Debt collection is among the enforcement priorities of the Hungarian Data Protection and Freedom of Information Authority (“Hungarian DPA”) since several years a significant proportion of the Hungarian DPA decisions and court cases involving the judicial supervision of the Hungarian DPA’s decisions relate to debt collection and the handling of debtors’ complaints. In the past years, the Hungarian DPA blacklisted several practices by debt collection agencies, and the Hungarian DPA confirmed that relative to the debt collection it is illegal if debt collectors contact any third parties (i.e. the debtors’ neighbours), process the debtors’ close relatives’ personal data, process the debtors’ health related personal data (i.e. sickness or other medical condition) and any other sensitive information relative to the debtors’ whereabouts (i.e. whether the debtor is imprisoned or in pre-trial detention) or collect personal data beyond the purposes that are strictly necessary for debt collection.
In the past, debt collection companies in Hungary broadly relied on the contractual legal basis of Article 6(1)(b) GDPR when they processed debtors’ personal data for debt enforcement purposes. The Hungarian DPA, however, took a different approach on this issue and asserted on the basis of the Article 29 Working Party’s and the EDPB’s guidance that the contractual legal basis of Article 6(1)(b) GDPR must be narrowly interpreted and this legal basis may only apply to data processing activities objectively necessary for the performance of a contract. In contrast, the Hungarian DPA asserted that debt enforcement activities may only be performed based on legitimate interests (Article 6(1)(f) GDPR). This approach of the Hungarian DPA also had an impact on the applicable data subject rights because the right to object against the data processing does not apply in case of contractual necessity as a legal basis. Therefore, the Hungarian DPA also concluded that debt collection companies must notify debtors about their right to object under Article 21 GDPR.
The Hungarian Kuria (i.e. the Supreme Court of Hungary) in its recently released decision (105.K.700.451/2019/9., “Case”) handed down an important judgement on this particular issue confirming the interpretation of the Hungarian DPA on the qualification of debt enforcement activities and the applicable legal basis to such activities under the GDPR’s provisions.
Facts of the Case
The natural person debtor concluded a loan agreement with a credit institution, and the credit institution effected the early termination of the agreement. The credit institution voluntarily assigned and contractually subrogated the creditor's rights to a third-party debt collection company and discharged the debt. The debtor made a complaint to the Hungarian DPA to order the debt collection company to delete the debtor’s personal data, because the debtor asserted that he already paid the debt, and the debt collection company was illegally processing his personal data.
The debt collection company stated that it processed the debtor’s data for debt enforcement purposes on the contractual legal basis of Article 6(1)(b) GDPR; and also, for complaint management purposes and credit reference purposes involving the disclosure of the data to the Central Credit Information System (KHR) under Article 6(1)(c).
The Hungarian DPA established in its decision Nr NAIH/2019/2566/8. that the debt collection company was not authorized to process the debtor’s data based on the contractual legal basis of Article 6(1)(b) GDPR and ordered the company as the data controller to provide proof to the debtor that the company has a prevailing legitimate interest to process the debtor’s personal data or to delete it. The Hungarian DPA refused in all other respects the debtor’s compliant.
The Hungarian DPA concluded that the debt collection company was not able to invoke the contractual legal basis, because according to the Hungarian DPA data processing relative to debt collection is only permissible based on the legitimate interest of claim enforcement under Article 6(1)(f) GDPR as a legal basis.
Decision of the first instance court
The debt collection company challenged the Hungarian DPA’s decision before court and filed judicial supervision request arguing that the voluntary assignment of the claim and the contractual subrogation of the creditor's rights does not alter the nature of the debt. According to the argumentation of the debt collection company, debt enforcement as a data processing activity is based on the enforcement of claims deriving from the loan agreement following a contract’s termination. The assignment of the relevant claim and the contractual subrogation of the creditor's rights does not change the legal basis of data processing, because the legal basis remains the contract and the debt management company may only assert the rights from the basic contract. The debt collection company argued therefore that the restrictive interpretation of contractual necessity under Article 6(1)(b) GDPR cannot be accepted.
In its response the Hungarian DPA indicated that Article 6(1)(b) GDPR must be interpreted narrowly as attested by the European Data Protection Board’s 2/2019 Guidelines and stated that the contractual legal basis only applies to data processing being objectively necessary for the performance of a contract and as such, this does not apply to all further actions triggered by the non-compliance with or to any other defaults in the execution of a contract. The Hungarian DPA noted that certain actions can be reasonably foreseen and are necessary within a normal contractual relationship, such as sending formal reminders about outstanding payments or correcting errors or delays in the performance of the contract. However, Article 6(1)(b) may only cover processing of personal data which is objectively necessary in relation to such actions. Complex data processing activities that involve the use of third persons, such as debt collection companies and claim enforcement before court may not be considered as an activity being within the ordinary course of contractual performance, therefore such third persons may not rely on contractual necessity as a legal basis.
In its decision, the first instance court refused the debt collection company’s claim and confirmed the Hungarian DPA’s interpretation that debt collection companies may not rely on Article 6(1)(b) GDPR as a legal basis for debt enforcement. With the voluntary assignment of the claim and the contractual subrogation of the creditor's rights, the claim’s ownership is transferred and therefore the claim gets separated from the original contractual relationship and the new claim owner will have no further rights stemming from the original contract as the assignment does not result in the change of the original contracting parties. Because the contract is terminated with the claim’s assignment to the debt collection company, thus the related data processing activities can no longer be based on contract performance as there is no contractual relationship between the debtor and the debt collection company and the debt collection company is not authorized to process the debtor’s personal data for contractual performance purposes. The first instance court confirmed that the debt collection company may rely on the contractual legal basis to send payment reminders or perform similar tasks which aim to return the legal relationship into normal contractual performance. However, this does not apply to the debt collection company’s activities performed after the assigned contract’s termination.
Procedure before the Kuria
The debt collection company filed a judicial supervision request to the Hungarian Kuria and asserted that the first instance interpreted incorrectly the applicable civil law and data protection legal provisions in its decision. The debt collection company stated that the assignment of the claim does not change the contractual legal basis of the data processing, because the claim’s assignment should be interpreted as the creditor’s contractual subject change and that the contractual relationship “survives” both the termination and the assignment of the claim and the existence of the claim cannot be separated from the original contract. The debt collection company also argued that relying on legitimate interests as a legal basis and the handling of debtor objections would likely cause significant administrative costs to the company and the success of the objection would not result in the deletion of data, because the company would be anyway compelled to process the related debtors’ data due to the company’s legal obligations to disclose data to the Central Credit Information System (KHR) for credit reference purposes under Article 6(1)(c) GDPR.
The Hungarian DPA argued for the approval of the first instance court decision on its merits. The DPA considered that the debtors’ right to object provide adequate guarantees to data subjects relative to debt enforcement activities and the debt collection company must conduct a legitimate interest assessment to be able to enforce debt claims. Furthermore, the Hungarian DPA stated that debt claim enforcement legal compliance costs cannot be invoked in that regard. The Hungarian DPA argued if the debt collection company was authorized to process the debtor’s data based on Article 6(1)(b) GDPR, then there would be no reasonable time limit for such processing.
The Kuria refused the judicial supervision request and approved the first instance court decision and emphasized that following the original contract's termination data processing does not involve the performance of a contract, but to enforce the debt collection company’s legal claim for the payment of a debt, which may not be considered as contractual necessity. The Kuria confirmed that after the contract’s termination contractual legal basis only include activities that are necessary for the direct performance of the original contract, such as sending payment reminders and simple administrative tasks. Following the Article 29 Working Party’s and the EDPB’s interpretation, the Kuria considered that it is particularly important whether the company’s activities are directly related to the contractual performance or such activities occur separately (in time). The Kuria also emphasized that even if the debt collection company lacks any contractual legal bases for data processing, it may still process the data based on its legitimate interest. However, the debt collection company must conduct a legitimate interest assessment to establish the prevailing nature of its interest. The Kuria also confirmed that the reference to legal compliance costs relative to handling data subject objections are irrelevant in the actual case.
The Kuria’s decision is no surprise, because the court’s decision corresponds to the EDPB’s narrow interpretation that limits data processing activities to operations that are objectively necessary for contract execution.
Debt collection companies may not therefore rely on contractual necessity regarding debt enforcement activities. Because debt collection companies are not authorized by any sector specific legal provisions to process debtors’ personal data, operators of this sector are strongly advised to review their data protection compliance measures and conduct legitimate interest assessments, if necessary. It is likely that the Kuria’s decision will significantly increase data privacy related compliance costs, because debt collection companies may expect the rise in the numbers of debtor’s objections, thus debt collection companies may also need to reshape and automate their internal processes relative to handling data subject requests and debtor’s objections.
By Adam Liber, Partner, and Tamas Bereczki, Partner, Provaris