in relation to the unit within the company called Múli. Furthermore, there is only one loan agreement with a particular borrower, i.e. from the unit Smálán, dated March 25, 2019. The case also lacked information about which loan documents were signed by the individuals who were registered as a result of default at Creditinfo Lánstrausti hf. by eCommerce 2020 ApS and related parties during the defined period, but it is noted that it cannot be ruled out that the persons concerned have signed loan documents from third parties who have then transferred their claim to eCommerce 2020 ApS or units within that company. According to this, there was a considerable lack of case preparation regarding the alleged violation by Creditinfo Lánstraust hf. to register illegal claims.

As regards the privacy legislation's requirement for transparency, cf. Number 1. Paragraph 1 Article 8 Act no. 90/2018 and point a of paragraph 1. Article 5 regulation (EU) 2016/679, it is therefore completely contested that Creditinfo Lánstraust hf. was able to be responsible for the fact that the loan terms of eCommerce 2020 ApS and related parties met that condition. The Financial Information Agency has no control over how subscribers and creditors set up their credit and debt documents, even if it is clear from the subscription agreement what the requirements are for such documents. The above-mentioned work permit provision on authorization for registration based on a provision in the loan terms and conditions also relates to the legality of sharing information to the financial information agency from subscribers, but they are responsible for meeting requirements in that regard. To the extent that the license clause includes an independent educational obligation towards the registered person, it is also based on the fact that subscribers must be provided with that education. At Creditinfo Lánstrausti hf. is, however, responsible for ensuring transparency and education regarding the processing operations for which the financial information office is responsible, i.e. in connection with the retention of default information and further processing, including third party access to information, cf. i.a. clause 2.4 of the work permit 2017. In this regard, reference is made to the obligation to warn and educate according to Article 4. regulation no. 246/2001 and noted that Creditinfo Lánstraust hf. has complied with that provision, both with letters sent to the registered person and with the privacy policy that is available on the website of the financial information office. There is nothing in the case to indicate that the institute has neglected its educational duty or that there is a lack of transparency with regard to the processing operations for which it is responsible, and it is therefore completely rejected that it has violated the aforementioned requirement for transparency.

Regarding liability according to paragraph 2 Article 8 Act no. 90/2018 and paragraph 2 Article 5 of regulation (EU) 2016/679, i.e. obligation of the responsible party to be able to demonstrate compliance with the basic requirements of the privacy legislation, the position is confirmed that the obligations in connection with the registration of default claims rested on the subscribers and creditors and not Creditinfo Lánstrausti hf. Therefore, it is not up to the financial information agency to demonstrate that those obligations have been complied with by taking out the credit documents of subscribers and creditors, as well as the amount of the principal. At the same time, however, it is noted that the Financial Intelligence Agency has in practice carried out such monitoring and taken appropriate measures.

Also in this connection, reference is made to what was reported earlier about a large number of solutions to the competent authorities that the granting of so-called small loans had violated the law, but the Personal Protection Authority believed that, in light of these solutions, special vigilance had to be exercised when registering claims due to these borrow It is stated that of the resolutions of the Consumer Agency in this regard in 2019, one concerned eCommerce 2020 ApS, while the other concerned parties who granted the loans in question before the company began operations. Furthermore, reference is made to the fact that the case in question did not end definitively until the aforementioned judgment of the National Court on November 18, 2022 in case no. 646/2021, to the effect that the loan agreements of eCommerce 2020 ApS did not constitute a violation of Icelandic consumer legislation. It is noted that according to this, the legal position in relation to the underlying contractual relationship between eCommerce 2020 ApS and the borrower was unclear. It also states that this underlying contractual relationship, in addition to a possible breach by creditors and subscribers of applicable laws, cannot have the effect that Creditinfo Lánstraust hf. need to re-evaluate the legality of registering a default on a claim unless there are objections from the registered party that must be taken into account. Measures will not be required by the Financial Intelligence Agency unless the parties' disagreements have been brought to a final conclusion.

Reference is made to the above-mentioned reference by Personal Protection to the report "Operating environment of small loan companies in Iceland and proposals for improvement" which a working group submitted to the Minister of Tourism, Industry and Innovation in January 2019. Regarding the fact that the government has considered a reason for a special response due to so-called small loans, reference is made to Act no. 163/2019 where, among other things, law no. 33/2013 on consumer loans was amended in relation to the loans in question. It is described in the lawyer's letter that the amendment law entered into force on December 17, 2019, i.e. after the period in which it is assumed by the Personal Protection Agency that a violation may have occurred in the activities of Creditinfo Lánstraust hf. Reference is also made to the above-mentioned judgment of the National Court of November 18, 2022, and it is clearly stated that, in light of the judgment, the amended law in question did not include the requirements of eCommerce 2020 ApS in question.

It is noted that despite this, Creditinfo Lánstraust hf. regularly check the terms and conditions of its customers to ensure that the subscription agreement was fulfilled, incl. to investigate whether registration on the basis of loan terms met the requirements in that regard. If the staff's inspection has been carried out in such a way that the relevant customer's loan process has been followed and the information that was available to prospective borrowers has been examined. Furthermore, the staff of Creditinfo Lánstraust hf. been in communication with representatives of eCommerce 2020 ApS and certain units within the company, i.e. Quick money, from May to August 2019 and all claims from these parties were scrutinized in August 2019. As a result, the financial information agency deregistered certain claims of the company, given that there was a dispute about the legality of the costs from the loans, and is therefore rejected as a supervisory role the living room has not been taken care of. Says in that regard that at this time, however, there was no clear provision for supervision like this, i.e. by complying with subscription agreements, unlike what happened later, i.e. with paragraph 2 Article 6 of the work permit on May 3, 2021. It is also stated that, regardless of this, the duty of supervision based on the work permit is of a completely different nature than the duties according to the basic rules and the duty of responsibility according to the personal protection legislation, as well as the requirements of that legislation regarding processing authorizations.

