Personal Data Protection in the Context of Assignment of Receivables (Cession) Agreement
Under an assignment of receivables (cession) agreement, the creditor under a certain receivable (assignor) assigns it to a third party (assignee). As the assignment procedure involves the processing of personal data of a third party – a debtor that is not a party to the agreement – a thorough examination of the personal data protection rules and their applicability to the assignment of receivables is required. The present analysis examines a situation where the debtor is a natural person. The conclusions outlined below can be applied by analogy to assignments where the debtors are legal entities, taking into account the specifics of the relationship between legal entities (i.e. exchange of information about their legal representatives, proxies, etc.).
Is the debtor’s consent required for the purposes of assigning their receivables?
The consent under an assignment agreement may be approached from two perspectives:
Consent for the transaction itself – the debtor is not a party to the assignment agreement and their consent is not required for the transaction to take effect.
Consent as a basis for processing the debtor’s personal data – consent might also be viewed as one of the legal grounds for processing personal data under Regulation 2016/679 (GDPR). As the debtor needs to be able to assess whether, for what purposes and for what period of time to give their consent, it is an inappropriate legal ground for personal data processing under assignment agreements. This is explained by the fact that if processing is based on consent, it would allow the debtor to block the creditor from disposing of their receivables by preventing the creditor from processing the personal data contained in the debt documentation or debt-related documents – information about who the debtor is and what his contact details are, where his obligation arises from, what its amount and maturity are, etc.
What is the basis for the personal data processing under the assignment agreement?
Other legal grounds, equal and alternative to consent, may serve as a basis for processing the debtor’s personal data, namely:
Regarding the assignor:
Compliance with a legal obligation – to provide the assignee with the debt documentation, i.e. to carry out the related processing of the personal data contained therein;
Existence of legitimate interest – to dispose of its receivable as it deems appropriate.
Regarding the assignee, besides the legitimate interest to collect their receivable, there is an additional legal ground for the personal data processing – the performance of a contract to which the data subject is a party (this is the contract under which the receivable has arisen). This ground, however, may be relevant provided that the assignment has taken effect against the debtor through notification under Art. 99, Para. 3 and 4 of the Contracts and Obligations Act.
According to the Commission for Personal Data Protection (CPDP), the legal fact which makes the personal data processing admissible is the assignment of the receivable, not the notification of the debtor. This means that the assignee may lawfully process the debtor’s personal data even prior to this notification.
Other requirements for the personal data protection in the case of assignment of receivables
An essential requirement to be fulfilled in case of an assignment is the notification of the debtor of the processing of their personal data, since the data controller – assignee obtains the personal data not directly from the data subject, but from another source – the assignor. In order to ensure transparent data processing, the data subject needs to be provided with information under Art. 14 of the GDPR, namely:
the identity and the contact details of the controller;
the contact details of the data protection officer, where applicable;
the purposes and legal basis for the processing;
the categories of personal data concerned;
the recipients of the personal data;
the period for which the personal data will be stored;
where applicable, the controller’s intention to transfer the personal data to a third country or international organisation, as well as additional information related to such data transfer;
the legitimate interests pursued by the controller or by a third party when the processing is carried out on this ground;
information on the rights of the data subject with respect to the processing;
the source of the personal data;
additional information in case the data is used for automated decision-making, including profiling.
The GDPR requires the controller to provide this information as follows:
within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject;
if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
In practice, there are numerous cases where assignees have been sanctioned specifically for non-compliance with the above requirement to inform the data subject. The GDPR, as a rule, allows exceptions to the above obligation to provide information if the receipt or disclosure of data is expressly permitted by EU law or the laws of a Member State, which provides for appropriate measures to protect the legitimate interests of the data subject. It is unclear how CPDP will interpret this rule in the context of the assignment agreement (under which the disclosure and receipt of data is explicitly regulated by the Bulgarian legislation). Given the above practice of imposing sanctions, a safer approach for assignees would be to expressly notify the data subjects.
It is permitted to inform the data subject of the processing in parallel with notifying the debtor of the assignment by the assignee. This is explicitly recognized in the case law.
Is it possible that the expired limitation period of the assigned receivable affects the lawfulness of the personal data processing?
Whether the prescribed limitation period for the receivable has expired or not, whether the debtor’s objection to the expired limitation period has been duly exercised, etc., are all issues within the jurisdiction of the civil court and do not affect the lawfulness of the personal data processing.