- Debt collection companies may receive personal debtor data from the creditor without consent; the legal basis is Art. 6 (1) (b) and (f) GDPR.
- A plausibility check is sufficient before accepting the mandate; processing is only inadmissible if the claim obviously does not exist.
- The right to erasure does not apply as long as legal claims are being pursued; retention periods (e.g. under commercial or tax law) may extend storage.
The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia has in a Document (as of November 2018) Frequently Asked Questions on “Data Processing in Collection Companies answered. Among other things, the following notes are interesting:
May my data be transferred to a collection agency without my consent?
It is the free decision of a company to use the services of a lawyer or a debt collection agency in cases of dispute regarding an – even if only alleged – outstanding debt. In these cases, the (original) creditor may and must pass on personal data of the debtor (in particular name and address, the reason for the claim, the amount and the due date of the claim, etc.) to the collection agency. Only with this data is it possible for the collection company to approach the debtor and assert the claim. Your consent for the transfer of data to a legal service provider is not required, as it is based on the legal facts of Art. 6 para. 1 sentence 1 lit. b) and lit. f) DS-GVO (Data processing for contract performance, data processing based on legitimate interest of the creditor.) are supported.
[Note: Also welcome here is the clarification that legal bases are cumulative].
Does a debt collection agency have to check whether a claim actually exists before taking on the mandate?
When taking over a mandate, the collection agency must be able to trust that the claim handed over by the (original) creditor actually exists. A conclusiveness check / plausibility check by the collection agency before contacting the (alleged) debtor is sufficient. An audit with regard to the actual existence of a receivable is neither necessary nor possible at this point in time.
The processing of your data by a debt collection agency would only be inadmissible if the asserted claim clearly does not exist. However, this is Only conceivable in rare exceptional cases and not already when the debtor and creditor disagree as to whether the claim exists or not.
Is a collection agency obligated to delete my data if I ask them to do so?
It is true that you, as a so-called “data subject”, have a right to have your personal data deleted from Article 17 (1) of the GDPR under the conditions specified therein. However, this right does not exist if the company has deleted your Data processed for the assertion, exercise or defense of legal claims. This results from Article 17 (3) e) DS-GVO. Personal data may therefore continue to be stored as long as there are still outstanding receivables and they are processed as part of the collection activity. Once the collection procedure has been discontinued, the data is no longer required to fulfill the collection procedure and would in principle have to be deleted in accordance with Art. 17 (1) a).
However, instead of a deletion, a Limited processingif legal, statutory or contractual obligations Retention periods preclude deletion (Art. 17 para. 3 lit. b) DS-GVO in conjunction with. § 35 para. 3 BDSG). Personal data may have to be stored further due to commercial or tax regulations; however, this is only done for this purpose. These periods may vary. The German Fiscal Code (AO) and the German Commercial Code (HGB) provide for deletion periods of up to 10 years.
I have objected to the processing of my data by the collection agency. Nevertheless, the company continues to process my data. Is the company obliged to stop the data processing?
The exercise of the right to object to the processing of data on the basis of a balance of interests (Art. 6(1)(f) DS-GVO) pursuant to Art. 21(1) DS-GVO requires that the data subject provides the company with specific reasons arising from his or her particular situation. This means that the data subject must state that and why, in his or her particular case, it is an atypical constellation which lends particular weight to their interests. It is not sufficient, for example, to deny the claim (e.g., “I have not entered into a contract”) or notification that the (originating) creditor’s performance was defective or did not occur.
However, according to Article 21 (1) of the GDPR, the right to object does not apply if the processing of the data of the Assertion, exercise or defense of legal claims serves. In the typical case constellations in the context of debt collection (collection of outstanding debts), an objection to data processing is therefore likely to ultimately come to nothing.
May a collection agency obtain a credit report about me?
Debt collection companies may request creditworthiness data from credit agencies on the basis of Art. 6 (1) p. 1 lit. f) DS-GVO if an legitimate interest in this data collection exists. Such an interest is to be affirmed, for example, if an Decision on the initiation of further measures is associated with a financial default risk – also in terms of the recovery costs incurred.
Is a debt collection agency allowed to report (allegedly) unpaid receivables to a credit reporting agency?
The registration of unpaid receivables in a credit agency is Possible in principlebut only under certain conditions. In § Section 31 (2) of the Federal Data Protection Act (BDSG), the law regulates in which cases outstanding debts may be used by a credit agency for scoring. This is permitted, for example, if the debt is acknowledged by the debtor, if it has already been titled by a court decision or as part of judicial dunning proceedings, or if, in the case of an ongoing contract, the conditions for termination without notice due to payment arrears exist. Another common reason for reporting a claim to a credit agency is that at least two written reminders have been sent for payment, at least four weeks have passed since the first reminder, the debtor has been notified of the impending report to a credit agency, and the debtor has not disputed the claim.
Since the current version of the BDSG came into force, however, there has been a discussion about the purpose of this standard. The Data Protection Conference has therefore – taking up the idea of a restrictive registration practice – developed a Resolution on this topic which you will find in the appendix to this brochure.