In relation to the maximum fine amount specified in the right of objection letter from the Personal Protection Agency on November 14, 2022, i.e. 60,571,040 krónur, the cases where the institution has imposed an administrative fine to date are discussed. It is pointed out that in the two cases where the fine has been the highest, it amounted to ISK 7,500,000, cf. decision of 23 November 2021 in case no. 2020092288, and on the other hand 5,000,000 ISK, cf. decision of 3 May 2022 in case no. 2021040879. Reference is made to the fact that in the first case 226,158 individuals had been given insufficient education about the processing of personal information and that in the second case information about children had been processed, i.e. on m. sensitive personal information. It is noted in this connection that the processing of personal information discussed here took place during a very limited period of time. It also says that only a limited group of individuals could possibly have been affected by the processing, but that it was not sensitive personal information. In light of this, as well as other factors that should lead to a reduction in the amount of the fine, there is no way to see why the fine in this case should be eight to twelve times higher than the highest fines of the Personal Protection Agency so far.

More specifically, it says that the more onerous an administrative decision is, the more stringent requirements must generally be made to the administrative authority to make sure that the information behind it is true and correct. From the case law of the European Court of Human Rights, paragraph 1. Article 7 European Convention on Human Rights and paragraph 1 Article 69 of the constitution, it is also clear that the authority to determine sanctions must be clear and it must be predictable what conduct it covers. If there is any doubt about the circumstances of the case, the legal obligations under consideration and the sanctioning authority, it cannot be seen that a fine will be applied. In that regard, the decision of the Personal Protection Authority on November 28, 2018 in case no. 1507/2018, where the agency considered that, in light of the basic principle of clarity and predictability in the application of penal powers, there were no grounds for the imposition of fines. In the matter that is being resolved here, the same considerations do not apply, but in the best case, there was doubt about the obligation of Creditinfo Lánstraust hf. to assess the legality of the claims submitted for default registration by subscribers and creditors during the period in question in the case. There is also doubt as to the extent to which the creditor's underlying loan documents did not meet the conditions of the license conditions during this period, since there are no copies of the terms and conditions of all relevant units within eCommerce 2020 ApS during the period, in addition to the fact that the legality of the company's claims has been in doubt throughout to the Landsréttr pronounced the aforementioned judgment on November 18, 2022. In that context, Creditinfo Lánstraust hf. underline the importance of the Personal Protection Authority being able to administrative law, but among other things, the agency has not in any way substantiated its conclusion that the financial information agency is considered to be the responsible party here. Due to the unclear case preparation and lack of justification, it is more difficult for the agency to exercise its right of objection than it would otherwise be, and such a procedure is not in accordance with administrative law.

In continuation of this, the individual issues that must be considered when applying the sanctioning powers of the Personal Protection Agency are reviewed in light of paragraph 1. Article 47 Act no. 90/2018, cf. Paragraph 2 Article 83 of regulation (EU) 2016/679. As far as the nature and seriousness of the offense is concerned (paragraph 1 of the legal provision) it is said that it must be taken into account that the person registered has always been given a 17-day deadline to object to the registration before it took place. If no assessment has been carried out by Creditinfo Lánstraust hf. after receiving such objections, registration was simply withdrawn. The financial information office has never refused to consider objections from registered persons due to default registrations from eCommerce 2020 ApS and related parties. Furthermore, the processing that is discussed here took place in a short period of time, which according to the definition of Personal Protection was 16 months, i.e. from July 15, 2018 to the end of November 2019, but in light of the fact that a provision for registration of defaults was included in the loan terms of Hrádpeninga in May 2019 it can be considered shorter, or about ten months. It is also indisputable that the purpose of registering arrears is legitimate, in addition to the fact that the alleged violation affected a relatively limited group of individuals, or about 2,149 in number. In that regard, it is said that it is not known in the case how many claims related to these individuals did not meet the conditions for registration of default, but there are only loan terms for part of the period in question, in addition to the fact that the loan period may be of different lengths and defaults may occur at any time during the loan period. As mentioned above, it is also not possible to rule out that eCommerce 2020 ApS and related parties have received assigned claims from a third party and borrowers thus signed terms from a party about which no information is available. In this regard, the number of registered persons is not available and they may still be significantly fewer than previously reported. There was also no mention that they suffered any damage, but in that regard it is confirmed that Creditinfo Lánstraust hf. has never refused to take into account the objections of a registered person.

