Persónuvernd (Island) - 2022111927

The Icelandic DPA held that a company offering so-called "small loans" (eCommerce 2020) breached Article 5(1)(a) GDPR by sending information on non-payments to be registered at a credit information company where its loan terms did not include a provision on such data sharing. The company was fined ISK 7,500,000 (approx. € 51,000).

English Summary

Facts

A company offering so-called "small loans" - eCommerce 2020 ApS (eCommerce) – sent information about non-payments of loans for registration at a credit scoring company - Creditinfo Lánstrausti hf.

The Icelandic DPA issued a decision (case no. 2020061901 – see summary on GDPRHub) against Creditinfo Lánstrausti hf. after the consumers' association of Iceland filed a complaint against it. Following the investigation in that case, it was revealed that the loan terms of eCommerce did not include any provision stating that non-payment (for 40 days) leads to registration of non-payment at Creditinfo Lánstrausti hf.

However, in this case eCommerce 2020 disputed the fact that such provision was missing and argued that regardless of the wording in the company's loan terms at any given time, borrowers were always informed of the consequences of non-payments on their loans. Furthermore, eCommerce claimed that there was always some kind of provision in the company's loan terms stating that if a loan defaulted, the company has the right to entrust a third party to collect the loan.

It was also revealed that information on non-payments were registered on behalf of eCommerce 2020 ApS despite the fact that the amount of the payment default was below the minimum amount that could be registered according to the terms of the business license of Creditinfo Lánstrausti hf.

In light of the above, the Icelandic DPA considered that there may be grounds for imposing an administrative fine on eCommerce 2020 ApS, and initiated an investigation.

Holding

Firstly, the Icelandic DPA concluded that eCommerce is responsible as the controller for the processing of the personal data in question when eCommerce sends the information on non-payments to Creditinfo Lánstrausti hf. for registration. Moreover, the DPA stated that eCommerce is liable for ensuring that the conditions of the loan terms are met for the registration of non-payments.

Secondly, the DPA considered the lawfulness of the processing of perosnal data in question. The fact that eCommerce sent the information on non-payments of loans for registration despite the fact that the necessary term relating thereto was missing in the loan terms was noted by the DPA. Additionally, the DPA took into account that eCommerce sent information on non-payments for registration even when the amounts were below the minimum amount that could be registered according to the business license of Creditinfo Lánstrausti hf.

Following the above considerations, it was found by the DPA that eCommerce violated Article 6(1)(f) GDPR when it sent the information on non-payments for registration on the basis of legitimate interests. The legitimate interests of eCommerce did not outweigh the interests or fundamental rights and freedoms of the data subjects.

Furthermore, the DPA found that with regard to its processing of personal data in question eCommerce breached the principle of lawfulness, fairness and transparency under Article 5(1)(a) GDPR as well as the accountability principle pursuant to Article 5(2) GDPR.

Consequently, eCommerce was issued with a fine of ISK 7,500,000 (approx. € 51,000) due to the registration of unpaid claims due to the so-called small loans at Creditinfo Lánstrausti hf. without the registration conditions being met.

Comment

In this decision the reasoning behind the Icelandic DPA's conclusion where it found that the controller breached Article 6(1)(f) GDPR seems to be very limited.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Fine against eCommerce 2020 ApS for registering information with Creditinfo Lánstrausti

Case no. 2022111927

4.7.2023

In general, the processing of personal data must be lawful, fair and transparent. Operation of a financial information agency and processing of information concerning financial matters and the creditworthiness of individuals and legal entities, including Registration of defaults, in order to communicate them to others, is subject to the permission of the Personal Protection Agency. In addition, subscribers to the financial information office's information systems, who share information for registration there, are responsible for having authorization for that sharing and registration.

In this case, information on loan defaults, which was provided by eCommerce 2020 ApS, was sent for registration at the financial information office without the necessary terms relating thereto having been included in the company's loan terms and conditions. Then information about claims was sent for registration, even though they were below the applicable minimum amount.

-----

Personal Data Protection has imposed an administrative fine, in the amount of ISK 7,500,000, on eCommerce 2020 ApS due to the registration of unpaid claims due to so-called small loans at the financial information agency Creditinfo Lánstrausti hf. in a given period without the registration conditions being met.

