Persónuvernd (Island) - 2020122992

English Summary

Following, complaints about the processing of personal data by Creditinfo Lánstrausts to issue reports on creditworthiness, for Netgíró ehf to use these reports, as well as the dissemination of personal data by the IL fund in the Creditinfo debt ranking system. The Icelandic DPA found that a credit assessment took place in accordance with articles 5 and 6 GDPR.

Facts

In December 2020, the DPA received a complaint by the complainant that their authorisation had been invoked by Netgíró ehf. (the controller) due to credit rating information given by Creditinfo Lánstrausts without prior to informing the claimant i.e. data subject of data transmission.

The data subject argued that to gain access to Creditinfo's information about themself, they had to agree to the company's use of certain additional information from its debt position system when calculating their credit rating. Additionally, Creditinfo allegedly used incorrect information from the debt position system in the calculation, as the IL fund communicated information to the system about the complainant's debt to the fund even though they had already paid the debt in question.

Netgíró ehf. have been prohibited from using information about Creditinfo's credit rating, which has been incorrectly calculated, and that the company is obliged to notify the borrower (this case the complainant) in advance when it intends to cancel the borrower's authorization due to changes in Creditinfo's credit rating.

The defendants in this case argued that the data subject had in fact been notified and reminded that they can withdraw their consent at any point and that Creditinfo was considered a processor in the debt position system.

Holding

The DPA held that the processing of financial data is considered personal data and falls under the authority of the DPA. The DPA is responsible for monitoring the implementation of Act No. 90/2018, on Data Protection and the Processing of Personal Data, Regulation (EU) 2016/679 (General Data Protection Regulation) and Act No. 75/2019, on the Processing of Personal Data for Law Enforcement Purposes.

The controller is responsible for ensuring that the processing of personal data complies with Act No. 90/2018 and Regulation (EU) 2016/679 (GDPR).

In the present case there are three controllers. Firstly, Creditinfo is the controller of the processing that involved the use of information registered with the company for the preparation of reports on the complainant's credit status. Secondly, the ÍL Fund is the controller of the processing involved in the transmission of information about the complainant in the Creditinfo debt ranking system. Thirdly, Netgíró is the controller of the processing that the undertaking itself carried out in assessing the applicant's creditworthiness when requesting financial assistance from the complainant.

Eventually, the DPA found that the processing of personal data about the complainant's debt status and credit assessment took place in accordance with the Icelandic national data protection law Act no. 90/2018 and Articles 5 and 6 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Processing of personal information by Creditinfo Lánstraust, Netgíró ehf and ÍL-sjóð

Case no. 2020122992

9.11.2022

In a case where there was a complaint about the processing of personal information in connection with the preparation of reports on creditworthiness by Creditinfo Lánstraust hf., the Data Protection Authority ruled on the use of Netgíró ehf. on such reports and the cancellation of the complainant's authorization at the company based on them, as well as due to the ÍL Fund sharing information about the complainant in Creditinfo's debt status system.

The conclusion of the Personal Protection Agency was that Creditinfo's processing of information about the complainant's debt status was in accordance with the provisions on authorizations and basic requirements for processing according to the Personal Protection Act, processing by Netgíró ehf. on information about creditworthiness assessment also complied with the law and that the ÍL Fund's sharing of the complainant's information in Creditinfo's debt status system also complied with the law.

Ruling

about a complaint about the processing of personal data by Creditinfo Lánstraust hf., Netgíró ehf. and ÍL Fund in case no. 2020122992.

i
Procedure
1.
Outline of a case

On December 2, 2020, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about the processing of personal information about him in connection with the preparation of reports on his creditworthiness by Creditinfo Lánstraust hf. (Creditinfo), over the use of Netgíró ehf. on such reports and the cancellation of his authorization by the company based on them, as well as due to the sharing of information about himself by the ÍL Fund in Creditinfo's debt status system.

Personal protection invited Creditinfo, Netgíró ehf. and ÍL Fund to comment on the complaint by letter, dated August 10, 2021. Received responses from Creditinfo, etc., responses from ÍL-sjóð on September 1, 2021 and responses from Netgíró ehf. 8 October s.á. When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

The processing of the case has been delayed due to the heavy workload at Personal Protection.