Regarding whether the violation was committed intentionally or negligently (item 2, paragraph 1, article 47, Act no. 90/2018), it is stated that there was no intention to violate the privacy legislation, but Creditinfo Lánstraust hf. has always made an effort to work with personal data in accordance with the law. In relation to measures to reduce the loss of registered persons (item 3 of the provision), it is noted that measures were taken in August 2019, when a dispute regarding the legitimacy of claims from eCommerce 2020 ApS was revealed, in order to reduce from possible damages, in addition to the cancellation of the subscription agreement with Almenna inhheimta ehf. in February 2020 for the same purpose. As regards responsibility with regard to technical and organizational measures (item 4 of the provision, it is stated that there was no lack of such measures and as to whether previous violations should have an effect (item 5 of the provision) it is stated that no attempt is made to such violations that matter. Regarding the extent of cooperation with the Personal Protection Agency (paragraph 6 of the provision) it is stated that all inquiries from the Personal Protection Agency regarding the case have been responded to within the specified time limits, while at the same time all requested information has been answered as accurately as possible Regarding the categories of personal information affected by a breach (item 7), it is stated that there was no sensitive information, but only general information, and the way in which the Personal Protection Agency was alerted to the breach (item 8) is referred to to the complaint of the Consumers' Association and noted that it cannot be considered burdensome that it became the cause of the case. With regard to compliance with the instructions on remedial measures (item 9), reference is made to the ban on the registration of so-called small claims according to a letter from Personal Protection, dated April 27, 2020 (case no. 2020010436 at the institute), and it is noted that this ban has been complied with, and that there are no further instructions from the institute in this regard. In relation to compliance with recognized codes of conduct or recognized certification arrangements (item 10), it is stated that there are no codes of conduct, but that work is being done to implement the information security standard ISO 27001/2021 in the operations of Creditinfo Lánstraust hf. It also states about other aggravating or mitigating factors, such as profit resulting from a breach (item 11), that the financial information agency has not benefited from the registration of the claims in question, since it does not get paid for the claims that are sent to it for non-payment registration .

At the end of the letter from the lawyer of Creditinfo Lánstraust hf. summarizes the main points that the financial information office focuses on. Says that the precedents of Personal Protection and other supervisory bodies in Europe are clear that the responsibility for the legitimacy of a claim and for compliance with the conditions for default registration rests with the subscribers of the financial information office and creditors. There has been a subscription agreement with the debt collection agency in force with clear provisions on authorizations for registration, i.e. on m. minimum claim amount, and if responsibility for registrations was clear and rested on the shoulders of subscribers and creditors and not Creditinfo Lánstraust hf. With reference to that, it is completely rejected that the financial information agency has violated the principles of the personal protection legislation and the conditions for the legality of processing.

Furthermore, it is emphasized that in the license that was in force at the time of the incident, it was not specifically prescribed that the financial information office supervise compliance with subscription agreements, cf. on the other hand, paragraph 2 Article 6 of the professional license on May 3, 2021. Says that the agency nevertheless believes that prior to the issuance of that license, there was an extensive inspection obligation on the salon, in order to consider that inspection was carried out, as well as that there is a big difference between the obligation to such inspection on the one hand and because the financial information office is responsible for the legality of all default registrations, on the other hand. In addition, the Personal Protection Authority is not competent to apply fines pursuant to Article 46. Act no. 90/2018 due to violations of work permit conditions.

It is also said that there is a considerable lack of case preparation and the basis of the case. There are only terms for part of the period in question and only for part of the creditors concerned. There is also no record of the loan terms signed by the individuals who were subject to the registration of defaults by eCommerce 2020 ApS and related parties during the period in question.

With reference to the above, it is said that Personal Protection does not have the grounds to impose a fine due to the alleged violations of Creditinfo Lánstraust hf. However, if the institution considers that there is a sufficient basis for the imposition of a fine, it is clear, when considering the nature and extent of the offense and other factors, that its amount can never come close to the amount specified in the objection letter of November 14, 2022. In that regard, exchange not least the requirements of the Administrative Law on proportionality and equality, but the amount of the fine would be eight to twelve times higher than the highest amount so far. It also says that Creditinfo Lánstraust hf. attaches great importance in all its activities to working with data and personally identifiable information in accordance with current legislation, incl. privacy laws. All suggestions on how things can be improved are therefore welcomed, but the Financial Information Agency does not agree that there has been a violation of personal protection legislation, let alone that such a violation could justify the amount of fine that the Personal Protection Agency has announced.

II.
Assumptions and conclusion
1.
Scope – Liability – Delimitation of case

Scope of law no. 90/2018, on personal protection and processing of personal information, and Regulation (EU) 2016/679, and thus the authority of the Personal Protection Agency, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing by methods other than automated of personal data that is or is to become part of a file, cf. Paragraph 1 Article 4 of the Act and paragraph 1 Article 2 of the regulation.

Personal information is information about an identified or identifiable person, and a person is considered identifiable if it is possible to identify him, directly or indirectly, with reference to his identity or one or more factors that are characteristic of him, cf. Number 2. Article 3 of the Act and number 1 Article 4 of the regulation.

Processing refers to an operation or series of operations where personal data is processed, whether the processing is automatic or not, cf. Number 4. Article 3 of the Act and number 2 Article 4 of the regulation.

The complaint in this case relates to the entry of information about non-payment of so-called small loans on the register of Creditinfo Lánstraust hf. on financial matters and credit. Accordingly, and taking into account the above-mentioned provisions, this case concerns the processing of personal data that falls under the authority of the Personal Protection Agency.

The person responsible for the processing of personal information is compatible with Act no. 90/2018 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation. As stated here, Creditinfo Lánstraust hf. be responsible for the aforementioned processing, i.e. to receive information about defaults from subscribers to its information systems and enter them into a register, which includes, among other things, obligations to check whether the conditions for registering information are met, as explained in section 3 below.

It should be noted that in this ruling, the Privacy Protection's review is limited to whether it was permitted to record the information and related issues, i.e. in view of the lack of a provision in the loan terms on which the registration could ideally have been based, on the one hand, and the requirement for a minimum amount of claims to be registered, cf. discussion in Chapter 3. This includes dealing with the issues that the Personal Protection Authority considers that, in view of their seriousness, may give rise to the imposition of a fine, such as here, cf. and the conclusion of Chapter 1, Part I. It is emphasized that what is said there can come into consideration at a later date, such as in connection with the initiative supervision of the Personal Protection Agency.

In addition, it should be noted that consideration has been given as to whether this case should be handled on the basis of the rules on cross-border processing, cf. Article 56 regulation (EU) 2016/679, given that the company eCommerce 2020 ApS is registered in Denmark. In the communication between the Icelandic and Danish personal protection agencies in e-mails on November 10 and 15, 2022, it was concluded that this was not necessary, as it was a case of processing of personal information that took place entirely in Iceland, cf. Paragraph 2 Article 56 of the regulation.

2.
Membership of the Consumers Association

According to paragraph 2 Article 39 Act no. 90/2018, any registered person who believes that the processing of personal data about them violates the law or regulation (EU) 2016/679 can submit a complaint to the Data Protection Authority. The same applies to the representative of the data subject. According to Article 80, an institution, association or association may also of the regulation submitted a complaint to Personal Protection if they have reason to believe that the rights of a registered person have been violated.

In paragraph 1 Article 80 of the regulation further stipulates the conditions of membership according to the above. It states that in order to enjoy membership, an institution, organization or association must be established in accordance with the laws of a member state, have mandatory goals in the public interest and be active in the field of protecting the rights and freedoms of registered persons as regards the protection of personal information about them.

On the website of the Consumers' Association, you can find, among other things, the organization's basic policy, which was approved at its general meeting on October 26, 2019. It says that the Consumers' Association is a non-governmental organization that protects and promotes consumer rights and approaches consumer issues on a broad basis. The association is independent and independent of individuals, associations, companies, associations, political parties and public bodies. In the review of the organization's methods, it is also stated that the Consumers' Association is there for consumers and informs them about their rights vis-à-vis companies and the public sector, with the aim of helping them make informed decisions. The consumer association acts as an intermediary for members to achieve their rights and thus works to have a direct influence on companies and the government. Furthermore, Article 2 states the law of the Consumer Association that their purpose is to protect the interests of consumers in society. Then it says in number 3. Article 3 the organization's law that among the methods it uses to achieve its purpose is to support the legitimate demands of its members and to fight for the rights of ordinary consumers to be respected.

It is clear that the Consumer Association was founded in accordance with the laws of the country and that it is not run for profit. The organization also has mandatory goals in the interest of the public, i.e. due to consumer protection which laws have been enacted to protect, cf. i.a. law no. 33/2013 on consumer loans. From the association's complaint, dated June 16, 2020, it will be decided that it be submitted on behalf of members in general and not on behalf of named individuals. At the same time, it is clear that the Consumers' Association has made so-called small loans a lot of concern, and it can be considered clear that the complaint relates to a resolution issue that has significance for a wide group of individuals.

The main issue regarding the membership of the Consumers' Association in the complaint case discussed here concerns whether the company can be considered active in the field of protecting the rights and freedoms of registered individuals with regard to the protection of personal information. As mentioned above, the association's role is defined very broadly in its basic policy and laws. The policy and the law will not dictate that it is considered incompatible with the Consumers' Association's role to protect the interests of its members by submitting a complaint to the Personal Protection Agency.

In light of all of the above, the Personal Protection Authority believes that, as is the case here, the Consumer Association meets the requirements of Act no. 90/2018 and Regulation (EU) 2016/679 to represent its members in this matter without a specific mandate in this regard.

3.
Lawfulness of processing

All processing of personal information must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. It has been considered that the processing of information about financial matters and the creditworthiness of individuals can, among other things, be supported by item 6. Paragraph 1 provisions of the law, cf. Clause f of the provision of the regulation, i.e. on the basis that processing is necessary for legitimate interests unless the interests or fundamental rights and freedoms of the data subject outweigh.

In addition to authorization, the processing of personal information must always be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of the regulation. Among other things, it is stipulated that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision. Then in the 2nd paragraph Article 8 of the Act and paragraph 2 Article 5 the regulation prescribes what is called liability, i.e. that the responsible party shall be responsible for the processing of personal information complying with the said principles and that he shall be able to demonstrate this.

Operation of financial information agencies and processing of information concerning financial matters and the creditworthiness of individuals and legal entities, including registration of defaults, in order to pass them on to others, is subject to the permission of the Personal Protection Agency, cf. Paragraph 1 Article 15 Act no. 90/2018, cf. Paragraph 1 Article 2 regulation no. 246/2001 on the collection and dissemination of information on financial matters and creditworthiness. When assessing whether the processing of personal information in connection with registration of default is compatible with the aforementioned provisions of Articles 8 and 9. Act no. 90/2018, cf. Articles 5 and 6 of Regulation (EU) 2016/679, the relevant terms in the work permit for a financial information agency should be considered.

