The data of the debtor who is a natural person is protected in accordance with the provisions of the GDPR. According to the definition in Article 4 of the Regulation, personal data includes information about an identified or identifiable natural person. It is worth emphasizing that the provision does not designate a closed catalog of information that can be considered personal data. Moreover, the legislator pointed out that the concept also includes factors determining the economic identity of a natural person.
In connection with the above, it should be assumed that information such as: amount of debt, nature of the claim or solvency of the debtor are protected personal data. It follows that creditors must ensure that the above data is used by them in a lawful manner.
Principles of personal data protection in debt collection
The GDPR allows the processing of personal data on the basis of the premise for achieving legitimate purposes. The aforementioned condition falls within the catalog of conditions for the lawful processing of personal data. This means that for the purposes of pursuing a claim, the debtor’s personal data may also be used by a creditor who has not obtained consent from the debtor person to process his data. This applies to entities that have obtained the right to a given claim on the basis of e.g. assignment of receivables or universal succession.
Good To Know
It should be emphasized that the Regulation allows the processing of personal data only as long as there is a justification for it. This means that the creditor should delete the debtor’s personal data after recovering the claim sought. In debt recovery this is important.
Entrusting debt collection with external entities
It happens that creditors decide to outsource debt collection to third parties specializing in collecting debts. Such an action fulfills the conditions for entrusting the processing of personal data, which means that it must meet the requirements set by the GDPR for such activities. Pursuant to the Regulation, entrusting processing should be based on a contract. Public authorities responsible for the protection of personal data will create a catalog of clauses that should include a contract for entrusting processing.
The debt collection company whose data will be entrusted is obliged to comply with the obligations that the GDPR imposes on the data processor. This means that it will be obliged to respond to the debtors’ requests for access to data and, if it is justified, to requests to limit data processing or rectification.
It is worth emphasizing that a debt collection company entrusted with personal data of debtors – can use it only and exclusively for the purposes specified in the contract it concluded with the creditor.
Practical advice
The creditor entrusting recovery to third parties should ensure that the contract is properly drawn up and that the contract contains provisions regarding the processing of personal data in accordance with legal requirements. Such a contract should define the sets of processed data, the scope of the transfer and be based on clauses drawn up by the relevant office. In addition, proper definition of the purposes of processing will allow creditors and debt collectors to avoid sanctions for failure to comply with their obligations regarding the processing of personal data.
summarizing
The day on which GDPR will come into force is fast approaching. It is worth discerning your rights and obligations arising from the above fact. Other articles on personal data protection that can be found on the LTCA Academy website can definitely help!