Persónuvernd - 2020010613: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Name=20200105...")
 
No edit summary
 
(One intermediate revision by the same user not shown)
Line 7: Line 7:
|DPA_With_Country=Persónuvernd (Iceland)
|DPA_With_Country=Persónuvernd (Iceland)


|Case_Number_Name=2020010591
|Case_Number_Name=2020010613
|ECLI=
|ECLI=


|Original_Source_Name_1=Personuvernd
|Original_Source_Name_1=Personuvernd
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/alit-um-ofullnaegjandi-oryggi-personuupplysinga-sem-unnt-var-ad-midla-i-gegnum-vefsidu-umbodsmanns-borgarbua.
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/vinnsla-creditinfo-lanstrausts-hf.-med-upplysingar-um-fyrri-skraningar-a-vanskilaskra-vid-gerd-skyrslna-um-lanshaefi
|Original_Source_Language_1=Icelandic
|Original_Source_Language_1=Icelandic
|Original_Source_Language__Code_1=IS
|Original_Source_Language__Code_1=IS
Line 17: Line 17:
|Type=Complaint
|Type=Complaint
|Outcome=Upheld
|Outcome=Upheld
|Date_Decided=05.03.2020
|Date_Decided=27.05.2020
|Date_Published=16.03.2020
|Date_Published=05.06.2020
|Year=2020
|Year=2020
|Fine=None
|Fine=None
|Currency=
|Currency=


|GDPR_Article_1=Article 5(1)(f) GDPR
|GDPR_Article_1=Article 5 GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1f
|GDPR_Article_Link_1=
|GDPR_Article_2=Article 32 GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=Article 32 GDPR
|GDPR_Article_Link_2=






|Party_Name_1=
|Party_Name_1=
|Party_Link_1=
|Party_Link_1=Creditinfo Lánstrausti hf.
|Party_Name_2=
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
Line 48: Line 48:
}}
}}


The Icelandic DPA decided that the electronic complaint form on the website of the Citizens' Ombudsman violated Articles 5(1)(f) and 32 GDPR. HTTPS must be used to minimise the risk of unauthorised access to information submitted through websites.
The Icelandic DPA decided that the processing of the Complainant's personal data by Creditinfo Lánstraust hf. in connection with the preparation of a credit report within the four-year period was in compliance with the Icelandic Act no. 90/2018 on Data Protection and the Processing of Personal Data, and did not violate Article 5 GDPR.


==English Summary==
==English Summary==


===Facts===
===Facts===
In Iceland, any person who feels unfairly treated by the authorities may lodge a complaint with the Ombudsman. The complainant in this case stated that the electronic submission of complaints to the Ombudsman did not comply with the GDPR. The electronic form requests sensitive personal information about complainants, but the form was only accessible on an official website served over HTTP, not HTTPS. The complainant said she had written to the Ombudsman about this issue but had received no response until several months later.
On April 9, 2019, the Icelandic DPA received a complaint from a Complainant regarding the processing of their personal information in connection with credit rating by Creditinfo Lánstrausti hf. (hereinafter, 'Creditinfo'). The registration of a complainant's defaults affects their credit rating for up to four years from registration.
 
The Ombudsman responded that the website has been updated and is now supported by HTTPS protocols.


===Dispute===
===Dispute===
The Icelandic DPA had to decide whether an appropriate security of information on individuals could be ensured through an electronic complaint form on the Citizens' Ombudsman's website.  
The Icelandic DPA had to decide whether Creditinfo could use information about the complainant's defaults within the four-year period.  


===Holding===
===Holding===
The Icelandic DPA assessed the requirements of Articles 5(1)(f) and 32 GDPR. Under those provisions, appropriate security measures may include, inter alia, the pseudonymisation and encryption of personal data and the ability to ensure the ongoing confidentiality of processing systems.
The Icelandic DPA decided that the processing of the Complainant's personal data by Creditinfo Lánstraust hf. in connection with the preparation of their credit report, was in compliance with Act no. 90/2018 on Data Protection and the Processing of Personal Data.  
HTTP is the protocol for unencrypted data transfer over the Internet between a user's browser and the web server hosting, for example, a website. HTTPS is the corresponding protocol for encrypted data transfer.
 
The Icelandic DPA is of the opinion that when personal information is shared through websites that use HTTP, there is a significant risk that a third party can gain unauthorised access to it. This risk is lower when sharing through websites that use HTTPS.
The DPA pointed out that it had previously taken a position on this issue in its rulings of January 26, 2017 (case no. 2016/950), December 6, 2016 (case no. 2016/580), September 28, 2017 (case no. 2016/1138) and May 31, 2018 (case no. 2017/537). In all of these rulings, the DPA held that Creditinfo could use information about entries on the company's default register for four years from the registration of such information.
In light of the above, the Icelandic DPA considered that the processing of personal data through the electronic complaint form was not compliant with the GDPR. However, the Citizens' Ombudsman's website now supports HTTPS. The Icelandic DPA therefore saw no grounds for further action on the matter.
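The HTTP/HTTPS point in the Holding above, as an added example that is not part of this page or of the DPA's decision: a small Python audit that parses a page's forms and reports any form that would submit personal-data fields over plaintext HTTP, including the mixed-content case where a page served over HTTPS still posts to an http:// action, and checks whether a plaintext request is redirected to HTTPS. The hostnames, the sample pages, the sample response headers and the field-name heuristic are constructed for the example.

```python
"""Audit a web page for forms that would carry personal data over plaintext HTTP.

Added example for the HTTP/HTTPS point in the Holding; it is not part of the
GDPRhub page or the DPA decision. Hostnames, sample pages and sample response
headers below are constructed for the example; nothing is fetched.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest a form collects personal data (assumed heuristic).
PERSONAL_HINTS = ("name", "email", "phone", "address", "kennitala", "ssn", "complaint")

# Constructed sample: a complaint page served over HTTP, as in the case above.
BEFORE_URL = "http://ombudsman.example/complaints"
BEFORE_HTML = """
<form action="/submit-complaint" method="post">
  <input name="full_name"><input name="email">
  <textarea name="complaint_text"></textarea>
</form>
<form action="https://ombudsman.example/search"><input name="q"></form>
"""

# Constructed sample: the same page after moving to HTTPS, but with one form whose
# absolute action still points at a plaintext origin (a mixed-content leak).
AFTER_URL = "https://ombudsman.example/complaints"
AFTER_HTML = """
<form action="/submit-complaint" method="post">
  <input name="full_name"><input name="email">
  <textarea name="complaint_text"></textarea>
</form>
<form action="http://legacy.ombudsman.example/upload" method="post">
  <input name="complaint_attachment" type="file">
</form>
"""

# Constructed sample responses to a plaintext request for BEFORE_URL.
REDIRECTING = (301, {"Location": "https://ombudsman.example/complaints"})
NOT_REDIRECTING = (200, {"Content-Type": "text/html"})


class FormCollector(HTMLParser):
    """Collect each <form> on a page with its action and its named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: where it submits, whether that hop is encrypted,
    and which fields look like personal data. The action is resolved against the
    page URL, so a relative action inherits the page's scheme, while an absolute
    http:// action on an HTTPS page is still flagged."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        submit_url = urljoin(page_url, form["action"]) if form["action"] else page_url
        personal = [f for f in form["fields"]
                    if any(h in f.lower() for h in PERSONAL_HINTS)]
        findings.append({
            "submit_url": submit_url,
            "encrypted_in_transit": urlsplit(submit_url).scheme.lower() == "https",
            "personal_data_fields": personal,
        })
    return findings


def plaintext_forms(page_url, html):
    """Submit URLs of forms that would send personal-data fields over HTTP."""
    return [f["submit_url"] for f in audit_forms(page_url, html)
            if not f["encrypted_in_transit"] and f["personal_data_fields"]]


def http_redirects_to_https(status, headers):
    """True when a plaintext request is answered with a redirect to an https:// URL,
    so a visitor who types the http:// address ends up on the encrypted site."""
    if status not in (301, 302, 307, 308):
        return False
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return urlsplit(location).scheme.lower() == "https"


if __name__ == "__main__":
    for label, url, html in (("before", BEFORE_URL, BEFORE_HTML),
                             ("after", AFTER_URL, AFTER_HTML)):
        print(label, "plaintext personal-data forms:", plaintext_forms(url, html))
    print("http -> https redirect:", http_redirects_to_https(*REDIRECTING))
```

Against a live site the same functions take the fetched HTML and the status and headers of a plain http:// request; the point of the second sample is that moving the page itself to HTTPS is not enough if any form still posts to a plaintext origin, and that a missing http-to-https redirect leaves visitors who type the bare address on the unencrypted version.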


==Comment==
==Comment==
Line 76: Line 73:


<pre>
<pre>
Opinion on inadequate security of personal information that could be disseminated through the Citizens' Ombudsman's website


03/16/2020
Processing by Creditinfo Lánstraust hf. of information on previous default registrations when compiling creditworthiness reports
Case no. 2020010613


The Data Protection Authority has issued an opinion on whether the Citizens' Ombudsman provided appropriate security for information on individuals that could be submitted through an electronic complaint form on an official website served over HTTP. Among other things, the opinion states that when personal information is submitted through websites that use HTTP, there is a significant risk that a third party can gain unauthorised access to it. This risk is lower when submitting through websites that use encrypted communications. The Data Protection Authority considered that the Citizens' Ombudsman's processing did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.
05/06/2020
opinion


The Data Protection Authority has ruled that Creditinfo Lánstraust hf. was permitted to use information on the complainant's former registration on the default register when compiling the complainant's credit reports. The Data Protection Authority pointed out that it had previously taken a position on the issue in question in its rulings of January 26, 2017 (case no. 2016/950), December 6, 2016 (case no. 2016/580), September 28, 2017 (case no. 2016/1138) and May 31, 2018 (case no. 2017/537). In all of the foregoing rulings, the Data Protection Authority considered that Creditinfo could use information on entries on the company's default register when compiling its quarterly credit reports, for four years from the registration of such information. The Data Protection Authority considered the same arguments to apply in this case, and the processing was therefore authorised with reference to item 6 of Article 9 of Act no. 90/2018. Furthermore, the Data Protection Authority did not consider the processing to violate the principles of Article 8 of Act no. 90/2018.
ruling


On March 5, 2020, the Data Protection Authority issued, with reference to paragraph 2 of Article 43 of Act no. 90/2018 on Data Protection and the Processing of Personal Data, the following opinion in case no. 2020010591 (formerly 2019020444):
 
On May 27, 2020, the Data Protection Authority issued the following ruling in case no. 2020010613 (formerly 2019040838):
I.
I.
Procedure
Procedure


1.
1.
Complaint and Procedure
Complaint and correspondence
 
On April 9, 2019, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) regarding the processing of personal information by Creditinfo Lánstraust hf. (Creditinfo) in connection with credit rating.
 
Specifically, the complainant considers Creditinfo's use of information on her defaults when compiling its credit rating, for four years from the registration of the information, to be unlawful. The complainant does not consider this arrangement to comply with the Data Protection Act and considers that it violates all normal business rules.


On February 25, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) regarding inadequate security measures on the website of the Office of the Citizens' Ombudsman. Specifically, the complaint is that the Ombudsman's electronic complaint form was not available on a website that supported HTTPS (HyperText Transfer Protocol Secure), but only HTTP (HyperText Transfer Protocol). The complaint was accompanied by a screenshot of the Citizens' Ombudsman's website as well as a copy of the complainant's email communication with the staff of the Office, which concerned information security on the Office's website.
By letter dated August 28, 2019, Creditinfo was notified of the above complaint and given the opportunity to comment on it. Creditinfo's reply was received on September 16, 2019.


By letter dated May 6, 2019, reiterated by letter dated June 14, the Citizens' Ombudsman was notified of the above complaint and given the opportunity to comment on it. The Ombudsman replied by letter dated July 11. By letter dated August 28, the complainant was invited to comment on the Citizens' Ombudsman's reply. The complainant replied by email on September 2.
By letter dated October 2, 2019, the complainant was invited to comment on Creditinfo's reply. The complainant's responses were received by email dated December 21, 2019.


All of the above data have been taken into account in resolving the case, although not all of them are specifically explained in the following opinion.
All of the above data have been taken into account in resolving the case, although not all of them are specifically mentioned in the following ruling.
2.
2.
Complainant's point of view
Creditinfo's point of view
 
Creditinfo refers, among other things, to the fact that the Data Protection Authority has held that it does not constitute unauthorized dissemination of information on defaulted claims that such claims affect the outcome of credit reports, provided that specific conditions are met. In this context, reference is made to the fact that the use of the information for the purpose in question must take place within the time limit set by Creditinfo's operating license, the provisions of Act no. 90/2018 on Data Protection and the Processing of Personal Data and the provisions of Regulation no. 246/2001, and that the information itself may not be received by the recipients of the evaluation.


The complaint is based on the fact that the arrangement for electronic submission of complaints to the Ombudsman violated the provisions of Act no. 90/2018, on Data Protection and the Processing of Personal Data, on security in the processing of personal data. The Office's electronic form requests sensitive personal information about complainants, but the form was only accessible on an official website served over HTTP, not HTTPS. The complainant said she had written to the Ombudsman about this issue but had received no response until several months later.
Creditinfo subsequently deals with, among other things, the relevant provisions of Creditinfo's operating license that deal with the deletion of information, the storage period of information and how long the information can be used for the purposes of a credit rating at the request of the data subject, which is four years from the registration of the information.


In addition, the alternative route by which the Citizens' Ombudsman instructs the complainant to send complaints to the Office, via e-mail, is not secure, as e-mail passes through various servers.
The company then discusses what information may be registered according to Article 2.2 of Creditinfo's operating license and that, according to that Article, information may be registered from the creditor of a debt if the debtor has agreed to pay the debt through a settlement that is enforceable in accordance with Article 1 of Act no. 90/1989.
3.
 
The views of the Citizens' Ombudsman
Creditinfo stated that it had sent a letter to the complainant about the proposed registration of its legal domicile and that the letter had indicated that it would not be canceled if the company received confirmation of payment of the claim within 17 days of the date of the letter and also the complainant had indicated her right to contest. No objection has been received and the entry has therefore been published on default.
 
Creditinfo is of the opinion that the complainant's complaint may have been that the claim had proven to be in default and was not unjustified. Creditinfo subsequently examines the nature of the credit rating and refers to the fact that it is inherent in the nature of a statistical prediction of future events to be based on historical information, such as on terms and payment history. If information on default and payment history in the past had no impact on the credit rating, the basis for the utility of the rating would be undermined. Such an assessment would not comply with Article 5 of Act no. 33/2013 and would be contrary to the comments on Article 10 of the bill that became that Act, which specify that credit ratings can be based, inter alia, on the considerations stated above. Creditinfo's credit rating model has also confirmed that past delinquency listings have a high default value for future default.
 
Finally, Creditinfo refers to the fact that registration of a complainant's defaults affects her credit rating for up to four years from registration. The effect of previous listings decreases as the registration ages and expires no later than four years after it.


The aforementioned response letter from the Citizens' Ombudsman states that the Office's website has been updated and is now served over HTTPS, and that the Ombudsman now considers the website to meet all of the most stringent security requirements.
The company therefore considers that it has complied with the provisions of the operating license issued by the Data Protection Authority, the Act on Data Protection and the Processing of Personal Data, and the rules set on the basis of that Act.
II.
II.
Assumptions and conclusion
Assumptions and conclusion


1.
1.
Delimitation of the case - standing
Scope - Controller


This case concerns whether the appropriate security of information on individuals, which could be disseminated through an electronic complaint form on the Citizens' Ombudsman website, was ensured.
The scope of Act no. 90/2018, on Data Protection and the Processing of Personal Data, and of Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act, and thus the powers of the Data Protection Authority, cf. paragraph 1 of Article 39 of the Act, covers the processing of personal data that is wholly or partly automated and the processing by other than automated means of personal data that forms or is intended to form part of a filing system.


According to the first sentence of paragraph 2 of Article 39 of Act no. 90/2018, any data subject has the right to file a complaint with the Data Protection Authority if he or she considers that the processing of his or her personal data violates Regulation (EU) 2016/679 or the provisions of the Act. The Data Protection Authority then determines whether a violation has occurred.
Personal data means information relating to an identified or identifiable natural person; a person is considered identifiable if he or she can be directly or indirectly identified by reference to an identifier or to one or more factors specific to him or her, cf. item 2 of Article 3 of the Act and paragraph 1 of Article 4 of the Regulation.


The complaint does not state that the complainant filed a complaint with the Citizens' Ombudsman through the Office's website before the Office introduced additional security measures on its website. Accordingly, it cannot be seen that the complainant's personal data was processed in the manner that the complaint relates to. In addition, in order for a complainant to have standing before the Data Protection Authority, he or she must also fulfil the conditions of having direct, substantial, specific and legitimate interests, in accordance with the principles of administrative law. When very many people have similar interests in the resolution of a case, the interests are classified as general rather than specific, and therefore do not confer standing in the case. In view of all of the above, the Data Protection Authority does not consider there to be grounds to render a ruling on whether a violation has occurred in the processing of the complainant's personal data, cf. paragraph 2 of Article 39 of Act no. 90/2018.
Processing means an operation or set of operations performed on personal data, whether or not by automated means, cf. item 4 of Article 3 of the Act and paragraph 2 of Article 4 of the Regulation.


Nonetheless, it is clear that there is a question of whether it is sufficient that a public body offers that personal data be sent to it through electronic complaint forms on websites that use HTTP. According to paragraph 2 of Article 43 of Act no. 90/2018, the Data Protection Authority may, on its own initiative or upon request, submit opinions to public bodies or other parties on any matter relating to the protection of personal data. The Data Protection Authority has decided to examine the above issue on the basis of the cited provision.
This case concerns Creditinfo's registration and use of information on the complainant's defaults. Having regard to the foregoing provisions, this matter concerns the processing of personal data that falls within the remit of the Data Protection Authority.
The party responsible for the processing of personal data complying with Act no. 90/2018 is termed the controller. According to item 6 of Article 3 of the Act, this refers to an individual, legal entity, public authority or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, cf. item 7 of Article 4 of the Regulation. Creditinfo Lánstraust hf. is considered the controller of the processing complained of, i.e. the processing of personal data when preparing a credit rating.
2.
Creditinfo Lánstraust hf.
 
The operation of a financial information agency and the processing of information relating to the financial affairs and creditworthiness of individuals and legal entities, including defaults and credit rating, for the purpose of disseminating it to others, is subject to a permit from the Data Protection Authority, cf. Article 15 of Act no. 90/2018. Creditinfo's activities are to a large extent subject to the above provision, and the Data Protection Authority has granted the company an operating license accordingly, cf. the current operating license of Creditinfo Lánstraust hf. for the processing of information about individuals, dated December 29, 2017 (Case No. 2017/1541), and the current provisional operating license for the processing of personal data for the purposes of credit rating, dated August 23, 2018 (Case No. 2018/1229).
 
In this respect, the reference in Article 15 of Act no. 90/2018 to processing carried out in the form of a credit rating, and the requirement that such processing be based on a permit from the Data Protection Authority, is a novelty and was not found in the comparable provisions of the previous Act no. 77/2000 on privacy and processing of personal information. Regulation no. 46/2001 on the collection and dissemination of financial and credit information, which was based on Article 45 of Act no. 77/2000, applied only to processing for the purpose of disseminating information on financial issues and creditworthiness to others and therefore does not cover activities that involve the issuance of credit reports. However, the above provisional permit does not change the fact that Creditinfo is obliged to ensure that information recorded on the basis of an operating license granted by the Data Protection Authority is not used for the purposes of a credit rating in a manner that violates the issued licenses or applicable law in general.
3.
3.
Scope - Controller
Legality of processing


The scope of Act no. 90/2018, on Data Protection and the Processing of Personal Data, and of Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act, and thus the powers of the Data Protection Authority, cf. paragraph 1 of Article 39 of the Act, covers the processing of personal data that is wholly or partly automated and the processing by other than automated means of personal data that forms or is intended to form part of a filing system.
In this case, the question is whether Creditinfo was permitted, when preparing the complainant's credit reports, to use information on entries on the company's default register that had been deleted from that register on the basis of the operating license because the debt had been settled.


Personal data means information relating to an identified or identifiable natural person; a person is considered identifiable if he or she can be directly or indirectly identified by reference to an identifier or to one or more factors specific to him or her, cf. item 2 of Article 3 of the Act and paragraph 1 of Article 4 of the Regulation.
All processing of personal data must be based on one of the provisions of Article 9 of Act no. 90/2018. The provision most relevant here is item 6 of Article 9 of the Act, cf. paragraph 1(e) of Article 6 of the Regulation, which states that the processing of personal data is permissible if it is necessary for the legitimate interests pursued by the controller or a third party, unless those interests are outweighed by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The Data Protection Authority considers this provision to be applicable to the processing of personal data that is carried out in Creditinfo's information systems in connection with the preparation of a report on the creditworthiness of the complainant.
 
Processing means an operation or set of operations performed on personal data, whether or not by automated means, cf. item 4 of Article 3 of the Act and paragraph 2 of Article 4 of the Regulation.


As previously stated, this case concerns whether appropriate security of information on individuals could be ensured through an electronic complaint form on the Citizens' Ombudsman's website. Having regard to the foregoing provisions, this matter concerns the processing of personal data that falls within the remit of the Data Protection Authority.
The Data Protection Authority has previously taken a position on the issue in question in its rulings of January 26, 2017 (case no. 2016/950), December 6, 2016 (case no. 2016/580), September 28, 2017 (case no. 2016/1138) and May 31, 2018 (case no. 2017/537). In all of the foregoing rulings, the Data Protection Authority considered that Creditinfo could use information on entries on the company's default register when compiling its quarterly credit reports, for four years from the registration of such information. In one of the above-mentioned rulings, in case no. 2016/1138, reference was made, among other things, to the provisions on the deletion of recorded information and on retention periods in the relevant operating licenses that were in effect at the time of the processing in question. Those provisions are comparable to Article 2.7 of the current license, dated December 29 (Case No. 2017/1541). Reference was also made to the provisions of Act no. 33/2013 on consumer loans, i.e. point (i) (now point (k)) of Article 5 and Article 10, which require that a consumer's creditworthiness be assessed before a consumer loan is granted and state, inter alia, that information from financial information databases may be used for this purpose. In this context, reference was also made to the provisions of Directive 2008/48/EC on consumer credit agreements, which emphasize that lending should be responsible, that loans under the Directive should not be granted without a prior creditworthiness assessment and that the necessary measures should be taken to impose penalties on lenders who fail to do so.


The party responsible for the processing of personal data complying with Act no. 90/2018 is termed the controller. According to item 6 of Article 3 of the Act, this refers to an individual, legal entity, public authority or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, cf. item 7 of Article 4 of the Regulation. As the case stands here, the Citizens' Ombudsman is considered the controller of the processing at issue, i.e. the transfer through its website of personal data entered into an electronic complaint form to the Office.
With reference to this, the ruling in question states:
2.
Legal environment and opinion


The processing of personal data must satisfy all the basic requirements of paragraph 1 of Article 8 of Act no. 90/2018, cf. Article 5 of Regulation (EU) 2016/679. Among other things, it is stipulated that personal data shall be processed in a manner that ensures its appropriate security, cf. item 6 of the provision. According to paragraph 1 of Article 27 of the Act, the controller shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, for the rights and freedoms of individuals, cf. Article 32 of the Regulation. Paragraph 1 of that provision of the Regulation lays down that appropriate measures may include, inter alia, the pseudonymisation and encryption of personal data and the ability to ensure the ongoing confidentiality of processing systems. Paragraph 2 of the provision then states that, in assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from, inter alia, unauthorised disclosure of, or access to, personal data. Furthermore, recital 39 of the Regulation states that personal data should be processed in a manner that ensures appropriate security and confidentiality of the data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
"From the above it is clear that a strong emphasis is placed on making a reliable creditworthiness assessment before a consumer credit agreement is concluded. It is also stated, as previously noted, that the reports of Creditinfo Lánstraust hf. are intended to be useful in making such an assessment. Furthermore, it will not be considered that it involves unauthorized dissemination of information on defaulted claims that such claims affect the outcome of the credit reports, as it is clear that the information itself is not received by the recipients of the assessment. In view of this, the Data Protection Authority considers that the use by Creditinfo Lánstraust hf. of the information on deleted entries in the said file, which is relevant in this case and which took place during the period of validity of the said operating license, dated December 28, 2015, was based on the above provision of point 7 of paragraph 1 of Article 8 of Act no. 77/2000; in addition, the Authority does not consider that the requirements of other provisions of the Act were violated, including paragraph 1 of Article 7 of the same Act on fairness, proportionality, reliability and retention periods for the processing of personal data. The processing is therefore considered to be in accordance with the law.


HTTP is the protocol for unencrypted data transfer over the Internet between a user's browser and the web server hosting, for example, a website. HTTPS is the corresponding protocol for encrypted data transfer.
Second, it is examined whether the processing in question was permissible after the current operating license, dated February 28, 2017 (Case No. 2016/1626), entered into force. In granting it, the views outlined above were taken into account, cf. Article 2.7 of the license, which deals with the deletion of information. It states, inter alia, that information on an individual debt shall be deleted when it is known to have been settled, as well as information that weighs against the creditworthiness of the registered person when it is four years old. However, the information may be stored for an additional three years, provided it is subject to strict access restrictions and care is taken that no one has access except the employees who need it for their work. During such retention, it may be used to respond to requests from registered individuals for information on the processing of their personal data and to […] resolve disputes over the validity of a registration. Information for which a maximum of four years have elapsed since registration may also be used for the purposes of a credit rating at the request of the data subject, as no information about the claims themselves is provided but only statistical results. Other use of the information is prohibited."


Privacy is of the opinion that when sharing personal information through websites that use HTTP protocols, there is a significant risk that a third party will be able to access the personal information unauthorized. This risk is less when sharing through websites that use HTTPS protocols, but then encryption is encrypted. Furthermore, the sponsors are rather slow to make websites so that they support HTTPS protocols without much cost.
The Privacy Policy considers the same arguments as the foregoing to apply in the present case. Furthermore, it is not clear that these operating instructions were violated, cf. now Article 2.7 of the said license, dated. December 29, 2017, traced in quoted text. In view of the above, and with reference to the earlier legal and regulatory provisions, the Agency considers that the processing of the information on the delisting of a register under the operating license has been based on a satisfactory authorization pursuant to the aforementioned clause 6. Article 9 of the Act, cf. paragraph 1 e. Article 6 Regulation.


According to the above, the Privacy Policy considers that the processing of the Citizens' Ombudsman, which involved the provision of personal information, in connection with complaints to the Office, through an electronic complaint form on a website supported by HTTP protocols, was not compliant with the law no. 90/2018 and Regulation (EU) 2016/679. However, the Citizens' Ombudsman website now supports HTTPS protocols. In all respects, Privacy does not consider grounds for further action on the matter.
In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, cf. Article 5 Regulation (EU) 2016/679. Provisions include, inter alia, that personal data should be processed in a legitimate, fair and transparent manner towards the data subject (point 1); that they are obtained for clearly stated, legitimate and objective purposes and are not further processed for other and incompatible purposes (point 2) and that they are sufficient and not more than necessary for the purpose of the process (point 3) . It will not be seen that this provision has been violated. The Agency also considers that the processing in question has been complied with Act no. 90/2018 in other respects.


At l i t s o rð:
Findings:


Processing of the Citizens' Ombudsman for personal data, which consisted of transferring them, through a website that was supported by HTTP protocols, did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.
Processing Creditinfo Lánstraust hf. on personal information about the complainant in connection with the preparation of her credit report, was complied with Act no. 90/2018, on privacy and processing of personal information.


In Privacy, March 5, 2020
In Privacy, May 27, 2020


Björg Thorarensen
chairman


Adalsteinn Jónasson Ólafur Garðarsson
Helga Þórisdóttir Þórður Sveinsson


Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson
</pre>
</pre>

Latest revision as of 10:42, 22 June 2020

Persónuvernd - 2020010613
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law:
Type: Complaint
Outcome: Upheld
Started:
Decided: 27.05.2020
Published: 05.06.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010613
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA decided that the processing of the Complainant's personal data by Creditinfo Lánstraust hf. in connection with the preparation of a credit report within the four-year period was in compliance with the Icelandic Act no. 90/2018 on Data Protection and the Processing of Personal Data, and did not violate Article 5 GDPR.

English Summary

Facts

On April 9 2019, the Icelandic DPA received a complaint from a Complainant regarding the processing of their personal information in connection with credit rating by Creditinfo Lánstrausti hf. (hereinafter, 'Creditinfo'). The registration of a complainant's defaults affects their credit rating for up to four years from registration.

Dispute

The Icelandic DPA had to decide whether Creditinfo could use information about the complainant's defaults within the four-year period.

Holding

The Icelandic DPA decided that the processing of the Complainant's personal data by Creditinfo Lánstraust hf. in connection with the preparation of their credit report, was in compliance with Act no. 90/2018 on Data Protection and the Processing of Personal Data.

The DPA pointed out that it had previously taken a position on the issue in question in its rulings of January 26, 2017, in case no. 2016/950; December 6, 2016, in case no. 2016/580; September 28, 2017, in case no. 2016/1138; and May 31, 2018, in case no. 2017/537. In all of the foregoing rulings, the DPA considered that Creditinfo could use information on entries on the company's defaults list for four years from the registration of such information.

Comment

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


Processing Creditinfo Lánstraust hf. with information on previous delinquency registrations when compiling the creditworthiness reports
Case no. 2020010613

05/06/2020

The Data Protection Authority has ruled that Creditinfo Lánstraust hf. was permitted to use information on the complainant's former registration on the default register when compiling the complainant's credit reports. The Data Protection Authority pointed out that it had previously taken a position on the issue in question in its rulings of January 26, 2017, in case no. 2016/950; December 6, 2016, in case no. 2016/580; September 28, 2017, in case no. 2016/1138; and May 31, 2018, in case no. 2017/537. In all of the foregoing rulings, the Data Protection Authority considered that Creditinfo could use information on entries on the company's default register when compiling its quarterly credit reports, for four years from the registration of such information. The Data Protection Authority considered the same arguments to be applicable in this case, and the processing was therefore authorized with reference to point 6 of Article 9 of Act no. 90/2018. Furthermore, the Data Protection Authority did not consider the processing to violate the principles of Article 8 of Act no. 90/2018.
Ruling


On May 27, 2020, the Data Protection Authority issued the following ruling in case no. 2020010613 (formerly 2019040838):
I.
Procedure

1.
Complaint and correspondence

On April 9, 2019, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) regarding the processing of personal information by Creditinfo Lánstrausti hf. (Creditinfo) in connection with credit rating.

Specifically, the complainant considers Creditinfo's use of information on the complainant's defaults in making the complainant's credit rating, for four years from the registration of the information, to be illegal. The complainant does not consider this to be in compliance with the Privacy Act and holds that it constitutes a violation of all normal business rules.

By letter dated August 28, 2019, Creditinfo was notified of the above complaint and given the opportunity to comment on it. Creditinfo's reply was received on September 16, 2019.

By letter dated October 2, 2019, the complainant was invited to comment on Creditinfo's replies. The complainant's responses were received by email dated December 21, 2019.

All of the above data have been taken into account in resolving the case, although not all of them are specifically mentioned in the following ruling.
2.
Creditinfo's point of view

Creditinfo refers, among other things, to the fact that the Data Protection Authority has considered that the fact that defaulted claims affect the outcome of credit reports does not involve unauthorized dissemination of information on those claims, provided that specific conditions are met. In this context, reference is made to the requirement that the use of the information for the purpose in question must take place within the time limit set by Creditinfo's operating license, the provisions of Act no. 90/2018 on privacy and the processing of personal data and the provisions of Regulation no. 246/2001, and that the information itself may not be received by the recipients of the evaluation.

Creditinfo subsequently deals with, among other things, the relevant provisions of Creditinfo's operating license that deal with the deletion of information, the storage period of information and how long the information can be used for the purposes of a credit rating at the request of the data subject, which is four years from the registration of the information.

The company then discusses what information may be registered according to Article 2.2 of Creditinfo's operating license and that, according to that Article, information may be registered from a subscriber regarding a debt if the debtor has agreed to pay the debt through a settlement that is enforceable in accordance with Article 1 of Act no. 90/1989.

Creditinfo stated that it had sent a letter to the complainant's legal domicile about the proposed registration, that the letter had indicated that registration would not take place if the company received confirmation of payment of the claim within 17 days of the date of the letter, and that the complainant had also been informed of her right to object. No objection was received, and the entry was therefore published on the default register.

Creditinfo is of the opinion that the complainant does not dispute that the claim had proven to be in default and that the registration was not unjustified. Creditinfo then examines the nature of credit rating and refers to the fact that it is inherent in the nature of a statistical prediction of future events that it is based on historical information, such as on terms and payment history. If information on past defaults and payment history had no impact on the credit rating, the basis for the usefulness of the rating would be undermined. Such an assessment would not comply with Article 5 of Act no. 33/2013 and would be contrary to the explanatory notes to Article 10 of the bill that became that Act, which state that credit ratings can be based, inter alia, on the considerations stated above. Creditinfo's credit rating model has also confirmed that past default listings have a high predictive value for future default.

Finally, Creditinfo refers to the fact that registration of a complainant's defaults affects their credit rating for up to four years from registration. The effect of previous listings decreases with the time elapsed since registration and expires no later than four years after registration.

The company therefore considers that it has complied with the provisions of the operating license issued by the Data Protection Authority, the Act on privacy and the processing of personal information, and rules set on the basis of that Act.
II.
Assumptions and conclusion

1.
Scope and controller

The scope of Act no. 90/2018, on privacy and processing of personal information, and of Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act, and thus the powers of the Data Protection Authority, cf. paragraph 1 of Article 39 of the Act, covers the processing of personal data that is wholly or partly automated and the processing by other than automated means of personal data that forms or is intended to form part of a filing system.

Personal data means any information relating to an identified or identifiable natural person; a person is considered identifiable if he or she can be directly or indirectly identified by reference to an identifier or to one or more factors specific to that person, cf. point 2 of Article 3 of the Act and point 1 of Article 4 of the Regulation.

Processing means an operation or set of operations performed on personal data, whether or not by automated means, cf. point 4 of Article 3 of the Act and point 2 of Article 4 of the Regulation.

This case concerns the registration and use by Creditinfo of information on the complainant's defaults. Accordingly, and with regard to the foregoing provisions, this matter concerns the processing of personal data that falls within the scope of the Act.
The party responsible for ensuring that the processing of personal data complies with Act no. 90/2018 is called the controller. According to point 6 of Article 3 of the Act, the term refers to an individual, legal entity, public authority or other party who alone or jointly with others determines the purposes and means of the processing of personal data, cf. point 7 of Article 4 of the Regulation. Creditinfo Lánstraust hf. is considered to be the controller of the processing to which the complaint relates, i.e. the processing of personal data when making a credit rating.
2.
Creditinfo Lánstraust hf.

The operation of a financial information agency and the processing of information relating to the financial affairs and creditworthiness of individuals and legal entities, including defaults and credit rating, for the purpose of disseminating them to others, is subject to a license from the Data Protection Authority, cf. Article 15 of Act no. 90/2018. Creditinfo's activities are to a large extent subject to that provision, and the Data Protection Authority has granted the company operating licenses accordingly, cf. the current operating license of Creditinfo Lánstraust hf. for the processing of information about individuals, dated December 29, 2017 (Case No. 2017/1541), and the current provisional operating license for the processing of personal data for the purposes of credit rating, dated August 23, 2018 (Case No. 2018/1229).

It should be noted that the requirement of Article 15 of Act no. 90/2018 that processing carried out in the form of a credit rating must be based on a license from the Data Protection Authority is a novelty and was not found in the comparable provisions of the previous Act no. 77/2000 on privacy and processing of personal information. Regulation no. 46/2001 on the collection and dissemination of financial and credit information, which was based on Article 45 of Act no. 77/2000, covered only processing for the purpose of disseminating information to others on financial matters and creditworthiness and therefore did not cover activities involving the issuance of credit reports. However, the above provisional license does not change the fact that Creditinfo is obliged to ensure that information recorded on the basis of an operating license granted by the Data Protection Authority is not used for the purposes of credit rating in a manner that violates the issued licenses or applicable law in general.
3.
Legality of processing

In this case, the question is whether Creditinfo was permitted, when compiling the complainant's credit reports, to use information on entries on the company's default register that had been deleted from that register, on the basis of the license for operating the register, because the debt had been settled.

All processing of personal data must be based on one of the provisions of Article 9 of Act no. 90/2018. Most relevant here is point 6 of Article 9 of the Act, cf. point (e) of paragraph 1 of Article 6 of the Regulation, which states that the processing of personal data is permissible if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh those interests. The Data Protection Authority considers this provision to be applicable to the processing of personal information that is carried out in Creditinfo's information systems in connection with the preparation of a report on the creditworthiness of the complainant.

The Data Protection Authority has previously taken a position on the issue in question in its rulings of January 26, 2017, in case no. 2016/950; December 6, 2016, in case no. 2016/580; September 28, 2017, in case no. 2016/1138; and May 31, 2018, in case no. 2017/537. In all of the foregoing rulings, the Data Protection Authority considered that Creditinfo could use information on entries on the company's default register when compiling its quarterly credit reports, for four years from the registration of such information. In one of the above-mentioned rulings, in case no. 2016/1138, reference was made, among other things, to the provisions on the deletion of recorded information and on retention periods in the relevant operating licenses that were in effect at the time of the processing in question. Those provisions are comparable to Article 2.7 of the current license, dated December 29 (Case No. 2017/1541). Reference was also made to the provisions of Act no. 33/2013 on consumer loans, i.e. point (i) (now point (k)) of Article 5 and Article 10, which require that a consumer's creditworthiness be assessed before a consumer loan is granted and which state, inter alia, that information from financial information databases may be used for that purpose. In this context, reference was also made to the provisions of Directive 2008/48/EC on consumer credit agreements, which emphasize that lending should be responsible, that loans under the Directive should not be granted without a prior credit assessment, and that the necessary measures should be taken to impose penalties on lenders.

With reference to this, the ruling in question states:

"From the above it is clear that a strong emphasis is placed on making a reliable credit rating in anticipation of a consumer credit agreement. It is also stated, as previously noted, that the reports of Creditinfo Lánstraust hf. are intended to be useful in making such an assessment. Furthermore, it will not be considered that the fact that defaulted claims affect the outcome of the credit reports involves unauthorized dissemination of information on those claims, as it is clear that the information itself is not received by the recipients of the assessment. In view of this, the Data Protection Authority considers that the processing by Creditinfo Lánstraust hf. of the information on delisted entries in the said file, which is relevant in this case and which took place during the period of validity of the said operating license, dated December 28, 2015, was based on the above provisions of point 7 of paragraph 1 of Article 8 of Act no. 77/2000. In addition, the Agency does not believe that the requirements of other provisions of the Act have been violated, including paragraph 1 of Article 7 of the same Act on fairness, proportionality, reliability and retention times for the processing of personal information. The processing is therefore considered to be in accordance with the law.

Secondly, it must be examined whether the processing in question was permissible after the current operating license, dated February 28, 2017 (Case No. 2016/1626), entered into force. In granting it, the views outlined above were considered, cf. Article 2.7 of the license, which deals with the destruction of information. It states, inter alia, that information on an individual debt should be erased when it is known to have been settled, as well as information that weighs against the creditworthiness of the registered person when it is four years old. However, information may be stored for an additional three years, provided that it is subject to strict access restrictions and care is taken that no one has access except the employees who need it for their work. During such retention, it may be used to respond to requests from registered individuals for knowledge of the processing of personal data and to […] resolve disputes over the validity of registration. Information for which a maximum of four years have elapsed since registration may also be used for the purposes of a credit rating at the request of the data subject, as no information about the claims themselves is provided but only statistical results. Other use of the information is prohibited."

The Data Protection Authority considers the same arguments as the foregoing to apply in the present case. Furthermore, it is not apparent that the provisions of the operating license were violated, cf. now Article 2.7 of the said license, dated December 29, 2017, which corresponds to the quoted text. In view of the above, and with reference to the earlier legal and regulatory provisions, the Agency considers that the processing of the information on entries delisted from the register under the operating license was based on a satisfactory authorization pursuant to the aforementioned point 6 of Article 9 of the Act, cf. point (e) of paragraph 1 of Article 6 of the Regulation.

In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements of paragraph 1 of Article 8 of Act no. 90/2018, cf. Article 5 of Regulation (EU) 2016/679. These provisions include, inter alia, that personal data should be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they are collected for specified, explicit and legitimate purposes and not further processed for other and incompatible purposes (point 2); and that they are adequate and not more than necessary for the purpose of the processing (point 3). It cannot be seen that these provisions have been violated. The Agency also considers that the processing in question has complied with Act no. 90/2018 in other respects.

Findings:

The processing by Creditinfo Lánstraust hf. of personal information about the complainant in connection with the preparation of her credit report complied with Act no. 90/2018, on privacy and processing of personal information.

At the Data Protection Authority, May 27, 2020


Helga Þórisdóttir Þórður Sveinsson