Debt collector: Non-compliance with general data processing principles

A data subject requested information about and erasure of the data processed, which the debt collector refused stating that it could not identify the subject. For identification purposes he requested place of birth, mother’s maiden name and further details from the data subject. After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller.

GDPR Articles: Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR
Industry: Finance, Insurance and Consulting