Persónuvernd - 2020010708

From GDPRhub
Persónuvernd - 2020010708
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Rejected
Decided: 27.04.2021
Published: 27.04.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020010708
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personunvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA held that a credit rating company was permitted to use information on previous entries in the default register when preparing the credit ratings.

English Summary[edit | edit source]

Facts[edit | edit source]

On 18 December 2019, the DPA received a complaint from regarding the processing of personal information about a data subject by a credit rating company Creditinfo, in connection with the preparation of reports on his credit rating.

According to the complainant, for the purposes of the credit rating, Creditinfo stored and used information about his previous defaults with a bank, despite the fact that they have been settled for a long time. The complainant had requested a correction of the assessment, as he found information on his previous defaults unreliable and misleading. He demanded to stop the processing in the Creditinfo default register and requested information on the method used to calculate his credit rating.

According to Creditinfo, its current operating license states that information on individual debts should be deleted if it is known that they have been returned. Information from the register shall be deleted when it is four years old. The company may store information for additional three years and may use the information to comply with requests from registered individuals. The previous registrations that had affected the complainant's credit rating at the time the complaint was filed were dated 27 June 2017 and 14 June 2018 and were therefore less than four years old. Creditinfo's credit rating assesses the probability of default and registration in the default register over the next twelve months. Statistical predictions for future events must be based on historical information, such as returns and payment history.

Holding[edit | edit source]

The DPA had several times before that Creditinfo was permitted to use information on previous entries in the default register when preparing credit ratings for individuals. Creditinfo was not obliged by law to consider the income and assets of individuals when preparing reports on the creditworthiness of individuals. Regarding the complainant's demands to stop the processing of information about him by Creditinfo, the DPA had previously ruled that such a claim cannot be complied with.

In view of the above, the conclusion of the DPA is that Creditinfo's processing of information on the complainant's previous entries in the default register when making a credit rating about him was in accordance with Act no. 90/2018 on personal protection and processing of personal information.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


                   Creditinfo processing
Lánstraust hf. in connection with the preparation of credit reports
      Case no.
2020010708
     
      
        27.4.2021
        
      
      Privacy has ruled that
Creditinfo has been authorized to use information on previous registrations on
defaults in the preparation of credit ratings for individuals with reference to previous precedents
on the same subject. Furthermore, the Data Protection Authority ruled that Creditinfo did not
required by law to consider the income and assets of individuals in making
reports on the credit rating of individual data Privacy can not be met
the complainant's request that the processing of information about him by Creditinfo be stopped and
registration of the company's default register would be terminated unless he authorized it.

    
    
