Anyone who has clicked “I accept” on a webpage privacy pop-up can attest to the change that the GDPR has brought to business and commercial life today. However, most data privacy experts will remind you that the GDPR is more of an evolution than a revolution. This is certainly the case in the sphere of debt collection activity, an area that is centred around, and dependent upon, the personal data of debtors.
In the run-up to the GDPR coming into force in 2018, the focus of creditors was to ensure that appropriate data processing agreements were in place between them, as data controllers, and the collection agent data processors that they engaged. The question of where controlling ended and processing began, and vice versa, is often not a clear-cut one.
Legal bases for processing a debtor’s personal data
Accepting that debt collection will invariably involve the processing of individuals’, usually debtors’, personal data, means that both data controllers and data processors need to be aware of the basis – or bases – upon which a data subject’s personal data is lawfully processed. Under Article 6 of the GDPR, there are six possible legal bases for processing personal data, namely:
- Consent
- Contractual necessity
- Compliance with a legal obligation
- Protecting vital interests
- Performance of an official or public task, and
- Legitimate interests, where the interest is not outweighed by that of the data subject.
In certain cases, creditors will obtain the consent of their customer to process data for debt collection purposes. There will be many cases though where a creditor will have to rely on one of the other bases for the processing of a debtor’s personal data, particularly those of contractual necessity or legitimate interest.
Legitimate interest of the creditor
In considering the basis of legitimate interest in the context of debt collection, it is worth setting out the text of Article 6(1)(f) of the GDPR in full, which states:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
… (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
No doubt many creditors believe that it is in their legitimate interest to be paid for goods or services supplied, or monies lent, etc. However, it does not automatically follow that this basis provides an absolute right to process their customer’s data, in any manner they please, to obtain payment.
The data controller must demonstrate that their compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject. The GDPR recitals mention, several times, the need to conduct an assessment when relying on this ground, i.e. that the creditor will need to conduct a legitimate interests assessment.
There is no explicit guidance issued by the Irish Data Protection Commissioner on this basis for data processing, post-GDPR. However, there is some useful analysis provided by the UK’s Information Commissioner’s Office (ICO) and indeed (in 2014) by the EU’s Article 29 Working Party.
Applying the legitimate interest basis
Unlike some of the other bases for processing the personal data of data subjects, legitimate interest is not centred around a particular purpose, e.g. performing a specific contract with the debtor, and as a basis for data processing, is more flexible than some of the others. Though not set out explicitly in the GDPR, ICO gives very good practical guidance in terms of how the test under Article 6(1)(f) is to be applied, and in what order:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
ICO then goes on to set out a number of examples on its website of the application of the above methodology. The most appropriate one in the collection context is that of a finance company/lender, which is looked at in more detail below. In this example, ICO considered whether the finance company’s entitlement to process a debtor’s data in order to collect debt might be overridden by the right of the data subject not to have his data processed (by way of it being given to a collection agency, which he possibly did not consent to). ICO noted that “the legitimate interest in passing the personal data to a debt collection agency in these circumstances would not be overridden by the interests of the customer. The balance would be in favour of the finance company.”
On the other hand, in terms of carrying out the balancing test, between the competing rights of the finance company controller and the data subject, ICO notes that, if there is a serious mismatch between the interests of the data controller and the interests of the data subject (whose interests are stronger), the data subject’s interests must come first. This occurs in instances where:
- The data subject would not reasonably expect the processing
- They would be likely to object to the processing
- The processing would have a significant impact on them
- The processing would prevent them exercising their rights, or
- The data that the controller is processing is particularly sensitive, for example special category data, criminal offence data, or children’s data
However, the outcome will depend on the circumstances of the case.
ICO – a creditor company who wishes to outsource debt
ICO provides the following example:
- A creditor company is unable to locate a customer who has stopped making payments
- The customer has moved house without notifying their creditor of the new address
- The creditor wants to disclose the customer's personal data to a debt collection agency to locate the customer and recover the debt
ICO notes that the creditor has a legitimate interest in recovering its debt and, to achieve this, it is necessary to use a debt collection agency. While the interests of the customer are likely to differ from those of the creditor, the balance would be in favour of the company. The ICO example relates to a finance lender, but would appear to equally apply to any commercial organisation pursuing a bad debt.
Accordingly, processing the debtor’s data by way of simply referring them to a debt collection agency can be justified on the legitimate interest basis.
Article 29 Working Party – hire purchase company and missed car repayments
The Article 29 Working Party example related to a debtor who failed to pay the instalments due on an expensive sports car purchased on credit, and who then disappeared. The car dealer contracted a third-party collection agent. However, in its example, the third-party debt collector carried out an intrusive law-enforcement style investigation using practices such as covert video-surveillance and wire-tapping. Although the interests of the car dealer and third-party debt collector are legitimate, the balance does not tip in their favour because of the intrusive methods used to collect information, some of which are explicitly prohibited by law, i.e. wire-tapping.
The conclusion would be different if, for instance, the car dealer or the third party debt collector carried out limited checks only to confirm the contact details of the data subject in order to start a court procedure.
Domestic corroboration of this analysis can be seen in some of the results of pre-GDPR prosecutions taken by the DPC against a number of tracing agents/private investigators. The creditors in those cases referred instructions to private investigators to trace current addresses of certain debtors. However, while the initial referral of subject data to a third party did not cause a breach, it was the methods used by the tracing agents, including inappropriate access to State databases, that were found to breach the legislation and, obviously, the rights of the data subjects. Needless to say, the processing methods could not be justified by the legitimate interest exception.
In general terms, it seems clear that the processing of a data subject’s personal data via a data controller referring that data to a third-party debt collector can be justified under the legitimate interest basis. A creditor/data controller would be very well advised to inform themselves about the exact manner of processing that is then carried out, and to have the appropriate safeguards in place. These might include, for example, a data processing agreement with the third-party debt collector.
It is reasonably certain that various European data protection authorities will make findings in accordance with their GDPR powers where data is processed by creditors to obtain collections, and where the creditor has relied on legitimate interests as their basis for that processing. By way of example, in April of 2019, a Hungarian debt collector was fined the equivalent of €9,400 because it was found that the collector did not have a legal basis to process an individual’s personal data.
Findings such as these will no doubt provide guidance and advice about the application of the bases for processing and the balancing of data controller/processor rights versus data subject rights.