Stichting Bureau Krediet Registratie – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Dutch court ruled that Stichting Bureau Krediet Registratie (BKR) can keep credit data for five years, even if it affects a person's ability to get investors. This matters because it shows that credit agencies can retain data if they have a legitimate interest. Companies should understand how long they can keep personal data and ensure they have a valid reason.
What happened
The court ruled that BKR's retention of credit data for five years is lawful under GDPR.
Who was affected
Individuals with credit data registered by BKR, including those with autism facing challenges in securing investment due to their credit history.
What the authority found
The court found that BKR has a legitimate interest in processing and retaining credit data for five years, which does not violate GDPR's data minimization and necessity principles.
Why this matters
This ruling affirms that credit agencies can retain data for legitimate interests, setting a precedent for data retention practices. Businesses should ensure their data retention policies are justified and compliant with privacy laws.
GDPR Articles Cited
The controller is Stichting Bureau Kredietregistratie (BKR), which manages the credit registration register (CKI). This register provides an overview of creditworthiness of people. Data subject has autism and has several registrations in the CKI, because of numerous payment arrears and neglected payment obligations, with several credit providers. These registrations make it impossible for them to find investors for their company, because investors find data subject not to be creditworthy enough. On 3 May 2021, data subject requested the BKR to remove all registrations relating to them from the CKI. The BKR rejected this request because it is only responsible for correct processing of the personal data it receives from the credit providers, and data subject had to submit their request to the providers. Data subject brought the action before Court, claiming that personal data were processed unlawfully. In particular, (1) the BKR processes their personal data without a legal basis, (2) the retention period of the registrations is too long, (3) the manner of registration of special codes referring to the registration is inadequate, (4) the accessibility of their personal data is insufficiently verifiable, and (5) the CKI does not meet the necessity requirement. Moreover, they requested the Court to order the BKR to remove all registrations relating to them from the CKI, because their interests overrode the interests of the BKR. Lastly, they claimed the BKR cannot simply refer them to the credit providers because the BKR is also a controller. Regarding the first claim that personal data is processed unlawfully First, the Court stated that, referring to a recent judgement of the Dutch Supreme Court, it is clear that the BKR has a legitimate interest to process data subject’s personal data, pursuant to Article 6(1)(f) GDPR. Second, the Court found that, although it is not laid down in law, the retention period of 5 years does not violate Article 5(1)(c) GDPR, because
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Stichting Bureau Krediet Registratie in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Stichting Bureau Krediet Registratie - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: