Persónuvernd - nr. 2020010678

From GDPRhub
Persónuvernd - nr. 2020010678
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1) GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Rejected
Decided: n/a
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: nr. 2020010678
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) ruled that a credit agency (Creditinfo) is permitted to use information on the complainant's previous entries in the default register when preparing reports on the complainant's credit rating.


English Summary[edit | edit source]

Facts[edit | edit source]

The complainant filed a complaint with the Persónuvernd because their personal data was processed by a credit agency for the purpose of making a report on the complainant's creditworthiness. The complainant argued that because Creditinfo's rating was based on, among other things, information that was up to four years old, including information on the complainant's temporary financial difficulties, the processing involved in the making of the rating did not comply with data protection rules. Creditinfo disputed this argument.


Dispute[edit | edit source]

Was the processing by Creditinfo a violation of the GDPR?

Holding[edit | edit source]

The Persónuvernd held that the processing was lawful for several reasons. Regarding the GDPR, it held that Article 6(1)(f) applied as a lawful basis for the processing, on the basis that Creditinfo had a legitimate interest in processing the information for the preparation of a report on the complainant's credit rating. It also held that the Article 5(1) principles of transparency, purpose limitation and data minimisation were not violated in this case.

The Persónuvernd also cited several of its earlier decisions where it also decided that Creditinfo was allowed to use information on the entry in the company's default register when preparing reports on the complainants' credit ratings, for four years from the registration of such information.

Comment[edit | edit source]

The previous rulings by the Persónuvernd that were cited include the following:

  • case no. 2016/950
  • case no. 2016/580
  • case no. 2016/1138
  • case no. 2017/537.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Processing of Creditinfo Lánstraust hf. on information on previous entries in the default register when preparing reports on the complainant's credit rating

08/17/2020

The Data Protection Authority has ruled that Creditinfo Lánstrausti hf. had been allowed to use information on the complainant's previous entries in the default register when preparing reports on the complainant's credit rating. The Data Protection Authority referred to the fact that the institution had previously taken a position on the issue in question with rulings, cf. in this connection ruling, dated. 26 January 2017, in case no. 2016/950, ruling, dated 6 December 2016, in case no. 2016/580, ruling, dated 28 September 2017, in case no. 2016/1138 and ruling, dated 31 May 2018, in case no. 2017/537. In all the above rulings, the Data Protection Authority considered that Creditinfo was allowed to use information on the entry in the company's default register when preparing reports on the complainants' creditworthiness, for four years from the registration of such information. The Data Protection Authority considered that the same arguments applied in this case and therefore the processing was permitted with reference to point 6. Article 9 Act no. 90/2018. The Data Protection Authority did not consider that the law requires Creditinfo to take into account information on individuals' income and assets when preparing reports on creditworthiness of individuals, but it is rather up to the lender in question to take such information into account when examining the borrower's solvency. credit assessment. Finally, the Data Protection Authority considered that the processing had not violated the principles of Article 8. Act no. 90/2018.
ruling


On 22 June 2020, the Data Protection Authority issued a ruling in case no. 2020010678 (formerly 201901852):
I.
procedures
1.

Complaints and correspondence

On October 3, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) regarding the processing of personal information by Creditinfo Lánstraust hf. (Creditinfo) for the benefit of a report on creditworthiness.

By letter dated On 9 November 2019, Creditinfo was invited to submit objections to the complaint. Creditinfo's reply letter was received by the Data Protection Authority on 28 November.

By letter dated On 4 December 2019, the complainant was invited to comment on Creditinfo's answers. The complainant's replies were received by e-mail the same day.

In resolving the case, all the above-mentioned documents have been taken into account, although not all of them have been prepared in a particularly detailed manner.
2.

The complainant's views

The complaint alleges that although the complainant experienced temporary difficulties, he always paid his debts without final enforcement, he never went bankrupt, owned real estate directly or indirectly through holding companies for about thirty years, had a high financial income. in 2018 and that no defaults have been recorded on it in Creditinfo's data. Despite the above, he had a registered credit rating almost all of 2019 in category D, which excludes almost all bank facilities. Registration has changed at the end of September. in category C3 that there is a possible likelihood of default and that this registration exists despite the fact that there is no information on default or obligations on which to base such information.