When deciding on the imposition of a fine and its amount, the number of those registered, the fact that the processing was related to the core activity of eCommerce 2020, the fact that the activity was intended to generate profit, as well as the particularly burdensome nature of the processing, i.a. in connection with the possibilities of the registered for credit facilities for the purchase of apartments or unforeseen expenses. The operating profit that the company enjoyed as a result of the loans in question had special weight when determining the amount of the fine, but it was also taken into account that there had been a significant decline in the company's activities since the events of the case took place.

Decision

On June 27, 2023, the Board of Personal Protection made the following decision in case no. 2022111927, i.e. due to an examination of the registration of information on non-payment of so-called small loans by eCommerce 2020 ApS:

i
Procedure
1.
Outline of the case – Procedure

The beginning of this case can be traced back to the fact that on June 16, 2020, Personal Protection received a complaint from the Consumer Association about the processing of personal information by the financial information agency Creditinfo Lánstrausti hf. in connection with so-called small loans (case no. 2020061901), but they were, among other things, provided by eCommerce 2020 ApS.

The consumer association's complaint was that Creditinfo Lánstraust hf. had registered claims for such loans despite the fact that the interest and costs of the loans had violated consumer legislation. Correspondence took place on that issue between Personal Protection and Creditinfo Lánstraust hf., i.e. regarding whether the registration of default on the loans had been legal. Was the case limited to a specific period that began with the entry into force of Act no. 90/2018, and thus the fines of the Personal Protection Agency, and until the agency believed that the granting of the loans had been brought in accordance with the law.

On November 18, 2022, the National Court issued a judgment in case no. 646/2021, but it was concluded that Danish law and not Icelandic law had applied to the interest and costs of the loans in question during the aforementioned period. From that court decision, it was clear that the registration in question could not be considered to be in violation of the above-mentioned demand for legality, with reference to the fact that the loans had violated the consumer legislation in the country.

However, following the investigation of the aforementioned case due to a complaint from the Consumers' Association, a new solution is now being tried, i.e. on the terms of the loans in question in relation to item 7. section 2.2.1 of the license of the Personal Protection Agency that was in force when the events of the case took place, i.e. permit, dated 29 December 2017 (case no. 2017/1541), cf. Number 7. section 2.2.2 of the current work permit, dated March 1, 2023 (case no. 2022111817). Does the work permit clause contain the rule that at Creditinfo Lánstrausti hf. it is permitted to register arrears when the loan or debt document from which the debt is derived stipulates authorization to register arrears that have lasted for 40 days, cf. and further conditions of the provision in that regard. The Personal Protection Authority has considered it clear that the registration of defaults on the loans in question could have been made clear by a provision like this in the loan terms and conditions.

The communication between the Personal Data Protection Authority and Creditinfo Lánstraust hf., in the interest of investigating a case regarding a complaint by the Consumers' Association, revealed that since the entry into force of Act no. 90/2018, on July 15, 2018, until May 23, 2019, a provision like this was missing in the terms of loans run by eCommerce 2020 ApS, but information about them was nevertheless sent to the default registration. Appears in the documents of the case, i.e. explanations provided by Creditinfo Lánstraust hf. provided in an email on June 16 and 20, 2022, that about 2,000 registrations from eCommerce 2020 ApS had then been found from July 15, 2018 to the end of November 2019, in accordance with the assumptions that were then based on. A reservation was made regarding the deletion of information due to the rules on maximum retention time, and it must therefore be assumed that there were more registrations.

It is also known that claims were registered on behalf of eCommerce 2020 ApS despite the fact that their capital was below the minimum amount of claims that could be registered according to the terms of the work permit, cf. beginning of section 2.2.1 of the work permit 2017, cf. the beginning of section 2.2.2 in the current license, but according to the aforementioned explanations Creditinfo Lánstraust hf. claims by the company against 577 individuals were deregistered for this reason at the Financial Information Agency in August 2019.

In light of the above, the Personal Protection Authority considered that there may be grounds for imposing an administrative fine on eCommerce 2020 ApS. A letter was therefore sent to the company, dated December 6, 2022, where the right to object was granted on that issue, as well as access to relevant data, i.e. on m. out of a case due to the aforementioned complaint of the Consumers' Association against Creditinfo Lánstrausti hf. It was noted that a fine could amount to ISK 15,000,000, i.a. in view of the number of those registered.

