Financial companies for fast loans fined for processing personal data without consent from personal data subject
The North Macedonian Personal Data Protection Agency (from now on only “The Agency”) has issued several fines for financial companies for fast loans due to processing personal data contrary to the law i.e. without previous consent from the data subject.
In North Macedonia during the last years, several financial companies for providing fast loans were established where the citizens can apply online for a loan without the usual excessive documentation that is requested by the national banks. For applying, usually, the applicant is requested to submit only his/her personal data and a mobile/phone number, and no personal identification of the data subject is conducted.
As a result, recently several natural persons have reported that their personal data were misused by a third unknown party during the application process for a fast loan. Consequently the financial companies have approved the loans to a third unknown party based on the personal data entered through the online applications provided on the web sites of the financial companies.
Following the submitted complaints by three natural persons, the Agency initiated three extraordinary supervisions. In all three cases, the natural persons claimed that the Financial company/ies approved an online loan to other natural persons who used their personal data and provided mobile/phone numbers that were not theirs and also without verifying their identity when submitting loan applications. In all this cases, financial company/ies as controller/s did not comply with Article 10, paragraph 1, point 1 of the North Macedonian Law on the Protection of Personal Data (article 6, paragraph 1, point 1 from the GDPR) when they although did not have the previous consent for processing personal data from the loan applicant, they have processed personal data for three natural persons (personal data subjects). With this way of dealing with business by the financial companies, the Agency determined that the financial companies did not demonstrate (prove) that the personal data subject really gave his/her consent for his/her personal data to be processed for the purposes of applying for a fast loan and consequently if it was really the personal data subject that has applied for a fast loan.
As a result of the extraordinary supervision, the financial companies and their managers were imposed with a misdemeanor fines in accordance with the North Macedonian Law on the Protection of Personal Data.
These cases have also raised a huge debate in North Macedonia regarding additional regulation of the business of financial companies for fast loans and the process of applaying and granting fast loans.
Article provided by INPLP member: Jasmina Brezovska (Bona Fide, North Macedonia)
Dr. Tobias Höllwarth (Managing Director INPLP)