Have you ever been
refused a credit card contract or only been able to place orders on the
internet if you agree to pay the bill before delivery? Then it is possible that
a credit agency or another body has registered data on your payment history and
disclosed it to third parties.
Overview of bodies that process data on payment history :
Credit agencies
Credit agencies collect information from various sources about the economic activity, creditworthiness and solvency (credit rating) of companies and private individuals. They store the information in data collections and pass it on to requesting agencies and private individuals in writing, by telephone or in an automated procedure for a fee. Anyone who requests credit information must have a legitimate interest in receiving it.
Further information on data processing by credit agencies:
Credit agencies and the credit reports they sell are an integral part of everyday business life. The FADP sets limits on data processing by credit agencies.
Credit agencies collect information on the economic activity, creditworthiness and solvency (credit rating) of companies and private individuals. Some of the information is publicly available. They also obtain some of the data from collection agencies.
The information is stored in data collections and passed on for a fee to requesting agencies, companies or private individuals in writing, by telephone or in an automated procedure. The collected data is also regularly evaluated by calculating a score value, which is a numerical value - the higher this value is, the better the creditworthiness of the person whose data is processed (data subject).
If you are registered as not creditworthy or if your score is low, you may not, for example, be able to conclude certain contracts, or a mail order company may only be willing to deliver if you pay in advance.
The processing of personal data on economic activity, creditworthiness and solvency is not unlawful if it is justified on any of the following grounds:
the data subject has agreed to it, i.e. given consent;
an overriding private or public interest in the data processing (i.e. the interest in processing the data outweighs that of the data subject in preventing it);
it is required or permitted by law.
The FADP mentions in Article 31 paragraph 2 examples of cases in which there may be an overriding interest. These include cases where credit agencies process personal data about a person's creditworthiness and disclose this data to a third party. However, according to the law, the third party may only be provided with data it needs to conclude or fulfil a contract with the data subject. As a result, the third party has to prove a certain interest in receiving these data (e.g. ongoing contract negotiations with the data subject). Just being curious is not enough! The credit agency is responsible for verifying there is a genuine interest.
The credit agency must not process personal data that are sensitive or carry out profiling that poses a high risk to the personality or fundamental rights of the data subject (i.e. profiling that links data and allows essential aspects of a person’s behaviour and personality to be assessed). An exception applies if the data subjects have expressly consented to this data processing. The data must relate to a person who has reached the age of majority, and must not date back more than ten years.
Thus, information about your solvency or creditworthiness may in principle also be processed without your consent and in certain cases disclosed to third parties who demonstrate a legitimate interest.
When collecting and passing on personal data, the credit agency must adhere to the limits set by the FADP. In individual cases, it must not only demonstrate that the processing is justified in accordance with Article 31 FADP, but also comply with the general processing principles of the FADP (Art. 6 ff. FADP).
These principles must be observed:
Principle of proportionality (Art. 6 para. 2 FADP): Any data processing must be proportionate and thus suitable and necessary to achieve the intended purpose. Consequently, a credit agency may only process data that is suitable and necessary to provide information on creditworthiness.
Good faith and transparency (Art. 6 para. 2 and para. 3 FADP): All data processing must be transparent. It must at least be recognisable to the data subject, i.e. the data subject must at least expect the data processing from the circumstances.
Compatibility with the purpose (Art. 6 para. 3 FADP): Data processing must be compatible with the purpose for which the data was obtained.
Data accuracy (Art. 6 para. 5 FADP): The credit agency, as the data processor, must ensure that the personal data is correct.
Appropriate information (Art. 6 para. 6 FADP): If consent is required for data processing, the consent is only valid if it is given voluntarily based on appropriate information.
Data security (Art. 8 FADP): The credit agency must take suitable technical and organisational measures to guarantee that unauthorised persons cannot access and change the data.
In addition, there is a duty to provide information when collecting personal data (Art. 19 FADP). The controller must provide the data subject with at least the following information when collecting the data:
the controller's identity and contact details,
the purpose of processing and
the recipients or categories of recipients to which personal data are disclosed.
If data are not collected from the data subject, the controller must also inform the data subject of the categories of processed personal data.
Credit agencies may only collect information that enables a person to be identified or says something about whether a person is creditworthy or not.
The following personal data may be processed: First name, surname, date of birth, current address (street, postcode and town), debt collection proceedings, bankruptcies, loans outstanding, amount of the loan, instalments, rejected loan applications, etc.
Personal data which is not suitable or necessary for the purpose of a creditworthiness check, is, for example, a person's place of origin, since a potential contractual partner is rarely aware of this and this information is not suitable for identification.
In principle, a credit agency may only process information on the data subject. It is not permitted to provide information on other persons such as spouses, children, etc., unless this information is directly related to the creditworthiness of the person concerned.
