This time, I will present a new, secret weapon that debtors use while contacting collector – pleading breaching personal data protection regulations.
“Where did you get my phone number? I won’t pay, because you are processing my personal data. I demand an immediate removal of my data from you database.”
“How dare you are using my data? I do not want my data to be processed by anyone. You have to have my consent to collection.”
Collectors are forced to listen to this and similar manifestations of outrage almost every day. They are often accompanied by promises to file a complaint to the Personal Data Protection Bureau, which is allegedly flooded with these claims.
In the meantime, collection agencies and law offices have done their homework on personal data protection well, even before the new regulations became effective in May 2018, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
Given the fact that they are mass processing debtor’s personal data (around 2 million of Polish citizens), they were forced to implement exceptionally strict procedures and security, so that data could be processed safely and entirely in accordance with the law. No professional collector would allow himself to act against GDPR regulations, because the possible sanctions for breaching are very high. Besides, collection agencies affiliated in the industry organizations, such as Polish Credit Management Association (Polski Związek Zarządzania Wierzytelnościami), are subject to internal corporate regulations and are obliged to follow Ethic Rules of Collection Industry (Zasady Etyki Branży Windykacyjnej) under a threat of being excluded from the organization and losing its recommendation.
Collectors carry out claim recovery services on behalf of their client (on commission) or in their own name, after purchasing debts from primary creditor. According to GDPR regulations, in the first situation they act as processors and in the second they act as controllers.
As a general rule, GDPR regulations impose on the controller a responsibility of obtaining consent to process personal data from the subject, whom this data apply to. Article 6 paragraph f creates an exception for the situation in which processing is done due to pursuing a claim. Collection agency that purchased debts of companies and natural persons can use data that is essential in order to recover the assets. For how long? Most often until the final payment or until the claim expires.
In the situation when collector is recovering debt on commission of the client who acts as debtor’s personal data administrator, the collector operates on the basis and within the agreement of entrusting personal data protection with the aim of recovering assets. He is not burdened with information responsibilities that are controller’s obligation. He processes personal data with a specific goal and usually has a right to entrust it to other parties helping with the recovery. Processor is obliged to cooperate with controller in the event of debtor notifying requests concerning processing of his data. Any request made by debtor is registered and forwarded to administering entity, that eventually makes a decision on what should be done in the specific situation. It can oblige collection agency to change its scope of processing personal data and can correct mistakes within provided data.
Summing up: personal data administrator as well as the processing entity have the right to use debtor’s personal data without his consent for the sake of pursuing the claim, up until termination of this claim.
Debtors, questioning legitimacy of personal data processing, often ask childish questions: “Where did you get my data?”
Data used in collection process, such as: company’s name, name and surname, address, phone number, e-mail address, is gathered with trade partner’s consent (now debtor) on the occasion of making a contract regarding, for example, purchasing goods or services. Client provides this and other data himself, for example, in a mercantile credit application and consents to its processing in connection with the agreement. Data saved in creditor’s informatic system can be used for collection purposes, because it was gathered for this, among other, reason. Such data is often enriched with information obtained from debtor’s websites, social media profiles and especially from public registries.
While consenting to processing personal data in order to make and execute an agreement, client is actually giving his consent to processing it during negotiations, preparations, making and executing the agreement, performing service, pursuing the claim deriving from agreement itself. However, even without this consent, as mentioned above, creditor has a right to use data in order to recover assets. This is what regulations say, GDPR (6f).
Then why debtors refuse to pay using excuses concerning personal data protection? The answer is simple. They do have enough knowledge in this topic or they give in to persuasion of so called “anti-collectors”, which are agencies helping debtors to avoid paying their liabilities.
We have a piece of advice for debtors avoiding payments due to alleged, illegal usage of their personal data. It is best to pay off the debt and then submit a request to stop processing data to administrator. This method proves to be the best.