Request for a preliminary ruling on lawfulness of personal data processing by credit information agencies
Official publication has been made of a request for a preliminary ruling by the Verwaltungsgericht Wiesbaden (Germany) in FT v Land Hesse (C-552/21), regarding the lawfulness of processing of personal data by credit information agencies from public registers under the General Data Protection Regulation (GDPR).
The case originates in an applicant’s objection to the entry of a discharge from remaining debts (Restschuldbefreiung) in the records of a private credit information agency. The applicant requests the deletion of the entry from the records of the private credit information agency.
In this context, the Court of Justice was asked to answer the following questions:
- Is Article 77(1) of the GDPR to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject has the character of (a) a decision on a petition subject to a limited judicial review or (b) a decision on the merits taken by a public authority with a full substantive judicial review?
- Is the storage of data at a private credit information agency of personal data from a public register stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 and 8 of the Charter of Fundamental Rights?
- Are private databases (in particular databases of a credit information agency) and in which the data from public register are stored for longer than the period provided for within the narrow framework of Insolvency Regulation 2015/848 is permissible or does it follow from the right to be forgotten under Article 17(1)(d) of the GDPR that such data must be deleted where (a) provision is made for a processing period which is identical to that of the public register or (b) provision is made for a retention period which exceeds that provided for in respect of public registers?
- Is storage of data at private credit information agencies with regard to data also stored in public registers pursues legitimate interest under point (f) of Article 6(1) of the GDPR if the public registry data is stored without a specific reason so that those data are then available in the event of a request?
- Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 of the GDPR, and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under point (f) of Article 6(1) of the GDPR?
Read the officially published application here.