Case Studies Erasure

 

Debt collector involvement

A data subject had contacted the DPC as they were not satisfied with the responses to a data subject access request and erasure request. This case was against a debt collector and the data subject raised concerns about how their personal data was obtained. The data subject explained that the debt had been cleared but they still received a letter from a debt collector. This letter referred to an outstanding amount owed to a third party.

The data subject outlined to the DPC that their subject access request was made through an online platform. The data subject did not receive a response to their Article 15 access request or their erasure request under Article 17 of the General Data Protection Regulation (GDPR). Prior to the DPC's involvement, both parties engaged directly. In their correspondence to the data subject, the debt collector explained that the personal data was obtained from a third party. The personal data was then uploaded to their online system and a letter was issued to the data subject.

As part of its examination, the DPC engaged with the debt collector and requested that they outline their relationship with this third party. The debt collector informed the DPC they were acting as a data processor on behalf of the third party and that a data processor agreement, in line with Article 28(3) of the GDPR, was in place at the time they processed this personal data. The debt collector advised the DPC that this contract was now terminated and they would not be acting on behalf of the third party going forward. The DPC accepted this response and identified the debt collector as a data processor and the third party as the data controller. The data processor stated that debt collection is in the public interest and as such they had a legitimate interest to process personal data where a data subject’s account has been legally assigned to them, or when they are acting under a legal contract. The data processor stated that the processing of the data subject’s personal data was necessary to collect the debt and is allowed even where the data subject does not consent to the processing, meaning the data processor relied on Articles 6(1)(b) and 6(1)(f) of the GDPR for processing the personal data.

The data processor in this case accepted that the data subject may have paid the outstanding debt but stated they could not be held responsible if the data subject pays the data controller directly and the data controller fails to notify the data processor to close the outstanding debt on their systems. The DPC highlighted that there appeared to be an error in the letter the data subject received. In this correspondence the debt collector referred to themselves as a data controller. The debt collector accepted this error and stated it should have read data processor; the error was caused by an oversight when using a template letter.

With regard to the subject access request, the debt collector, due to their data processor relationship, did not respond directly to the data subject’s access request but did share it with the third party, the data controller. In terms of the erasure request, the data processor informed the data subject that they would be required to retain the personal data for six months for taxation/financial/auditing purposes. The six months had passed prior to the DPC's involvement and the data processor assured the DPC that the personal data had now been erased. The data processor apologised directly to the data subject and offered a payment as a gesture of goodwill.

The DPC advised the data subject under section 109(5)(c) of the 2018 Act that the data processor and data controller had a legitimate interest to collect debts and disclose personal data in order to collect the debts. The DPC acknowledged the errors in the correspondence provided to the data subject and under section 109(5)(f) of the 2018 Act recommended that the data processor engage in regular testing of organisational and technical processes to ensure compliance with the GDPR in order to comply with Article 28 of the GDPR.