Balancing of interests: data collection by CRAs without consent - 16 November 2004
[doc. web n. 1671380]
GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, in the presence of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi, and Mr. Mauro Paissan, members, and Mr. Giovanni Buttarelli, Secretary General,
Having regard to the provisions adopted on this day by the Garante, whereby the code of conduct and professional practice applying to information systems that are controlled by private entities and used with a view to granting consumer credit and/or in connection with reliability and timeliness in payments was found to be compliant with laws and regulations and ordered to be published in the Official Journal (under Section 20(2), letter e) of legislative decree no. 467/2001, and Section 117 of the Personal Data Protection Code);
Having regard to the provisions previously adopted by the Garante in this regard on April 10, 2002 (published in the Official Journal no. 106 of May 8, 2002) and July 31, 2002 (published in the Garante's Bulletin no. 30/2002, p. 47) and considering it necessary for this Authority to lay down appropriate, effective implementing mechanisms in respect of the provisions contained in the Code that set out the preconditions for processing to be lawful, also in the light of the information acquired during the preparatory work related to adoption of the aforementioned code of conduct;
Having regard to the considerations submitted by the Secretary General on behalf of the Office, pursuant to Section 15 of the Garante's Regulations no. 1/2000;
Acting on the report submitted by Prof. Gaetano Rasi,
1. Credit Information Systems
Information systems managed by private entities with a view to granting consumer credit and/or assessing applicants' reliability and timeliness in payment are not regulated specifically, unlike
a) centralised systems or services for the assessment of – mainly major – credit risks as set up pursuant to the consolidated statute on banks and credit institutions via resolutions adopted by CICR, which are regulated and supervised by the Bank of Italy, and
b) other publicly available registers, databases and files that are also used with a view to granting credit and operated in accordance with specific provisions (e.g. computerised register of protests, land register offices, etc.).
In Italy, privately run information systems were developed prior to the enactment of data protection legislation, in the absence of standard rules and criteria, and in accordance with different arrangements. This occurred either within the framework of associations and consortia set up by financial operators or in connection with paid services and/or activities carried out by specialised companies – usually on the basis of agreements and/or contracts between system managers and participating private entities.
Said systems are used by credit and financial operators – i.e., banks and financial brokers such as, for instance, financial and leasing companies – to share and exchange information on loans, including small loans, and payments by instalments. They are aimed at protecting credit and reducing the relevant risks, also in connection with the need to enhance stability of the banking and financial system and develop production activities, as per the sector-related requirements, by supporting the demand for consumer goods and services. This applies, in particular, to consumer credit, which is taken into account only indirectly and/or partially within the framework of publicly run "credit referencing agencies", the latter being the subject of specific legislation.
The private systems in question, which are currently referred to as private "credit referencing agencies", are now regulated by the aforementioned code of conduct and professional practice, where they have also been termed "credit information systems".
2. Consent and Other Lawfulness Preconditions
With regard to the processing of personal data, including data related to credit relationships evolving "flawlessly", the private entities managing the aforementioned information systems must obtain the data subjects' free, informed consent – possibly by the agency of the participating entities – which must be given specifically in connection with the individual processing operations pursuant to both the Code (Section 23) and the aforementioned code of conduct and professional practice.
With a view to affording a high level of protection to data subjects (as per Section 2 of the Code), the latter should be enabled to make an informed decision as to whether their data may be recorded in the aforementioned information systems – e.g. to facilitate the granting of future loans – without being exposed to influence, including de facto influence, and/or concerned about the negative consequences possibly resulting from this decision as for their current or future relationships with financial operators.
As an alternative to consent, the controller of the processing operations that are performed to grant consumer credit and assess applicants' reliability and timeliness in payments can avail itself, in some cases, of other lawfulness preconditions referred to in the Code. This applies if the processing in question
a) is necessary to comply with specific requests made by the data subject, prior to entering into the contract (e.g. in connection with the preparatory activity related to a financing application lodged with a bank or financial company: see Section 24(1), letter b), of the Code);
b) concerns data related to the performance of economic activities by companies, self-employed professionals, and single-member companies pursuant to the limitations set out in the Code (see Section 24(1), letter d));
c) is necessary in order to defend a claim for no longer than is absolutely necessary therefor, as well as in connection with requests lodged by either data subjects or competent public authorities under the law (see Section 24(1), letters a) and f));
d) concerns anonymous data that are processed for statistical purposes, which fall outside the scope of application of the Code.
The relevant actors can avail themselves of the above preconditions by complying with the respective limitations. Therefore, it is necessary to establish whether, in view of the forthcoming application of the code of practice, the processing of some personal data relating to payment delays and/or defaults within the framework of the aforementioned private information systems may be based on an additional lawfulness precondition to be used by the actors concerned as an alternative to the data subjects' free, explicit, and documented consent (Section 23 of the Code).
