Persónuvernd - 2020010738

Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law:
Type: Complaint
Outcome: Rejected
Decided: 12.03.2020
Published: 25.03.2020
Fine: None
Parties: Creditinfo Lánstraust
National Case Number/Name: 2020010738
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: DPA Webpage (in IS)
Initial Contributor: n/a

Icelandic DPA held that a credit report agency lawfully processed the personal data of the complainant.

English Summary

Facts

The Icelandic credit report agency "Lánstraust" is the data controller. The complainant had debts in the past which he paid. Therefore, he argues that the data controller is not authorized to use his payment history information when making a credit rating.

Dispute

Whether the data controller was lawfully processing payment history data of the complainant.

Holding

The DPA held that the data controller was authorized to process the payment history data on the basis of legitimate interests which outweigh the fundamental rights and freedoms of the data subject. The DPA emphasized that the issue in question is a matter of the implementation of the Data Protection Act and has been the subject of previously resolved cases. Further, applicable Icelandic law requires that a consumer's creditworthiness be assessed prior to the granting of a consumer loan and states, inter alia, that information from the financial information databases may be used for this purpose. According to the applicable law, the processing of such personal data is permitted for up to four years from the date of its registration.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


On 12 March 2020, the Data Protection Authority decided case No 2020010738 (ex 2018020224):

Complaint and facts

On 24 January 2018, the Data Protection Authority received a complaint from [A] (‘the applicant’) concerning the processing of his personal data by Creditinfo Lánstraust for credit ratings. It states that, for the period 27 February 2017 and January 2018 during the period between January and during the period during which a non-default was not in default, its credit assessments were identified as reduced between its credit ratings between February and 22 January.

At the same time, the complaint that an applicant has complied with all of its obligations over a period of hash of a period of four years, with the exception that there had been a outcome of the liability for fiscal training for the tax liability. Drawing up the financial training shall, however, in accordance with that agreement, draw up the debt and draw up the debt in accordance with that agreement. 
As in the notes, given the notes, in the notes, in the notes below, the investee’s credit ratings, which had been included in the company’s default of credit, a budget had been recorded on the company’s default results, but continue to have an impact on the applicant’s credit rating after derecognition following a payment of the liability.


By letter dated 15 February 2018, Creditinfo Lánstraust hf. was invited to provide explanations regarding the complaint. A reply was given by letter dated 1 March 2018. It states that, pursuant to Article 10 of Law No 33/2013 on consumer credit, the lender should make an assessment of the creditworthiness of the consumer prior to the conclusion of the consumer credit agreement. The Act addresses the implementation of credit ratings. The concept of credit rating is defined in point (k) of Article 5 of the Act as an assessment of the borrower’s creditworthiness based on information that is appropriate to provide reliable evidence of whether the borrower is able to conclude a credit agreement. At the same time, credit ratings should be based on a transaction history between parties and/or information obtained from databases on financial issues and creditworthiness. Regulation (EC) No 920/2013 on credit and payment assessments further addresses the issue of credit ratings, and Article 5 of that Regulation states that credit ratings should be based on commercial history between the lender and the borrower and/or information contained in their financial database and credit rating. Moreover, where there is no transaction history between the lender and the borrower, the lender may, with the consent of the borrower, cf. point 1 of paragraph 1 of Article 8 of Law No 77/2000 on data protection and the processing of personal data, base its assessment solely on the financial and credit databases of a third party.

Many creditors have not provided their own information in order to build a credit rating on which is not a to spread of business history in the expected borrower. Therefore, creditors should increasingly make use of a reliable statistical model that would assess the probability of a payment transaction and recording the default record for the following 12 months. The risk classes are displayed on a scale of type A E, where in A they are at least equal to the likelihood of a payment transaction than E, the highest likelihood of any payment falls. All persons aged 18 and over through the registered domicile in Iceland and without any active listing of credit ratings are given for the calculated and published credit ratings. The grounds for the credit rating are not disclosed to those that it applies but only the risk category of the prospective borrower. Customers of Creditfo creditworthiness of a hf. pension are only authorised to use the company’s credit assessments if the data subject has requested to have been registered and granted his or her consent to such processing. 

The credit assessment of professional appreciation hf. is based on data accessed by the company and may be used to prepare credit ratings at any given time. In the authorisation, the date. 29 December 2017 (Case No 2017/1541 in data protection) provides that the data from default files in favour of credit ratings may be used to the data subject’s request, provided that they are not disclosed with no information about the data requirements themselves but by a maximum period of four years from the record of the data, as per the subject. Article 2.7 (2) 

Of the availability of credit ratings and the use of credit ratings with regard to credit ratings which can be used to make credit ratings information about the historical default of winding among the most important determinants of the model but their weighting will increase the extent to which the information will be greater. The draft which became applicable under the law No 33/2013 states that one of those on which credit ratings can be based is a credit indicator and a payment history. 