Without the express consent of the data subject, a credit agency may not process any sensitive personal data - such as data on social assistance measures - and may not carry out any high-risk profiling (see Art. 31 para. 2 let. c FADP).
Credit agencies process information on the economic activities, creditworthiness and solvency (credit rating) of companies and private individuals. In turn, companies and private individuals have various rights to ensure that data protection is complied with.
To comply with data protection law, credit agencies must observe data processing principles and show that any processing of personal data is justified in accordance with Article 31 of the Federal Act on Data Protection (FADP).
Everyone has the following rights so as to ensure that their personal data is processed lawfully:
Credit agencies check your creditworthiness by collecting your personal data; usually not from you directly, but from publicly available sources or from third parties.
Under the revised FADP, you have a right to be informed in an appropriate manner by the controller about the collection of personal data. The minimum information that the controller must provide to you is specified in Article 19 FADP.
You can ask at any time, without having to give a reason, for a credit agency to inform you within 30 days whether and what personal data about you is being processed. If the credit agency does not provide you with this information within this time limit, you can legally enforce your right to it by filing an action with the civil court in your place of residence.
The information the credit agency must provide you with is specified in Article 25 FADP. If the credit agency assesses your creditworthiness by means of a score value, i.e. a numerical value calculated on the basis of the data collected about you, it must in principle also inform you of the methodology used to calculate the score value in order to ensure transparent data processing. In all cases, the underlying assumptions of the algorithm such as the amount and type of information used and its weighting, must be given.
As a data subject, you can request that any inaccurate data about you are corrected. This can entail adding missing data or deleting incorrect data and, if need be, replacing them with correct data. If necessary, you can legally enforce your right to correction by filing an action with the civil court at your place of residence.
Credit agencies often tell people asking about their personal data that they received the incorrect information from a specific third party (i.e. a private person or a company) and that you must contact this third party directly in order to have it corrected; the credit agency will claim that it is unable to do anything because it only ever acts on the this third party's instructions. However, you can choose to take action against either the credit agency or the third party involved, or indeed both. Under the Data Protection Act, all data processors are individually responsible for the processing of personal data.
If you believe that a credit agency is processing your data unlawfully, e.g. processing data that is not required or storing data for too long, write to them requesting that your data is deleted If the credit agency is not willing to delete the data, you can file an action at the civil court in your place of residence.
A violation of the duty to provide information under Article 19 FADP and of the right to information under Article 25 FADP are both offences under Article 60 FADP. Prosecution is the responsibility of the cantons. These are offences prosecuted on complaint, which means that the actual ‘victim’ of the offence must file a criminal complaint with the local police or public prosecutor's office.
Switzerland's Central Office for Credit Information (ZEK)
The Central Office for Credit Information (Zentralstelle für Kreditinformationen, ZEK) is not a credit agency in the sense mentioned above. It is a private association that maintains a database on prospective borrowers, leasing and credit card customers, as well as on the debts and creditworthiness of borrowers, leasing customers and credit cardholders. Companies that may be admitted as members of the association include those which commercially finance credit sales, grant loans, conclude rental and leasing contracts for movable goods or issue credit cards and payment cards. Typical ZEK members are banks.
The ZEK database only contains data that ZEK members have registered. Unlike a credit agency, only ZEK members are entitled to use the data, i.e. they can access it online. In its regulations, the ZEK has defined exactly which data its members may or must process in the ZEK database.
Switzerland's Consumer Credit Information Office (IKO)
The Consumer Credit Information Office (Informationsstelle für Kreditinformationen, IKO) is an institution established by commercial lenders as required by Article 23 of the Consumer Credit Act (CCA; SR 221.214.1). The IKO processes data relating to persons who have applied for consumer credit. Leasing agreements, credit and customer cards and overdraft facilities may also fall under the Consumer Credit Act (Art. 1 para. 2 CCA).
Before consumer credit is granted to a private individual, the individual's creditworthiness must be checked and a request must be sent to the IKO for this purpose (see Art. 28 para. 3 let. c CCA). The purpose of the creditworthiness check is to prevent the consumer from becoming over-indebted (Art. 22 CCA). The creditor is obliged to report the consumer credit it has granted to the IKO (Art. 25 CCA).
Access to the data collected by the IKO is essentially only granted to creditors operating on a commercial basis, and only in cases where they require the data to fulfil their obligations under the Consumer Credit Act (Art. 24 CCA). The Consumer Credit Act and the associated ordinance specify exactly what information about borrowers may be processed.
Collection agencies may also have information about your payment habits. Collection agencies are private companies that collect outstanding debts. Collection agencies may pass on information from their business activities to credit agencies. Credit inquiry and debt collection services are often offered by the same company.
