Persónuvernd - 2020010592

From GDPRhub
Persónuvernd - 2020010592
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(4) GDPR
Article 5 GDPR
Article 6 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 11.09.2020
Published: n/a
Fine: None
Parties: unknown (Complainant)
Creditinfo Lánstraust (Respondent)
National Case Number/Name: 2020010592
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Website of the Persónuvernd (in IS)
Initial Contributor: Marco Blocher

The Icelandic Data Protection Authority (Persónuvernd) held

  • that Creditinfo Lánstrausti (an Icelandic credit agency) is allowed to process a data subject's personal data from the Icelandic debtors' default register and information on a company owned by the data subject for the calculation of a credit score but
  • that Creditinfo Lánstrausti is prohibited from processing information on searches in the debtor's default register regarding the data subject and information from the tax register.

English Summary

Facts

Creditinfo Lánstrausti had assigned a negative credit score to the data subject. The data subject requested information on how Creditinfo Lánstrausti had calculated his credit score.

According to Creditinfo Lánstrausti, the main factors influencing the credit score were previous defaults, especially those within the last 24 months, searches in the debtors' default register and a relationship to a company, which was also on the debtors' default register. Other factors were age, relationships with companies, number of searches in the debtors' default register and with Creditinfo Lánstrausti, information from the tax register, residence and marital status.

The data subject considered this score incorrect as he had always paid his debts and most of his bills on time. He had only failed to fully pay back a loan with his bank - the balance had also been subject of a lawsuit filed by the data subject against his bank.

In February 2019, the data subject lodged a complaint against Creditinfo Lánstrausti with the Persónuvernd claiming that Creditinfo Lánstrausti

  • has not provided him with information under Article 15 GDPR on how his credit score was calculated,
  • has used data from the tax register and data on searches in the debtor's default register regarding the data subject when calculating his credit score, which was not allowed, and
  • has disseminated an incorrect credit score about him.

The complainant also requested to completely ban Creditinfo Lánstrausti from selling individuals' credit scorings until a public body has conducted a thorough assessment of the accuracy of the credit scoring system that satisfactorily demonstrates its reliability.

Dispute

  • Did Creditinfo Lánstrausti process personal data that it was prohibited to process?
  • Did Creditinfo Lánstrausti comply with the data subject's access request under Article 15 GDPR?

Holding

Firstly, the Persónuvernd held that it is not entitled or competent to review the mathematical calculation formula and the probability assessment of Creditinfo Lánstrausti in connection with the calculation of an individual's credit score. However, it is competent to assess the assumptions on which the credit score is based, i.e. especially which data is taken into consideration.

Concerning the data processed by Creditinfo Lánstrausti the Persónuvernd then held the following:

  • According to its operating license, Creditinfo Lánstrausti is allowed to process data from the debtors' default register for a period of four years after the registration of the information as long as no information about the debt itself is provided but only statistical results. In the current case, the processed data from the debtors' default register was not yet four years old and Creditinfo Lánstrausti was allowed to process this data.
  • Creditinfo Lánstrausti is not allowed to process information on searches in the debtor's default register regarding the data subject for the credit score without the data subject's consent. In the case at hand, the data subject did not consent to such processing.
  • Creditinfo Lánstrausti is allowed to take into account the data subject's relationship to a company that is listed on the debtors' default register as it is of significant importance in assessing the data subject's finances and creditworthiness. In the case at hand, the data subject is one of the owners of the listed company.
  • Information from the tax register must not be taken into account when calculating the data subject's credit score, as it is not relevant assessing the data subject's finances and creditworthiness. Creditinfo Lánstrausti had no legitimate interest for processing this data.
  • Article 15 GDPR was not violated. Creditinfo Lánstrausti provided the data subject with all necessary information.

Comment

Please note that the initial contributor of this decision does not speak Icelandic and that the machine translation of the decision at hand is of somewhat poor quality, which makes it difficult to fully comprehend the Persónuvernd's reasoning.

The Persónuvernd applied certain provisions of national Icelandic law. Accoring to below machine translation, some of these provisions seem to be repeating the provisions of the GDPR while others are dealing specifically with credit scoring. As these provisions are not available in the English language, the initial contributor of this GDPRhub entry did not cite them. It must be noted that the Persónuvernd did not question the compatibility of the Icelandic provisions with the GDPR, even though the GDPR does not provide an opening clause for credit scoring.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Processing of Creditinfo Lánstraust hf. on personal information in connection with the preparation of credit scorings and access and information rights for the preparation of credit scoring reports
Case no. 2020010592
9/22/2020

The Data Protection Authority has ruled that Creditinfo Lánstrausti hf. had been authorized to use information on the entry in the default register, as well as to use information on the complainant's relationship with a company owned by him, when preparing a report on his credit scoring. The Data Protection Authority also considered that the service of Creditinfo Lánstraust hf. on the complainant's request for access to information on how the processing of personal information about him had taken place was in accordance with the law.

On the other hand, the Data Protection Authority considered that the company's processing of information on the complainant's searches in the default register as well as the use of information from the tax register when making a credit scoring had been prohibited.

