Persónuvernd - 2020010613

From GDPRhub
Persónuvernd - 2020010613
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law:
Type: Complaint
Outcome: Upheld
Decided: 27.05.2020
Published: 05.06.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010613
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: {{{Initial_Contributor}}}

The Icelandic DPA decided that the processing of the Complainant's personal data by Creditinfo Lánstraust hf. in connection with the preparation of a credit report within the four-year period was in compliance with the Icelandic Act no. 90/2018 on Data Protection and the Processing of Personal Data, and did not violate Article 5 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

On April 9 2019, the Icelandic DPA received a complaint from a Complainant regarding the processing of their personal information in connection with credit rating by Creditinfo Lánstrausti hf. (hereinafter, 'Creditinfo'). The registration of a complainant's defaults affects their credit rating for up to four years from registration.

Dispute[edit | edit source]

The Icelandic DPA had to decide whether Creditinfo could use information about the complainant's defaults within the four-year period.

Holding[edit | edit source]

The Icelandic DPA decided that the processing of the Complainant's personal data by Creditinfo Lánstraust hf. in connection with the preparation of their credit report, was in compliance with Act no. 90/2018 on Data Protection and the Processing of Personal Data.

The DPA pointed out that it had previously taken a position on the issue in question with a ruling, cf. January 26, 2017, in case no. 2016/950; on December 6, 2016, in case no. 2016/580; on September 28, 2017, in case no. 2016/1138; and on May 31, 2018, in case no. 2017/537. In all of the foregoing rulings, the DPA considered that Creditinfo could use information on the entry of the company's defaults list for four years from the registration of such information.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


Processing Creditinfo Lánstraust hf. with information on previous delinquency registrations when compiling the creditworthiness reports
Case no. 2020010613

05/06/2020

Privacy has ruled that Creditinfo Lánstrausti hf. have been permitted to use information on the former complainant's registration on the default register when compiling the complainant's credit reports. The Data Protection Authority pointed out that the Agency had previously taken a position on the issue in question with a ruling, cf. in that regard, ruling. January 26, 2017, in case no. 2016/950, ruling, date. December 6, 2016, in case no. 2016/580, ruling, date. September 28, 2017, in case no. 2016/1138 and ruling, date. May 31, 2018, in case no. 2017/537. In all of the foregoing rulings, the Data Protection Authority considered that Creditinfo could use information on the entry of the company's defaults list when compiling its quarterly credit reports, for four years from the registration of such information.The Data Protection Authority considered the same arguments to be applicable in this case and therefore the processing was authorized with reference to point 6. Article 9 Act no. 90/2018. Furthermore, the Data Protection Authority did not consider the violation to violate the principles of Article 8. Act no. 90/2018. 
ruling


On May 27, 2020, the Data Protection Authority issued a clear ruling in case no. 2020010613 (formerly 2019040838):
I.
procedures

1.
Complaint and correspondence

On April 9, 2019, Privacy Protection received a complaint from [A] (hereinafter the complainant) regarding the processing of personal information by Creditinfo Lánstrausti hf. (Creditinfo), in connection with credit rating.

Specifically, Creditinfo's complainant's use of information on its defaults in making its credit rating, for four years from the registration of the information, is considered illegal. Creditinfo's Complaint Classification Organization does not consider that it is in compliance with the Privacy Act and that it constitutes a violation of all normal business rules.

By letter, date. On August 28, 2019, Creditinfo was notified of the above complaint and given the opportunity to comment on it. Creditinfo's reply was received on September 16, 2019.

By letter, date. On October 2, 2019, the complainant was invited to comment on Creditinfo's replies. Complainant's responses were received by Email, dated. December 21, 2019.

All of the above data have been taken into account in resolving the case, although not all of them are specifically mentioned in the following ruling.
2.
Creditinfo's point of view

Creditinfo refers, among other things, to the fact that the Data Protection Authority considers that it does not involve the unauthorized dissemination of information on defaulted claims that they affect the outcome of the credit reports, provided that specific conditions are met. In this context, reference is made to the fact that the use of the information for the purpose in question must take place within the time limit set by Creditinfo's operating license, the provisions of the Privacy Act and the processing of personal data no. 90/2018 and the provisions of Regulation no. 246/2001 as well as that the information itself may not be received by the recipients of the evaluation.

Creditinfo subsequently deals with, among other things, the relevant provisions of Creditinfo's operating license that deal with the deletion of information, the storage period of information and how long the information can be used for the purposes of a credit rating at the request of the data subject, which is four years from the registration of the information.

The company then discusses what information can be registered according to Art. Article 2.2. in the Creditinfo operating license and that, according to that Article, information may be included from the subscriber of a debt if the debtor has agreed to pay the debt through a settlement that is enforceable in accordance with Art. Article 1 Procedure Act no. 90/1989.

Creditinfo stated that it had sent a letter to the complainant about the proposed registration of its legal domicile and that the letter had indicated that it would not be canceled if the company received confirmation of payment of the claim within 17 days of the date of the letter and also the complainant had indicated her right to contest. No objection has been received and the entry has therefore been published on default.

