DATA PROTECTION ISSUES COMBINING OF PERSONAL DATA

STORED IN DIFFERENT INSTITUTIONS

9th Meeting of Central and Eastern European Commissioners

June 4-6th 2007Zadar

Neringa Kaktaviciute

State Data Protection Inspectorate

of the Republic of Lithuania

2

CONTENTS

Data combining by state institutions Data combining by private institutions Case law

3

DATA COMBINING BY STATE INSTITUTIONS: Interdepartmental Storage of

Tax Data - database is dedicated for:

- collecting of tax data which are processed by institutions supervised and analyzed the tax;- preparing of actual and high quality information according to the collected data;- providing combined information to the data recipients. Database stores data (without personal data) from Ministry of Finance, State Tax Inspectorate, Customs

Department, State Social Insurance Fund Board, Statistical Department, Financial Crime Investigation Service

4

INTERDEPARTMENTAL STORAGE OF TAX DATA (cont.)

Close future – personal data in Interdepartmental Storage of Tax Data

Data protection problems: a) duplication of personal data;b) using of personal data for different purposes;

c) lawfulness of purposes.

5

DATA COMBINING BY STATE INSTITUTIONS: State Data Control Centre

State Data Control Centre which:- will enable automatically to exchange data between state registers,

information systems;- will provide electronic public services, which will be provided by principle

of “single window”;- will provide integrated and actual information pursuant to data received from

state registers, information systems.

This centre will have Interdepartmental Storage of Tax Data.

6

STATE DATA CONTROL CENTRE (cont.)

Data protection problems: a) duplication of personal data;b) using of personal data for different

purposes; c) quality of data.

7

DATA COMBINING BY PRIVATE

INSTITUTIONS: Credit bureaus -

will store data about financial obligations, performances of these obligations, persons’ salaries, settlements.

The data will be received from banks, credit agencies, other financial institutions and institutions which do not provide financial services.

8

CREDIT BUREAUS (cont.)

Advantages:- Each data recipients may apply directly to the credit

bureaus, but not to all banks, credit agencies and other institutions.

- Major circle of data recipients may get data.- Economy of extent.- Effective and safety data processing.

9

CREDIT BUREAUS (cont.) The Law on Legal Protection of Personal Data:- Banks and other financial institutions may apply to

each other when a data subject wants to get credit, leasing;

- Received data may be stored only for 2 working days;- Received data may not be combined with other data;- Banks and other financial institutions may get data of

the data subjects who have taken out credit, leasing: name, surname, PIN, the type of the credit, its amount and the deadline for the repayment of the credit.

10

CREDIT BUREAUS (cont.)

Law on Financial Institutions establishes that:

a) Before taking decision each financial institution must make sure that client’s financial and economic state allows expecting that client will be able to perform obligations.

b) After concluding a contract financial institution must constantly supervise whether client performs contractual commitments.

11

CREDIT BUREAUS (cont.)Business The Inspectorate:

Only the banks and other financial institutions according to the Law on Financial Institutions

Banks and other financial institutions may apply to each other, but not get combined data from credit bureau

Only data about provided financial services related to risk-taking, obligations to financial institutions

Data may be combined but not processed for other purposes

More institutions have to have possibility to get combined data for evaluation of creditworthiness

Data combining is necessary All data about persons’ financial and

business activities have to be processed

12

CASE LAW Genealogical tree – combining of personal data which are obtained from Population Register using software tool.

Police institutions, intelligence services use this software tool which allows getting genealogical tree for the purposes of those institutions.

Using of software tool is not legitimize.

13

CASE LAW (cont.) Instruction to Police Department – to destroy the software tool which allows to combine personal data obtaining from Population Register and create

genealogical tree.

Police department appealed against Inspectorate’s instruction to court.

Vilniaus region administrative court decided that using of mentioned software tool conformed the legitimate interest of police institutions – exercise of police tasks determined in the laws.

14

CASE LAW (cont.)

The Vilnius region administrative court’s decision was appealed against to Lithuanian supreme administrative court.

Lithuanian supreme administrative court decided: a) mentioned software tool is not legal;b) software tool may be used for purposes of operational activities.

Thank you!

n.kaktaviciute@ada.lt