The challenges of the GDPR for the debt collection industry – what you need to know
GDPR and the debt collection environment - six months after implementation
By ETIENNE VAN DER VAEREN
October 25, 2018
HEVERLEE, Belgium (TCM NEWSROOM) – How has the GDPR affected the debt collection industry? We take stock now that the Regulation has been in force for several months.
Europe’s General Data Protection Regulation (GDPR) addresses personal privacy by limiting how personal data may be obtained, stored, handled and transferred to other parties. It has applied since 25 May 2018 in all EU member states and in the three non-EU members of the European Economic Area (EEA): Iceland, Liechtenstein and Norway.
The main features of the GDPR for debt collectors – what you need to know
Processing data for debt collection purposes rests on the legitimate interest of the controller or of a third party (Article 6(1)(f) of the GDPR), a lawful basis that applies unless it is overridden by the interests or fundamental rights of the data subject. In the debt collection context, a creditor clearly has a legitimate interest in recovering what is owed and can thus transfer the debtor’s data to a debt collector.
Article 4 of the Regulation distinguishes between “data controllers” (Article 4(7)) and “data processors” (Article 4(8)). In brief, a data processor “processes personal data on behalf of the controller”, while a data controller “determines the purposes and means of the processing of personal data”.
Belonging to one or the other of these two categories has important consequences. Essentially, the “data controller” is responsible for its own processing. In the case of a “data processor”, it is the upstream “data controller” (i.e. the party who provides the data or access to it) who remains primarily responsible for the processing; the processor may act only on the controller’s documented instructions (Articles 28 and 29) and has its own, narrower, obligations, notably to secure the data (Article 32).
Debt collectors belong, in practice, to the “data controller” category. The data they receive comes with a mandate to collect the debt owed by the named person or institution, and such a mandate leaves the collector to decide the means employed and the actions taken. Indeed, during the collection process the debt collector usually enriches the data provided with new information (e.g. by adding a new phone number or address and updating the debtor’s financial situation).
In contrast, a “data processor” has no autonomy as to what is done with the data. It typically receives narrow instructions such as “send a letter with this text to that address.”
Data controllers have various obligations, such as:
- limiting the data handled and stored to what is needed for the purpose (data minimisation, Article 5(1)(c)): name and address, for example, but not religious affiliation, health status, race or ethnicity, which are special categories of data under Article 9
- securing the data against access by unauthorised parties (Article 32)
- ensuring secure data transfer (e.g. an ordinary unencrypted email could be considered insufficiently secure for transferring personal data)
- ensuring personal data is not transferred, disclosed or sold unless there is a lawful basis for doing so
- informing persons (“data subjects”) about the processing (Articles 13 and 14), including when, as in debt collection, the data was obtained from a third party rather than from the data subject, and giving them access on request to the personal data the controller holds about them (Article 15)
- maintaining a record of processing activities (Article 30) for use in demonstrating compliance with the Regulation, as the accountability principle of Article 24 requires.
From May onwards, creditors increasingly sent their debt collectors contract proposals by email. As debt collectors are usually “data controllers” rather than processors, the situation can be characterised thus:
- Two “data controllers” established in the EU (or EEA) do not need to enter into a data-processing agreement of the kind Article 28 requires between a controller and a processor, as both parties must in any case abide by all EU laws and regulations, including the GDPR. (Only if they jointly determine purposes and means do they become joint controllers, for which Article 26 requires an arrangement between them.)
- Two “data controllers” established outside the EU (or EEA) are not obliged to abide by the GDPR, unless their processing falls within its territorial scope under Article 3(2), i.e. they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
- Where one “data controller” is established in the EU (or EEA) and the other outside it, the transfer must rest on one of the mechanisms of Chapter V of the GDPR: unless the recipient’s country benefits from an adequacy decision of the European Commission, the parties will in practice enter into a “controller-to-controller” agreement based on the Commission’s standard contractual clauses, in which the non-EU partner commits to abide by the EU requirements.
The GDPR is indeed a complex text. But it is also “self-contained” in the sense that its wording should not be interpreted according to any one member state’s own legal jurisprudence: it should be understood, rather, in accordance with its own definitions. So although the text may not be readily accessible or eminently readable, it does have its merits as a logical and coherent piece of legislation.
TCM Group members strictly abide by the requirements laid down in the GDPR.
Mr. Etienne van der Vaeren is CEO of TCM Belgium and one of TCM Group’s directors.