
2015. September 29.

Résumé of the resolution of the National Authority for Data Protection and Freedom of Information on data processing in the course of lending


Resolution

The National Authority for Data Protection and Freedom of Information (hereinafter referred to as: “Authority”) has imposed a fine of HUF 2,000,000 on (_________) company (hereinafter referred to as: “Defendant”) in its resolution (no. NAIH/2015/328/20/H) as a result of its unlawful data processing activities. Furthermore, it has prohibited the unlawful processing of data by the Defendant and ordered the publication of its resolution, indicating the identification data of the Defendant as well.

According to the resolution the Defendant shall perform the following obligations:

  • In the absence of statutory authorization, even if in possession of the data subject’s express consent, processing of data involving gathering copies of personal identification documents of clients appearing personally in the Defendant’s premises breaches the principle of purpose limitation; therefore the Defendant is obliged to cease its practice of document copying and destroy the copies of personal identification documents which were gathered from the clients.
  • In the absence of statutory authorization, even if in possession of the data subject’s express consent, the application of the contract condition related to clean criminal record of the loan applicants breaches the principle of purpose limitation; therefore the Defendant is obliged to refrain from the application of this condition in its business regulations and general contract conditions resulting in the processing of special data for the future.
  • The Defendant is also obliged to delete the data content of the loan applications rejected in 2015 and to amend its processing method for the future in order to comply with the provisions of the Privacy Act.
  • Due to the infringement of the disclosure obligation prior to the commencement of data processing, the Defendant is obliged to amend its disclosure process regarding data processing according to the provisions of the Privacy Act. In the future, it shall give proper information to the clients about the legal basis and the aim of information gathering and data processing (in particular, it shall make a difference between personal data provided voluntarily or mandatorily), and about the rights of data subjects and legal remedies, when personal data is recorded in its business regulations, in its forms, and in the course of providing information through telephone or internet as well.
  • In the future any data processing not aimed at lending (direct marketing purpose) shall be performed by the Defendant based on the voluntary, informed and express prior consent granted by the data subjects.
  • The Defendant shall notify its data processing operation to the Authority in order to be registered.

Establishments

  1. The Authority has established that the Defendant processes data of a wider range in the course of its general procedural practice than needed for evaluating the loan applications, concluding contracts, and enforcing claims arising out of the lending.
  2. The business regulations and general contract conditions of the Defendant contained the provision that “By signing the contract the Client shall declare that he/she has no criminal record”. The Authority has considered that the aforementioned declaration has not served the objective of the reduction of risks of lending, since the lending could have taken place without processing special data related to clean criminal record because special data had to be declared not in course of the credit assessment but upon concluding the contract. Therefore the Defendant breaches the principle of purpose limitation.
  3. The Authority has furthermore established that copying of personal identification documents of the clients appearing in person breaches Section 4 para. (2) of the Privacy Act. Copying of personal identification documents cannot serve the objective of preventing fraud or more effective enforcement of claims, because in the absence of direct suspicion the indirect, remote possibility of abuse cannot be a basis for data processing.
  4. Upon acceptance of the loan application, the Defendant asks the debtor’s consent in the Declaration about client information to be authorized to receive data about the result of the enforcement of claims, which contains data about the debtor to be qualified as bank secrets, for the purpose of risk management and analysis, in case the Defendant confers its claims to an assigned third party. These data are relevant in case of evaluating a new loan application of the debtor, but this occurrence is unforeseeable and occasional, therefore it cannot serve as basis for data processing.
  5. The Authority has established several types of problems regarding the provision of information. The Defendant breaches its disclosure obligation in its business regulations since it does not provide complete and unambiguous information for the data subjects. Therefore consents granted by the data subjects cannot be deemed as informed consents.
  6. With regard to the obligatory data processing, the Authority has established that the Defendant (and all financial institutions) shall record the data of the credit agreement, or any contracts related to leasing, securities, lending etc. to the Central Credit Information System of consumer credit agreements (hereinafter referred to as “KHR”). However accessing of these data from the KHR depends on the consent granted by the client. The positive occurrence about the data subject can only be known from the KHR if the data subject provides its consent thereto, while the negative occurrence can be known from the KHR without any restriction.
  7. Pursuant to the Act No. CCXXXVII of 2013 on Credit Institutions and Financial Enterprises the Defendant (as well as all financial institutions) is obliged to record the telephone conversations about customer complaints between the financial institution or independent intermediary and the client, and shall retain this recording for a period of one year. This rule is not applicable to the telephone conversations between the financial institution and the client which are not deemed as complaints.
  8. The Authority has established that the practice of the Defendant is unlawful when by signing the contract, the loan applicant provides his/her consent automatically to data processing having different aims, because the Defendant does not ensure the possibility of voluntary consent for the client, therefore it breaches Section 3 point 7 of the Privacy Act.

In the course of applying sanctions, the Authority has to consider all the circumstances of the case, including the range of data subjects affected by the infringement, the significance of the infringement, and whether it has been a recurring breach. In this case, it has established that data processing has affected several thousand persons, which has caused serious and recurring infringement, since the Defendant has an unlawful data processing practice.

Applicable laws and basic regulations

  • Data Protection Directive 95/46/EC
  • Constitution of Hungary
  • Act CXII of 2011 (“Privacy Act”)
  • Act V of 2013 (“New Civil Code”)
  • Act CLXII of 2009 on Consumer Credits
  • Act CXII of 1996 on Credit Institutions and Financial Enterprises (“Old Hpt.”)
  • Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (“New Hpt.”)
  • Act CXXXVI of 2007 on the Prevention and Combating of Money Laundering and Terrorist Financing (“Pmtv.”)
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (“Grt.”)
  • Government Decree 361/2009 (XII. 30.) on the conditions of prudent retail lending and the examination of creditworthiness