Ruling
On 11 September 2020, the Data Protection Authority issued a ruling in case no. 2020010592 (formerly 2019020468):
I.
Procedure

1. Outline of case and correspondence

On February 10, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) regarding the processing of personal information about itself by Creditinfo Lánstrausti hf. (Creditinfo). More specifically, he complains that he has not received sufficient justification from Creditinfo for how his credit scoring was calculated, and he claims that the company has refused access to that information. He also complains that Creditinfo has access to information from the tax register that the company has used in calculating its credit scoring. Finally, he complains that information about himself has been disseminated in Creditinfo's debt position system without authorization.

By letter dated On 11 April 2019, Creditinfo was invited to comment on the complaint. The answer was by letter dated. April 24, 2019. By letter dated On 21 May, the complainant was invited to comment on the content of Creditinfo's reply letter. The complainant's reply letter was received on 4 August s.á.

By e-mail, dated On 17 March 2020, the Data Protection Authority requested the complainant's position in connection with the last part of the complaint, which concerns the dissemination of information about him from Creditinfo's debt position system. By e-mail, dated On 15 April 2020, the complainant informed the Data Protection Authority that he did not request a substantive discussion of the part of the complaint as its main subject was a credit scoring by Creditinfo.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling in a very detailed manner.

The handling of the case has been delayed due to a lot of work by the Data Protection Authority.

2.
More about the complaint

The complainant considers that he has not received sufficient justification from Creditinfo for how his credit scoring was calculated and refers to the fact that Creditinfo denied him access to that information. The complaint comments on how Creditinfo determines the criteria for making its credit scoring, which it considers to be incorrect in its case. He refers to the fact that he has repeatedly requested information on how the calculation is made when making a credit scoring. He considers that he has not received sufficient information on the above, but only general information on the criteria for making such an assessment, and therefore he has not been able to object to the processing. The documents accompanying the complaint include the complainant's e-mail communication with Creditinfo. In an email to Creditinfo, dated On 31 August 2017, to the complainant, the company referred to the fact that the main factors contributing to the downgrading of its credit scoring were previous defaults, especially those that had been in the last 24 months, searches in the debtors' default register and effects due to relationships with the company. [X] ehf. which was on the default list. Creditinfo also points to other influencing factors, such as age, relationships with companies, number of searches in the default register and credit scoring, information from the tax register, residence and marital status.

The complainant also comments that Creditinfo has access to information about itself from the tax register, which the company then uses in calculating its credit scoring. In this connection, the complainant points to the decision of the Data Protection Authority in an initiative case regarding a database with information from tax records for the year 2016 which was made available on the website tekjur.is (case no. 2018/1507).

The complainant does not consider himself to be in arrears, he has always paid all his debts and most of all bills on time. However, it is no secret that he bought a house in 2007 and got into a lot of trouble during the collapse. Among other things, he has sued Arion Bank, which ended with an agreement in the autumn of 2017, with balances of approx. 2.5 million ISK. The complainant refers to the fact that he has always paid all other bills, although his credit scoring has dropped significantly since the above-mentioned agreement was made with the bank. The complainant points out that he offered the bank to negotiate the balance but that the bank was not interested in anything other than full payment. The complainant refers to the fact that he has paid insurance, real estate taxes and other things during the nine years he has been in court.

Creditinfo's complainant's credit scoring is therefore incorrect and he clears the assumptions that the company gives itself and considers it a matter of course that it provides him with information on how the calculation is carried out. He asks whether the Data Protection Authority has in any way verified whether the calculation formula used by the company is correct, whether it is based on sufficient data and whether Creditinfo's probability assessment in this connection is generally correct.

The complainant considers that if he needs to take out a loan, it is normal for him to go to the lender in question and give him access to the information he requests, e.g. tax returns, payslips, listed companies and so on.

3.
The views of Creditinfo Lánstraust hf.

Creditinfo refers to the obligations imposed on lenders according to Act no. 33/2013 on consumer loans, which, among other things, aims to prevent lending to individuals who are likely to fall into arrears. Creditinfo points out that lenders must have a responsible lending policy and use reliable information to prevent over-indebtedness of individuals, which is reflected in arrears and write-offs of claims. The above views are reflected in Article 10. of the Act, which specifies the principle that a lender is not permitted to grant a loan if a credit scoring and / or payment assessment indicates that the borrower does not have the financial means to repay the loan.

Creditinfo refers to the fact that in the comments on Art. in the bill that became Act no. 33/2013, special reference is made to a credit scoring, where it is stated that such a scoring can be based on, among other things, efficiency and payment history. Creditinfo is authorized to process a credit scoring in accordance with the company's opescoring license and with reference to Article 15. Act no. 90/2018. Creditinfo refers to the fact that the credit scoring is a statistical model that is updated once a day based on the assumptions available at any given time, in addition to which the company carries out regular updates on the factors that form the basis of the scoring to ensure the best possible reliability. The importance of individual factors can thus change, increase or decrease as the case may be. It is pointed out that Creditinfo's credit scoring is similar to that used in many parts of the world and that the model's forecasting power is measured regularly. The model is regularly re-evaluated on the basis of historical data on defaults and variables are updated as appropriate and their weight adjusted to improve the model's forecasting ability.