It was answered f.h. of the company with a letter from its lawyer, dated February 27, 2023. In the letter, among other things, a comment was made that with the letter of the Data Protection Authority, dated 6 December 2022, would not have included a copy of the consumer association's complaint to Personal Protection, dated 16 June 2020, and a copy of the letter from the Data Protection Authority to Creditinfo Lánstraust hf., dated December 30, 2021, where the right to object to fines due to the registration of said claims with the financial information office was granted. By e-mail on March 1, 2023, the lawyer of eCommerce 2020 ApS was granted access to the aforementioned data and given the opportunity to make further comments on the matter. By letter, dated 10 a.m., additional answers were received from the law firm.

When resolving the case, the above-mentioned documents have been taken into account, even though not all of their content is separately explained in this decision.

2.
Vision eCommerce 2020 ApS

In the letter of the lawyer of eCommerce 2020 ApS, dated 27 February 2023, reference is made to the fact that according to the judgment of the Reykjavík District Court on 11 August 2021 in case no. E-5637/2020, which was confirmed by the judgment of the National Court on November 18, 2022 in case no. 646/2021, the applicable Danish law on the activities of eCommerce 2020 ApS. The decision of the Consumer Agency on August 21, 2019 in case no. 31/2019, to the effect that the company had violated various provisions of Act no. 33/2013.

It is stated in the letter that according to this the company is not bound by Icelandic consumer credit legislation. It also says that the fine decision against the company will therefore not be based on the fact that Icelandic law and other types of rules in Iceland require certain conditions, i.e. on m. that Icelandic companies can only collect information on debts of individuals that amount to a certain amount if a claim is sent for registration of arrears at the financial information office.

It is also based on the fact that the company cannot be held responsible for the claims made to Creditinfo Lánstraust hf. in a work permit to the financial information office. Nowhere is there any reference to the fact that other parties, e.g. those who register claims with the salon, can be responsible for the requirements or conditions stated in the work permit.

In addition, it says that on the basis of the available data, it is not possible to confirm that the provision in question in the loan terms was lacking in the terms of eCommerce 2020 ApS during the period under consideration. It is indisputable that after May 23, 2019, such a provision was in the company's loan terms. There are only examples of loan terms with validity from 3 September 2018 and standard consumer information from the unit Hraðpeningim within eCommerce 2020 ApS, dated April 24, 2019, where provisions like this were missing. In the company's opinion, that information is not sufficient to confirm that the provision has always been missing from its loan agreements.

Furthermore, it is noted that all claims that the company has sent for default registration at Creditinfo Lánstrausti hf. have been made in consultation with the financial information office. She was responsible for not disclosing information about claims that were below the minimum amount of claims that could be registered according to her work license and the Personal Protection Act.

Finally, the fine amount specified by the Personal Protection Agency is contested. It is pointed out that eCommerce 2020 ApS has been inoperable due to legal proceedings in connection with the aforementioned decision of the Consumer Agency from August 21, 2019, but the legal proceedings have ended with the judgment of the National Court, in case no. 646/2021, on November 18, 2022. There has therefore been a decline in the company's turnover and that is not to blame. It is noted that, however, if the Personal Protection Agency considers it a reason to apply sanctions in the form of a fine, the company's role was minor, and it is also rejected that the extensive processing referred to by the Personal Protection Agency in the letter of December 6, 2022 should have an impact on the amount of the fine. It is also emphasized that as soon as the company was informed of the need for the provision in question in the loan terms, the company's documents were corrected.

With a letter from the company's lawyer, dated On March 10, 2023, the previous viewpoints of eCommerce ApS 2020 were reiterated, but it was also noted that, regardless of the wording in the company's loan terms and loan agreements at any given time, borrowers were always clearly informed of the consequences of defaulting on their loans. Thus, there was always a provision in the company's loan terms that if a loan defaulted, the lender had the right to entrust a third party to collect the loan. Borrowers were also informed in loan agreements that if the loan defaulted, the lender would take their claim to court if necessary. The company had no intention of omitting certain clauses or wording in its loan documents.

II.
Assumptions and conclusion
1.
Scope – Delimitation of matter

Scope of law no. 90/2018, on personal protection and processing of personal information, and Regulation (EU) 2016/679, and thus the authority of the Personal Protection Agency, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic, cf. Paragraph 1 Article 4 of the Act and paragraph 1 Article 2 of the regulation.