Regularly updates of the assessment as a whole are subject to regular updates of its creditworthiness., as a whole, with updates of its reliability and updates, as far as possible, the significance of the individual components underlying the basis of which will reduce or increase. Following the ruling of the data protection in Case No 2016/1138, day. As of 28 September 2017, an update of the credit rating has undergone updating of the credit rating by which data protection has reached the conclusion that the use of knowledge about creditworthiness in terms of creditworthiness reporting was not in compliance with the preparation of the creditworthiness reports in accordance with the provisions of point 2. Paragraph 1. Article 7 of Law No 77/2000. Before this time, the consultation of personal credit ratings has been completed among the factors in the credit rating of persons, but there has been information that has provided at that time the company’s judgement about whether or not an individual would have a default in the next 12 months. Information on the consultation for collection purposes has been able to have a negative impact on a credit rating but also positive. The consultation of the consultation by the collecting party with strong evidence of default while at the same time would have the effect that the person who had not been consulted by the collecting party or for the collection has indicated that it is unlikely to be fully consulted for its obligations. 

The reason for a reduction in the credit rating of the complainant has been linked with the result of data protection in case No 2016/1138, that the weighting of past records of a default record has been increased in the assessment, i.e. that they can no longer be disclosed from those who would have left the record of their registration to the data default. In the case of a complainant indicator, the applicant has expressed its commitment that it has left the valuation, but is nevertheless reduced in the said period. You do not have the right to make use of information on payment history in the making of credit ratings and do not have access to such data. 

By letters dated 3 May 2018, 1 August 2018 and 3 October 2019, the applicant was given the opportunity to comment on the above explanations of Creditinfo Lánstraust. In the comments of the complainant, 18 October 2019, in particular, states that an applicant refuses to make a reliable judgment in the assessment of his/her knowledge about creditworthiness, including because of the fact that the company does not have information about the history of the natural persons. In the letter indicated in the letter that the applicant considers a single deviation of its finding when assessing its creditworthiness assessment with the company, and that it considers the company to consider its payment history with regard to its consideration. The letter also represents a general criticism of the functioning of Creditinfo Lánstraust.

Considerations and conclusion

Conflict of laws

This matter relates to a complaint concerning incidents which occurred prior to the entry into force, on 15 July 2018, of the present Act No 90/2018 on data protection and the processing of personal data. The examination and content of this ruling are therefore limited to the provisions of the earlier Law No 77/2000 on data protection and the processing of personal data, the rules of which are not subject to substantive amendment by Law No 90/2018.

Scope of Law No 77/2000 and issue

Law No 77/2000 applied to all electronic processing of personal data and to manual processing of personal data which were or were to be included in a register, cf. paragraph 1 of Article 3 of the Act. Personal data were defined in point 1 of Article 2 of the Act as any identified or identifiable information about the data subject, that is to say, information that was attributable directly or indirectly to a particular person, deceased or living. The concept of processing was defined as any operation or set of operations performed on personal data, whether manual or electronic, cf. point 2 of Article 2 of the Act.
There is evidence that reports of the identity credit of the complainant were used to include information about the inclusion of recorded hf. for financial issues and credit rating of individuals, i.e. such credit record to be registered. The above is clear that it concerns the processing of personal data regarding the complainant who is subject to data protection to data protection. 

Under Law No 77/2000, the person responsible for the processing of personal data was called the controller. According to point 4 of Article 2, this referred to the person who decided the purposes for which the personal data were processed, the equipment used, the method of processing and any other disposal of that information. In this case, Creditinfo Lánstraust hf. is considered to be the controller of the processing complained of, i.e. the processing of personal data in the preparation of credit ratings of the complainant.

On the obligation to obtain authorisation

The collection and recording of information relating to financial matters as well as to the creditworthiness of individuals for the purpose of providing them with the others, the authorisation of data protection needs to be used; Paragraph 1. Article 2 of Regulation No 246/2001 on the collection and dissemination of information on financial matters and of creditworthiness, set out in Article 45 of Law No 77/2000. The activities of validation hf. activities are largely covered by the above provisions and are granted a level of data protection granted to the undertaking by virtue of the current date. 29 December 2017 (Case 2017/1541). 

However, concerning the processing in question, paragraph 1 must be understood as a reference to paragraph. Article 1 of the said Regulation, which states that it does not include activities for issuing creditworthiness reports. This is not the case for such activities and is not covered by the said licence. However, it should be noted that information entered on the basis of the certificates may not make use of activities excluded from their scope, unless it is compatible with the applicable law, and given that no individual permit provision is therefore a road.