Regarding access to information on the criteria for credit scorings, Creditinfo refers to the fact that on the access-controlled service website mitt.creditinfo.is, individuals have access to information on influencing factors in their credit scorings and that this includes information on previous registrations that affect the scoring. Creditinfo's opescoring license stipulates that information from the default register may be used for the purpose of making a credit scoring at the request of the data subject, provided that no information is provided about the claims themselves but only statistical results, but a maximum of 4 years have elapsed since the information was registered, cf. Paragraph 2 Articles 2.7. in the company's opescoring license. Creditinfo subscribers who use the company's credit scoring are required to obtain an individual's approval before applying for a credit scoring.

4.
The complainant's reply letter

The complainant refers to a comment in Creditinfo's reply letter in which the company refers to the fact that its forecast model is regularly reassessed on the basis of historical data on defaults and that variables are updated as appropriate, as well as their weight being adjusted to improve the model's forecasting ability. With reference to the above, the complainant had requested to be allowed to send the development of his credit scoring from the beginning to the present day, when it had changed, why and what factors and changes had affected it. No responses were received which showed changes based on historical data. The complainant refers to the fact that Creditinfo is trusted that the basis is correct and that there is no control over the assessment. The complainant also objects to the fact that he does not have the opportunity to submit documents in order to improve his credit scoring. The complainant points out that it had a significant adverse effect on his credit scoring that Arion Bank had made an unsuccessful foreclosure on him and that he had repeatedly pointed out to Creditinfo the fact that there had been a dispute between Arion Bank and the complainant which had been resolved. by specific agreement. No consideration has been given to the above in Creditinfo's credit scoring.

Finally, the letter demands that Creditinfo be completely banned from selling individuals' credit scorings until a thorough assessment by the public body of the accuracy of the assessment that satisfactorily demonstrates its reliability has been made. Creditinfo is also required to provide the complainant with all the information on how his credit scoring is calculated, so that he has the opportunity to submit data and obtain a correction of the scoring that he considers to be incorrect.

II.
Assumptions and conclusion

1.
Legal interpretation and delimitation of a case

This case concerns a complaint received by the Data Protection Authority on 5 February 2019. This complaint concerns both incidents that occurred before and after the entry into force of Act no. 90/2018, on personal protection and processing of personal information. There is a complaint about the processing of personal information about the complainant in 2017 in connection with the preparation of a credit scoring about him and he considers that he has not yet received satisfactory answers from Creditinfo in connection with the criteria for making his credit scoring and its development. It is also stated in the case file that the complainant is still dissatisfied with Creditinfo's calculation of its credit scoring and finally the complainant demands that Creditinfo be banned from selling credit scorings of individuals until a detailed assessment by the public body of the accuracy of the scoring proves satisfactorily. its reliability has taken place. Thus, the situation still remains that the complaint relates to regarding the processing of personal information about the complainant related to the assessment of his credit scoring.

With reference to the above, in addition to the fact that the rules of the Act on Personal Data Protection that have been tried have not changed in such a way that it has material significance, the matter will be resolved on the basis of Act no. 90/2018.

2.
Scope - Responsible party

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

Processing refers to an operation or series of operations in which personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.

This case concerns the processing of personal information about the complainant in the preparation of reports on his credit scoring with Creditinfo. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority. The complaint also requests information on whether the Data Protection Authority has verified whether the calculation formula used by Creditinfo is correct, whether it is based on sufficient data and whether Creditinfo's probability assessment in this connection is generally met. In this connection, it is considered that the tasks of the Data Protection Authority are described in more detail in Article 39. Act no. 90/2018 and according to that the Agency monitors that processing complies with Act no. 90/2018 and Regulation (EU) 2016/679, special provisions in laws dealing with the processing of personal data and other rules on the subject. With reference to this, it cannot be seen that the Data Protection Authority's supervision involves reviewing the mathematical calculation formula and the probability assessment of Creditinfo in connection with the calculation of individuals' credit scorings. That part of the complaint must therefore be considered to fall outside the scope of the Personal Data Protection Act and thus the scope of the Data Protection Authority. On the other hand, it is the responsibility of the Data Protection Authority to assess the assumptions on which the credit scoring for individuals is based, such as whether Creditinfo may use information from the tax register, previous entries in the default register or look up such calculations.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Creditinfo Lánstraust hf. be responsible for the processing complained of, ie. processing of personal information in the preparation of a credit scoring of the complainant.

3.
The opescoring license of Creditinfo Lánstraust hf.

Operation of a financial information office and processing of information concerning the financial affairs and creditworthiness of individuals and legal entities, incl. default registration and the preparation of credit scorings, in order to communicate them to others, the license of the Data Protection Authority shall be bound, cf. Article 15 Act no. 90/2018. Creditinfo's operations are to a large extent covered by the above provision and the Data Protection Authority has granted the company an opescoring license in accordance with that, cf. now in the case of individuals regarding Creditinfo's opescoring license for the processing of information on financial matters and creditworthiness, dated. 29 December 2017 (case no. 2017/1541), and a temporary opescoring license for the processing of personal information for the purpose of making a credit scoring, dated 23 August 2018 (case no. 2018/1229).

