How far can a data controller go in relying on “legal obligation” (GDPR Art. 6.1(c))?

The Arnhem-Leeuwarden Court of Appeal, in the Netherlands, recently issued a decision concerning compliance with a legal obligation as legal basis for data processing (Article 6.1(c) of GDPR). The decision builds upon a line of recent court decisions in the Netherlands which allow data controllers to rely on the legal obligation more freely than what the Dutch supervisory authority would permit.

Facts of the case

A Dutch bank, Coöperatieve Rabobank U.A., provided consumer credit to the petitioner in the appellate court case. Two years later, the petitioner, who had worked as a director of a company, was fired from his job. At the time of dismissal, his outstanding debt to Rabobank was EUR 71,000, which he was unable to repay. The petitioner eventually entered into a debt settlement scheme with Rabobank and with some other creditors.

Rabobank registered in the Dutch Central Credit Information System (Centraal Krediet Informatiesysteem) (“CKI”) personal data of the petitioner relating to his financial position. The registration included information such as the amount of the debt, payment arrears, and the debt settlement. The Dutch Credit Registration Office, which maintains the CKI, has set a five-year period during which personal data about defaulting debtors are kept in the CKI. After that, the data are erased.

The petitioner challenged the registration and retention of the personal data. He claimed that the legal basis for the processing of the data could only be legitimate interest (Article 6.1(f) of the GDPR), not legal obligation (Article 6.1(c)) as Rabobank claimed. The petitioner requested that Rabobank remove the registration, i.e. erase the personal data from the CKI, because the balance of interests and rights did not work in the bank’s favour. Rabobank refused to comply with the request and the petitioner brought a court action which eventually reached the Court of Appeal.

Article 6.1(c) does not require a law to describe the data processing in detail

In dealing with the question of the legal basis for the processing, the Court of Appeal referred to a judgement of the Court of Appeal of ‘s-Hertogenbosch (“Den Bosch Court”) from 6 August 2020 (“Den Bosch Judgement”). The Den Bosch Court established, following a detailed analysis, that the registration of financial data in the CKI takes place on the basis of Article 6.1(c) of the GDPR, i.e. on the basis of a legal obligation stipulated by the Dutch Financial Supervision Act.

The Den Bosch Judgement was especially interesting because it refuted an opinion of the Dutch data protection supervisory authority that, for Article 6.1(c) to be invoked, the statutory provision stipulating the obligation to process personal data must elaborate the details of the processing. Only in that way, the Dutch supervisory authority reasoned, could the statutory provision be sufficiently “clear and precise”, as required by recital 41 of the GDPR. The supervisory authority acknowledged that the Financial Supervision Act required credit providers to process financial data of consumers; that was necessary in order for credit providers to obtain information on a consumer before entering into a credit arrangement or before allowing a significant increase in the credit limit. However, the supervisory authority concluded, the statutory provisions fail to meet the requirements of “clarity and precision” because they are silent on matters such as data retention periods and access to the data (Den Bosch Judgement, para. 3.5.9). As a result, in the opinion of the supervisory authority, Article 6.1(c) of the GDPR cannot serve as the legal basis for the processing; only Article 6.1(f) can, other conditions being met.

The Den Bosch Court invoked a couple of scholarly works to arrive at a different conclusion – that the GDPR does not require laws setting out a legal obligation to specify the details of the concomitant processing of personal data. So long as the data processing is an inseparable part of the broader legal obligation, Article 6.1(c) is applicable, i.e. the processing may be said to be necessary for compliance with a legal obligation. The Den Bosch Court further explained that Article 6.3 of the GDPR prescribes that the legislation providing for a legal obligation to process personal data must determine the purpose of the processing, but that provision does not require the legislation to set out the details of the processing.

Even “legal obligation” as the basis for processing requires a proportionality analysis

The Arnhem-Leeuwarden Court of Appeal concluded that every processing of personal data, including processing based on Article 6.1(c), must be in line with the principles of proportionality and subsidiarity (paras. 4.8 and 4.9 of the judgment). Considering that it was the Dutch Credit Registration Office itself, and not the Financial Supervision Act, that prescribed the five-year retention period for the petitioner’s financial data in the CKI, the court examined whether that duration was proportionate in relation to the purpose served by the retention of financial data. The court also had to be satisfied that the purpose could not reasonably be achieved in another way that is less disadvantageous for the petitioner (the principle of subsidiarity).

The court concluded that the principles of proportionality and subsidiarity were observed in the case. The purpose of CKI registrations is to provide lenders with information for assessing the risk of overfunding. There is no other way for lenders to obtain such information than through the CKI. The petitioner had substantial debts in the past. The registration of the financial data did constrain the petitioner, as he could not get a loan to buy a house of his choosing; however, the registration did not put him in a distressing situation.

Taking all of the above into account, the Court of Appeal concluded that erasure of the financial data from the CKI before expiry of the retention period would undermine the purpose of the registration.

Comment

Although the judgment of the Court of Appeal gives data controllers more than they could expect to get from the supervisory authority – at least in the Netherlands – it might not go as far as it appears on first reading. The principle of subsidiarity, depending on how it is interpreted in practice, might to a significant extent limit the usefulness of legal obligation as the basis for data processing.

The principle of subsidiarity, at least in the meaning employed in the judgment, is currently a feature of Dutch law rather than a principle which the GDPR clearly recognises as applicable to every instance of data processing. It could be argued that only a softer version of that principle is justified. In that version, where the data controller can reasonably fulfil the legal obligation through more than one way of processing the personal data, Article 6.1(c) could still apply. That would be the case if the alternative ways are no more than trivially less disadvantageous for the data subject and the alternative ways require the use of outdated technologies or are otherwise patently unsuitable.


[Note: The Serbian Data Protection Act and the current draft of the Montenegrin Data Protection Act mirror the provisions of the GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as instructive guidance for compliance with local regulations.]


Photo by Mark Fletcher-Brown on Unsplash