This case concerns the sending of information about personal defaults for registration at the financial information agency Creditinfo Lánstrausti hf. Accordingly, and taking into account the above-mentioned provisions, this case concerns the processing of personal data that falls under the authority of the Personal Protection Agency.

The resolution of the case is limited to whether eCommerce 2020 ApS, when sending information for default registration at Creditinfo Lánstrausti hf. take care of the conditions for the registration, cf. discussion in chapter 3 below. The period under consideration for the imposition of a fine extends from the entry into force of the fine authorization together with the publication of the current personal protection legislation, i.e. July 15, 2018, to May 23, 2019 on the one hand, in terms of claims that were sent for default registration at Creditinfo Lánstrausti hf. however, terms relating thereto were missing from the loan terms, and on the other hand on August 29, 2019, in terms of claims that were sent for default registration despite being below the minimum capital of claims that could be registered.

In the opinion of the Data Protection Authority, the court decision does not mean that Danish law applied to the interest and costs of loans provided by eCommerce 2020 ApS during the aforementioned period, cf. judgment Reykjavík District Court 11 August 2021 in case no. E-5637/2020 and the judgment of the National Court on November 18, 2022 in case no. 646/2021. It is known that when collecting loans on behalf of eCommerce 2020 ApS, the company used the collection services of domestic collection companies and default registration with Creditinfo Lánstrausti hf. Icelandic laws and regulations apply to this, cf. among other things, the Collection Act, no. 95/2008, and Personal Protection license for Creditinfo Lánstrausti hf., cf. Paragraph 2 Article 15 Act no. 90/2018.

In addition, it should be noted that consideration has been given as to whether this case should be handled on the basis of the rules on cross-border processing, cf. Article 56 regulation (EU) 2016/679, given that the company eCommerce 2020 ApS is registered in Denmark. In the communication between the Icelandic and Danish personal protection agencies in e-mails on November 10 and 15, 2022, it was concluded that this was not necessary, as it was a case of processing of personal information that took place entirely in Iceland, cf. Paragraph 2 Article 56 of the regulation.

2.
Guarantor

The person responsible for the processing of personal information is compatible with Act no. 90/2018 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation.

It is known that loans by eCommerce 2020 ApS, which were granted in the period from July 15, 2018 to May 23, 2019, were granted through certain brands of the company, i.e. 1909, Hrádpeninga, Smálán and Múla. It will not be seen that during the time that the brands were owned by eCommerce 2020 ApS, there was an independent party involved and the company has been represented in matters related to the loans, i.e. on m. in court, but in that connection case no. E-5637 before the Reykjavík District Court, which concluded with the judgment on August 11, 2021, as well as case no. 646/2021 before the National Court due to the district court's appeal there, cf. now the judgment of the National Court on November 18, 2022.

In the opinion of the Personal Protection Agency, subscribers to the information systems of the financial information office, who share information for registration there, are responsible for the authorization of that sharing and registration. The terms and conditions of the work permit define very clearly which conditions must be met so that subscribers are allowed to register arrears, cf. point 2.2.1 of the license of the Personal Protection Agency that was in force when the events of the case took place, i.e. permit, dated 29 December 2017 (case no. 2017/950), cf. point 2.2.2 of the current work permit, dated May 3, 2021 (case no. 2020041404). It is the subscriber's responsibility to ensure that the conditions in that regard are met. Is that result in accordance with the previous implementation of the Personal Protection Agency, cf. i.a. ruling of the day February 24, 2016, in case no. 2015/1519, and ruling, dated January 18, 2018, in case no. 2016/1687. Then the Spanish Personal Protection Agency came to a similar conclusion in a ruling dated June 7, 2021, in case no. PS/00140/2021, i.e. that the creditor had been responsible for ensuring that the conditions were met for the registration of defaults with the financial information office and that he should pay a fine for failure to do so.

It is also to be considered that according to the terms and conditions of the license, subscribers to the information systems of the financial information office must comply with the terms of the subscription agreement that the financial information office makes with them. It was like that in point 2.9. in the 2017 work permit, it is prescribed that Creditinfo Lánstraust hf. should make a subscription agreement with the subscribers, with more specific provisions, as well as take appropriate measures if it becomes apparent that the subscribers have violated the provisions of the agreement. A similar provision can be found in Article 6. current license, but it is also assumed that Personal Protection will use its powers, such as the imposition of an administrative fine, against a subscriber who has not complied with the terms of the subscription agreement.

