“Where did you get my phone number from? You are processing my personal data. You have to have my consent to collection. I demand an immediate removal of my data from your database.”
Collectors are forced to listen to those and similar manifestations of outrage almost every day. They are often accompanied by promises to file a complaint to the Personal Data Protection Bureau, which is allegedly flooded with such claims.
In the meantime, collection agencies and law offices have done their homework on personal data protection, even before the new regulations became effective in May 2018, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
Given the fact that such companies process tens of thousands of personal data, they were forced to implement exceptionally strict procedures, so that data could be processed safely and entirely in accordance with the law.
Collectors carry out claim recovery services on behalf of their client, on commission, where they act as processors of the data or in their own name, after being assigned with debts to collect from the primary creditor, where they act as controllers of the data.
- In the first case, when collector is recovering debt on commission of the creditor, who acts as debtor’s personal data administrator, the collector operates on the basis and within the agreement of entrusting personal data protection with the aim of recovering assets. He processes personal data with a specific goal and usually has a right to entrust it to other parties helping with the recovery. The processor is obliged to cooperate with controller in the event of debtor notifying requests concerning processing of his data. Any request made by debtor is registered and forwarded to administering entity, that eventually makes a decision on what should be done in the specific situation. It can oblige collection agency to change its scope of processing personal data and can correct mistakes within provided data.
- In the second case, GDPR regulations impose on the controller a responsibility of obtaining consent to process personal data from the subject. Article 6 paragraph f creates an exception for the situation in which processing is done due to pursuing a claim. Collection agency that purchased debts of companies and natural persons can use data that is essential in order to recover the assets. For how long? Most often until the final payment or until the claim expires.
In short: Personal data administrator as well as the processing entity have the right to use debtor’s personal data without his consent for the sake of pursuing the claim, up until termination of said claim.
Debtors, questioning legitimacy of personal data processing, often ask the question:
“Where did you get my data from?”
Data used in collection process is gathered with trade partner’s (now debtor’s) consent on the occasion of making a contract regarding, for example, purchasing goods or services. The client provides the data himself and consents to its processing in connection with the agreement. Data saved in creditor’s informatic system can be used for collection purposes, because it was gathered for this, among other, reason (see: GDPR (6f)). The data is often enriched with information obtained from debtor’s websites, social media profiles and especially from public registries.
Then why debtors refuse to pay using excuses concerning personal data protection?
The answer is simple. They do not have enough knowledge in this field, or they give in to persuasion of so called “anti-collectors”, which are agencies helping debtors avoid paying their liabilities.