In view of this, the obligation to obtain an opescoring license due to the preparation of a credit scoring according to Art. Act no. 90/2018 is a novelty and was not found in a comparable provision of Act no. 77/2000 on personal protection and handling of personal information. However, the current temporary opescoring license does not contain provisions that entail changes from the implementation that has been formed in the


4.
Legality of processing

4.1
Registration, retention and use of information in the preparation of credit scorings

All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018. These include point 6. of the provision, cf. point e of the first paragraph. Article 6 of the Regulation, which states that the processing of personal data is permitted if it is necessary due to the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh. The Data Protection Authority considers this provision to apply to the processing of personal information that takes place in Creditinfo's information systems in connection with the preparation of reports on the complainant's credit scoring.

In addition to the authorization according to the above, the processing of personal data must satisfy all the principles of the first paragraph. Article 8 Act no. 90/2018. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (paragraph 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3).

According to the case file, the complainant received information on the general factors that affected his credit scoring, ie. age, relationship with company, number of entries in the default register and credit scoring, information from the tax register, place of residence and marital status. In addition, he received information on the factors that had the greatest effect on downgrading the credit scoring, ie. previous entries in the default register, especially those that were in the last 24 months, searches in the default register by the debt collector and effects due to connections with a specific company that was in the default register. The complainant also received other information which will be discussed in more detail in section 4.2.

In the following, an assessment will be made of Creditinfo's authorization to register and use the above factors, which had the greatest effect on downgrading the complainant's credit scoring.

4.1.1. Deregistered entries in the default register

As stated before, the complainant comments that Creditinfo may have used information about unsuccessful foreclosure of his property for the purpose of making a credit scoring, despite the fact that he has agreed with the relevant creditors, ie. Arion Bank, on the debt. The complainant states that he has repeatedly pointed out to Creditinfo that there was a dispute between him and the bank which was later resolved by agreement.

In light of the above, it should be borne in mind that Creditinfo may, among other things, record information from official documents, such as information on the implementation of expropriation according to case files on expropriation requests held by district commissioners in accordance with Article 4. of Regulation no. 17/1992, Coll. Article 2.2.2. in the opescoring license of Creditinfo (case no. 2016/1626) which was valid when the events of the case originally took place. A similar provision can be found in Article 2.2.2. in the current license of Creditinfo (case no. 2017/1541).

Regarding the complainant's reference to the fact that there was a dispute over Arion Bank's claim, it should be noted that in Article 2.1. in the current opescoring license Creditinfo no. 2017/1541, Coll. the same article in the previous license mentioned above, states that the processing of information on disputed debts is not permitted. It also states that a debt is considered controversial if the debtor has demonstrably objected to the debt to the creditors, informed him of the reasons for the objections and the debt has not been confirmed by an enforceable judgment or an enforceable decision of the district commissioner that has been announced in a public advertisement. Says that if the district commissioner, after making such a decision, agrees with the debtor's objection so that enforcement is not successful, the debt is again considered controversial. The only thing stated in the case is that a decision has been made on unsuccessful foreclosure by the district commissioner and it is therefore clear that the debt in question cannot be considered controversial in the above sense.

As mentioned above, the complainant refers to the fact that an agreement has been reached on the debt. The case file also shows that the complainant had requested information from Creditinfo as to what effect it would have on his credit scoring when the debt in question was paid. In this connection, the first paragraph may be pointed out. in Article 2.7. in Creditinfo's current opescoring license, cf. the same article in the opescoring license that was in force before that. It states, among other things, that information on individual debts should be deleted if it is known that they have been returned, as well as information that has become four years old. However, it is also stated that information may be stored for an additional three years if it is subject to strict access restrictions and care is taken to ensure that no one other than the Creditinfo employees who need it for their work is accessed. After that time, they shall be destroyed. It says, among other things, in the second paragraph. in Article 2.7. in Creditinfo's current opescoring license, cf. the same paragraph the same articles in the aforementioned previous opescoring license, that information may be used for the purpose of making a credit scoring at the request of the data subject up to a maximum of four years after the registration of the information and provided that no information about the claims itself is provided but only statistical results.

If the opescoring license provision in question is interpreted exactly according to its wording, all processing of information accordingly by Creditinfo is considered unauthorized if the relevant claim has been submitted. In view of the provisions of the provision that information on such requirements shall be deleted from the register in accordance with the opescoring license, as well as the fact that the authorization for three years of additional custody under strict access restrictions does not apply to them. However, the provisions of Regulation no. 246/2001, but provisions in opescoring licenses from the Data Protection Authority must be within the framework defined by that regulation. The deletion of information is discussed in the third paragraph. Article 5 of the Regulation, which states that information older than four years shall be deleted from the files of the Financial Information Office equally quickly, unless otherwise specifically permitted in an opescoring license from the Data Protection Authority. There is no provision in the Regulation on the deletion of information that has been submitted. Instead, it says in the 2nd paragraph. Article 6 of the Regulation that such information may not be disseminated. It can be concluded that their preservation is still permitted until the four-year deadline has passed, but it must be assumed that such preservation can serve a legitimate purpose, e.g. them to resolve disputes on the grounds of registration. According to this, the Data Protection Authority considers that the instructions of Article 2.7. on the deletion of information that has been submitted shall not be construed as deleting it completely, but in such a way that it shall be deleted from the file used for dissemination. Accordingly, and in accordance with Regulation no. 246/2001, their retention is therefore permitted outside that register until three years have elapsed from delisting, in addition to which they can be used in the calculation of credit scorings of individuals until they have reached the age of four.