Lawfulness of processing

In this case it is necessary to include information about the creditworthiness report of the complainant if they have been reported on the basis of an authorisation to the registry’s operation on the basis of an authorisation to operate that record on the basis of the record that the liability had been committed. For this purpose, there was a need for use of the processing but could, in particular, therefore take account of point 7. Article 7 (1) of Law No 77/2000 on data protection and the processing of personal data that processing personal data may be processed on the basis of a legitimate interest which outweigh the fundamental rights and freedoms of the data subject. Otherwise, it shall be noted that the question of issue has already been the subject of data protection with regard to which the relevant facts were comparable and in the case in question. Please refer to this decision, date. 28 September 2017, in Case No 2016/1138 and decree, date. 31 May 2018, in Case 2017/537. In the said rulings, reference was made, inter alia, to the provisions on deletion of registered information that are the purpose of that processing in the event of a period of validity of all processing which was in force when that processing was made to the case. These provisions are comparable to Article 2.7 of the current authorisation day. 29. December. (case No 2017/1541). 

The said data protection was also referred to in paragraph 3. Article 5 of Regulation No 246/2001 on the collection and dissemination of information on financial matters and of creditworthiness, cf. Whereas Article 45 of Law No 77/2000 allows for information which is no longer to be communicated to subscribers may nevertheless be preserved on the basis of a specific authorisation. In this connection, such authorisation had been given to Creditto fo creditworthiness of hf., i.e. for three years ancillary retention, including through the settlement of disagreements that may arise over the reasonableness of its inclusion. In addition, provision was made in the Law No 33/2013 on consumer credit, namely, point (i) (now subparagraph (k)) of Articles 5 and 10 which require a credit assessment for a consumer before a consumer credit is granted and also states that information from the databases of financial information files may be used for that purpose. In that respect, the provisions of Directive 2008/48/EB on consumer credit agreements focusing on the provision of credit granting services pursuant to the Directive should also be made clear that credit under the Directive should not be provided without prior assessment of creditworthiness and that the means necessary to impose the sanctions on creditors should be determined. 
With reference to this notes in the judgment in question:

‘For the purposes of this, it is clear that high levels of credit ratings are made to provide a reliable credit rating over the leading to a consumer credit agreement. As well as, similarly, reported hf reports should also be available for reporting in the preparation of such assessments. Moreover, the disclosure of information on default requirements established in return shall not be considered as affecting the outcome of the creditworthiness reports, provided that the information itself is not received from the recipients. In this regard, the data protection from the processing hf. for that information about derecognised transactions is considered as relevant for that period and carried out during the period of validity of the said authorisation, taking into account that information about derecognised transactions. Until 28 December 2015, the said provisions have been adopted by 7 December. Paragraph 1. Article 8 of Law No 77/2000, in addition, the institution finds that the requirements of other provisions of the Act have not been complied with, including paragraph 1. Article 7 of the same Code of fairness, proportionality, reliability and retention period of the processing of personal data. Thus the processing has to be deemed to have been compatible with the law. 

Secondly, it is considered that the operations in question are deemed to have been allowed after the current authorisation period and the date of authorisation. 28 February 2017 (Case 2016/1626), became applicable. In providing this, the foregoing considerations were attributed, as outlined in Article 2.7, of the authorisation addressed to the deletion of information. Whereas, in particular, the fact that an indication of individual liabilities should be deleted, and in addition to the reasons for the deletion of data relating to the credit quality of the other listed information at a time of four years of age; Although information may be stored for an additional period of not more than three years, provided that it is subject to strict access restrictions and in the event of no access to persons other than those to whom the necessary professional needs to do so. In the course of its maintenance, they may be used to accede to requests from data subjects on the processing of personal data relating to the processing of their personal data and in order to [...] settle disagreements on the validity of the registration. A maximum of four years from the date of registration of the data may also make the use made of credit ratings for the purpose of making a request from the data subject, without prejudice to any information concerning the data subject themselves, but may not only have statistical results. No other use of the information is permitted.’

A level of data protection to be satisfied is the same as that in which case the case is present in the present case. There is a lack of compliance with the authorisation order and the date of application of this Article in order to comply with this Article; 29 December 2017, arising from the referenced text. In view of the fact, as well as by reference to the earlier of the resulting legal and regulatory provisions, the act concerned considers that information about the derecognised entry in respect of a register under authorisation had been duly authorised under the said provisions of point 7. Paragraph 1. Article 8 of Law No 77/2000. 

It is clear that processing had to be compatible with the basic rules of paragraph 1. Article 7 of the same law, including that the personal data of the obligation to be reliable, and updated as necessary, and that personal data that would be inaccurate or incomplete function relative to the purposes for which they are processed should be erased or corrected; Point (4) of the provision. A data protection level does not consider that the provisions have been infringed. Also, the Authority considers that processing has been in conformity with the laws in question, in other respects. 

Ruling:

The processing of personal data relating to [A] in connection with reports on his creditworthiness was in conformity with Law No 77/2000 on data protection and the processing of personal data.