In question is data Equifax acquired from the Spanish Official State Gazette, and different releases and debtors lists from other public bodies such as the General Tax Administration and city councils' gazettes, and put in its File on Judicial Complaints and Public Bodies, obtained through public sources.

In response to deletion requests, Equifax refused to delete the information, saying the data was public or is part of the legitimate interest of the entities that use their services, which need to have information about the debts and monetary claims regarding their clients.

Key Points from the AEPD Decision

Purpose Limitation

• The starting point for the analysis is the origin of the data, and the purposes for which such data was collected and later published.
• The controller must assess whether the purposes were compatible and comply with the regulation.
• In this case, there was no connection between one purpose (a public notification that constitutes a guarantee to preserve a fundamental right of the data subject, and that therefore overrides their right to data protection) and Equifax's purpose (providing potential harmful or negative information about the data subjects to different businesses). There could not have been any reasonable expectation of the data subjects for their data to be processed in such a way, given the context.

Lawfulness of Processing

According to Article 5(a) GDPR, Recital 39 and Article 6(1)(f), an interest can only be legitimate if it is lawful in the first place. However, as explained above, the processing carried out by Equifax was not lawful, and therefore its interest can never be legitimate.

Even if you carry out the legitimate interest balancing text, the balance fails:

• The fundamental right to data protection would override the legitimate interests of the controller (and third parties). The convenience of the actors that represent any economic sector is not proportional to the violation that such processing would incur.
• The legitimate interests alleged by Equifax were double: (1) an interest (from the controller and the third parties to be recipients of the data) linked to the assessment of the financial solvency of the data subjects, (2) an interest linked to fraud prevention.

Per the AEPD:

• The processing was not strictly necessary to achieve the purpose alleged and such purpose can be achieved by other means. The terms "convenience" and "necessity" are not interchangeable.
• The processing was not adequate, given that the data collected were not updated, inaccurate and only represented a small (not representative) part of the population.
• There was no balance between the interests of the controller and the negative consequences posed to the data subjects, that additionally could in any way have a reasonable expectation for such processing to happen.

Accuracy

• A controller shall not process data if it is not able to ensure the accuracy of the data, and that it is kept up to date.
• If the purposes for which the data was collected are different, it is also possible that the level of accuracy required is different. In this case, the level of accuracy necessary to notify a data subject of a debt is not the same as the level of accuracy necessary to assess the financial reliability of a person.
• The notification of debt exists in a particular moment. It is highly probable that such situation will change in the future, for example because the person fulfills their obligation and cancels the debt. The nature of the files created by the collection of data by the controller is completely different: they intend to asses the financial situation of the data subjects in a moment that is different from the moment of the notification. Therefore, it is impossible for the controller to keep the data up to date, as once the precise moment of the notification passes, the data may not already be current.
• Without properly being able to identify the subjects to which the data belong, it is unlikely that the controller can adequately achieve the interests that they allege. In this case not all the data collected can be attributed to a person without doubt, given that two persons can have the same name, and ID numbers are not always published, or published only partially. The address that is also used to distinguish persons is not always available either.

Data Minimization:

• Processed personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. If it constitutes an inference on rights and fundamental freedoms, it will be considered excessive.
• Once the purpose limitation principle has been violated, it is impossible to comply with the other principles as it relies on it.

Duty to Inform:

• Equifax did not notify all the data subjects about what data it was processing as required by Art 14 GDPR. While the database contained data of more than 4 million persons, the controller had only notified around 340,000 data subjects.
• Given that the addresses of the notified persons were not published, the controller was not able to access them and therefore could not notify the data subjects.

Read a summary of the decision.