In late March, the Spanish Data Protection Agency (AEPD) issued a report (the “Report”) objecting to the adoption of the draft code of conduct of the media and information sector (the “Code”)proposed by the Multisectoral Information Association (ASEDIE). After reviewing the Code, the AEPD concluded that it was not in line with the General Data Protection Regulation (GDPR) or the Organic Act on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD).
The Report first recalls that codes of conduct play a central role because they are closely related to the accountability principle and are a way to prove compliance with data protection rules. Therefore, the AEPD considers that all codes must be reviewed under the European Data Protection Board Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). Jointly interpreting the Guidelines and articles 40 and 41 of the GDPR, it concludes that codes of conduct must be monitored by a body accredited by the supervisory authority, except for codes promoted by public authorities and bodies.
In September 2020, the General Subdirectorate of the Data Protection Registry issued a report on the draft Code. That report focused on the processing activities to which the AEPD objects:
- Credit information systems with data on the fulfillment of payment, financial or credit obligations (positive credit files).
- Positive credit files versus negative credit files: first, the AEPD distinguishes between the processing of personal data concerning existing or fulfilled payment obligations (positive credit files) and that relating to non-fulfillments (negative files). Since positive files have a greater impact on data subjects’ rights and interests and there are no statutory rules in this regard, the AEPD considers that the processing of positive files requires the consent of data subjects, but the Code does not mention it. Regarding negative files, there is a statutory presumption that the controller has a legitimate interest in the processing unless proven otherwise, and there are additional safeguards for the controller’s legitimate interest. The Report then examines if, as proposed by the Code, the controller’s legitimate interest prevails and allows for the processing of positive files under article 6(1)(f) GDPR.
- Legitimate interest of the controller or third parties: in the Code, legitimate interest means the need of credit institutions to know about the fulfillment of payment, financial or credit obligations to mitigate the risk attached to lending decisions. The Code also construes this legitimate interest as the “general social interest in the financial system’s stability and strength, which is essential in a modern economy.” According to the AEPD, this interpretation of legitimate interest does not apply, because (i) the processing of credit files has a greater impact on the rights and interests of the parties concerned; and (ii) although the Code tries to give greater weight to the legitimate interest argument, claiming that it is in the general interest to strengthen the financial system, no such legitimate interest exists. The AEPD notes that there would only be a general interest if there was a specific statutory provision stating it, which there is not.
- The interests, rights and freedoms of data subjects. According to the AEPD, the Code’s analysis is too brief and restrictive, since it does not even consider (i) that the data may be inaccurate or outdated; or (ii) the actual or potential negative consequences of data processing (e.g., discrimination or prevention of access due to blacklisting). The AEPD states that the Code (i) should have considered additional circumstances; and (ii) regarding the few aspects it does consider, reaches incorrect conclusions, since there can be a significant impact on data subjects’ interests.
- The safeguards provided. The AEPD states that wrongly assessing the impact on the data subjects’ interests, rights and freedoms leads to an incorrect definition of the appropriate safeguards to minimize that impact. The Code does not include (i) an evaluation of the potential risks of data processing; or (ii) any impact assessment, providing only an abstract analysis with overly general and inappropriate safeguards that do not mitigate the impact on data subjects. One of the main risks relates to the accuracy and updating of data, which is hard to mitigate through a system based on voluntariness and reciprocity. Finally, although it covers processing activities involving profiling to know customers better and to customize the products, the Code does not include a comprehensive analysis of the right to object.
- Information on creditworthiness with data publicly available or manifestly made public by the data subject.
The AEPD underlines that the Code makes a major mistake by giving prevalence to the controller’s legitimate interest solely because data comes from public sources or because the data subject manifestly made them public. The Report adds that the Code (i) does not identify which data are subject to processing; and (ii) includes a broad definition of public sources, without considering the purpose for which data were stored in those sources.
According to the AEPD, there is no legal definition of public sources (or publicly available data). The AEPD adds that data being publicly available can be one of the aspects to consider when weighing the relevant rights and interests, but it does not exclude compliance with the remaining principles, including purpose limitation, data minimization and maximum storage or usage periods to fulfill the initial purpose of the processing.
The Report carefully examines the use of publicly available data subject to the purpose limitation principle of article 5 GDPR. It notes that using publicly available data for purposes other than those initially pursued requires (i) the data subject’s consent; or (ii) a specific EU or Member State enabling provision, as long as these purposes are compatible and there are standards for assessing that compatibility. Regarding credit files, the AEPD considers that there are no compatible purposes justifying further processing to assess the data subject’s creditworthiness, thus concluding that this processing would interfere with the data subject’s fundamental right to data protection.
The Report concludes that these incompatible purposes make it unlawful to process publicly available data to assess the data subject’s creditworthiness.
See below a summary of the AEPD conclusions:
Due to the above reasons, and other minor issues, the AEPD considers that the Code must not be adopted because its content does not comply with the GDPR or the LOPDGDD.
Authors: Adaya Esteban y Paula Conde