Data Pro­tec­tion Com­mis­sio­ner North Rhi­ne-West­pha­lia: FAQ on debt coll­ec­tion agencies

The Sta­te Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on of North Rhi­ne-West­pha­lia has in a Docu­ment (as of Novem­ber 2018) Fre­quent­ly Asked Que­sti­ons on “Data Pro­ce­s­sing in Coll­ec­tion Com­pa­nies ans­we­red. Among other things, the fol­lo­wing notes are interesting:

May my data be trans­fer­red to a coll­ec­tion agen­cy wit­hout my consent?

It is the free decis­i­on of a com­pa­ny to use the ser­vices of a lawy­er or a debt coll­ec­tion agen­cy in cases of dis­pu­te regar­ding an – even if only alle­ged – out­stan­ding debt. In the­se cases, the (ori­gi­nal) cre­di­tor may and must pass on per­so­nal data of the debtor (in par­ti­cu­lar name and address, the rea­son for the cla­im, the amount and the due date of the cla­im, etc.) to the coll­ec­tion agen­cy. Only with this data is it pos­si­ble for the coll­ec­tion com­pa­ny to approach the debtor and assert the cla­im. Your con­sent for the trans­fer of data to a legal ser­vice pro­vi­der is not requi­red, as it is based on the legal facts of Art. 6 para. 1 sen­tence 1 lit. b) and lit. f) DS-GVO (Data pro­ce­s­sing for con­tract per­for­mance, data pro­ce­s­sing based on legi­ti­ma­te inte­rest of the cre­di­tor.) are supported.

[Note: Also wel­co­me here is the cla­ri­fi­ca­ti­on that legal bases are cumulative].

Does a debt coll­ec­tion agen­cy have to check whe­ther a cla­im actual­ly exists befo­re taking on the mandate?

When taking over a man­da­te, the coll­ec­tion agen­cy must be able to trust that the cla­im han­ded over by the (ori­gi­nal) cre­di­tor actual­ly exists. A con­clu­si­ve­ness check / plau­si­bi­li­ty check by the coll­ec­tion agen­cy befo­re cont­ac­ting the (alle­ged) debtor is suf­fi­ci­ent. An audit with regard to the actu­al exi­stence of a receiva­ble is neither neces­sa­ry nor pos­si­ble at this point in time.

The pro­ce­s­sing of your data by a debt coll­ec­tion agen­cy would only be inad­mis­si­ble if the asser­ted cla­im cle­ar­ly does not exist. Howe­ver, this is Only conceiva­ble in rare excep­tio­nal cases and not alre­a­dy when the debtor and cre­di­tor dis­agree as to whe­ther the cla­im exists or not.

Is a coll­ec­tion agen­cy obli­ga­ted to dele­te my data if I ask them to do so?

It is true that you, as a so-cal­led “data sub­ject”, have a right to have your per­so­nal data dele­ted from Artic­le 17 (1) of the GDPR under the con­di­ti­ons spe­ci­fi­ed the­r­ein. Howe­ver, this right does not exist if the com­pa­ny has dele­ted your Data pro­ce­s­sed for the asser­ti­on, exer­cise or defen­se of legal claims. This results from Artic­le 17 (3) e) DS-GVO. Per­so­nal data may the­r­e­fo­re con­ti­n­ue to be stored as long as the­re are still out­stan­ding receiv­a­bles and they are pro­ce­s­sed as part of the coll­ec­tion acti­vi­ty. Once the coll­ec­tion pro­ce­du­re has been dis­con­tin­ued, the data is no lon­ger requi­red to ful­fill the coll­ec­tion pro­ce­du­re and would in prin­ci­ple have to be dele­ted in accordance with Art. 17 (1) a).

Howe­ver, instead of a dele­ti­on, a Limi­t­ed pro­ce­s­singif legal, sta­tu­to­ry or con­trac­tu­al obli­ga­ti­ons Reten­ti­on peri­ods pre­clude dele­ti­on (Art. 17 para. 3 lit. b) DS-GVO in con­junc­tion with. § 35 para. 3 BDSG). Per­so­nal data may have to be stored fur­ther due to com­mer­cial or tax regu­la­ti­ons; howe­ver, this is only done for this pur­po­se. The­se peri­ods may vary. The Ger­man Fis­cal Code (AO) and the Ger­man Com­mer­cial Code (HGB) pro­vi­de for dele­ti­on peri­ods of up to 10 years.

