House Price Crash Forum
Goodafterbad

Implication of GDPR on credit checks


I work in web development and all my clients are worrying about the EU's new GDPR regulations which come into effect in under two weeks. There is an enormous amount of opinion out there at the moment, but very little in the way of clear guidance, from either the EU or the Information Commissioner's Office, who are responsible for the GDPR in the UK.

As far as I understand, it boils down to making sure you have 'Lawful basis for processing' someone's personally identifying information. This can be obtained in a number of ways, such as explicit consent or needing to process the individual's data in order to fulfil a contract you have with them.

One of the points I'm worrying about is that consent can be withdrawn at any time. For me this means I have to help my clients remove individual customer data from their databases. However, I saw a commentard on another forum making the point that this would mean you could ask credit rating agencies to remove information they held on you. Clearly things like CCJs are a matter of public record and so I don't think they could be expunged, but I'm wondering if this new regulation will cover other information held by the credit rating agencies.

My thoughts are that this is another ill-considered law and will be generally ignored in the same way the cookie policy directive has been. However, I'd be really interested in other people's take on this subject.

---

You can't ask credit checking companies to remove legitimately held data under GDPR. Companies can hold and process data if they can provide a valid reason to do so; a requirement to keep credit records for 6 years is one of them.

---
On 12/05/2018 at 16:07, Goodafterbad said:

I work in web development and all my clients are worrying about the EU's new GDPR regulations which come into effect in under two weeks. There is an enormous amount of opinion out there at the moment, but very little in the way of clear guidance, from either the EU or the Information Commissioner's Office, who are responsible for the GDPR in the UK.

As far as I understand, it boils down to making sure you have 'Lawful basis for processing' someone's personally identifying information. This can be obtained in a number of ways, such as explicit consent or needing to process the individual's data in order to fulfil a contract you have with them.

One of the points I'm worrying about is that consent can be withdrawn at any time. For me this means I have to help my clients remove individual customer data from their databases. However, I saw a commentard on another forum making the point that this would mean you could ask credit rating agencies to remove information they held on you. Clearly things like CCJs are a matter of public record and so I don't think they could be expunged, but I'm wondering if this new regulation will cover other information held by the credit rating agencies.

My thoughts are that this is another ill-considered law and will be generally ignored in the same way the cookie policy directive has been. However, I'd be really interested in other people's take on this subject.

GDPR is about 3rd parties hoovering up personal info without consent.

Credit checks are about checking info that customers have actively consented to.

---
5 minutes ago, Peter Hun said:

You can't ask credit checking companies to remove legitimately held data under GDPR. Companies can hold and process data if they can provide a valid reason to do so; a requirement to keep credit records for 6 years is one of them.

Part of the GDPR specifies the lawful bases for processing data, which, according to the ICO, are: consent, contract, legal obligation, vital interests, public tasks and legitimate interests. I thought that when you sign up for a line of personal credit, you are asked to give consent for the creditor to share your data with the credit rating agencies, but under GDPR, you have the right to withdraw consent at any point in the future.

I can see that the company who you took out your line of credit from has a legal basis to process your data, under the legal obligation basis. But what would be the legal basis for the third party credit rating agency to process your data after you'd withdrawn consent?

---
10 minutes ago, spyguy said:

GDPR is about 3rd parties hoovering up personal info without consent.

Credit checks are about checking info that customers have actively consented to.

If you take a look at it, the GDPR is about a whole lot more than just third parties eating your data, but I agree that this is probably what the ICO will focus on.

I understand that you give consent to have your data shared for credit checking purposes, but the GDPR specifically gives you the right to withdraw that consent. That is the aspect which I think could get interesting.

---
45 minutes ago, Goodafterbad said:

the GDPR specifically gives you the right to withdraw that consent. That is the aspect which I think could get interesting.

Not if there is a legitimate reason to hold the data. Having a previous loan agreement is about as legitimate a reason as you can get. Many companies have taken the view that being a previous customer entitles them to hold their data.

 

---

How can the credit reference agencies hold your personal data, legally, without your prior consent?

A company, like a bank or building society cannot give consent on your behalf to give permission to a third party, like a credit reference agency, to hold your data. All they can do is use your consent as part of a credit application to access data from a third party.

---
1 hour ago, Peter Hun said:

Having a previous loan agreement is about as legitimate a reason as you can get

Yes, that's a legitimate reason for a bank to keep your data, but I'd question if it's legitimate for a third party credit agency to keep that data after you explicitly withdraw your consent. Under the GDPR, what legal basis would you say the credit agency has to process your data if you withdraw your consent?

1 hour ago, Peter Hun said:

Many companies have taken the view that being a previous customer entitles them to hold their data.

I know that's the view being taken, but I'm not sure it's compatible with the GDPR. I think everything is up in the air at the moment and companies are just copying one another. I've had a huge number of emails through recently showing me how I can opt out if I choose to, and a couple which say I'm now opted out unless I specifically choose to opt in.

---

The GDPR legislation is actually very good, but like any legislation needs case law to confirm application. In this case I think you could withdraw consent for the Credit Reference Agencies to hold your data, it may be that you need to withdraw consent from each, or alternatively that a loan which has been repaid to a bank you can demand they remove that data if the courts see the banks as a data controller and the agencies as data processors. 

Either way whilst possible it is required to keep a record of withdrawn consent, therefore they could simply refuse a loan to someone on that list, or more likely and almost certainly more legally if you remove your data you have no credit history and hence no ability to get credit. Seems like a good way to cut off your nose to spite your face, but maybe has a use if people want to cut themselves off?

---
Guest

edit: d'oh! Didn't read Peter Hun's comments that credit agencies can deny GDPR deletion requests.

Please ignore!