There is a dispute about Creditinfo's authority to use additional information about the complainant when calculating his credit rating and whether Creditinfo used incorrect information from the company's debt status system during the calculation. There is also a dispute as to whether ÍL Fund has shared incorrect information in Creditinfo's debt status system. Finally, the dispute concerns whether Netgíró ehf. has been allowed to use information about the complainant's credit rating when deciding on the cancellation of authorization at the company without prior notification to him.

2. The point of view of the complainant

The complainant refers to the fact that on December 1, 2020, he intended to use his authorization at Netgíró ehf. but then he realized that the authorization had been canceled due to his credit rating at Creditinfo.

The complainant states that in order to gain access to information about himself at Creditinfo, he had to agree to the company's use of certain additional information from its debt status system when calculating his credit rating. Creditinfo has also used incorrect information from the debt status system for the calculation, as ÍL Fund has communicated information to the system about the complainant's debt to the fund, despite the fact that he has already paid the relevant debt.

The complainant also considers the conduct of Netgíró ehf. have been prohibited from using information about Creditinfo's credit rating, which has been incorrectly calculated, and that the company has an obligation to notify borrowers in advance when the borrower's authorization is to be canceled due to changes in Creditinfo's credit rating.

3.
Creditinfo's point of view

It is stated by Creditinfo that following an inquiry from the complainant, dated On December 2, 2020, he was informed that he had given his consent to the use of additional information in the preparation of a credit assessment and was advised that he could withdraw his consent. Creditinfo has informed the complainant that the factors that were calculated for reduction related to data that the complainant himself had agreed to be used in the preparation of the assessment, i.e. on m. information from the debt status system that was retrieved on December 2, 2020 and showed, among other things, loans in arrears with the ÍL Fund. The complainant was also informed that Creditinfo was considered a processing party for the debt status system, where the actual status of all the person's obligations was shown according to the lender's information systems. The ÍL Fund was responsible for publishing information in the system and the complainant should contact him regarding the issue. Creditinfo also points out that when the complainant's arrears with the ÍL Fund were settled at the beginning of December 2020, his credit rating was recalculated.

4.
ÍL Fund's point of view

It is stated by the ÍL Fund that a debt collection claim has been established against the complainant, dated 1 November 2020, due to the complainant's loan from the fund due on 1 November s.á. and one day at 4 p.m. According to information from the organization's payment system, the claim was paid on December 2, 2020 at 01:56. Information on paid claims on loans at ÍL-fund is updated daily at 22:30 after the end-of-day settlement is carried out. Payments that are made after 9:00 p.m., however, do not result in the update at 10:30 p.m., as the banking day at the banks' Accounting Office ends at 9:00 p.m. If the claim was paid on December 2, 2020, the information about the registered person was updated the same day, in the evening, provided that it was paid before 21:00 on that day. Information shared in Creditinfo's debt status system takes into account the end-of-day settlement. The complainant's debt status was retrieved from the debt status system on December 2, 2020, but the sharing of information at that time took into account the end-of-day settlement on the 1st. Updates on paid claims are not in real time, and the dissemination of information to the debt status system thus takes into account the end-of-day settlement of the previous day.

ÍL-sjóður denies having communicated wrong information to the system. The information was correct, taking into account the technical solutions and systems used. Unrealistic demands for updating information between systems must not be made. By updating information daily, it is promoted that the correct information is shared at all times.

5.
The point of view of Netgíró ehf.

It is described by Netgíró ehf. that the processing took place on the basis of items 1, 2 and 3. Paragraph 1 Article 9 Act no. 90/2018. The company obtains a credit assessment of its customers in order to fulfill a legal obligation under other laws, such as the Consumer Credit Act no. 33/2013.

It is noted that the company only requests the information that is necessary and that laws and regulations stipulate that must be obtained. Immediately at the start of the transaction, the customer agrees to the company's terms and conditions and specifically agrees to the acquisition of a credit rating, where he is responsible for the collection of information from the Creditinfo database and that he is registered there for creditworthiness and default monitoring.

Netgíró ehf. that the company is not responsible for mediating other companies in Creditinfo's debt status system. Netgíró ehf. notes that from the data accompanying the company's letter of October 8, 2021, it can be seen that the company responded to the complainant's changed credit rating as soon as the relevant information was received. The company also refers to a screenshot with an overview of the complainant's acceptance of the company's terms and conditions, including its authority to obtain information about the complainant's creditworthiness.

