Data processing and the right to be forgotten in the context of the new European data protection regulation

Helene Mueller
eCollect support team

If an outstanding claim is not paid, the creditor has the right to authorize a debt collection agency to enforce the claim. In order to collect outstanding debts, personal data is transferred to eCollect AG by our clients and processed by our employees. The data processing is based on the current state of legislation. This will not change with the coming into effect of the new European General data protection regulation (GDPR) on 25 May 2018. In providing its services within the European Union, eCollect AG will comply with the requirements of the GDPR with regard to data processing. We have already adapted our data protection policies and the associated procedures to this and are prepared for it.

Why is eCollect AG allowed to process personal data?

Our clients are entitled to authorize eCollect AG as a financial service provider and a debt collection agency to enforce and collect outstanding claims at any time. In this regard, they provide us with the known personal data of the debtors. In the process, clear and legitimate purposes are pursued which include the execution and fulfilment of a contract concluded by our client. We unavoidably use personal data to collect outstanding debts. This data processing is carried out exclusively for the protection of the legitimate interests of our clients, which outweigh the debtor interests when weighing up the interests in the case of debt collection. The granting of consent by the data subject is not required by law. In this regard, the revocation of a given consent does not have any legal consequences, since the processing for the enforcement of claims is directly derived from a legal permission regulation. The legal basis for data processing by eCollect AG has so far resulted from the various national laws on data protection and has now also been included in the new GDPR in Art. 6 para. 1 letters b and f.

Why does the right to be forgotten not apply in the event of a debt collection?

The right to delete stored personal data (the so-called right to be forgotten) is newly regulated in Article 17 of the GDPR. The cases in which the data subject may request the deletion of his/her personal data are exhaustively listed there. In the context of ongoing debt collection, personal data of the respective debtor is indispensable for the purpose of the execution and fulfilment of the contract. The processing by eCollect AG is carried out to enforce the legal claims of our clients against their debtors. In such cases, the right to be forgotten pursuant to Art. 17 para. 3 letter e GDPR does not apply. The right to be forgotten can only be exercised when the storage of data is no longer necessary or when the legal retention periods have expired. In the context of debt collection, the persons concerned still have a comprehensive right to information about their personal data, which is processed by eCollect AG. You may exercise this right safely and at reasonable intervals in order to be aware of the processing and to confirm its legality.

How long is data retained by eCollect AG?

Personal data are stored in the eCollect system in a form that allows the identification of the data subjects only for as long as necessary for the purposes for which they are processed. We limit the retention period for personal data to the absolutely necessary minimum. With regard to our international activities, eCollect AG must comply with various legal retention obligations depending on the individual case and the applicable national law. Thereafter, the criteria for determining the retention period are also established. The storage of personal data generally lasts for a certain period after the end of the debt collection process. The reason for this is that eCollect AG needs this information for the pursuit of legitimate business interests, the performance of checks and inspections, the compliance and proof of legal obligations, the settlement of legal disputes and the enforcement of legal claims. For example, eCollect AG must also observe retention periods of up to 10 years under tax or commercial law when storing some documents. Taking into account the various retention periods prescribed by law, personal data will be kept by us as long as there are retention obligations in this respect.

Personal data is securely stored at eCollect AG

eCollect AG uses modern technical solutions and transparent and secure organisational mechanisms to guarantee data security. We have implemented a high security standard for data protection and information security that is equivalent to that of our corporate group. At the same time, we always take care to be up to date. We only use our own specially designed and developed eCollect system and attach particular importance to a secure network system and reliable communication channels. You can find out more about data protection and information security at eCollect AG in our privacy policy.