Edited by Guest

---
4 hours ago, Cryptotrader said:

How can the credit reference agencies hold your personal data, legally, without your prior consent?

A company, like a bank or building society cannot give consent on your behalf to give permission to a third party, like a credit reference agency, to hold your data. All they can do is use your consent as part of a credit application to access data from a third party.

You don't need consent to hold and process personal data. However, you must have a reason (for each individual type of processing). Consent is just one possible reason you could give for processing data. As posted earlier in the thread, other valid reasons are: contract, legal obligation, vital interests, public tasks and legitimate interests. So, as long as a credit reference agency has a valid reason in the above list, they do not need consent. Legitimate interests is a rather broad category, but basically means that you have a strong argument that the benefits (to the public or to the customer) of processing outweigh the privacy risks.

In effect, consent is required only in those cases where another reason for processing does not exist. For example, if you order a product from a retailer, then they can process your personal data for the purposes of fulfilling your order, and also completing their tax returns, under the contract and legal obligations reasons.  However, if they wish to send you marketing bumf, then that does not fall under any other reason, hence explicit consent would be required for processing for the purpose of marketing.

In the case of credit reference, there are strong arguments that legal obligations and legitimate interests exist:

Banks and other financial institutions lending money are legally obliged by the FCA to verify that any credit they offer is affordable and avoids over-indebtedness. Part of this includes checking an individual's other credit commitments, hence there is a strong argument that credit reference agencies are processing personal data as part of this legal obligation.

CRA data is also potentially valuable for detecting and preventing financial fraud, as a result there is a strong argument that there is a legitimate interest in processing the data, for the purposes of crime detection and prevention. Similarly, CRA data is potentially useful for the tracing and recovery of bad debt, so there is a further argument of legitimate interest.

Edited by ChumpusRex

---
1 hour ago, ChumpusRex said:

In the case of credit reference, there are strong arguments that legal obligations and legitimate interests exist:

Banks and other financial institutions lending money are legally obliged by the FCA to verify that any credit they offer is affordable and avoids over-indebtedness. Part of this includes checking an individual's other credit commitments, hence there is a strong argument that credit reference agencies are processing personal data as part of this legal obligation.

I completely agree with your line of reasoning in the case of a bank, but I'm not convinced that it extends so easily to the third party credit rating agencies. I'm convinced that a bank could argue legal basis to process if it kept internal records of your previous loans and checked your payment history. But the credit rating agency's reason to process your data is so that it can make money by providing a service to the banks.

I guess time will tell, but given that the ICO hasn't had teeth in the past, I don't expect to see any action taken any time soon.

---

Lenders need CRAs to allow a loan to be offered and there is also a legal requirement to store the data for 6 years. Lenders must submit full details of any loan to the central CAIS database or they will lose access to credit checking.

Without a complete picture of a person's credit history they aren't getting any sort of credit, so it's a moot point; you won't have any personal data to protect as you won't have any credit/accounts.

---
1 hour ago, Goodafterbad said:

completely agree with your line of reasoning in the case of a bank, but I'm not convinced that it extends so easily to the third party credit rating agencies

Processing by third parties is allowed under GDPR. The lender has to make sure the third party is EEA based and complies with GDPR.

---
3 hours ago, Goodafterbad said:

I completely agree with your line of reasoning in the case of a bank, but I'm not convinced that it extends so easily to the third party credit rating agencies. I'm convinced that a bank could argue legal basis to process if it kept internal records of your previous loans and checked your payment history. But the credit rating agency's reason to process your data is so that it can make money by providing a service to the banks.

I guess time will tell, but given that the ICO hasn't had teeth in the past, I don't expect to see any action taken any time soon.

There is no restriction to 1st party processing; the processing can be carried out by a 3rd party (e.g. where necessary, and where the same protection of the data can be assured). Recital 48 of the GDPR makes this explicit, by stating that sharing of data among multiple data controllers may be a legitimate interest. It is easy to see how this applied to financial institutions and CRAs.

In their guidance, the ICO use this specific example of lenders sharing data with CRAs, and CRAs then sharing that data with 3rd party lenders as an example of acceptable data processing.

Edited by ChumpusRex

---
On 27/05/2018 at 13:02, Peter Hun said:

Not if there is a legitimate reason to hold the data. Having a previous loan agreement is about as legitimate a reason as you can get. Many companies have taken the view that being a previous customer entitles them to hold their data.

Many companies are wrong. Unless there is a lawful basis for holding the data you can't hold it, and 'was a customer' is not one. Being a bank is likely to work; being a 3rd party credit agency not recognised in law will fail fast and hard.

---

Like many other things the EU tell us to do, GDPR is just another meddling complicated waste of time, money and energy. The UK government should have rightly told the EU to F. Off, what are they going to do, boot us out of the EU!?? >> Fine us?? Again F off - EU, we are leaving (hopefully if May doesn't fudge it)

---
6 hours ago, DiscoDave said:

Being a bank is likely to work; being a 3rd party credit agency not recognised in law will fail fast and hard.

CRAs are explicitly recognised as legitimate data processors.

If there is any chance GDPR could close down the banking system then GDPR will be changed.

---
20 minutes ago, bear.getting.old said:

Why? What part of we voted to leave the EU don't they understand

The part where anyone voted on how we would leave or our relationship to the EU.

---

I received a letter from Nectar about GDPR consent.

I've never had a Nectar card, the letter was addressed to "The Occupier".

I'm minded to request they let me know what they have on me, then remove it.

---
On 30/05/2018 at 00:17, DiscoDave said:

Many companies are wrong. Unless there is a lawful basis for holding the data you can't hold it, and 'was a customer' is not one. Being a bank is likely to work; being a 3rd party credit agency not recognised in law will fail fast and hard.

Google must be loving this.