In the operating license conditions, there is a list of when information about defaults can be registered with Creditinfo Lánstrausti hf., but there can be mentioned authorization for registration on the basis of a special statement to that effect in a loan or debt document, cf. Number 7. section 2.2.1 of the work permit that was in force when the incident occurred, i.e. permit, dated 29 December 2017 (case no. 2017/1541), cf. Number 7. section 2.2.2 of the current work permit, dated March 1, 2023 (case no. 2022111817). Among the things stated in this registration authorization is that the declaration of registration must be prominent and clear and that the default must have lasted for at least 40 days. As mentioned earlier, it will be considered that the registration of defaults on the loans in question could have been sanctified by a provision like this in the loan terms, but it was also a factor in ensuring transparency towards the registered.

In the interests of the aforementioned investigation due to a complaint from the Consumers' Association, Personal Protection obtained samples of the terms of loans run by eCommerce 2020 ApS, both from Creditinfo Lánstrausti hf. and from the Consumers Association. Together with the terms and conditions, standard consumer information was received from July 24, 2019, which did not contain the specified provision on default registration, but given that the business license provision in question does not cover consumer information such as this, it will not be considered separately here. It is a different matter for the three loan terms that were received, but they were valid from 3 September 2018, 25 March 2019 and 23 May 2019. and only the last-mentioned had to keep the aforementioned provision on default registration, cf. also loan terms with similar clauses that the Personal Protection Agency had previously obtained from the collection agency of the claims in question, i.e. Almennri inheimtu ehf., on 22 October 2019. It is also known that on 4 June s.á. confirmed eCommerce 2020 ApS in an email to Creditinfo Lánstraust hf. that a provision like this had not been in the company's loan terms from July 2018, in addition to which the company confirmed that the terms in question had been intended for use across borders. It was also stated that the loan agreements had now been corrected and it was clearly stated that non-payment for 40 days led to registration of non-payment with Creditinfo Lánstrausti hf., cf. and the aforementioned terms and conditions from May 23, 2019.

In addition to the fact that the provision in question was missing until the publication of these last-mentioned terms and conditions, it can be tested separately whether it was presented in a sufficiently prominent and clear way when it had otherwise been entered into the loan terms and conditions. It will not be considered that potential deficiencies in that respect could, as in the case here, have significance in the imposition of fines. In accordance with the delimitation of the case, cf. Chapter 1 above, there is therefore no reason to discuss this issue further, but it could come up later. Regardless of that, however, it is clear that when the term in question was completely missing, the possibilities of the registered person to make an informed decision when taking out a loan were significantly reduced.

To this end, it must also be considered that according to the terms of the work permit, information about claims will not be registered on the basis of the aforementioned work permit clause unless they reach a certain minimum amount, cf. beginning of section 2.2.1 of the work permit 2017, cf. beginning of section 2.2.2 of the current work permit. As mentioned above, it has been revealed that in August 2019, Creditinfo Lánstraust hf. claims by eCommerce 2020 ApS against 577 individuals whose capital was below the then minimum amount of claims, i.e. 50,000 ISK.

It is clear from the above that until May 23, 2019, claims from eCommerce 2020 ApS were registered with Creditinfo Lánstrausti hf. even though the necessary term relating thereto was missing from the loan terms, cf. aforementioned clause 7. section 2.2.1 of the company's work permit, dated 29 December 2017 (case no. 2017/1541), cf. and the same number of section 2.2.2 of the current license. Furthermore, it is clear that until August 2019, claims from the same party were registered despite the fact that they were below the minimum amount of claims that could be registered, cf. the beginning of the same section of the license.

In this regard, special attention should be paid to the liability according to paragraph 2. Article 8 Act no. 90/2018 and paragraph 2 Article 5 of regulation (EU) 2016/679. It can be considered that the Financial Intelligence Agency's surveys of the terms of loans, which come to it for registration due to non-payment, can be considered a factor in compliance with this requirement.

Regarding such surveys, reference is also made to the license conditions that when registering information from subscribers, the financial information office must have received conclusive written or electronic information confirming the existence of the relevant debt and that the conditions for registration are met, cf. beginning of section 2.2.1 of the license from 29 December 2017, cf. and the beginning of section 2.2.2 of the current license.

According to its wording, this term can be understood in such a way that when a claim from a subscriber is taken for registration, the original documents must always be examined and a position taken as to whether the conditions for registration are met due to the claim as such. This includes, among other things, that the registration of a claim in light of the terms of the contract will not take place unless the terms of the contract are examined separately for each individual claim. As far as that is concerned, it should be noted that, depending on the circumstances, it may be possible to avoid a procedure like this if the relevant subscriber demonstrates conclusively that he complies with the conditions for default registration in his activities. These include the submission of standard terms that he uses when granting loans. So that an arrangement such as this is considered satisfactory, it is clear that the financial information office needs to show a certain initiative in communication with subscribers, such as through regular surveys on how the terms and conditions are made.