Debt collection agencies enforce debts on behalf of their clients and process data on payment behaviour while doing so. They sometimes pass this information on to credit agencies. Here we explain what is allowed under data protection law and what you can do if you believe a debt collection agency is acting unlawfully.
When someone does not pay a debt, the creditor often enlists the services of a debt collection agency to recover the money due. Debt collection agencies are private companies that use various measures on behalf of their clients to make people pay their debts. When they process your personal data, debt collection agencies must comply with the provisions of data protection law.
Debt collection agencies recover debts on behalf of creditors. Debtors only have to pay the contractually owed amount, the real interest on arrears (usually 5% from the due date unless otherwise stipulated in the contract) and the debt enforcement costs. Most debt collection agencies are members of the debt collection association 'Inkasso Suisse' and must therefore adhere to its code of conduct.
When processing personal data, debt collection agencies must comply with the data protection principles set out in Article 6 of the Federal Act on Data Protection (FADP). This means that the data may only be used for a specific purpose – debt collection – and must be processed in good faith and in a manner that is proportionate to that purpose. A debt collection agency violates these principles, for example, if it reports to a credit agency that a debt has not been paid when, in fact, only a first payment reminder has been sent to the debtor.
Under Article 31 FADP, debt collection agencies are allowed to report unpaid monetary claims to credit agencies if there is justification for doing so. Passing on personal data to a credit agency is usually justified if and to the extent that the credit agency is allowed to process the data for the purpose of checking creditworthiness (cf. Art. 31 para. 2 let. c FADP). In such a case, the interest of the credit agency in receiving the data outweighs the interest of the debtor who is affected by the disclosure.
Accordingly, debt collection agencies may only pass on data to a credit agency if the data are suitable and necessary to provide information on the creditworthiness of the person concerned (cf. Art. 31 para. 2 let. c FADP). For example, a debt collection agency is not allowed to demand a fee from the debtor for collecting a debt. If it did so, a debtor's refusal to pay this fee would say nothing about their creditworthiness. The unpaid ‘debt’ must therefore not be reported to a credit agency.
Debt collection agencies are also not allowed to disclose any sensitive personal data, personality profiles with a high risk, data older than ten years or data relating to minors (Art. 31 para. 2 let. c FADP) to credit agencies.
Debt collection agencies must be transparent with their debtors about the conditions under which they pass on their data to credit agencies. They are also obliged to make sure that the data reported to a credit agency is correct. For example, reports on unpaid debts may only be made if they have actually not been paid
If you want to check whether a debt collection agency is processing your data in accordance with data protection law, you have the right to obtain this information from them. You can therefore ask whether data about you are being processed (Art. 25 FADP), and if they are, what the data are. (Article 25 FADP)
If incorrect data about you are being processed, you have a right to the correction of your data held by the debt collection agency (Art. 32 para. 1 FADP). In the event of unlawful data processing, you have the right to have your data deleted (Art. 32 para. 2 let. c FADP). Actions to protect your personality rights are governed by the provisions of the Civil Code and can be filed at the civil court at your place of residence or at the registered office of the defendant. If, for example, there is a risk that a collection agency will disclose your data to a credit agency without meeting the requirements to be able to do so, you can bring an action before the civil court to have disclosure of certain personal data prohibited in order to protect your personality rights (Art. 32 para. 2 lit. b FADP).
The Code of Conduct of the debt collection association 'Inkasso Suisse' sets out the rules for collection activities. In the event of a breach of these rules, you can contact the ombudsman's office.
If you have questions about why a specific debt may be due or about how to repay it, it is best to contact a debt counselling centre.
The debt enforcement register is a public register of private legal transactions. This register and, in particular, access to it and the rights of the persons whose data is processed (data subjects) are primarily governed by the Federal Debt Enforcement and Bankruptcy Act (DEBA; SR 281.1) and not by the FADP (cf. Art. 2 para. 4 FADP).
The debt enforcement register contains data on private persons and companies relating to proceedings for enforcing debts and for bankruptcy. If a person has a legitimate interest, he or she may inspect the register and obtain an extract from it (Art. 8a DEBA). This is the case, for example, if someone wants to conclude a contract with you, e.g. for an apartment, and therefore wants to check your creditworthiness. An extract from the debt enforcement register can be obtained for a fee from the relevant debt enforcement office. The right of third parties (e.g. prospective landlords) to see an entry in the register expires five years after the conclusion of the debt enforcement or bankruptcy proceedings.
The cross-border transfer of personal data is subject to special rules. The following must be considered before data is transferred to other countries.
Video surveillance systems can affect the well-being, mental health and productivity of employees, and should therefore only be considered when less invasive measures are genuinely unsuitable.