Regardless of whether the complainant's registration in the default register was due to the aforementioned foreclosure that took place in 2017 or not, it appears that according to Creditinfo's replies to the complainant, information on deregistered entries in the default register in the last 24 months was one of the company's main factors. making a credit scoring of the complainant. The information was therefore not yet four years old and accordingly the Data Protection Authority considers that its use in making a credit scoring of the complainant according to the opescoring license complies with Act no. 90/2018, Coll. 6. tölul. Article 9 of the law. It will not be seen that the processing otherwise violates the principles of Article 8. the same laws, which deal with, among other things, fairness, proportionality and purpose of the processing in question.

4.1.2. Inquiries by collectors

It must be considered that Creditinfo was not permitted to use information on searches by the debt collector in the manner that the company did when preparing reports on the complainant's credit scoring in 2017, cf. the conclusion of the Data Protection Authority in a ruling in case no. 2016/1138. There, the Data Protection Authority referred to Article 2.9. on references in the opescoring license that was then in force and included a further elaboration of the second paragraph. Article 6 of Regulation no. 246/2001. The regulation provision states that information on the name and address of the enquirer should always be recorded, as well as who the enquirer had looked up, but in addition it was stated that data on this should be kept for a.m. two years. The Data Protection Authority also stated that in para. Articles 2.9. provided that the traceability of searches should be ensured so that each time a search took place, or an inquiry was made, it was recorded who did it, what information was processed, how and when. The Data Protection Authority subsequently referred to the fact that such registration was intended to ensure the security of personal information, ie. ensure their traceability to counteract searches without sufficient cause and enable them to respond. In assessing whether the use of the information in the preparation of creditworthiness reports was considered to take place for a purpose that was originally consistent with it, cf. 2. tölul. Paragraph 1 Article 7 Act no. 77/2000 (now point 2 of the first paragraph of Article 8 of Act no. 90/2018), it should be considered that the registration of actions could lead to information being registered with the responsible party in question that was in excess of what could normally be assume he builds over. The agency referred to the fact that this included information that a claim against an individual was in default collection, but had been stated by Creditinfo that it was the first and deadline of the collection of debt collectors that affected the results of credit reports. Such parties would be bound by a duty of confidentiality according to Article 13. Act no. 95/2008 and the first paragraph. Article 22 Act no. 77/1998 on lawyers. It also follows that Creditinfo should not have information on arrears collection against an individual except for the reason that according to the action register, the debt collector had looked it up in the register in question. Finally, the Data Protection Authority pointed out that the scope for processing such information, as well as other information that would be created during the registration of an action, beyond what is involved in monitoring the legality of searches in the register, should be interpreted narrowly. One would then have to consider, among other things, whether provisions in laws and rules based on them provided the basis for such processing, but that provisions that provided for authorization were not to be distributed.

Regarding the use of disclosure information now, it appears that according to information on the Creditinfo website, the company has made an update regarding disclosures as an influential factor in the calculation of a credit scoring that it no longer automatically matters in the calculation, but a registered individual must approve the use such additional information when calculating the credit scoring on the company's service website. Such additional information may be reduced or increased. The Data Protection Authority is of the opinion that this can authorize such processing, ie. where the consent of the person in question is behind it, cf. 1. tölul. Article 9 Act no. 90/2018. The Creditinfo website states that a registered individual must check a special box to approve the processing in question, as well as that he can revoke the approval at any time, and with that, his credit scoring is updated again based on previous criteria. However, it should also be borne in mind that for a time access to credit scorings had to be paid for if the above was not accepted. According to point 8. Article 3 Act no. 90/2018, approval is not valid unless a statement to that effect is unenforceable. In light of the demand for payment, it is a special issue whether the requirements for approval were met there. As the complaint does not relate to this issue, no position will be taken on it here, but the matter is being examined by the Data Protection Authority.

4.1.3. Relationships with companies on the default register

Creditinfo is authorized to collect and register information concerning financial matters and creditworthiness of companies, according to the opescoring license of the Data Protection Authority, dated December 29, 2017 (Case No. 2017/1541). This opescoring license is subject to the condition that the provisions of Regulation no. 246/2001. In Article 3 of that regulation deals with personal information that a financial information agency may process. In the first paragraph. of that article states that a financial information agency may only process information that, by its nature, is of decisive importance in assessing the data subject's finances and creditworthiness. In the second paragraph. The same article states that a financial information office may, among other things, process information about the name of a person or legal entity. Tests here whether Creditinfo could have used information about the complainant's relationship with the company [X] ehf., About which information had been registered in the default register in accordance with the above, when preparing reports on his credit scoring. According to the case file, it is clear that the complainant is one of the owners of the company in question.

