Legal basis for registration in Credit System Summary Our remarks A data subject took out a loan with Hoist Finance which • Before using Article 6(1)(c) of the GDPR, it is was registered in the Central Credit Information System essential to ensure that there is a legal obligation (CKI) of the Credit Registration Office (BKR) with a to process the personal data. This means that there special code ”A” due to payment arrears. After the debt must be a legal provision that explicitly requires the was settled, the data subject requested that the entry processing of personal data for a specific purpose. be removed from the BKR registration, but the controller did not comply. • In this case the legal provisions did not provide clarity on which personal data could be registered The District Court of Amsterdam referred preliminary in the CKI, the conditions for registration, and questions to the Dutch Supreme Court, asking whether the time limits for the deletion of data. The CKI the processing of personal data in the CKI must be regulations, which were not based on a legal assessed in accordance with GDPR, Articles 6(1)(c) and basis, governed these aspects. Personal data 6(1)(f), or both provisions, and whether the data subject was registered in the CKI through an agreement is entitled to the right to erasure and right of objection between the BKR and credit providers. under GDPR. • If the processing of data is based on GDPR, Article 6(1)(c) the data subjects do not have the right to The decision of the Dutch Supreme Court erasure. Therefore, the legal basis relied on by the • The Supreme Court ruled that the processing of controller is important in regards to data subjects’ personal data in the CKI must be examined in rights. accordance with the legitimate interest of the controller (GDPR, Article 6(1)(f)), rather than a processing necessary for complying with a legal obligation (GDPR, Article 6(1)(c)). It also stated that the data subject is entitled to the right to erasure and right of objection under the GDPR. Published: 03-12-2021 , Journal number: 21/00241 Tags: 01 Legal basis and principles of processing 30