|
The EDPS notes that the proposal involves a number of activities, which have relevance under the EU data protection regime. These are mainly related to the consultation by creditors and credit intermediaries of the ‘credit database’ with the purpose of assessing the creditworthiness of consumers and to the release of information by the consumers to the creditors or credit intermediaries.
Whilst the EDPS is pleased to note that important references to the relevant data protection rules have been included in the current text of the proposal, he suggests some improvements with the aim of clarifying the text and in order to ensure that criteria determining the access rights to the credit database are not mandated to delegated legislation.
Applicability of data protection principles: in order to reflect better the fact that the national laws implementing Directive 95/46/EC are the appropriate references and to emphasise that any data processing operation must be carried out in accordance with those laws, the EDPS suggests introducing a new article with specific wording to that effect: ‘Any processing of personal data performed pursuant to this directive shall be carried out in conformity with the relevant national laws implementing Directive 95/46/EC’.
Creditworthiness of consumers: the proposal introduces an obligation for creditors to carry out a thorough assessment of the creditworthiness of consumers. This assessment should be based on certain criteria, such as the consumer's income, savings, debts and other financial commitments. This obligation could have a significant impact on the privacy of individuals seeking credit, as the type and amount of information that could be accessed to by the creditor is potentially very large. Therefore, the EDPS suggests specifying in a more detailed way the sources from which information on the creditor's creditworthiness can be obtained.
Consultation of the credit database: the EDPS notes that the text does not specify whether the databases should be specifically designed for creditworthiness checks, who is responsible for the database, what kind of information might be contained in the database, what the ‘monitoring’ of consumer compliance entails, etc. Furthermore, the EDPS notes that the proposal states that details of the criteria for harmonised access shall be further specified in delegated acts of the Commission.
The EDPS has already expressed the view that measures that have a substantive impact on the privacy of citizens should not be dealt with in delegated legislation. Certainly details can be elaborated in such legislation. The main implications for the citizens should, however,be clear and agreed upon in the legislation adopted on the basis of the ordinary legislative procedure. From a data protection perspective, the EDPS is particularly concerned about the apparent contradiction between the generalised possibility of consultation by (a not yet identifiable number of) credit operators to the database and the ‘light’ obligation inserted only in a recital, namely that consumers should be informed about the consultation of the database and should have access to the information rectify, erase or block the personal data concerning
them. In the EDPS' view, the concrete possibility of exercising the data subject's rights pursuant to Directive 95/46/EC is connected to the possibility of identifying the possible recipients of the personal data contained in the credit database. The effectiveness of the reference to the rights contained in Directive 95/46/EC could be therefore neutralised by the impossibility for the data subject to clearly and pre-emptively identify the natural or legal persons who can have access to the database.
The EDPS therefore suggests some modifications.
Any access to the database should be subject to the following conditions: