The entry into force of the General Data Protection Regulation, also known in Bulgaria as the GDPR, aimed to provide new opportunities. For clients, who are data subjects, this is the opportunity to have control over their personal information – who uses it, where, how and why. The GDPR has made it more difficult for businesses to meet the accountability principle, but it has also created a new opportunity for them to position themselves more effectively with their clients. After all, it is easier to gain new clients if your business is transparent about the processing of clients’ personal data and processes data lawfully.
The above trends combined with the threat of large financial penalties have provoked all market players – from multinational companies to small family businesses – to review their processes, to start providing information on personal data processing, to obtain consents and to put rules and policies about data processing in place. In short, everyone has tried to be GDPR compliant.
Today, however, almost four years after the GDPR became part of our daily lives, more and more cases cast doubt on whether the protection of personal data indeed creates such balanced opportunities. The disputes before the competent data protection authority and the Bulgarian courts regarding the application of the GDPR are now increasing in number. It appears that the decisions rendered are often exotic in their interpretations and as such cause concerns for the normal functioning of the business environment.
For instance, most recently, the Bulgarian Supreme Administrative Court issued an interesting final and binding decision. According to it, the legitimate interest of the controller is not a valid legal ground to process debtors’ personal data when receivables are assigned. For as long as the legal concept of the transfer of receivables has existed, the law has not required the debtor’s consent. It has always been sufficient to notify the debtor so that there is clear information about who is entitled to receive payment. In this case, however, the Court held that the debtor had to give his explicit consent for the processing of this data in connection with the assignment. So, a question arises: would any sober-minded debtor ever give such consent? And if the debtor has given it by mistake, isn’t it reasonable to expect that he will withdraw it following the first call he receives to pay his debt?
The Supreme Administrative Court addressed the matter in the light of a sanction imposed by the Commission for Personal Data Protection (“CPDP”) on a Bulgarian bank that decided to assign its receivable to a third party. Of course, in connection with the assignment, a transfer of the client’s personal data was necessary – otherwise how would the parties be individualized in this purely contractual relationship? The client was duly notified of the assignment, as required by law.
In the light of the personal data protection rules, the bank was of the opinion that it had a legitimate interest to process the data – namely, to satisfy its proprietary interests as a creditor. However, the CPDP disagreed because it considered that the assignment of the receivable was a completely new and different purpose for which the data were processed. This purpose was unrelated to the contractual loan relationship itself, according to the CPDP. Therefore, the collection of a specific new consent was required.
Although neither the CPDP nor the Supreme Administrative Court disputes the creditor’s right to transfer its receivables to third parties without the debtor’s consent, both authorities accept that “this right could not be relied on against the bank’s obligation to process the data in a fair and lawful manner”. The Court accepts that the bank could have protected its proprietary interest in other ways, which did not involve the transfer of the receivable. Yet, the Court does not provide examples of those other options the bank had. And even if such ideas were given, does it mean that the controller can be required to rely on only one legal ground for data processing, if the facts of the case allow different options? Thus, although with some inconsistencies in its reasoning, the Court concluded that in the case of assignment the only possible legal ground for data processing is the debtor’s consent.
So, the binding interpretation now set in the case-law confirms that it is not legally required to have the debtor’s consent for the assignment of a receivable. Yet, the debtor must always explicitly consent to have his personal data processed for the transfer of the receivable.
Of course, this consent to data processing must meet all the requirements set out in the GDPR. Accordingly, such consent, once collected, can then be freely revoked at any time. It also raises concerns as to whether such consent will be considered freely given if the bank’s client would not otherwise receive a loan (after all, which financial institution will agree to lend at the risk of never being able to transfer the receivable?).
This decision of the Court undoubtedly sets a precedent, especially in the context of the provision of financial services. It further raises the question whether the case-law deviates from the objectives and balances set by the European legislator.
For further information contact:
Ilya Komarevski, Partner
Mileslava Bogdanova-Misheva, Senior Associate