Creditinfo is of the opinion that the complainant's complaint may have been that the claim had proven to be in default and was not unjustified. Creditinfo subsequently examines the nature of the credit rating and refers to the fact that it is inherent in the nature of the statistical prediction of future events to be based on historical information, such as on terms and payment history. If information on default and payment history in the past had no impact on the credit rating, the basis would be undermined by the utility of the rating. Such an assessment would not comply with Article 5. Act no. 33/2013 and contrary to the comments in the comments on Article 10. the bill that became the law that specifies that credit ratings can be based, inter alia, on the considerations stated above. Creditinfo's credit rating model has also confirmed that past delinquency listings have a high default value for future default.

Finally, Creditinfo refers to the fact that registration of a complainant's defaults affects its credit rating for up to four years from registration. The effect of previous listings decreases as the date of registration decreases and expires no later than four years.

The company therefore considers that it has complied with the provisions of an operating license issued by the Data Protection Authority, the Data Protection Act and the processing of personal information, as well as rules set on the basis of that law.
II.
Assumptions and conclusion

1.
Scope - Guarantee

Scope of Act no. 90/2018, on privacy and processing of personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the powers of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of partially or fully automated personal data and the processing of methods other than automatic processing of personal data that is or should become part of a file.

Personal information includes information about a person or person who is personally identifiable and can be considered as personally identifiable if he or she can be directly or indirectly identified by reference to his or her identity or one or more of the characteristics characteristic of him, cf. Item 2 Article 3 of the Act and Paragraph 1. Article 4 Regulation.

Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Item 4 Article 3 of the Act and Paragraph 2. Article 4 Regulation.

This case concerns the registration and use of Creditinfo for information on the complainant's defaults. Respectfully, and with due regard to the foregoing provisions, this matter concerns the processing of personal information that falls under the sphere of privacy.
The person responsible for processing personal data complies with Act no. 90/2018 is named as the guarantor. According to paragraph 6. Article 3 the Act refers to an individual, legal entity, governmental authority or other party who decides alone or in collaboration with other purposes and methods for the processing of personal information, cf. Item 7 Article 4 Regulation. Creditinfo Lánstraust hf. be the guarantor of the complaint being processed, ie. the processing of personal information when making a credit rating.
2.
Creditinfo Lánstraust hf.

The operation of a financial information agency and the processing of information relating to financial affairs and creditworthiness of individuals and legal entities, including defaults and credit rating for the purpose of disseminating them to others, shall be subject to the permission of the Data Protection Authority, cf. Article 15 Act no. 90/2018. Creditinfo's activities are to a large extent subject to the above provisions, and the Data Protection Authority has granted the company an operating license accordingly, cf. now operating license Creditinfo Lánstraust hf. due to processing of information about individuals, date. December 29, 2017 (Case No. 2017/1541) and now a provisional operating license for the processing of personal data for the purposes of a credit rating, dated. August 23, 2018 (Case No. 2018/1229).

For that purpose, reference is made to Article 15. Act no. 90/2018 for the processing of information that is carried out in the form of a credit ratingand that such processing must be based on the Privacy Policy is a novelty and was not found in the comparable provisions of the applicable Act no. 77/2000 on privacy and processing of personal information. Regulation no. 46/2001 on the collection and dissemination of financial and credit information, which was based on Article 45. Act no. 77/2000, only for processing in order to disseminate information to others on financial issues and creditworthiness and therefore does not cover activities that involve the issuance of credit reports. However, the above provisional authorization does not change the fact that Creditinfo is obliged to ensure that the information recorded on the basis of an operating license granted by the Data Protection Authority cannot be used for the purposes of a credit rating in a manner that violates the issued licenses or applicable laws in general. .
3.
Legality of processing

In this case, it is tested whether the complainant's credit reports were used if Creditinfo had been able to use information on the company's defaults that had been deleted from that list on the basis of the license for operating the record for the reason that the debt had been settled.

All processing of personal data must be subject to any of the provisions of Article 9. Act no. 90/2018. This is most likely to be considered here in item 6. Article 9 of the Act, cf. paragraph 1 e. Article 6 of the Regulation, which states that the processing of personal data is permissible if it is necessary for legitimate interests that the guarantor or third party may prescribe unless the interests or fundamental rights and freedoms of the data subject require the protection of personal data outweighs. The Privacy Policy considers this provision to be applicable to the processing of personal information that is carried out in Creditinfo's information systems in connection with the preparation of a report on the creditworthiness of the complainant.