In light of the above, the Data Protection Authority believes that eCommerce 2020 ApS must have the status of responsible party for the processing of personal information in connection with the loans in question, i.e. on m. what concerns the provision of information about the processing in the loan terms.

3.
Lawfulness of processing

All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. It has been considered that the processing of information about financial matters and the creditworthiness of individuals can, among other things, be supported by item 6. Paragraph 1 provisions of the law, cf. Clause f of the provision of the regulation, i.e. on the basis that processing is necessary for legitimate interests unless the interests or fundamental rights and freedoms of the data subject outweigh.

In addition to authorization, the processing of personal information must always be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of the regulation. Among other things, it is stipulated that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision.

Operation of financial information agencies and processing of information concerning financial matters and the creditworthiness of individuals and legal entities, including registration of defaults, in order to pass them on to others, is subject to the permission of the Personal Protection Agency, cf. Paragraph 1 Article 15 Act no. 90/2018, cf. Paragraph 1 Article 2 regulation no. 246/2001 on the collection and dissemination of information on financial matters and creditworthiness. When assessing whether the processing of personal information in connection with registration of default is compatible with the aforementioned provisions of Articles 8 and 9. Act no. 90/2018, cf. Articles 5 and 6 of regulation (EU) 2016/679, the relevant terms in the work permit for a financial information agency should be considered.

In the operating license conditions, there is a list of when information about defaults can be registered with Creditinfo Lánstrausti hf., but there can be mentioned authorization for registration on the basis of a special statement to that effect in a loan or debt document, cf. Number 7. section 2.2.1 of the work permit that was in force when the incident occurred, i.e. permit, dated 29 December 2017 (case no. 2017/1541), cf. Number 7. section 2.2.2 of the current work permit, dated March 1, 2023 (case no. 2022111817). Among the things stated in this registration authorization is that the declaration of registration must be prominent and clear and that defaults must have lasted for at least 40 days. As mentioned earlier, it will be considered that the registration of defaults on the loans in question could have been justified by a provision like this in the loan terms, but it was also an element of transparency towards the registered.

In the interest of the aforementioned investigation due to a complaint from the Consumers' Association, the Personal Protection Agency obtained samples of the loan terms of loans run by eCommerce 2020 ApS, both from Creditinfo Lánstrausti hf. and from the Consumers Association. Together with the terms and conditions, standard consumer information was received from July 24, 2019, which did not contain the specified provision on default registration, but given that the business license provision in question does not cover consumer information such as this, it will not be considered separately here. It is a different matter for the three loan terms that were received, but they were valid from 3 September 2018, 25 March 2019 and 23 May 2019. and only the last-mentioned had to keep the aforementioned provision on default registration, cf. also loan terms with similar clauses that the Personal Protection Agency had previously obtained from the collection agency of the claims in question, i.e. Almennri inheimtu ehf., on 22 October 2019. It is also known that on 4 June s.á. eCommerce 2020 ApS confirmed in an email to Creditinfo Lánstraust hf., where the financial information office requested clarification in relation to the loan terms of eCommerce 2020 apS, that a provision like this had not been in the company's loan terms from July 2018, in addition to which the company confirmed that the terms in question had been intended for cross-border use. It was also stated that the loan agreements had now been corrected and it was clearly stated that non-payment for 40 days led to registration of non-payment with Creditinfo Lánstrausti hf., cf. and the aforementioned terms and conditions from May 23, 2019.

In addition to the fact that the term in question was missing until now, it can be tested separately whether it was presented in a sufficiently prominent and clear way when it had been entered into the loan terms on another level. It will not be considered that potential deficiencies in that respect could, as in the case here, have significance in the imposition of fines. In accordance with the delimitation of the case, cf. Chapter 1 above, there is therefore no reason to discuss this issue further, but it could come up later. Regardless of that, however, it is clear that when the term in question was completely missing, the possibilities of the registered person to make an informed decision when taking out a loan were significantly reduced.

To this end, it must also be considered that according to the terms of the work permit, information about claims will not be registered on the basis of the aforementioned work permit clause unless they reach a certain minimum amount, cf. beginning of section 2.2.1 of the work permit 2017, cf. beginning of section 2.2.2 of the current work permit. As mentioned above, it has been revealed that in August 2019, Creditinfo Lánstraust hf. claims by eCommerce 2020 ApS against 577 individuals whose capital was below the then minimum amount of claims, i.e. 50,000 ISK.

