Articles on debt collection written by legal executive, Carlo Pegna

GDPR and Debt Collection

The Implications of GDPR on debt recovery

GDPR is an extension of rules already in place, intended among other things to keep pace with developments in technology that infringe on the privacy of individuals. I have long said the Data Protection Act is the most misinterpreted Act in the country, even by Judges. I remember a court hearing at which I produced a Credit Report on the Defendant, which was a corporate body. When I did, the judge looked down her nose at me, remarking, ‘Did you get consent from the Defendant to carry out a credit check and produce that document today?’ I quickly replied, ‘I don’t have to, because the Data Protection Act applies to individuals, not companies, as is the Defendant.’

So, let’s not get carried away with desperately scrambling for consent from your customers without fully understanding GDPR.

Legitimate Interest

While GDPR is designed to protect the privacy of an individual, checks and balances are in place to avoid disruption to the operation of your business.

Provided the processing of data is for a legitimate interest, there is no need to obtain prior consent from the individual. This basis is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

The legitimate interests provision, Article 6(1)(f), breaks down into three key elements:

“processing is necessary for … the purposes of the legitimate interests pursued by the controller or by a third party, … except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

It makes most sense to apply this as a test in the following order:

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?


GDPR and Debt Recovery

At first sight, passing a sole trader’s name and address to a debt collection agency without prior consent, in order to collect an outstanding balance, infringes on the sole trader’s privacy. But it is extremely unlikely the sole trader would consent to the processing of their data for the purposes of a commercial debt recovery. Even if the processing might have a negative impact on the sole trader, this does not automatically mean that their interests always override yours.


A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of their new address.

The finance company wants to engage a business debt collection agency to find the customer and seek repayment of the debt. It wants to disclose the customer’s personal data to the agency for this purpose.

The finance company has a legitimate interest in recovering the debt it is owed and to achieve this purpose it is necessary for them to use a debt collection agency to track down the customer for payment owed.

The finance company considers the balancing test and concludes that it is reasonable for its customers to expect that they will take steps to seek payment of outstanding debts. It is clear that the interests of the customer are likely to differ from those of the finance company in this situation, as it may suit the customer to evade paying their outstanding debt.

However, the legitimate interest in passing the personal data to a debt collection agency in these circumstances would not be overridden by the interests of the customer. The balance would be in favour of the finance company.

The above example has been replicated from the Information Commissioner’s Office (ICO).

Legitimate Interest Assessment (LIA)

Although there is no obligation in the GDPR to do a LIA, the ICO recommends you do so, because it is best practice to conduct one and it is difficult to meet your obligations under the accountability principle without it.

Indeed, accountability is one of the data protection principles - it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance. There is no one-size-fits-all approach to a LIA. Sometimes your LIA might be quite short, but in other situations it may be much more detailed or identify the need for a Data Protection Impact Assessment (DPIA).

For a sample of a LIA as recommended by ICO, click the link below:

Carlo Pegna LL.B (Hons), FCILEx, MCICM
The Debt Collection Master
Master Collections Legal Manager and Director

Want to find out more?

If you are owed more than £650 by a sole trader or individual and need help collecting it, call award-winning credit professional and Legal Executive Carlo Pegna on 01920 481467 for a FREE 30-minute consultation.