In this regard, the Personal Protection Agency does not think that the great discussion that had taken place for some time when processing information about the requirements in question, i.e. both registration and the following retention, took place, but criticism of these loans can be mentioned in the report "Operating environment of small loan companies in Iceland and proposals for improvement" which a special working group submitted to the Minister of Tourism, Industry and Innovation in January 2019 and which was published on The Government Council's website on February 19, s.á., together with a news item about it. At the same time, the Personal Protection Agency believes that the large number of rulings issued by the relevant parties at this time and shortly before should be taken into account that the relevant lenders had violated the law when granting the loans, but mention can be made of the ruling of the Consumer Appeals Committee on January 21, 2015 in case no. . 14/2014, decision of the same committee on 24 July s.á. in case no. 3/2015, decision of the Consumer Agency on February 15, 2016 in case no. 7/2016, ruling of the Consumer Appeals Committee on April 14, 2016 in case no. 16/2015, judgment of the Reykjavík District Court on June 9, 2016 in case no. E-1934, decision of the Consumer Affairs Appeals Committee on September 16, s.á. in case no. 3/2016, decision of the same committee on November 6, 2017 in case no. 5/2017, judgment of the Reykjavík District Court on February 27, 2019 in case no. E-2895 and the ruling of the Consumer Appeals Committee on April 29, 2020 in case no. 6/2019.

More specifically, Personal Protection believes that, in light of the above, Creditinfo Lánstrausti hf. there is a special occasion to check whether the requirements for registering claims from parties organized by eCommerce 2020 ApS have been met, and then regardless of suggestions from outside parties that there may be failures in the activities of these parties. The Personal Protection Agency also believes that there has been an excessive delay in the preparation of a survey like this, but despite the fact that there was ample reason to examine the terms and conditions of the company in question since before the entry into force of the current privacy legislation on July 15, 2018, it was only carried out shortly before the middle of 2019, cf. the e-mail communication from May 6 to June 4 of the year described in Chapter 2 of Part I.

From all of the above, it follows that the said processing of personal information by Creditinfo Lánstraust hf. did not comply with the requirements of item 6. Article 9 Act no. 90/2018 and point f of paragraph 1. Article 6 of regulation (EU) 2016/679, i.e. on authorization for processing on the basis of legitimate interests that outweigh the interests or fundamental rights and freedoms of the data subject. Since other authorization provisions could not apply here, the processing failed according to this authorization, but in addition, the basic principle of legal, fair and transparent processing was not complied with, cf. Number 1. Paragraph 1 Article 8 of the Act and point a of the 1st paragraph Article 5 of the regulation, nor the liability according to paragraph 2. of both clauses.

4.
Perspectives on the application of sanctions

Next comes up for consideration as to whether an administrative fine should be imposed on the financial information agency Creditinfo Lánstraust hf., cf. Article 46 Act no. 90/2018, cf. also Article 83 of regulation (EU) 2016/679. As stated in paragraph 1. Article 46 of the Act, Personal Protection may, among other things, impose an administrative fine on any responsible party or processing party according to Paragraph 4 of the provision that violates any of the provisions of the regulation listed in paragraphs 2 and 3. its As for the comment of the lawyer of the Financial Information Agency that there will be no fines for violations of the terms of the work permit, it should be noted in that regard that such violations can also be considered to relate to one of these regulatory provisions and a fine can then be considered.

With this in mind, it will be examined here in more detail whether a fine should be imposed on Creditinfo Lánstraust hf. for violation of the aforementioned provisions of sub-paragraph 1. and paragraph 2 Article 5 and f-points 1. paragraph Article 6 of regulation (EU) 2016/679, cf. penalty authority in paragraph 1 and number 1. Paragraph 3 Article 46 Act no. 90/2018, cf. Paragraph 2 and point a of paragraph 5. Article 83 of the regulation. It should also be pointed out, in relation to the fact that many of the relevant persons were also on the register due to other claims, that each new non-payment registration can extend the person's stay on the register and thereby increase the burdensome effects that come with it.

When deciding on that and on the amount of the fine, paragraph 1 should be considered. Article 47 Act no. 90/2018, cf. Paragraph 2 Article 83 of the regulation. There are listed issues that can either be relevant for the benefit of the case or to his disadvantage, and the ones that will be tried in this case will be discussed here.

a. The nature, seriousness and duration of the offence

According to number 1 Paragraph 1 Article 47 Act no. 90/2018, cf. a-point 2. paragraph Article 83 of Regulation (EU) 2016/679, the nature, severity and duration of the breach must be taken into account, with regard to the nature, scope and purpose of the processing, as well as the number of data subjects affected and the serious damage they suffered.

It is clear that the number of those registered was quite large. According to explanations from Creditinfo Lánstrausti hf. in e-mails on June 16 and 20, 2022, they were more precisely about 2,000, but the explanations were provided with the caveat of the deletion of information due to the rules on the maximum retention period. Regarding the fact that the registrations could be related to claims that had been transferred to eCommerce 2020 ApS from third parties, it should also be noted that the provision of so-called small loans was part of the company's core business, and it must be assumed that registrations that Creditinfo Lánstrausti hf. received from it, were mainly related to that activity.

In order to do this, it is also considered that information about registered persons was not deleted immediately and it became clear that there was an authorization for registration, cf. the e-mail communications in May and June 2019 that are discussed in Chapter 3 above and Chapter 2 of Part I. Subject to the aforementioned rules on the maximum retention period, the information was instead not deleted until on the one hand in August 2019, when information on 577 individuals was removed from the register due to too low principal claims, and on the other hand following the cancellation of Creditinfo Lánstraust hf. on the contract with the collection agency eCommerce 2020 ApS in February 2020.

