Persónuvernd - 2020031243
| Persónuvernd - 2020031243 | |
|---|---|
 | |
| Authority: | Persónuvernd (Iceland) |
| Jurisdiction: | Iceland |
| Relevant Law: | Article 8 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 07.04.2021 |
| Published: | 15.04.2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 2020031243 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Icelandic |
| Original Source: | Personuvernd (in IS) |
| Initial Contributor: | n/a |
The Icelandic DPA held that a primary school was not permitted to disclose information about a child to a consulting company after termination of collaboration.
English Summary
Facts
On March 21, 2020, the DPA received a complaint that a primary school had sent an e-mail containing sensitive information about a child to a counseling company after the school's partnership with the company ended.
According to the complainant, the company KVAN was hired by a school to work on the bullying case of the complainants’ child. The municipality’s education department and the complainant decided that the school's bullying team would take over the case from KVAN and that the company would not be further involved in the case.
Three weeks after that decision, a KVAN employee sent an e-mail to a school employee asking about the status of the complainant's child. On the same day, an employee of the school replied to the e-mail and provided information on the status of the case, without the complainants' consent. The e-mail contained the child's name and sensitive personal information about it. The complainants only became aware of this after requesting access to all data about themselves and their child at the school.
According to the school, the employee that had replied to KVAN’s e-mail had not been aware that the collaboration with the company had been terminated and he had therefore been in good faith in his communication. The e-mail did not contain any new personal information that the KVAN employee in question was not already aware of. Despite this, the municipality has apologized to the complainants.
Dispute
Holding
The DPA found school’s behavior reprehensible in light of the nature of the documents in question that the school did not ensure that all employees who were involved in the complainant's child's case were informed that the termination of collaboration with KVAN. The fact that the recipient of the e-mail had already been informed of the case and therefore it was not new information except to a limited extend did not matter.
The DPA considered that there was no authorization for the school to pass on personal information about the complainant's child to the consulting company KVAN after the collaboration with it ended. For that reason alone, the DPA held that the processing of personal information about the complainant's child was not in accordance with Act no. 90/2018 on personal protection and processing of personal information and GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Creditinfo processing
Lánstraust hf. in connection with the preparation of credit reports
Case no.
2020010708
27.4.2021
Privacy has ruled that
Creditinfo has been authorized to use information on previous registrations on defaults in the preparation of credit ratings for individuals with reference to previous precedents on the same subject. Furthermore, the Data Protection Authority ruled that Creditinfo did not required by law to consider the income and assets of individuals in making reports on the credit rating of individual data Privacy can not be met the complainant's request that the processing of information about him by Creditinfo be stopped and registration of the company's default register would be terminated unless he authorized it.
Ruling
On March 18, 2021, the Data Protection Authority issued a ruling in case no. 2020010708 (former case no. 2019122373): I. Proceedings 1. Abstract case On December 18, 2019, the Data Protection Authority received a complaint from [A] (hereinafter) complainant) over the processing of personal information about him by Creditinfo Lánstraust hf. (Creditinfo) in connection with the preparation of reports on his credit rating. By e-mail, dated April 14, 2020, the Data Protection Authority requested further information information from the complainant. The complainant's reply was received by e-mail the same day. With letter, dated. June 23, 2020, the Data Protection Authority requested further information from complainant. The complainant's reply was received by two emails on 7 July 2020 and 3. October s.á. By letter dated November 2, 2020, Creditinfo was notified of the above complaint and given the opportunity to comment on it. Creditinfo's reply was received Privacy 23 November s.á. All of the above have been taken into account in resolving the case data, although not all of them are specifically described in the following ruling. The handling of this case has been delayed due to heavy work at the Data Protection Authority. 2. Perspectives complainantComplains about it that Creditinfo stores and uses information about the complainant's previous defaults to Arion Bank when preparing credit rating reports for four years registration, even though they have long been settled. Creditinfo does not accept based on solvency and solvency, incl. the complainant's equity position at that time as credit rating reports are retrieved from Creditinfo's system financial institutions and other parties. The complainant states that he has requested correction of the assessment, but Creditinfo aims to preserve these information, through Arion Bank. The complainant considers that information about his previous defaults is unreliable and misleading. He refers to that can not be considered normal to defaults, which were not due bankrupt or advertised in Lögbirtingarblaði, live for years after they have have been settled with a financial institution or other parties. Requires its complainant that the processing will be stopped and registration in Creditinfo's default register will be stopped unless the person registered is her home. Wishes complaining also after receiving information on the method used for calculations on his credit rating. It will not be seen what quality control is going on already credit rating calculations are performed. Then it is reprehensible to use information about defaults that have long since been settled in this way against interests of the individual. The complainant was in no way able to influence calculations or receive information in a transparent way about how it was calculated was that he had the credit rating that Creditinfo had sold to a third party party. 