The complainant points out that according to information from Creditinfo, the company's credit rating is based, among other things, on older information or up to four years back in time. The complainant considers that the above does not comply with the rules on personal data protection, as it is normal for the assessment to be based on the most accurate information at any given time.

With reference to the above, Creditinfo's procedure for processing credit ratings is complained about and the Data Protection Authority is required to ensure that when issuing Creditinfo's operating license, new information is used as a basis for processing the complainant's credit rating, limits how old information may affect the rating and may not be to register a person with no arrears and a person who does not have loan agreements or debts in arrears below a certain category.

The complainant considers that the Data Protection Authority must first ensure transparency in the processing of credit ratings so that they are available; what information may be used, in what manner and how old information may be used and, secondly, what effect the payment of claims or defaults shall have on the preparation of a credit rating.
3.

Creditinfo's views

Creditinfo reviews the obligations imposed on lenders according to Act no. 33/2013 on consumer loans, which, among other things, aims to prevent lending to individuals who are likely to fall into arrears. Creditinfo points out that lenders should have a responsible lending policy and use reliable information to prevent over-indebtedness of individuals, which is reflected in arrears and write-offs of claims. The above views are reflected in Article 10. of the Act, which specifies the principle that a lender is not permitted to grant a loan if a credit rating and / or payment assessment indicates that the borrower does not have the financial means to repay the loan.

Creditinfo refers to the fact that in Art. Regulation on credit ratings and credit ratings no. 920/2013 states that a credit rating shall be based on the business history between the lender and the borrower and / or information from a database on financial matters and creditworthiness. It further states that in cases where there is no business history to be distributed between the lender and the borrower, the lender may, with the consent of the borrower, base its assessment solely on information from a third-party database on financial matters and creditworthiness.

In the letter, Creditinfo discusses the changes that have taken place in the credit market in recent years in such a way that more parties offer consumers access to credit. In many cases, there is therefore almost no business history to be distributed by the lender and to fulfill its legal obligation according to Art. According to the Consumer Credit Act, a lender must seek information from a database on financial matters and creditworthiness, obtain public information and, as the case may be, request further information from the borrower with his consent, cf. what is said in Article 5. of the Regulation on credit ratings and credit ratings. The lender is required to use reliable information to assess creditworthiness, so it is clear that credit ratings must be based on data and information that can reliably assess the likelihood that the borrower in question will be able to meet its obligations. Both lenders and borrowers have an interest in the information and data used to assess creditworthiness being as detailed and objective as possible.

Creditinfo bases the processing of a credit rating on the authorization in point 1. Article 9 Act no. 90/2018, but Creditinfo subscribers cannot obtain a credit rating without the consent of the individual in question.

Creditinfo refers to the fact that the company's credit rating assesses the probability of default and registration in the default register for the next twelve months. Those who have an active registration in the default register will therefore not receive a credit rating. Creditinfo considers that the complainant's assertion that he was allowed to endure a registration that still exists despite the fact that no obligations existed, was incorrect, as the registrations were deregistered from the default register. Information on previous entries in the default register, which affects the credit rating, is, however, available to individuals, e.g. inside the service website mitt.creditinfo.is. The individual can only obtain the information himself, but the lender who applies for a credit rating on the basis of approval will only receive information on the risk category and percentage that indicates the probability of defaulting over the next twelve months.

Creditinfo discusses that the company is authorized according to Article 2.7. in its operating license to use previous registrations in making a credit rating for up to four years from registration. Information on historical defaults is one of the most important variables in the model and has a high predictive value, but its weight decreases as the information gets older.

It is pointed out that, as stated in Creditinfo's answers to the complainant's ombudsman at the beginning of October 2019, historical defaults were one of the main influencing factors in the complainant's credit rating at that time. Due to the comments of the complainant's ombudsman in a complaint to the Data Protection Authority and in communication with Creditinfo that no income was taken into account when making the credit rating, it is stated that Creditinfo does not have access to such information but such information is collected by lenders perform, as well as perform or apply for a credit rating, cf. Article 10 Act no. 33/2013, the loan amount exceeds certain amount limits. As stated in the explanatory memorandum to the Act, the lender with a credit rating shall seek to verify the borrower's ability to pay, but the willingness to pay with a credit rating, and in that rating, e.g. look at efficiency and payment history.