I have objec­ted to the pro­ce­s­sing of my data by the coll­ec­tion agen­cy. Nevert­hel­ess, the com­pa­ny con­ti­nues to pro­cess my data. Is the com­pa­ny obli­ged to stop the data processing?

The exer­cise of the right to object to the pro­ce­s­sing of data on the basis of a balan­ce of inte­rests (Art. 6(1)(f) DS-GVO) pur­su­ant to Art. 21(1) DS-GVO requi­res that the data sub­ject pro­vi­des the com­pa­ny with spe­ci­fic rea­sons ari­sing from his or her par­ti­cu­lar situa­ti­on. This means that the data sub­ject must sta­te that and why, in his or her par­ti­cu­lar case, it is an aty­pi­cal con­stel­la­ti­on which lends par­ti­cu­lar weight to their inte­rests. It is not suf­fi­ci­ent, for exam­p­le, to deny the cla­im (e.g., “I have not ente­red into a con­tract”) or noti­fi­ca­ti­on that the (ori­gi­na­ting) creditor’s per­for­mance was defec­ti­ve or did not occur.

Howe­ver, accor­ding to Artic­le 21 (1) of the GDPR, the right to object does not app­ly if the pro­ce­s­sing of the data of the Asser­ti­on, exer­cise or defen­se of legal claims ser­ves. In the typi­cal case con­stel­la­ti­ons in the con­text of debt coll­ec­tion (coll­ec­tion of out­stan­ding debts), an objec­tion to data pro­ce­s­sing is the­r­e­fo­re likely to ulti­m­ate­ly come to nothing.

May a coll­ec­tion agen­cy obtain a cre­dit report about me?

Debt coll­ec­tion com­pa­nies may request cre­dit­wort­hi­ness data from cre­dit agen­ci­es on the basis of Art. 6 (1) p. 1 lit. f) DS-GVO if an legi­ti­ma­te inte­rest in this data coll­ec­tion exists. Such an inte­rest is to be affirm­ed, for exam­p­le, if an Decis­i­on on the initia­ti­on of fur­ther mea­su­res is asso­cia­ted with a finan­cial default risk – also in terms of the reco­very costs incurred.

Is a debt coll­ec­tion agen­cy allo­wed to report (alle­gedly) unpaid receiv­a­bles to a cre­dit report­ing agency?

The regi­stra­ti­on of unpaid receiv­a­bles in a cre­dit agen­cy is Pos­si­ble in prin­ci­plebut only under cer­tain con­di­ti­ons. In § Sec­tion 31 (2) of the Fede­ral Data Pro­tec­tion Act (BDSG), the law regu­la­tes in which cases out­stan­ding debts may be used by a cre­dit agen­cy for scoring. This is per­mit­ted, for exam­p­le, if the debt is ack­now­led­ged by the debtor, if it has alre­a­dy been tit­led by a court decis­i­on or as part of judi­cial dun­ning pro­ce­e­dings, or if, in the case of an ongo­ing con­tract, the con­di­ti­ons for ter­mi­na­ti­on wit­hout noti­ce due to payment arre­ars exist. Ano­ther com­mon rea­son for report­ing a cla­im to a cre­dit agen­cy is that at least two writ­ten remin­ders have been sent for payment, at least four weeks have pas­sed sin­ce the first remin­der, the debtor has been noti­fi­ed of the impen­ding report to a cre­dit agen­cy, and the debtor has not dis­pu­ted the claim.

Sin­ce the cur­rent ver­si­on of the BDSG came into force, howe­ver, the­re has been a dis­cus­sion about the pur­po­se of this stan­dard. The Data Pro­tec­tion Con­fe­rence has the­r­e­fo­re – taking up the idea of a rest­ric­ti­ve regi­stra­ti­on prac­ti­ce – deve­lo­ped a Reso­lu­ti­on on this topic which you will find in the appen­dix to this brochure.




Rela­ted articles