3. Perspectives Creditinfo Lánstraust hf. Creditinfo refers to that according to Act no. 33/2013 on consumer loans, great emphasis is placed on doing so is a reliable credit rating in the run-up to the consumer loan agreement and reports Creditinfo is intended to be useful in preparing such an assessment. Privacy has consider that it does not constitute an unauthorized disclosure of information default claims that have been submitted, that they affect the outcome credit rating reports, within the time limits provided by Creditinfo's operating license, provisions Act on Personal Data Protection and Processing of Personal Data no. 90/2018 and provisions of Regulation no. 246/2001 set, provided that the information itself is available does not reach the recipients of the assessment. It is referred to that in para. Articles 2.7. í the current operating license of Creditinfo from 29 December 2017 (case no. 2017/1541), which was renewed on 28 June 2019 (case no. 2019/1202), is discussed deletion of information. It states, among other things, that information on individual debts are known to have been repaid. Then it should be deleted information from the register when they are four years old. In the article replaced also stated that the company may store information for an additional three years and may use the information to comply with requests from registered individuals knowledge of the processing of personal information about themselves and to resolve disputes about the validity of the registration. A maximum of four years have elapsed since registration information on the default register may also be used for preparation credit rating at the request of the data subject, provided that no information is provided the requirements themselves only hold statistical results, cf. Paragraph 2 Articles 2.7. The previous registrations which had affected the complainant's credit rating, at the time the complaint was filed, was dated 27 June 2017 and June 14, 2018 and therefore be less than four years old. Credit rating Creditinfo assesses the probability of default and registration in the default register for the next twelve months. The statistical prediction of future events must be based on historical information such as the return and payment history. No default information and the history of payment in the past does not affect the credit rating is the basis pulled away from the usefulness of the assessment. Such an assessment would not satisfy the provisions of Article 5. Act no. 33/2013 on consumer loans and would run counter to comments on Article 10. í a bill that became that law, which states that a credit rating can among other things, based on punctuation and payment history. It has proven to be historic information on returns, defaults and payment history has great predictive value probability of default in the future. II.Conditions and conclusion1. Scope Guarantor Scope of Act no. 90/2018, on the protection of personal data and the processing of personal data, and Regulation (EU) 2016/679, Coll. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal information that is automatic part or whole and processing by methods other than automatic on personal information that is or should be part of a file. For personal information information about an identified or personally identifiable individual and an individual is considered personally identifiable if it is possible to personally identify him / her directly or indirectly, by reference to his identity or one or more elements which are characteristic of him, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.With processing means in an action or sequence of actions in which personal information is processed, either which the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.This case relates to processing of the complainant's personal data when preparing his credit rating Creditinfo. In that respect and having regard to the above provisions, this case concerns processing personal information that falls within the competence of the Data Protection Authority. There is also a complaint request information on the method used to calculate credit ratings complainant. In that regard, it is worth looking at The tasks of the Data Protection Authority are described in more detail in Article 39. Act no. 90/2018 and according to therefore, the agency monitors that processing complies with Act no. 90/2018 and Regulation (EU) 2016/679, special provisions in laws concerning the processing of personal data and other rules on the subject. With reference to this, cf. also justification in ruling of the Data Protection Authority, dated 11 September 2020, in case no. 2020010592, will not be seen for inspection The Data Protection Authority will review the mathematical calculation formula and Creditinfo's probability assessment in connection with the calculation of individuals' credit ratings. That part of the complaint must therefore be considered to fall outside the scope of the Data Protection Act and thus the authority of the Data Protection Authority. However, it does fall into place the role of the Data Protection Authority is to assess the proposed criteria basis for making credit ratings for individuals, such as whether Creditinfo is may use information on previous registrations in the default register. The person responsible that the processing of personal information complies with Act no. 90/2018 is mentioned responsible party. According to point 6. Article 3 of the Act refers to an individual, a legal entity, government authority or other party that decides alone or in cooperation with others purpose and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. Creditinfo has over to employ information systems on financial matters and creditworthiness and work with information in them in order to communicate them to subscribers. That processing is on Creditinfo's responsibility and the company is therefore considered to be responsible for that processing which consisted of the use of the complainant's information recorded there made the company's reports on the assessment of the complainant's credit rating. 