Background information
- Date of decision: 27 June 2023
- Cross-border case or national case: National case
- Controller: A.I.C. ehf.
- Legal references: Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing)
- Decision: Administrative fine
- Key words: Administrative fine, Lawfulness of processing, Transparency, Credit information agency
Summary of the Decision
Origin of the case
In June 2020 the Icelandic DPA received a complaint from the Consumers’ Association of Iceland regarding the processing of personal data by the credit information agency Creditinfo Lánstraust hf. According to Article 15 of the Icelandic Data Protection Act the operation of credit reference agencies and the processing of information concerning financial matters and the credit ratings of individuals in order to disclose it to others requires a licence from the Icelandic DPA. According to Creditinfo Lánstraust hf.’s licence it is permitted to register defaults when the loan or debt document from which the debt is derived clearly stipulates the authorization to register defaults that have lasted for a minimum of 40 days. Following the investigation of that case, the DPA started an own volition investigation against the debt collection agency Almenn innheimta ehf. (now A.I.C. ehf.), which was collecting debts on behalf of the loan company eCommerce 2020 ApS, and found that the collection agency had sent information regarding defaults and personal data to the credit information agency, from June 2018 to May 2019, without the necessary provisions on the effect of default having been included in eCommerce 2020 ApS’s loan terms and conditions.
Key Findings
- Failure to demonstrate a lawful ground for all processing operations (Article 6 (1) GDPR)
- Failure to comply with the obligation to process personal data lawfully, fairly and in a transparent manner (Article 5(1)(a) GDPR)
Decision
No provision that clearly stipulates the authorization to register defaults that have lasted for 40 days was to be found in eCommerce 2020 ApS’s loan terms and conditions. The Icelandic DPA considered that the registration of defaults on the loans in question could only have been justified by a provision like that. Therefore, the Icelandic SA concluded that the collection agency Almenn innheimta ehf. (now A.I.C. ehf.) had processed data unlawfully and against Articles 5(1)(a) and 6(1) GDPR, as the agency could not rely on any legal basis. Furthermore, the Icelandic SA imposed a fine of app. EUR 24,141 (ISK 3,500,000) on A.I.C. ehf.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.