In the context of a credit relationship between a creditor and a borrower, in addition to disputes relating to the performance of monetary obligations under the credit agreement, problematic situations may arise concerning the right of access to personal data.
All too often, due to improper storage of their personal records, borrowers lose copies of the credit agreements they have entered into. This largely frustrates the possibility of protecting their rights, as only the content of the contract can be used to assess its legality.
In these cases, data protection legislation guarantees the right of borrowers to have access to the documents containing personal data which the creditor processes as a data controller.
In view of the fact that credit agreements contain personal data, on the basis of Article 15(3) of Regulation (EU) 2016/679 (General Data Protection Regulation), the data controller is obliged to provide a copy of the personal data that is being processed.
To this effect, the Court of Justice of Luxembourg gave a binding interpretation in its judgment of 4 May 2023 in Case C-487/21, which held that „the right to obtain from the controller a copy of the personal data which are being processed requires that the data subject be provided with an accurate and intelligible replica of all those data. This right implies the right to obtain a copy of extracts from documents and even of whole documents or extracts from databases, which in particular contain the data in question, if the provision of such a copy is mandatory in order for the data subject to effectively exercise the rights conferred on him by this Regulation, stressing that the rights and freedoms of others must be taken into account in this respect."
In our practice, we regularly encounter refusals to provide information on personal data processed and copies of the credit agreements concluded between the parties, with the most frequent being lenders stating that the borrower should have kept his copies with the care of a good steward.
It is important to note that whether or not the borrower keeps its copies of the credit agreements is not relevant to the data controller's obligation under the Regulation and the Personal Data Protection Act (PDPA) to provide them when duly requested.
In other cases, creditors only provide general information on the type and category of personal data processed, but not the personal data media themselves - contracts, repayment plans, standard European forms, etc., which constitute the factual basis on which the personal data are processed.
Pursuant to Article 12(1) of Regulation (EU) 2016/679, data controllers have an obligation to provide access to data to the data subject in a form that enables the data subject to inspect the data and verify that it is accurate and processed in accordance with the GDPR, which ensures that the data subject can subsequently exercise other rights protected by the Regulation.
Denial of access to data under Article 15(1) of the GDPR is a violation of the fundamental principles of data processing.
The Personal Data Protection Act regulates at national level two alternative means of protection of the data subject in case of violation of his/her rights under Regulation (EU) 2016/679 and under the PDPA: 1. Referral to a supervisory authority - the Personal Data Protection Commission and 2. Filing a complaint against the actions or acts of the personal data controller, which shall be examined by the competent administrative court.
The material is informative and does not constitute a legal opinion or legal advice. Our team has extensive experience in appealing acts of personal data controllers and in protecting the rights of personal data subjects both administratively and judicially. If you need advice in the field of personal data protection or if your right to access information about the personal data, processed by the controller concerned is violated, you can contact us at tel. + 359 876 267 112 / + 359 897 977 338 or through any of the other contact channels of Vatev & Partners Law Office.