    Ruling
On March 18, 2021, the Data Protection Authority issued a ruling in case no.
2020010708 (former case no. 2019122373): I. Proceedings 1. Abstract
case On December 18, 2019, the Data Protection Authority received a complaint from [A] (hereinafter)
complainant) over the processing of personal information about him by Creditinfo Lánstraust
hf. (Creditinfo) in connection with the preparation of reports on his credit rating. By e-mail, dated April 14, 2020, the Data Protection Authority requested further information
information from the complainant. The complainant's reply was received by e-mail the same day. With
letter, dated. June 23, 2020, the Data Protection Authority requested further information from
complainant. The complainant's reply was received by two emails on 7 July 2020 and 3.
October s.á. By letter dated November 2, 2020, Creditinfo was notified of the above
complaint and given the opportunity to comment on it. Creditinfo's reply was received
Privacy 23 November s.á. All of the above have been taken into account in resolving the case
data, although not all of them are specifically described in the following
ruling. The handling of this case has been delayed due to heavy work at the Data Protection Authority. 2. Perspectives
complainantComplains about it
that Creditinfo stores and uses information about the complainant's previous defaults
to Arion Bank when preparing credit rating reports for four years
registration, even though they have long been settled. Creditinfo does not accept
based on solvency and solvency, incl. the complainant's equity position at that time
as credit rating reports are retrieved from Creditinfo's system
financial institutions and other parties. The complainant states that he has requested
correction of the assessment, but Creditinfo aims to preserve these
information, through Arion Bank. The complainant considers that
information about his previous defaults is unreliable and misleading. He refers to
that can not be considered normal to defaults, which were not due
bankrupt or advertised in Lögbirtingarblaði, live for years after they have
have been settled with a financial institution or other parties. Requires its complainant
that the processing will be stopped and registration in Creditinfo's default register will be stopped unless
the person registered is her home. Wishes complaining
also after receiving information on the method used for calculations
on his credit rating. It will not be seen what quality control is going on already
credit rating calculations are performed. Then it is reprehensible to use information about
defaults that have long since been settled in this way against interests
of the individual. The complainant was in no way able to influence
calculations or receive information in a transparent way about how it was calculated
was that he had the credit rating that Creditinfo had sold to a third party
party. 3. Perspectives
Creditinfo Lánstraust hf. Creditinfo refers to
that according to Act no. 33/2013 on consumer loans, great emphasis is placed on doing so
is a reliable credit rating in the run-up to the consumer loan agreement and reports
Creditinfo is intended to be useful in preparing such an assessment. Privacy has
consider that it does not constitute an unauthorized disclosure of information
default claims that have been submitted, that they affect the outcome
credit rating reports, within the time limits provided by Creditinfo's operating license, provisions
Act on Personal Data Protection and Processing of Personal Data no. 90/2018 and provisions
of Regulation no. 246/2001 set, provided that the information itself is available
does not reach the recipients of the assessment. It is referred to that in para. Articles 2.7. í
the current operating license of Creditinfo from 29 December 2017 (case no. 2017/1541), which
was renewed on 28 June 2019 (case no. 2019/1202), is discussed
deletion of information. It states, among other things, that information on
individual debts are known to have been repaid. Then it should be deleted
information from the register when they are four years old. In the article replaced
also stated that the company may store information for an additional three years and may
use the information to comply with requests from registered individuals
knowledge of the processing of personal information about themselves and to resolve disputes about
the validity of the registration. A maximum of four years have elapsed since registration
information on the default register may also be used for preparation
credit rating at the request of the data subject, provided that no information is provided
the requirements themselves only hold statistical results, cf. Paragraph 2
Articles 2.7. The previous registrations which had affected the complainant's credit rating,
at the time the complaint was filed, was dated 27 June 2017
and June 14, 2018 and therefore be less than four years old. Credit rating
Creditinfo assesses the probability of default and registration in the default register for the next twelve
months. The statistical prediction of future events must be based on historical
information such as the return and payment history. No default information
and the history of payment in the past does not affect the credit rating is the basis
pulled away from the usefulness of the assessment. Such an assessment would not satisfy the provisions of Article 5.
Act no. 33/2013 on consumer loans and would run counter to comments on Article 10. í
a bill that became that law, which states that a credit rating can
among other things, based on punctuation and payment history. It has proven to be historic
information on returns, defaults and payment history has great predictive value
probability of default in the future. II.Conditions
and conclusion1. Scope
Guarantor Scope of Act no.
90/2018, on the protection of personal data and the processing of personal data, and Regulation (EU)
2016/679, Coll. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf.
Paragraph 1 Article 39 of the Act, covers the processing of personal information that is automatic
part or whole and processing by methods other than automatic on
personal information that is or should be part of a file. For personal information
information about an identified or personally identifiable individual and
an individual is considered personally identifiable if it is possible to personally identify him / her directly
or indirectly, by reference to his identity or one or more elements which
are characteristic of him, cf. 2. tölul. Article 3 of the Act and point 1. Article 4
of the Regulation.With processing means
in an action or sequence of actions in which personal information is processed, either
which the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2.
Article 4 of the Regulation.This case relates to
processing of the complainant's personal data when preparing his credit rating
Creditinfo. In that respect
and having regard to the above provisions, this case concerns processing
personal information that falls within the competence of the Data Protection Authority. There is also a complaint
request information on the method used to calculate credit ratings
complainant. In that regard, it is worth looking at