The Data Protection Authority has previously taken a position on the issue in question with a ruling, cf. in that regard, ruling. January 26, 2017, in case no. 2016/950, ruling, date. December 6, 2016, in case no. 2016/580, ruling, date. September 28, 2017, in case no. 2016/1138 and ruling, date. May 31, 2018, in case no. 2017/537. In all of the foregoing rulings, the Data Protection Authority considered that Creditinfo could use information on the entry of the company's defaults list when compiling its quarterly credit reports, for four years from the registration of such information. In one of the abovementioned privacy protections case no. In 2016/1138, among other things, reference was made to the provisions on the deletion of recorded information to households' retention periods in the relevant operating permits that were in effect at the time of the processing in question. Are those provisions comparable to Article 2?7 of the current license, dated. December 29th (Case No. 2017/1541). In addition, the provisions of Act no. 33/2013 on consumer loans, ie (i) (now point (k)) Article 5 and Article 10. which require that a consumer's credit rating be assessed before a consumer loan is granted and it is stated, inter alia, that information from the financial information databases may be used for this purpose. In this context, provisions were also made in Directive 2008/48 / EC on consumer credit agreements, emphasizing that credit operations should be responsible, that loans under the Directive should not be granted without prior credit rating and that the necessary measures should be taken to impose penalties on the lenders.which require that a consumer's credit rating be assessed before a consumer loan is granted and it is stated, inter alia, that information from the financial information databases may be used for this purpose. In this context, provisions were also made in Directive 2008/48 / EC on consumer credit agreements, emphasizing that credit operations should be responsible, that loans under the Directive should not be granted without prior credit rating and that the necessary measures should be taken to impose penalties on the lenders.which require that a consumer's creditworthiness be assessed prior to the granting of a consumer loan and state, inter alia, that information from the financial information databases may be used for this purpose. In this context, provisions were also made in Directive 2008/48 / EC on consumer credit agreements, which emphasize that credit operations should be guaranteed, that loans under the Directive should not be granted without prior credit rating and that the necessary measures should be taken to impose penalties on the lenders.In this context, provisions were also made in Directive 2008/48 / EC on consumer credit agreements, emphasizing that credit operations should be responsible, that loans under the Directive should not be granted without prior credit rating and that the necessary measures should be taken to impose penalties on the lenders.In this context, provisions were also made in Directive 2008/48 / EC on consumer credit agreements, emphasizing that credit operations should be responsible, that loans under the Directive should not be granted without prior credit rating and that the necessary measures should be taken to impose penalties on the lenders.

With reference to this, the ruling in question states:

"From the above it is clear that a strong emphasis is placed on making a reliable credit rating in anticipation of a consumer credit agreement. It is also stated, as previously stated, that the reports of Creditinfo Lánstraust hf. is intended to be useful in making such an assessment. Furthermore, it will not be considered that it involves unauthorized dissemination of information on defaulted claims that they affect the outcome of the credit reports, as it is clear that the information itself is not received by the recipients of the assessment. In view of this, the Privacy Protection considers Creditinfo Lánstraust hf. on the information on delisted entries in the said file, which is relevant in this case and which took place during the period of validity of the said operating license, dated. December 28, 2015, have been based on the above provisions of point 7. Paragraph 1 Article 8 Act no. 77/2000,in addition, the Agency does not believe that the requirements of other provisions of the Act have been violated, viz. on m. Paragraph 1 Article 7 the same Act on fairness, proportionality, reliability and retention times for the processing of personal information. The processing is therefore considered to be in accordance with the law.

Second, here is an examination of whether the processing in question was considered permissible after the current operating license, dated. February 28, 2017 (Case No. 2016/1626), entered into force. In granting it, the views outlined above were considered, cf. Article 2.7 of the license which deals with the destruction of information. Says, inter alia, that information on individual debt should be erased when it is known to have been deposited, as well as information that measures against the creditworthiness of the registered person when it is four years old. However, information may be stored for an additional three years, as they are subject to strict access restrictions and care is taken that no one else has access but the employees who need it for their work.During such retention, they may be utilized to respond to requests from registered individuals for knowledge of the processing of personal data and to […] resolve disputes over the validity of registration. A maximum of four years have elapsed since the registration of the information may also be used for the purposes of a credit rating at the request of the data subject, as no information about the claims themselves is provided but only statistical results. Other use of the information is prohibited. "Other use of the information is prohibited. "Other use of the information is prohibited. "

The Privacy Policy considers the same arguments as the foregoing to apply in the present case. Furthermore, it is not clear that these operating instructions were violated, cf. now Article 2.7 of the said license, dated. December 29, 2017, traced in quoted text. In view of the above, and with reference to the earlier legal and regulatory provisions, the Agency considers that the processing of the information on the delisting of a register under the operating license has been based on a satisfactory authorization pursuant to the aforementioned clause 6. Article 9 of the Act, cf. paragraph 1 e. Article 6 Regulation.

In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, cf. Article 5 Regulation (EU) 2016/679. Provisions include, inter alia, that personal data should be processed in a legitimate, fair and transparent manner towards the data subject (point 1); that they are obtained for clearly stated, legitimate and objective purposes and are not further processed for other and incompatible purposes (point 2) and that they are sufficient and not more than necessary for the purpose of the process (point 3) . It will not be seen that this provision has been violated. The Agency also considers that the processing in question has been complied with Act no. 90/2018 in other respects.

Findings:

Processing Creditinfo Lánstraust hf. on personal information about the complainant in connection with the preparation of her credit report, was complied with Act no. 90/2018, on privacy and processing of personal information.

In Privacy, May 27, 2020


Helga Þórisdóttir Þórður Sveinsson