Register of Creditinfo Lánstraust hf. on the financial affairs of individuals, it is the only such register in Iceland, and a lookup in the register is usually a basic prerequisite for the facilitation of financial companies, e.g. commercial bank. Illegal registration in such a register must therefore be considered particularly burdensome and may make it impossible for the registered person to receive a loan from credit institutions, such as for the purchase of an apartment or for unforeseen expenses. It can therefore be assumed that the persons affected by the registration may have suffered serious damage.

With reference to the above, considerations about the extent of processing and the number of those registered must be considered to have a burdensome effect on the application of fines.

b. Subjective position

According to number 2 Paragraph 1 Article 47 Act no. 90/2018, cf. b-point 2. paragraph Article 83 of Regulation (EU) 2016/679, it should be considered whether the violation was committed intentionally or negligently.

As far as this is concerned, the Personal Protection Agency considers it a critical inaction, and therefore negligence, that the loan terms of eCommerce 2020 ApS were not examined until after receiving external suggestions, despite the reason that had previously been given for such an examination, cf. also discussed in section j below. The same applies to how long it took from eCommerce 2020 ApS's confirmation that the said clause on default registration was missing from the company's loan terms, i.e. 4 June 2019, until information about registrations from the company was deleted, cf. discussion in point a above.

c. Actions to reduce losses to registered persons

According to number 3. Paragraph 1 Article 47 Act no. 90/2018, cf. point c, paragraph 2 Article 83 of regulation (EU) 2016/679, the actions taken in order to reduce the loss of registered persons should be taken into account.

According to Creditinfo Lánstraust's explanations, it is clear that the registrations were deleted and made sure that they did not affect the interests of those registered, and this is considered to be the financial information agency's compensation. However, it has a burdensome effect against the delay in taking such measures, cf. points a and b above.

d. Scope of responsibility in terms of technical and organizational measures

According to number 4. Paragraph 1 Article 47 Act no. 90/2018, cf. point d, paragraph 2 Article 83 of Regulation (EU) 2016/679, it is necessary to consider how much responsibility the controller or processor has with regard to technical and organizational measures.

The processing of personal information in question here was related to the core activities of Creditinfo Lánstraust hf., i.e. registration of information about the financial affairs of individuals in order to communicate it to others. High demands must therefore be made on the company for technical and organizational measures to enforce the principles of personal protection and protect the rights of data subjects, both when the processing methods are determined and when the processing itself takes place.

It is considered that these requirements have not been sufficiently complied with and this has a burdensome effect on the application of the fine. It should be noted in this connection that the responsibility of subscribers to the information systems of Creditinfo Lánstraust hf. the fact that the claims sent for registration at the Financial Information Agency are registrable does not reduce its responsibility to ensure the legality of processing.

As explained in chapter 3 above, it will be considered unrealistic that the financial information office examines separately each and every claim that comes to be registered with it, and it is the responsibility of the financial information office to examine it in that light. More specifically, it means that a general control is taken towards subscribers to check the registration conditions, but it is known that this was done because of the requirements in question here. It must be taken into account that this general control could have taken place earlier, cf. point j below.

e. Previous violations of the guarantor

According to number 5 Paragraph 1 Article 47 Act no. 90/2018, cf. point e, paragraph 2 Article 83 of Regulation (EU) 2016/679, the relevant previous violations of the controller or processor, if any, should be considered.

In the implementation of Personal Protection, a number of cases where complaints have been made about Creditinfo Lánstrausti hf. and have rulings either been in favor of the financial information agency or not. It will not be seen that the results of these cases should have a special effect on the decision of guilt, neither as an aggravating factor nor as compensation.

f. Scope of cooperation with the Personal Protection Agency

According to number 6 Paragraph 1 Article 47 Act no. 90/2018, cf. point f, paragraph 2 Article 83 regulation (EU) 2016/679, the extent of cooperation with the Personal Protection Agency should be considered in order to remedy the breach and reduce its harmful effects.

It should be noted in this connection that Creditinfo Lánstraust hf. has shown a great willingness to cooperate, but it is manifested in the fact that errands, i.e. on m. information and data requests, have been readily answered and within the deadlines granted by the Personal Protection Agency. It is clear that it is considered a compensation for the financial information agency.

g. Categories of personal information

According to number 7 Paragraph 1 Article 47 Act no. 90/2018, cf. point g, paragraph 2 Article 83 of Regulation (EU) 2016/679, it is necessary to consider which categories of personal data were affected by a breach.

The information in question here is not considered sensitive personal information, cf. Number 3. Article 3 Act no. 90/2018 and paragraph 1 Article 9 of regulation (EU) 2016/679. However, they relate to the financial problems of individuals, as well as working with them in a burdensome context for the registered person. Is this likely to have an aggravating effect?

h. In what way was Personal Protection notified of a breach?

According to number 8. Paragraph 1 Article 47 Act no. 90/2018, cf. h-item 2. paragraph Article 83 of Regulation (EU) 2016/679, it is necessary to consider the way in which the Data Protection Authority was made aware of a breach, in particular whether, and to what extent, the responsible party or processor notified the breach.

This case is the result of a complaint against Creditinfo Lánstrausti hf., but at the same time the Personal Protection Agency had taken the registration of information regarding so-called small loans for examination on its own initiative, cf. point i below. These two will not be considered to have a special effect in the said context.