A suitable alternative to consent can be found in the provisions on balancing of interests, which were re-affirmed in the Code and appropriately supplemented by the reference to the experience gathered (see Section 24(1), letter g)).
This provision is meant to implement the balancing of interests regulations by specifying – further to the principles set out in Section 11 of the Code – the cases in which some personal data relating to credit relationships may be processed within the framework of the aforementioned information systems also without the data subjects' consent for the sole purpose of pursuing the data controller's and/or third party recipients' legitimate interests, in accordance with the mechanisms laid down herein as well as in the aforementioned code of conduct and professional practice.
3. Individuals' Rights and Legitimate Interests of the Credit and Financial Sector
In carrying out said implementing exercise, it should be considered that the complex processing operations involving personal data that are performed in the aforementioned contexts do entail risks for data subjects' fundamental rights and freedoms, as they may negatively affect private life, legitimate access to the purchase of goods and/or the delivery of services, and ultimately individuals' dignity and repute, social and professional relations, and private enterprise.
Given that private credit information systems impact considerably on production and commerce via the assessment that is carried out in order to grant consumer credit and/or gauge applicants' reliability and timeliness of payments, it is necessary to avoid duplication and overlapping of databases as well as the proliferation of multiple-industry databases, whether centralised or interconnected, which may give rise to an excess of information that is aimed at the most diverse purposes, concerns a high number of people, and may end up being especially intrusive because of the many opportunities for matching data.
On the other hand, it should be noted that acquisition and exchange of significant information relating to delayed and/or defaulting payments in connection with consumer credit, also by means of information systems managed by private entities, can play an important role in order for banks, financial companies and other intermediaries – which are required to ensure sound, prudential management of loans – to appropriately assess an applicant's creditworthiness and financial status, as well as in order to reduce the data subjects' excessive indebtedness and/or overexposure in respect of the debtors' income, and to prevent deceptive practices.
4. Balancing of Interests in Case Data Related to Negative Information Are Processed
Facilitating the acquisition of the information referred to above may therefore be especially useful in connection with the assessment carried out by industry operators prior to granting loans and/or credit. This is without prejudice to the need for the data to be processed in the aforementioned systems exclusively for as long as specified in the said code of conduct and professional practice by taking account of several factors – such as sector-related evolution, functions discharged by said information systems, retention periods set out for other types of risk assessment as regulated and supervised by the Bank of Italy, and terms currently applying to retention of the data concerning indebtedness as stored in different public registers for purposes other than those typically related to credit risk assessment (such terms are expected to be harmonised shortly in pursuance of Section 119 of the Code).
Based on the principles whereby data should be relevant, complete and not excessive, and having regard to the new framework rules and safeguards developed by the code of conduct and professional practice, the Garante considers that the following processing operations concerning personal data are necessary to pursue the legitimate interests of the controllers of the processing carried out within the framework of the said information systems insofar as the processing operations relate to:
a) delays in reimbursement of loans, which data may be retained in the said systems for twelve months or twenty-four months as of the date on which the information related to their having been remedied is recorded if the reimbursement is delayed by two instalments/months or by a longer period, respectively;
b) credit relationships that have been affected by delays and/or defaults and have not been remedied, which data may be kept in the aforementioned systems for no longer than thirty-six months as of the date of expiry of the relevant contract; if other events occur that are relevant to the payment, the period in question starts running as of the date on which it was last found to be necessary to update said data, or on which the relationship was terminated. In the latter instance, the personal data related to positive credit information that are contained in the information system may also be retained further, even though they concern other credit relationships with the same data subject, by having regard to the requirement that the data should be complete in respect of the purposes to be achieved (see Section 11(1), letter d), of the Code).
In the cases mentioned herein, it shall therefore be lawful to process the personal data in question for the purposes referred to above also without the data subjects' consent, pursuant to Section 24(1), letter g), of the Code, as of January 1, 2005 – i.e. as of the date on which the aforementioned code of conduct and professional practice comes into force.
This decision only applies to the entities that are referred to as "managers" and/or "participants" in Article 1 of the aforementioned code of conduct and professional practice.
HAVING REGARD TO THE ABOVE PREMISES
1) hereby specifies the cases in which processing of personal data within the framework of the information systems addressed by the code of conduct and professional practice referred to above may be carried out by managers of and/or participants in said systems under the terms set out in the above premises, by complying with the limitations and conditions specified therein, for the sole purpose of pursuing the aforementioned legitimate interests and without requesting the data subjects' consent;
2) orders that this provision be published in the Official Journal of the Italian Republic.
Done at Rome, this 16th day of November 2004
THE SECRETARY GENERAL