2. Operating license Creditinfo Lánstraust hf. Operation of a financial information office and processing of relevant information financial issues and creditworthiness of individuals and legal entities, incl. default registration and the preparation of credit ratings, in order to communicate them to others, shall be subject to authorization Privacy, cf. Paragraph 1 Article 15 Act no. 90/2018. Creditinfo's activities is largely covered by this provision and has been granted by the Data Protection Authority the company has an operating license in accordance with it, cf. now in terms of individuals Creditinfo's operating license for the processing of financial information and credit, dated. 29 December 2017 (case no. 2017/1541 with the Data Protection Authority). The Data Protection Authority has also granted the company an operating license for processing information on legal entities, dated 23 December 2016 (case no. 2016/1822 at Privacy), and temporary operating licenses for the processing of personal information in in favor of a credit rating, dated 23 August 2018 (case no. 2018/1229 at Privacy). 3. Legality of processing All processing of personal information must be covered any of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 of the Regulation (ESB) 2016/679. These include point 6. of the provision, cf. point e of the first paragraph. Article 6 of the Regulation, which states that the processing of personal data is permitted if it is necessary for legitimate interests as a guarantor or third party may except the interests or fundamental rights and freedoms of the data subject which require protection of personal data is more important. The Data Protection Authority considers this provision to be applicable on the processing of personal information that takes place in Creditinfo's information systems in in connection with the preparation of reports on the complainant's credit rating. In addition to the authorization according to the above, there will be processing personal data to comply with the principles of the first paragraph. Article 8 Act no. 90/2018. Er among other things, it stipulates that personal information must be processed legally, fair and transparent to the data subject (point 1); that they should obtained for clearly stated, legitimate and objective purposes and not processed rather for other and incompatible purposes (paragraph 2); that they should be adequate, appropriate and not in excess of what is necessary for the purpose of processing (point 3); and that they should be reliable and updated accordingly needs (point 4) In the light of the above, it should be borne in mind that Privacy has several times before taken the position that Creditinfo has may use information on previous entries in the default register preparation of credit ratings for individuals. Please refer to it for a ruling Privacy, dated 11 September 2020, in case no. 2020010592, where the agency came to the conclusion that Creditinfo was allowed to use information on entry in the company's default register when preparing credit rating reports the complainant, for a maximum of four years from the registration of that information, cf. provisions in Creditinfo's operating license thereon. Regarding the rationale of the Data Protection Authority In this regard, reference is made to the above-mentioned ruling of the institution, which the Data Protection Authority considers the same views apply in the case at hand. The complaint also comments that it has not if the complainant's asset position is taken into account when making a credit rating with Creditinfo. In this connection, it is to be considered that the Data Protection Authority has previously taken that position that Creditinfo was not obliged by law to look at income and assets individuals when preparing reports on the creditworthiness of individuals. Refer to it ruling of the Data Protection Authority, dated 22 June 2020, in case no. 2020010678 and ruling, dated 11 September 2020, in case no. 2020010592. Regarding the reasoning of the Data Protection Authority in this regard refers to the above rulings of the institution, but the Data Protection Authority considers the same views to apply in this case. Regarding the complainant's requirements for the processing of information on he at Creditinfo will be suspended and registration on the company's default register will be stopped unless he authorizes it to be considered by the Data Protection Authority previously ruled that such a claim cannot be met. Refer to it and justification for the ruling of the Data Protection Authority, dated January 25, 2016, in case no. 2015/1457, but the Agency considers the same views to apply in this case. In view of the above, the conclusion of the Data Protection Authority is that Creditinfo's processing of information on the complainant's previous entries in the default register in making a credit rating of him has complied with Act no. 90/2018, on privacy and processing of personal information. Ú r s k u r ð a r o r ð: Creditinfo processing Lánstraust hf. on personal information about [A] for the purpose of reporting on his credit rating complied with Act no. 90/2018, on personal data protection and processing personal data, and Regulation (EU) 2016/679. In Privacy, March 18, 2021Helga Þórisdóttir Helga Sigríður Þórhallsdóttir