It should also be noted that the case regarding the initiative investigation coincides with the case regarding this complaint and has therefore been closed. However, a new case may be opened if there is a special reason to do so.

i. Compliance with instructions on measures for spare parts

According to number 9. Paragraph 1 Article 47 Act no. 90/2018, cf. point i, paragraph 2 Article 83 of Regulation (EU) 2016/679, compliance with the instructions of the Data Protection Authority on remedial measures should be considered if instructions on such measures have previously been directed to the relevant controller or processor regarding the material in question.

In a case opened by the Personal Protection Agency on its own initiative to examine the registration of information on non-payment of so-called small loans, instructions were directed to Creditinfo Lánstraust hf. on not registering a loan due to such claims, cf. letter from Personal Protection, dated April 27, 2020 (case no. 2020010436 at the institute). The examination was intended to examine whether the requirement for the legality of personal data processing, cf. Number 1. Paragraph 1 Article 8 Act no. 90/2018 and point a of paragraph 1. Article 5 of Regulation (EU) 2016/679, would be satisfied in relation to the cost of loans. There is nothing other than that the ban was complied with on this basis, as it should be understood in light of case law, cf. judgment of the National Court on 18 November 2022 in case no. 646/2021, cf. previously the judgment of the Reykjavík District Court on August 11, 2021 in case no. E-5637/2020 and the aforementioned decision of the Consumer Appeals Committee on April 29, 2020 in case no. 6/2019.

j. Other aggravating or mitigating factors related to the circumstances of the case

According to number 11 Paragraph 1 Article 47 Act no. 90/2018, cf. k-item 2. paragraph Article 83 of Regulation (EU) 2016/679, other aggravating or mitigating factors than those listed earlier in the provision, such as profit obtained or loss avoided, directly or indirectly, as a result of a violation, should be considered.

As is the case here, it will be considered to have an aggravating effect when applying a fine that the processing in question took place as part of an activity that was supposed to generate a profit, regardless of whether the processing as such resulted in a profit or not. Furthermore, it will not be considered important that a special fee is not charged when information about defaults is registered with Creditinfo Lánstrausti hf., as the registrations are used to generate profits, i.e. in making them available for a fee.

At the same time, it is necessary to consider that Creditinfo Lánstraust hf. did not examine the loan terms of eCommerce 2020 ApS until after receiving external suggestions, in addition to the fact that in light of the extensive discussion about loans run by the company, there could be reason to examine their terms before they actually happened. Will this also be considered to have a burdensome effect on the application of the fine.

5.
Conclusion on imposition and amount of fine

As mentioned above, the Personal Protection Agency can impose an administrative fine on any controller or processor who violates any of the provisions of the regulation listed in paragraphs 2 and 3. Article 46 Act no. 90/2018, cf. Article 83 of regulation (EU) 2016/679. In number 1 Paragraph 3 of the legal provision, cf. point a 5. paragraph of the regulation clause, it is stated that a violation of the basic rules for processing according to Articles 5, 6, 7 and 9. of the regulation may concern administrative fines.

As explained in chapter 3 above, it is known that the financial information agency Creditinfo Lánstraust hf. breached point a of paragraph 1 and paragraph 2 Article 5 and Article 6 of regulation (EU) 2016/679. Taking into account all of the above, the conclusion of the Personal Protection Agency is that an administrative fine should be imposed on the salon.

According to paragraph 3 Article 46 Act no. 90/2018, cf. Paragraph 5 Article 83 of the regulation, the amount of an administrative fine for a violation of the aforementioned provisions can range from 100 thousand ISK to 2.4 billion ISK or, in the case of a company, up to 4% of its total annual turnover worldwide in the following financial year, whichever is higher.

When determining the amount of the fine, the onerous nature of the processing has special weight, as well as the fact that it was carried out for profit and is a core element of Creditinfo Lánstraust hf.'s operations. The delay in deleting registrations from eCommerce 2020 ApS should also be taken into account after it became clear that their authorization was broken. It is clear that the inspection of the registrations did not begin until after receiving external suggestions, but nevertheless it should be taken into account that what was discussed was general monitoring of subscribers to the information systems of Creditinfo Lánstraust hf. which the financial intelligence agency intervened voluntarily. As explained in the right of objection letter to the agency, it has been considered to base the amount of the fine on a percentage of the turnover and to use the authorization in that regard up to the 4% maximum, but in light of this and all the circumstances, Personal Protection considers it material to depart from that and determine some a lower fine amount than the sensitivity, i.e. based on 2.5% of turnover. You have to look at the last published annual accounts from the financial information office, i.e. for the year 2021, where the total turnover was given as ISK 1,514,276,000.

Accordingly, the fine is set at ISK 37,856,900.

Ruling:

Creditinfo Lánstraust hf.'s processing, i.e. the registration of information on defaults from eCommerce 2020 ApS without the conditions for registration of defaults according to the current business license of the financial information agency being fulfilled, was not compatible with the provisions of item 1. Paragraph 1 and paragraph 2 Article 8 and Article 9 Act no. 90/2018, cf. point a, paragraph 1 and paragraph 2 Article 5 and paragraph 1 Article 6 of regulation (EU) 2016/679.

An administrative fine of ISK 37,856,900 is imposed on Creditinfo Lánstraust hf. The fine must be paid to the treasury within one month from the date of this decision, cf. Paragraph 6 Article 46 Act no. 90/2018.

Privacy, 27 June 2023

Ólafur Garðarsson

chairman

Árnína Steinunn Kristjánsdóttir Björn Geirsson

Vilhelmína Haraldsdóttir                         Þorvarður Kári Ólafsson