II.
Assumptions and conclusion
1.
Scope – Responsible party

This case concerns the processing of financial information about the complainant. Regarding the processing of personal information that falls under the authority of the Personal Protection Authority[1] The person responsible for the processing of personal information is compatible with Act no. 90/2018 and Regulation (EU) 2016/679 is the named responsible party.

As stated here, Creditinfo is considered to be the responsible party for the processing that involved the use of information registered with the company, for making reports on the creditworthiness of the complainant.

However, the ÍL Fund is considered to be the responsible party for the processing that involved sharing information about the complainant in Creditinfo's debt status system. However, Personal Protection considers Creditinfo to be a processor of information in the debt status system, cf. Number 7. Article 3 Act no. 90/2018.

Finally, Netgíró ehf. be responsible for the processing that the company itself carried out when assessing the creditworthiness of the complainant when he requested financial assistance from it.

2.
Creditinfo business license

Regarding the Creditinfo aspect, it is considered that Personal Protection has granted the company a license for the processing of information on financial matters and creditworthiness, cf. Article 15 Act no. 90/2018. In that provision, more specifically, the license requirement for the operation of a financial information agency and the processing of information concerning financial matters and the creditworthiness of individuals and legal entities, incl. default registration and credit assessment, in order to pass them on to others. When the events in this case took place, Creditinfo's license for the processing of information on financial matters and creditworthiness was valid, dated 29 December 2017 (case no. 2017/1541).

3.
Conclusion

All processing of personal information must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. The sources that are mainly considered here are that the registered person has given his consent to the processing of personal information about him for the benefit of one or more specific goals, cf. Number 1. Article 9 of the law, or that the processing was necessary due to the legitimate interests of the responsible party or a third party, unless the interests and fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh, cf. Number 6. of the same provision.

In addition to authorization according to the above, the processing of personal data must satisfy the basic requirements of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of the regulation. This includes, among other things, that care must be taken to ensure that personal information is processed in a legal, fair and transparent manner towards the data subject (item 1 of the provision of the law); that they are sufficiently relevant and not beyond what is necessary based on the purpose of the processing (item 3); that they are reliable and updated as needed, but that personal information that is unreliable or incomplete, based on the purpose of its processing, must be deleted or corrected without delay (item 4) and that it is preserved in such a way that it is not possible to identify registered persons for longer than necessary based on the purpose of processing (item 5).

It is clear that before requesting information about the complainant's creditworthiness from Creditinfo, the complainant had accepted the authorization of Netgíró ehf. to call for such information in connection with credit facilities. When the complainant's credit rating was then calculated at Creditinfo, information about his debt status was used, but it is clear from the case file that the complainant agreed to Creditinfo's use of such additional information when preparing reports on his credit rating. According to the complainant's e-mail communication with Creditinfo, it is also clear that he was informed about what such consent entails and about his authority to revoke it. Accordingly, it cannot be seen that he had to agree to Creditinfo's use of such information as stated in the complaint, but also refer here to chapter 38 in the document "Statement with standard conditions in business licenses for financial information agencies" from May 3, 2021 which can be found on the Privacy Protection website.

Personal Protection has previously ruled in a case where Creditinfo's authority to make reports on creditworthiness with the use of so-called additional information based on the consent of registered persons was tested, cf. ruling of the institution, dated January 28, 2021, in case no. 2020010634. In the case, Personal Protection came to the conclusion that the complainant's acceptance of Creditinfo's additional terms had fulfilled the conditions according to Article 10. Act no. 90/2018 on approval and thus Creditinfo would have been authorized according to item 1. Article 9 of the Act to make reports on the credit rating of the complainant. The Data Protection Authority also considered that the processing had been in accordance with the principles of Article 8. of the law. Refer to section 4. and 3.1. in the ruling for further justification.

The Personal Protection Authority considers the above points of view in case no. 2020010634 are applicable in the matter that is being resolved here. Creditinfo's e-mail communication with the complainant and the company's education in other respects in the above ruling are largely comparable to this case. Personal Protection Creditinfo therefore believes that it has been authorized according to number 1. Article 9 Act no. 90/2018 to use additional information about the complainant when making a credit assessment of him. It will not be seen that the processing has otherwise violated Article 8. Act no. 90/2018. As mentioned before, Creditinfo is a processor of the debt status system, and if the information there is incorrect, it is the responsibility of the person who transmits the information to the system, i.e. ÍL fund in this case.