As such, it is important that Creditinfo's credit scoring reports are intended to be used in credit scorings on the basis of Article 10. Act no. 33/2013, which will be discussed in more detail later. That law was enacted, inter alia, to implement Directive 2008/48 / EC on consumer credit agreements, but according to para. Article 8 of that Directive, it shall be ensured that, before concluding such a contract, the lender assesses the creditworthiness of the consumer on the basis of adequate information obtained from the consumer and, if necessary, by searching the relevant database, if necessary. Section 26 of the preamble to the Directive deals in more detail with such a credit scoring, stating, inter alia, that appropriate measures should be taken to promote responsible conduct in all aspects of lending. It is stated that the risks associated with arrears and debt accumulation are important in this connection, and that it is especially important that lenders do not engage in irresponsible lending activities or provide loans without having previously received a credit scoring. It is clear that the above that a reliable credit scoring is made in the run-up to a consumer loan agreement. It is also clear, as previously stated, that Creditinfo's reports are intended to be useful in making such an assessment. As is the case here, the complainant's ownership of the company must be considered to mean that it is not unnatural for its financial position to be taken into account when assessing the complainant's willingness to pay and the efficiency of the payment itself. The Data Protection Authority therefore considers that such information is of significant importance in assessing the complainant's finances and creditworthiness, cf. the above wording in the first paragraph. Article 3 of Regulation no. 246/2001 and their use in preparing reports on the complainant's credit scoring in accordance with the above purpose of preparing a credit scoring.

With reference to the above, the Data Protection Authority considers that Creditinfo's processing of the information in question has been based on point 6. Article 9 Act no. 90/2018. In other respects, it cannot be seen that the requirements of Article 8 have been violated. the same law on, among other things, fairness, proportionality and reliability in processing.

4.1.4. Information from the tax register

As stated before, the complaint comments on the fact that Creditinfo has access to information about the complainant from the tax register, which the company then uses to calculate its credit scoring.

The Data Protection Authority has previously taken a position on whether Creditinfo is authorized to process information from the tax register for the purpose of making credit scorings for individuals. This was a ruling in case no. 2016/1138 and ruling in case no. 2017/537. In both rulings, the Data Protection Authority came to the conclusion that Creditinfo was allowed to use information from the tax register when preparing the company's credit scoring reports. In this connection, the Data Protection Authority referred to the second paragraph. Article 98 Act no. 90/2003 on income tax, which states that when the assessment of taxes and the processing of appeals are completed, the Director of Internal Revenue shall prepare and submit a tax register for each municipality, which shall specify the income tax levied on each taxpayer and other taxes according to the decision of the Director of Internal Revenue. It also states, among other things, that the tax register shall be available for inspection for two weeks in a suitable place. The Data Protection Authority then referred to the fact that, unlike what applied to tax registers, cf. Paragraph 1 Article 98 of the same Act, authorized the second paragraph. the same provision in addition to the official publication of information on taxes levied, which appeared in the tax register, as well as the publication of the information in whole or in part. The Data Protection Authority subsequently pointed out that points 1 and 2 should also be considered. Paragraph 2 Article 6 of Regulation no. 920/2013, on credit scorings and payment assessments, but it was stated in these regulations that when performing a credit scoring for processing an application for a consumer loan, the lender should, among other things, obtain a certified copy of the last tax return, as well as confirmation of income for the last three months. With reference to the above, the Data Protection Authority therefore did not consider it unreasonable for a party that operated a database on financial matters and creditworthiness and provided information for the purpose of making the assessment, cf. Article 5 (i) Act no. 33/2013, carried out its assessment on the basis of tax register information which by law was public. In the light of the above, as well as on the basis of, among other things, point 7. Paragraph 1 Article 8 Act no. 77/2000 (cf. point 6 of Article 9 of the current Data Protection Act no. 90/2018), the Data Protection Authority came to the conclusion that the use of information from the tax register when preparing Creditinfo's credit scoring reports was in accordance with Act no. 77/2000.

In connection with the above, it should be considered that Art. of Regulation no. 920/2013 deals with what constitutes a payment assessment and what information the lender must obtain during its implementation. Upon closer examination, it can therefore not be seen that the provision can be relevant in assessing Creditinfo's authorization to process information from the tax register when making a credit scoring, despite the fact that the information in question is public according to the aforementioned provision of Article 98. Act no. 90/2003.

In Article 10 Act no. 33/2013 deals with the obligation to carry out a payment assessment in parallel with a credit scoring, provided that certain conditions are met, but in the comments on the provision in the bill that became Act no. 33/2013 states that with a credit scoring an attempt is made to verify the willingness to pay, but solvency with a credit scoring. A credit scoring is then defined in Article 5 (k). Act no. 90/2013 as the lender's assessment of the borrower's creditworthiness based on information that is conducive to providing reliable indications of the likelihood of the borrower being able to fulfill a loan agreement. It also states that a credit scoring shall be based on the business history between the parties and / or information from databases on financial matters and creditworthiness. Finally, it states that a credit scoring does not include a credit scoring unless required to do so. Payment assessment is defined in Article 5 (e). the same law as the calculation of the borrower's solvency, based on assets, liabilities, expenses and income, which is based, among other things, on public consumption criteria. The information that the lender must obtain during the implementation of a payment assessment is further discussed in the aforementioned provision of Article 6. of Regulation no. 920/2013 and states, among other things, that he shall obtain a certified copy of the last tax return and confirmation of income for the last three months, cf. Points 1 and 2 of the provision.