With reference to the above, Creditinfo considers that the company has complied with the provisions of the operating license issued by the Data Protection Authority, the Act on Personal Data Protection and the Processing of Personal Data, as well as rules set on the basis of that Act.

II.
Assumptions and conclusion
1.

Scope - Responsible party

Scope of Act no. 90/2018, on personal data protection and processing, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is automatic in part or in full and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 Regulation.

Processing refers to an operation or series of operations in which personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 Regulation.

This case concerns the processing of personal information about the complainant in the preparation of a credit report on him. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 Regulation. As such, Creditinfo Lánstraust hf. be responsible for the processing complained of, ie. processing of personal information in the preparation of a credit rating of the complainant.
2.

The operating license of Creditinfo Lánstraust hf.

Operation of a financial information office and processing of information concerning the financial affairs and creditworthiness of individuals and legal entities, incl. defaults and the preparation of credit ratings, in order to communicate them to others, shall be subject to the permission of the Data Protection Authority, cf. Article 15 Act no. 90/2018. Creditinfo's operations are to a large extent covered by the above provision and the Data Protection Authority has granted the company an operating license in accordance with that, cf. now the operating license of Creditinfo Lánstraust hf. for the processing of information about individuals, dated 29 December 2017 (case no. 2017/1541) and now a temporary operating license for the processing of personal information for the purpose of making a credit rating, dated 23 August 2018 (case no. 2018/1229).

It should be noted that the reference to Art. Act no. 90/2018 for the processing of information that takes place during the preparation of a credit rating and that such processing must be based on a license from the Data Protection Authority is a novelty and was not found in a comparable provision of the then applicable Act no. 77/2000 on personal protection and handling of personal information. Regulation no. 46/2001 on the collection and dissemination of information on financial matters and creditworthiness, which was established on the basis of Article 45. Act no. 77/2000, only for processing for the purpose of disseminating information to others on financial matters and creditworthiness and therefore does not cover activities that involve the publication of credit rating reports. However, the above-mentioned temporary license does not change the fact that Creditinfo must still ensure that the information registered on the basis of operating licenses granted by the Data Protection Authority may not be used for the purpose of making a credit rating in a way that violates issued licenses or applicable law in general. .
3.

Legality of processing

In this case, it is being examined whether, in preparing the complainant's creditworthiness reports, Creditinfo could have used information on the entry in the company's default register that had been deleted from that register on the basis of a license to operate the register for the reason that the debt had been repaid. In this connection, it is also examined what significance the complainant's income and his current position have in general in Creditinfo's credit rating of the complainant.

All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018. These include point 6. Article 9 of the Act, cf. point e of the first paragraph. Article 6 of the Regulation, which states that the processing of personal data is permitted if it is necessary due to the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh. The Data Protection Authority considers this provision to apply to the processing of personal information that takes place in Creditinfo's information systems in connection with the preparation of a report on the complainant's credit rating.

In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, lawful and objective purposes and not further processed for other and incompatible purposes (paragraph 2) and that they shall be sufficient and not in excess of what is necessary for the purpose of the processing (paragraph 3); .

The Data Protection Authority has previously taken a position on the issue in question, cf. in this connection ruling, dated. 26 January 2017, in case no. 2016/950, ruling, dated 6 December 2016, in case no. 2016/580, ruling, dated 28 September 2017, in case no. 2016/1138, and ruling, dated 31 May 2018, in case no. 2017/537. In all the above rulings, the Data Protection Authority considered that Creditinfo was allowed to use information on the entry in the company's default register when preparing reports on the complainants' credit ratings, for four years from the registration of such information. In one of the above-mentioned rulings of the Data Protection Authority, case no. 2016/1138, reference was made, among other things, to provisions on the deletion of registered information after the retention period has expired in the relevant operating licenses that were in force when the processing in question took place. Are those provisions comparable to Article 2.7 of the current license, dated December 29, 2017 (Case No. 2017/1541). In addition, the provisions of Act no. 33/2013 on consumer loans, ie. Article 5 (now k) Article 5 and Article 10. which stipulate that the consumer's credit rating is assessed before a consumer loan is granted, and it is stated, among other things, that information from the databases of the financial information office may be used for this purpose. In this connection, provisions were also traced from Directive 2008/48 / EC on consumer credit agreements, which emphasized that lending activities should be responsible, that loans under the Directive should not be granted without a credit rating having previously been obtained and that provide for the necessary measures to impose sanctions on those lenders who do not do so.

