Lithuanian State Data Inspectorate fined an organisation €20,000 for unlawful processing of data on financial commitments

As a result, the applicant considered that the Company is unlawfully processing its credit data rating and its class.

The Inspectorate found during the examination of the complaint that, according to the provisions of the data processing agreement concluded by the Company with the financial institution ("the Agreement"), the data on the applicant's existing financial obligations could not be used for the purpose of compiling the applicant's credit report and the credit rating, as this purpose of use of the personal data is not specified in the Agreement and the Company has not proven that it has controller obligations to process this personal data for the purpose of compiling the credit report and calculating the credit rating. 

Therefore, the Inspectorate found that the Company had exceeded the instructions given by the controllers for the processing of the personal data and, accordingly, when it started using data on existing liabilities for purposes other than those provided for the processing of personal data contracts, it became the controller of those data, which was under an obligation to justify the lawfulness of the processing of personal data. However, the Company did not provide such a justification.

The Inspectorate found that the Company processed data on financial obligations for the purpose of calculating a credit rating and compiling a credit report without fulfilling any of the conditions for lawful processing set out in Article 6(1) of the GDPR, and in violation of the principles of lawfulness set out in Article 5(1)(a) of the GDPR and purpose limitation set out in Article 5(1)(b) of the GDPR. 

It was also assessed the nature and extent of the infringement found and the fact that the infringement was committed by a legal person, one of whose activities is the production of credit reports and credit ratings, for which data on financial obligations were found to have been used unlawfully. On that basis, the Inspectorate decided to initiate the procedure for imposing an administrative fine on the Company. 

Having examined the situation, in the end of 2022 the Inspectorate made a decision to impose a fine of EUR 20 000 on the Company. 

When deciding on the administrative fine and its amount, the Inspectorate took into account that the infringement committed by the company relates to breaches of the fundamental principles of data processing under Articles 5 and 6 of the GDPR and, by its nature, falls within the category of serious infringements (Article 83(5)(a) of the GDPR), and that the infringement found is systemic, does not concern a single person and is of a continuous nature and of a long duration. 

The Inspectorate found that the Company's conduct in processing data on financial liabilities for purposes other than those foreseen and considered this to be intentional and aggravating. The Inspectorate also assessed the other factors referred to in Article 83(2) of the GDPR, which must be taken into account for the imposition of an administrative fine, as well as the turnover of the Company in the previous year.

Decisions taken by the Inspectorate may be appealed to the courts before they enter into force. To date, there is no information that the decision described above has been appealed before a court.