Equifax was fined one million euros by the AEPD for publishing a file containing alleged debts of users with the Public Administration.
The multinational company which has a subsidiary in Spain has been fined one million euros by the AEPD and has been forced to eliminate its File of Judicial Claims and Public Bodies (FIJ), a file of defaulters created as a result of official journals and which includes alleged debts of users with the Public Administration.
More than 97 complaints have been filed by users due to the inclusion of their personal data without their consent, due to the impossibility of contracting credits or loans because they are included in the aforementioned file of defaulters.
The information included in the FIJ is extracted from the Single Edictal Board of the BOE (TEU-BOE), from the official newspapers of the autonomous communities, from the Provincial Bulletins (BOP) and from the electronic or physical headquarters of Public Law organizations.
The data protection authority has shown that it would have infringed several precepts of the GDPR, and this is because the debts that were reflected in this file could become uncertain and even nonexistent. In this regard, several of the injured parties had already settled their debts. Likewise, the failure to notify users of their inclusion in such file with the consequent processing of their data for a purpose other than that for which they were collected.
The AEPD has prohibited Equifax from continuing the processing of data that it carries out in the FIJ and has imposed the obligation to delete all personal data that have been associated with alleged debts and that were obtained by the defendant from the publication of notification notices inserted in the BOE and the different official publications. In this sense, the entity will no longer be able to collect personal data of users appearing in official newspapers.
Unlawful data processing
On the one hand, the principle of purpose limitation of the processing contained in Article 5.1.b of the GDPR, which states that personal data shall be “collected for specified, explicit and legitimate purposes, and shall not be further processed in a way incompatible with those purposes”, has been violated.
The current processing of personal data is considered lawful only when the further processing is compatible with the purposes for which they were collected. However, the AEPD confirms that there is no relationship between the purpose of the processing carried out through the publications in bulletins and official journals that include personal data of the affected parties, which are the public interest connected with the right to effective judicial protection of the administrated parties and the effective exercise by the Public Administrations of the powers attributed to them, and the purpose for which Equifax processes the data, which according to the entity would be the prevention of fraud.
Principle of accuracy and data minimization
On the other hand, Equifax would also have breached the principle of accuracy of processing, contained in Article 5.1.d of the GDPR, which requires that the data must be accurate, and if necessary, updated, and reasonable steps must be taken to erase or rectify without delay personal data that are inaccurate in relation to the purposes for which they were processed. Likewise, the GDPR establishes in its Article 5.1.c that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
In this sense, the information collected by the entity and included in the FIJ is neither updated nor contrasted with any reliable means to guarantee that the debts are true. Thus, more than 25% of the claimants had already provided Equifax with documents showing that inaccurate information associated with their data was being published in the FIJ, and that personal data was being associated with settled debts.
Duty to inform
Finally, it should be noted that Equifax is in breach of the obligation under Article 14 GDPR to inform users that their personal data is being processed when it has not been collected from them.
This is stated by the AEPD: “Suffice it to compare the figures provided: in 2018, the persons whose data were processed by the FIJ exceeded four million and yet the number of notifications made that year does not reach three hundred and forty thousand.”