Regarding the ÍL fund's sharing of information about the complainant in Creditinfo's debt status system, refer to item 6. Article 9 Act no. 90/2018 which the Personal Protection Authority has considered to support this type of processing, but in the end the sharing must be compatible with the aforementioned basic requirements of Article 8. of the law, i.e. on m. Number 4. Paragraph 1 on the reliability of personal information and its updating as necessary. That provision means that a financial institution, which transmits information into the system in question, must make sure that these are valid claims.

It is clear that when the complainant first received information about the cancellation of authorization at Netgíró ehf. due to his credit rating at Creditinfo, i.e. on December 1, 2020, his debt to ÍL funds was unpaid. It is therefore indisputable that when calculating the credit rating, valid information about the ÍL fund's claim was communicated to the debt status system.

The complainant's investigation revealed that the following day, ie. 2. s.m., there had been no change in his credit rating and that information about the claim in question was still in Creditinfo's debt status system. According to the case file, however, it is clear that the complainant first paid the claim at 01:56 that day. As stated in the response letter of the ÍL Fund, dated On September 1, 2021, the dissemination of information in Creditinfo's debt status system takes into account the end-of-day settlement, i.e. status of claims at 21:00 of that day. If claims are paid after that time, they are therefore not included in the end-of-day settlement of the relevant day, but of the following day. The Personal Protection Authority does not consider the aforementioned procedure of the ÍL Fund to be in conflict with the provisions of Article 8. Act no. 90/2018, cf. in particular, claim 4. Paragraph 1 of that article on updating information as needed, but the organization believes that it must agree with the ÍL Fund's point of view that unrealistic demands cannot be made on updating information between systems.

In view of the above, the conclusion of the Personal Protection Authority is that the processing of personal information about the complainant by the ÍL Fund was in accordance with Act no. 90/2018, on personal protection and processing of personal information.

Regarding the part of Netgíró ehf. is to consider that according to item 3. Article 9 Act no. 90/2018 personal data may be processed if it is necessary to fulfill a legal obligation. When evaluating authorization for processing, provisions in other laws that are relevant in each case must be taken into account. In paragraph 1 Article 10 Act no. 33/2013 on consumer loans states that the lender is obliged to assess the consumer's creditworthiness before concluding a consumer loan agreement. In point k of Article 5 the same law states, among other things, that credit assessment shall be based on the business history of the parties and/or information from databases on financial matters and creditworthiness.

With reference to the above, Personal Protection believes that the acquisition of Netgíró ehf. on information about the complainant's creditworthiness have been carried out on the basis of the aforementioned provisions of Act no. 33/2013, and can therefore rely on authorization in item 3. Paragraph 1 Article 9 Act no. 90/2018. In the opinion of the Personal Protection Authority, it must not be seen that the provisions of Article 8. Act no. 90/2018 or other provisions of the law require that Netgíró ehf. notify the borrowers in advance of the cancellation of the authorization, if the credit rating has changed. It is clear that the company immediately reacted to the changed creditworthiness by increasing the complainant's authorization when information about it was available.

Ruling:



Processing Creditinfo Lánstraust hf. on the information about the complainant's debt status when making a credit assessment of the complainant was in line with the provisions on authorizations and basic requirements for processing in Act no. 90/2018 and Regulation (EU) 2016/679.

Communication of the ÍL Fund's information about the complainant in the debt status system of Creditinfo Lánstraust hf. agreed with the same provisions of law no. 90/2018 and Regulation (EU) 2016/679.

Processing Netgíró ehf. on the information about the complainant's credit rating was consistent with the same provisions of Act no. 90/2018 and Regulation (EU) 2016/679.

Privacy, November 9, 2022

Þórður Sveinsson                    Inga Amal Hasan



[1] Personal protection oversees the implementation of Act no. 90/2018, on personal protection and the processing of personal data, Regulation (EU) 2016/679 (the General Data Protection Regulation) and Act no. 75/2019, on the processing of personal information for law enforcement purposes.