In light of the above, it is the opinion of the Data Protection Authority that Creditinfo was not permitted to use information from the tax register when calculating the complainant's credit scoring. The Data Protection Authority considers this to be relevant and in accordance with the above provisions of Act no. 33/2013 and Regulation no. 920/2013 that such information should rather be relevant when the solvency of the borrower in question is examined in connection with the preparation of a payment assessment. Creditinfo therefore had no legitimate interest, cf. 6. tölul. Article 9 Act no. 90/2018, by carrying out the processing in question.

4.2.
The complainant's right to information and access

The complainant considers that he has not received satisfactory information from Creditinfo about his credit scoring and the criteria that the company assumes in making such an assessment. When assessing the complainant's rights, it is necessary to first discuss the process behind the preparation of credit scoring reports by Creditinfo. The Creditinfo website states that the company's credit scoring is based on the largest collection of business information in Iceland and assesses the probability of default twelve months in advance. It also states that the use of a credit scoring ensures that a subjective assessment is not made when making business decisions, but is based on objective information from an independent party. It also facilitates communication with customers because decision-making is justified by statistical data rather than personal assessment. It also states that the creditworthiness of individuals is assessed on a scale of A1-E3, where A1 is the best possible scoring and E3 the worst. In this connection, it should be noted that in point 10. Article 3 Act no. 90/2018, Coll. Number 4 Article 4 Regulation (EU) 2016/679, deals with the creation of a personal profile. Is it defined as any processing of personal data that involves the use of personal data to assess certain aspects of an individual's well-being, in particular to analyze or predict factors relating to his / her job performance, financial situation, health, taste, interests, reliability, behavior, location or mobility.

With reference to the above, the processing of Creditinfo in connection with the preparation of reports on credit scorings of individuals must be considered to involve using their financial information to analyze their characteristics and classify them based on certain scorings. As previously stated, the scorings then include a forecast of the likelihood of default in the next twelve months.

From this it is clear that the processing involves the creation of a personal profile within the meaning of point 10. Article 3 Act no. 90/2018, but such processing can be burdensome for the data subject, especially when he is denied products or services on the basis of the personal profile. In such circumstances, special attention must therefore be paid to the provisions of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 of the Regulation (EU), cf. also the rights guaranteed by the complainant in III. section of Act no. 90/2018, Coll. III. Chapter of Regulation (EU) 2016/679. The above rights in connection with the creation of a personal profile can be exercised by the data subject towards the guarantor who creates the personal profile, in this case Creditinfo, and, as the case may be, the guarantor who makes a decision on the basis of such information from Creditinfo. Tries only on the obligations of Creditinfo in this connection, which is considered the responsible party for the processing complained of, i.e. that Creditinfo did not provide the complainant with satisfactory information on his credit scoring when he requested it.

According to para. Article 17 Act no. 90/2018, a registered individual has the right to access personal information about himself according to the instructions of 13-15. gr. Regulation (EU) 2016/679. As previously stated, it is clear that the complainant requested information about his credit scoring when it was available from Creditinfo. Such rights are governed by Article 15. of the Regulation on the right of a registered individual to access information. That provision stipulates, inter alia, that a registered individual shall have the right to receive confirmation from the responsible party as to whether personal information concerning himself is processed and, if so, the right to access information on, among other things, the following matters: the purpose of the processing (a -item); the relevant categories of personal data (point (b)); if possible, how long the personal data are intended to be kept or, if this is not possible, the criteria used to determine it (point (d)); that there is a right to request the responsible party to have personal data corrected, deleted or restricted for processing by the data subject or to object to processing (item e); if personal data are not obtained from the data subject, all available information on their origin (point (g)); and whether automatic decision-making takes place, incl. the creation of a personal profile and then significant information about the arguments behind it and also the significance of the planned processing for the data subject (item h).