The tasks of the Data Protection Authority are described in more detail in Article 39. Act no. 90/2018 and according to
therefore, the agency monitors that processing complies with Act no. 90/2018 and
Regulation (EU) 2016/679, special provisions in laws concerning the processing of personal data
and other rules on the subject. With reference to this, cf. also justification in
ruling of the Data Protection Authority, dated 11 September 2020, in case no.
2020010592, will not be seen for inspection
The Data Protection Authority will review the mathematical calculation formula and
Creditinfo's probability assessment in connection with the calculation of individuals' credit ratings.
That part of the complaint must therefore be considered to fall outside the scope
of the Data Protection Act and thus the authority of the Data Protection Authority. However, it does fall into place
the role of the Data Protection Authority is to assess the proposed criteria
basis for making credit ratings for individuals, such as whether Creditinfo is
may use information on previous registrations in the default register. The person responsible
that the processing of personal information complies with Act no. 90/2018 is mentioned
responsible party. According to point 6. Article 3 of the Act refers to an individual,
a legal entity, government authority or other party that decides alone or in cooperation with others
purpose and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation.
Creditinfo has over
to employ information systems on financial matters and creditworthiness and work with
information in them in order to communicate them to subscribers. That processing is on
Creditinfo's responsibility and the company is therefore considered to be responsible for that processing
which consisted of the use of the complainant's information recorded there
made the company's reports on the assessment of the complainant's credit rating. 2. Operating license
Creditinfo Lánstraust hf. Operation of a financial information office and processing of relevant information
financial issues and creditworthiness of individuals and legal entities, incl. default registration
and the preparation of credit ratings, in order to communicate them to others, shall be subject to authorization
Privacy, cf. Paragraph 1 Article 15 Act no. 90/2018. Creditinfo's activities
is largely covered by this provision and has been granted by the Data Protection Authority
the company has an operating license in accordance with it, cf. now in terms of individuals
Creditinfo's operating license for the processing of financial information and
credit, dated. 29 December 2017 (case no. 2017/1541 with the Data Protection Authority).
The Data Protection Authority has also granted the company an operating license for processing
information on legal entities, dated 23 December 2016 (case no. 2016/1822 at
Privacy), and temporary operating licenses for the processing of personal information in
in favor of a credit rating, dated 23 August 2018 (case no. 2018/1229 at
Privacy). 3. Legality of processing All processing of personal information must be covered
any of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 of the Regulation
(ESB) 2016/679. These include point 6. of the provision, cf. point e of the first paragraph. Article 6
of the Regulation, which states that the processing of personal data is permitted if
it is necessary for legitimate interests as a guarantor or third party
may except the interests or fundamental rights and freedoms of the data subject which require
protection of personal data is more important. The Data Protection Authority considers this provision to be applicable
on the processing of personal information that takes place in Creditinfo's information systems in
in connection with the preparation of reports on the complainant's credit rating. In addition to the authorization according to the above, there will be processing
personal data to comply with the principles of the first paragraph. Article 8 Act no. 90/2018. Er
among other things, it stipulates that personal information must be processed legally,
fair and transparent to the data subject (point 1); that they should
obtained for clearly stated, legitimate and objective purposes and not processed
rather for other and incompatible purposes (paragraph 2); that they should be
adequate, appropriate and not in excess of what is necessary for the purpose
of processing (point 3); and that they should be reliable and updated accordingly
needs (point 4) In the light of the above, it should be borne in mind that
Privacy has several times before taken the position that Creditinfo has
may use information on previous entries in the default register
preparation of credit ratings for individuals. Please refer to it for a ruling
Privacy, dated 11 September 2020, in case no. 2020010592, where
the agency came to the conclusion that Creditinfo was allowed to use
information on entry in the company's default register when preparing credit rating reports
the complainant, for a maximum of four years from the registration of that information, cf. provisions
in Creditinfo's operating license thereon. Regarding the rationale of the Data Protection Authority
In this regard, reference is made to the above-mentioned ruling of the institution, which the Data Protection Authority considers
the same views apply in the case at hand. The complaint also comments that it has not
if the complainant's asset position is taken into account when making a credit rating with Creditinfo.
In this connection, it is to be considered that the Data Protection Authority has previously taken that position
that Creditinfo was not obliged by law to look at income and assets
individuals when preparing reports on the creditworthiness of individuals. Refer to it
ruling of the Data Protection Authority, dated 22 June 2020, in case no. 2020010678 and
ruling, dated 11 September 2020, in case no. 2020010592. Regarding
the reasoning of the Data Protection Authority in this regard refers to the above rulings
of the institution, but the Data Protection Authority considers the same views to apply in this case. Regarding the complainant's requirements for the processing of information on
he at Creditinfo will be suspended and registration on the company's default register
will be stopped unless he authorizes it to be considered by the Data Protection Authority
previously ruled that such a claim cannot be met. Refer to it and
justification for the ruling of the Data Protection Authority, dated January 25, 2016, in case
no. 2015/1457, but the Agency considers the same views to apply in this case. In view of the above, the conclusion of the Data Protection Authority is that
Creditinfo's processing of information on the complainant's previous entries in the default register
in making a credit rating of him has complied with Act no. 90/2018, on privacy
and processing of personal information. Ú r s k u r
ð a r o r ð: Creditinfo processing
Lánstraust hf. on personal information about [A] for the purpose of reporting on
his credit rating complied with Act no. 90/2018, on personal data protection and processing
personal data, and Regulation (EU) 2016/679. In Privacy, March 18, 2021Helga
Þórisdóttir Helga Sigríður Þórhallsdóttir