The GDPR has been talked about for several months, but this topic was really loud only at the end of May, when a new law on the protection of personal data began to apply across Europe. The aforementioned Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 introduced a number of restrictions on the trading and storage of personal data, which also affected non-bank loan institutions.
Despite this, borrowers interested in payday loans should not feel the effects of GDPR, and the entire loan procedure is proceeding and will be carried out in exactly the same way as before. It is known, however, that the provisions of the Regulation also covered the debt recovery process. However, did they significantly affect the debt recovery procedure? And can debtors expect a change in their situation?
What does the protection of the debtor’s personal data look like?
When considering how to protect data, you should start with what the GDPR understands by personal data. According to the new regulation, personal data is information that identifies a natural person. Importantly, the GDPR does not exchange permanent information that could be used for this identification – this catalog is an open catalog, therefore, all information about a specific person can be taken up for the term ‘personal data’.
For debtors, however, the most important is the fact that the GDPR contains a provision saying that the data that allows determining the financial situation of a natural person are also personal data. It follows that both the amount of liabilities of natural persons and the amount of debt, the type of debt and the solvency or insolvency of the debtor will also be protected by new provisions. All institutions that process this type of data – banks, loan companies, debt collection companies – will have to act in accordance with the applicable regulation.
Can a loan company provide the debtor’s personal data without his consent?
The current law on the protection of personal data assumed that their processing and disclosure without the consent of the person they refer to is possible in the event that their disclosure is related to the objectives justified by the protection of their own interests and activities. The processing of personal data is therefore possible if it is necessary for:
- implementation of the obligation arising from legal provisions;
- performance of a contract to which the person to whom the personal data relates is a party;
- implementation of tasks serving the public good;
- the implementation of justified purposes, if this purpose does not violate the rights of the person whom the information relates to.
This legitimate purpose may be, for example, an attempt to prevent or compensate for financial damage, such as recovering financial claims from debtors.
In order to be able to legally provide access to debt data, the loan company does not need to obtain the consent of the debtor itself, but must first transfer the right to this claim, e.g. on the basis of an assignment. The debt collection company, as an assignee, therefore has the right to receive all information enabling the debtor to be identified and as a new creditor to process it in order to collect the debt.
How can the debtor’s data be processed?
The processing, but also the storage of data of an indebted person may take place only if it is current data. In practice, this will only be possible until the debtor has repaid all the liability owed. If the debt no longer exists, the creditor must delete all data regarding the debt and the debtor himself.
If the debt is active, the debt collection company may process the debtor’s personal data, but only within the framework set by the GDPR. Therefore, at the request of the person concerned, it must enable access to the processed data, correct the data or delete those data that can be deleted without harming the creditor. In addition, the debt collection company cannot use the data entrusted to it for purposes other than enforcing claims, which should be precisely specified in the assignment of the debt concluded between the loan company and the debt collection company.
It is worth noting that the contract should be constructed in accordance with the guidelines set by the GDPR (i.e. precisely define the scope of processing, its period, as well as indicate the data controller and all rights of the owner of personal data). If the assignment is incomplete or allows data to be processed to a greater extent than permitted, it may be considered illegal and non-binding.