As previously stated, the case file shows the information that the complainant received from Creditinfo following his inquiry about further information about his credit scoring. The information that the complainant received from Creditinfo following his inquiry was provided by e-mail, dated. 31 August 2017. The e-mail contains an explanation of the factors that had most influenced the downgrade of the complainant's credit scoring, which has been, as previously stated, previous entries in the default register, especially those that were in the last 24 months, collections by collectors, and effects due to relationships with companies, ie. [X] ehf., Which was on the default register. There he also received information that an overview of the lookups and shifts was accessible on the company's service website. There is also a brief definition of the company's credit scoring and it is defined as a statistical model that assesses the probability of default and registration in the VOG default register for the next twelve months. Reference is made in this connection to the fact that lenders and other companies engaged in account transactions use e.g. the credit scoring to assess credit risk, such as when assessing credit authorizations and loan amounts. The email then points to a link that links to the company's website for more information on credit scorings. Next, Creditinfo's opescoring license with the Data Protection Authority is discussed, and that it allows the company to process personal information on financial matters and creditworthiness of individuals. The license is issued on the basis of Article 2. of Regulation no. 246/2001 on the collection and dissemination of information on financial matters and creditworthiness of individuals, cf. Article 45 Act no. 77/2000. Subsequently, the legitimacy of the processing is reviewed and reference is made to the fact that the company has considered that the processing of information on financial matters and creditworthiness can e.g. is based on point 7. Paragraph 1 Article 8 Act no. 77/2000 on the grounds that the processing was necessary in the interests of legitimate interests. The complainant's company points out that the parties with whom the complainant does business or is personally responsible for lending or account transactions to secure the borrower's performance, whether credit institutions or other lenders, have a legitimate interest in reviewing the complainant's default status at the beginning of the transaction and to monitor it during the transaction. Collectors also have a legally protected interest in seeking the status of a person in arrears on the default register. Finally, the complainant is reminded that complaints about Creditinfo's procedures and working methods should be directed to the Data Protection Authority.

The Data Protection Authority's survey shows that the service website mitt.creditinfo.is, which the complainant was pointed out in the aforementioned e-mail, is a forum for individuals to obtain an overview and information about their position and the companies they are connected to. Individuals can view the proposed registrations on the default register and also the registrations that are active. If no registrations are active, the registrant will receive a calculated credit scoring. If an individual enters his credit scoring, he can always see what influencing factors affect his credit scoring. If previous registrations affect the assessment, ie. registrations that are less than four years old from registration, then the person in question can see which registrations there are, from which time and which creditors. At the same place, the person in question can see the last six months' views on the look-up summary and all the monitoring that is active on the shift summary. The website also discusses what constitutes a credit scoring and states that it is a matter of purposeful decision-making, more specifically that the use of a credit scoring ensures that a subjective assessment is not used as a basis for business decision-making but is based on objective information from independent party. It is also pointed out that it facilitates communication with customers because decision-making is justified by statistical data rather than personal assessment. The Data Protection Authority's survey also shows that mitt.creditinfo.is contains a more detailed discussion of what determines a credit scoring, how its credit scoring can be improved, as well as information on when the credit scoring is updated.

An assessment must be made as to whether the above information fulfilled the conditions according to Article 15. Regulation (EU) 2016/679. Point 63 of the preamble to the Regulation refers, inter alia, to the fact that every registered person should have the right to be informed and informed of the purpose of the processing of personal data, the processing period of the data if possible, their recipients, the reasons behind automatic processing of personal data and the consequences of such processing, especially when it is based on the type of character. It also states that the responsible party should provide the registered remote access to a secure system that would give him direct access to personal information about himself. It then refers to the fact that this right should not, however, have a negative effect on the rights or freedoms of others, incl. trade secrets or intellectual property rights, and in particular the copyright in the Software. It is pointed out that the conclusion of these matters should not, however, be that a registered person is denied all information.

It is clear that Creditinfo provided the complainant with most of the information that the company is obliged to provide according to Article 15. of the Regulation (EU), cf. also point 63 of the preamble to Regulation (EU) 2016/679, both by e-mail to him and with the information referred to him, on the Creditinfo service area. It cannot be seen, however, that Creditinfo has informed the complainant clearly about his right to request that personal information be corrected, deleted or restricted in its processing, or about his right to object to processing, cf. the conditions of paragraph 1 (e). Article 15 Regulation (EU). It should be noted, however, that when the complainant requested information from Creditinfo, he had already exercised his right under the provision to some extent. As in this case, it cannot therefore be conclusively asserted that the complainant's right under the provision was disregarded. However, it is worth emphasizing the importance of Creditinfo complying with the provisions of Article 15, as well as Articles 13 and 14. of the Regulation as appropriate, in order to ensure that the rights of individuals under the above provisions are henceforth fully respected.

In view of the above, the conclusion of the Data Protection Authority is that the complainant's right to information according to Art. of the Regulation (EU) was respected when he was provided with information on the preparation of reports on his credit scoring. The processing has therefore complied with the second paragraph. Article 17 Act no. 90/2018, on personal protection and the processing of personal information, cf. Article 15 Regulation (EU) 2016/679.

Ruling:

Use of Creditinfo Lánstraust hf. on information on the entry of [A] in the register of financial affairs and creditworthiness of individuals, together with information on his connection with the company [X] ehf., when preparing a report on his credit scoring complied with Act no. 90/2018 and Regulation (EU) 2016/679.
Processing of Creditinfo Lánstraust hf. on information on references to [A] in the aforementioned register, as well as on information about him from the tax register, when making a credit scoring about him did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.

Creditinfo Lánstraust hf. on [A]'s request for access to information on how the processing of personal data about him took place was in accordance with Act no. 90/2018 and Regulation (EU) 2016/679.

In Privacy, September 11, 2020

Björg Thorarensen f.h. Board of Directors Helga Þórisdóttir