According to what has been explained here, claims were sent from eCommerce 2020 ApS for default registration at Creditinfo Lánstrausti hf. even though the necessary term relating thereto was missing from the loan terms, cf. aforementioned clause 7. section 2.2.1 of the business license of the financial information office, dated 29 December 2017 (case no. 2017/1541). It is also known that until August 2019, eCommerce 2020 ApS sent claims for non-payment registration despite the fact that they were below the minimum amount of claims that could be registered, cf. the beginning of the same section of the license.

From all of the above, it follows that the aforementioned processing of personal information by eCommerce 2020 ApS did not comply with the requirements of section 6. Article 9 Act no. 90/2018 and point f of paragraph 1. Article 6 of regulation (EU) 2016/679, i.e. on authorization for processing on the basis of legitimate interests that outweigh the interests or fundamental rights and freedoms of the data subject. Where other processing authorizations according to Article 9 of the Act and Article 6 of the regulation could not refer to the failed processing according to this authorization, but in addition, the basic principle of legal, fair and transparent processing was not complied with, cf. Number 1. Paragraph 1 Article 8 and point a of paragraph 1 Article 5 of the regulation, cf. and paragraph 2 of both clauses.

4.
Perspectives on the application of sanctions

Next comes up for consideration as to whether an administrative fine should be imposed on eCommerce 2020 ApS, cf. Article 46 Act no. 90/2018, cf. also Article 83 of regulation (EU) 2016/679. As stated in paragraph 1. Article 46 of the Act, Personal Protection may, among other things, impose an administrative fine on any controller or processor pursuant to paragraph 4. of the provision that violates any of the provisions of the regulation listed in paragraphs 2 and 3. its

More specifically, it is considered here whether a fine should be imposed on eCommerce 2020 ApS for a violation of the aforementioned provisions of a-section 1. paragraph. and paragraph 2 Article 5 and f-points 1. paragraph Article 6 of regulation (EU) 2016/679, cf. penalty authority in paragraph 1 and number 1. Paragraph 3 Article 46 Act no. 90/2018, cf. Paragraph 2 and point a of paragraph 5. Article 83 of the regulation.

When deciding on that and on the amount of the fine, paragraph 1 should be considered. Article 47 Act no. 90/2018, cf. Paragraph 2 Article 83 of the regulation. There are listed issues that can either be relevant for the benefit of the case or to his disadvantage, and the ones that will be tried in this case will be discussed here.

a. The nature, seriousness and duration of the offence

According to number 1 Paragraph 1 Article 47 Act no. 90/2018, cf. a-point 2. paragraph Article 83 of Regulation (EU) 2016/679, the nature, severity and duration of the breach must be taken into account, with regard to the nature, scope and purpose of the processing, as well as the number of data subjects affected and the serious damage they suffered.

As things stand here, ie. in the case file regarding the Consumer Association's complaint against Creditinfo Lánstrausti hf., that the number of those registered was quite large. According to explanations from Creditinfo Lánstrausti hf. in e-mails on June 16 and 20, 2022, they were more precisely about 2,000, but the explanations were provided with the caveat of the deletion of information due to the rules on the maximum retention period.

Register of Creditinfo Lánstraust hf. on the financial affairs of individuals, it is the only such register in Iceland, and a lookup in the register is usually a basic prerequisite for the facilitation of financial companies, e.g. commercial bank. Illegal registration in such a register must therefore be considered particularly burdensome and may make it impossible for the registered person to receive a loan from credit institutions, such as for the purchase of an apartment or for unforeseen expenses. It can therefore be assumed that the persons affected by the registration may have suffered serious damage.

With reference to the above, considerations about the extent of processing and the number of those registered must be considered to have a burdensome effect on the application of fines.

b. Scope of responsibility in terms of technical and organizational measures

According to number 4. Paragraph 1 Article 47 Act no. 90/2018, cf. point d, paragraph 2 Article 83 of Regulation (EU) 2016/679, it is necessary to consider how much responsibility the controller or processor has with regard to technical and organizational measures.

The processing of personal data in question was related to the core activities of eCommerce2020 ApS at the time the processing took place, i.e. lending. High demands must therefore be made on the company for technical and organizational measures to enforce the principles of personal protection and protect the rights of registered individuals, both when the processing methods are determined and when the processing itself takes place.