With reference to this, the ruling in question states:

"From the above, it is clear that great emphasis is placed on a reliable credit rating in the run-up to the consumer loan agreement. It is also known, as previously stated, that the reports of Creditinfo Lánstraust hf. is intended to be useful in the preparation of such an assessment. Furthermore, it will not be considered that it involves the unauthorized disclosure of information on default claims that have been submitted, that they affect the conclusion of credit rating reports, as it is clear that the information itself does not reach the recipients of the assessment. In view of this, the Data Protection Authority considers the processing of Creditinfo Lánstraust hf. on the information on deregistered entries in the register in question, which is in question in this case and took place during the validity of the aforementioned operating license, dated 28 December 2015, have been based on the aforementioned provision of point 7. Paragraph 1 Article 8 Act no. 77/2000, but in addition the Office does not consider that it has been stated that the requirements of other provisions of the Act have been violated, e.g. á m. Paragraph 1 Article 7 the same law on, among other things, fairness, proportionality, reliability and retention time in the processing of personal information. The processing is therefore considered to have complied with the law.

Secondly, it is tested here whether the processing in question is considered to have been permitted after the current operating license, dated. 28 February 2017 (case no. 2016/1626), entered into force. In granting it, the views outlined above were taken into account, cf. Article 2.7 of the license, which deals with the deletion of information. It states, among other things, that information on individual debts should be deleted if it is known that they have been repaid, in addition to which information that measures against the creditworthiness of the data subject should be deleted when they are four years old. However, information may be stored for an additional three years, as it is subject to strict access restrictions and care is taken to ensure that no one else has access other than those employees who need it for their work. During such retention, they may be used to comply with requests from data subjects for knowledge of the processing of personal data about them and to [skrá] resolve disputes over the validity of registration. A maximum of four years have elapsed since the registration of the information, it may also be used for the purpose of making a credit rating at the request of the data subject, provided that no information is provided about the requirements themselves, but only statistical results. Other uses of the information are not permitted. "


The Data Protection Authority considers the same arguments as above to apply in the case that is currently being resolved. It is also not clear that the operating license instructions were violated, cf. now Article 2.7 of the aforementioned license, dated December 29, 2017, which are traced in the quoted text. In light of this, as well as with reference to the legal and regulatory provisions previously outlined, the Agency considers that the processing of information on deregistered entries in a register under the operating license has relied on a satisfactory authorization under the aforementioned provision of point 6. Article 9 of the Act, cf. point e of the first paragraph. Article 6 Regulation.

The complaint also comments on the fact that the complainant's income and assets are not taken into account when making a credit rating with Creditinfo. In this connection, it is considered that the lender is obliged to carry out a payment assessment in parallel with the credit rating before a contract for a consumer loan is entered into if certain conditions are met, cf. Article 10 Act no. 33/2013. Payment assessment refers to the calculation of the borrower's solvency, based on assets, liabilities, expenses and income, which i.a. based on official consumption criteria, cf. Article 5 (e) the same law. In the comments on Article 10 in the bill that became Act no. 33/2013 states that with a credit rating an attempt is made to verify the willingness to pay, but solvency with a credit rating. In view of the above, it cannot be seen that the law requires Creditinfo to take into account information on individuals 'income and assets when preparing reports on individuals' credit ratings. It is rather the responsibility of the lender in question to take such information into account when examining the borrower's solvency in connection with the preparation of a payment assessment. The lender in question is thus responsible for assessing the borrower's willingness to pay and solvency in a comprehensive manner in accordance with the above-mentioned provision of Article 10. Act no. 33/2013, before a decision on a loan is made.

In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly stated, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient and not in excess of what is necessary for the purpose of the processing (point 3). It will not be seen that these claims have been violated. The Agency also considers that the processing in question has complied with Act no. 90/2018 in other respects.
U r s k u r ð a r o r ð:

Processing of Creditinfo Lánstraust hf. on personal information about [A] in connection with the preparation of a report on his credit rating complied with Act no. 90/2018, on personal protection and processing of personal information.

In Privacy, June 22, 2020

Helga Þórisdóttir  Þórður Sveinsson