It is considered that these requirements have not been sufficiently complied with and this has a burdensome effect on the application of the fine.

c. Categories of personal information

According to number 7 Paragraph 1 Article 47 Act no. 90/2018, cf. point g, paragraph 2 Article 83 of Regulation (EU) 2016/679, it is necessary to consider which categories of personal data were affected by a breach.

The information in question here is not considered sensitive personal information, cf. Number 3. Article 3 Act no. 90/2018 and paragraph 1 Article 9 of regulation (EU) 2016/679. However, they relate to the financial problems of individuals, as well as working with them in a burdensome context for the registered person. Is this likely to have an aggravating effect?

d. Other aggravating or mitigating factors related to the circumstances of the case

According to number 11 Paragraph 1 Article 47 Act no. 90/2018, cf. k-item 2. paragraph Article 83 of Regulation (EU) 2016/679, other aggravating or mitigating factors than those listed earlier in the provision, such as profit obtained or loss avoided, directly or indirectly, as a result of a violation, should be considered.

As is the case here, it will be considered to have an aggravating effect when applying a fine that the processing in question took place as part of an activity that was supposed to generate a profit, regardless of whether the processing as such resulted in a profit or not.

At the same time, it is to be considered that eCommerce 2020 ApS did not add information about non-payment registration to its loan terms until receiving external suggestions, and this will also be considered to have a burdensome effect on the application of fines.

5.
Conclusion on imposition and amount of fine

As mentioned above, the Personal Protection Agency can impose an administrative fine on any controller or processor who violates any of the provisions of the regulation listed in paragraphs 2 and 3. Article 46 Act no. 90/2018, cf. Article 83 of regulation (EU) 2016/679. In number 1 Paragraph 3 of the legal provision, cf. point a 5. paragraph of the regulation clause, it is stated that a violation of the basic rules for processing according to Articles 5, 6, 7 and 9. of the regulation may concern administrative fines.

As explained in chapter 3 above, it is clear that eCommerce 2020 ApS violated point a of paragraph 1. and paragraph 2 Article 5 and Article 6 of regulation (EU) 2016/679. Taking into account all of the above, the conclusion of the Data Protection Authority is that an administrative fine should be imposed on the company.

According to paragraph 3 Article 46 Act no. 90/2018, cf. Paragraph 5 Article 83 of the regulation, the amount of administrative fines for violations of the aforementioned provisions can range from ISK 100 thousand to ISK 2.4 billion or, in the case of a company, up to 4% of its total annual turnover worldwide in the following financial year, whichever is higher.

In the opinion of the Personal Protection Agency, the amount of the fine must reflect the seriousness of the violation. In this regard, the Data Protection Authority considers the onerous nature of the processing to be of particular importance and that all circumstances and the points of view outlined above should be taken into account, i.e. on m. that the processing was related to the company's core business.

It is clear that eCommerce 2020 ApS enjoyed a large operating profit in 2018 according to the company's existing financial statements, i.e. 10,525,067 Danish kroner, but its operations have declined significantly in recent years and the company's operations suffered a loss in the amount of -310,390 Danish kroner in 2021. When determining the amount of the fine, this decline is taken into account, as well as the fact that, according to the explanations provided, the company has been inoperable following the decision of the Consumer Agency on August 21, 2019 in case no. 31/2019.

In view of all the above, an administrative fine of ISK 7,500,000 is considered reasonable.

Decisions:

Processing eCommerce 2020 ApS, which consisted of sending claims for non-payment registration at Creditinfo Lánstrausti hf. without the conditions for registration of non-payment according to the company's current business license being fulfilled, was not compatible with the provisions of item 1. Paragraph 1 and paragraph 2 Article 8 and. Article 9 Act no. 90/2018, cf. point a, paragraph 1 and paragraph 2 Article 5 and paragraph 1 Article 6 of regulation (EU) 2016/679.

An administrative fine of ISK 7,500,000 is imposed on eCommerce 2020 ApS. The fine must be paid to the treasury within one month from the date of this decision, cf. Paragraph 6 Article 46 Act no. 90/2018.

Privacy, 27 June 2023

Ólafur Garðarsson

chairman

Árnína Steinunn Kristjánsdóttir Björn Geirsson

Vilhelmína Haraldsdóttir                          Þorvarður Kári Ólafsson