Implementation of non-performing loans Directive: GDPR implications
- Posted 23.07.2024
What happened?
On 18 July 2024, the Law of 15 July 2024 on the transfer of non-performing loans[1] (the “NPL Law”) transposing Directive (EU) 2021/2167 on credit servicers and credit purchasers[2] (the “NPL Directive”) was published in Luxembourg’s Official Gazette and is now in force.
A key implementation point is that credit institutions operating under Article 28-3 of the Law of 5 April 1993 on the financial sector that were engaged in credit management activities in Luxembourg as at 30 December 2023 are allowed to continue these activities until 29 June 2024 or until they obtain a licence under the new Article 28-14 of the same law, whichever is the earlier.[3]
That said, we will focus in this article on the interplay between, on the one hand, the obligation under the new NPL Law to provide information to prospective NPL buyers and, on the other hand, the data protection obligations under the GDPR.[4]
Transparency obligation
The NPL Directive aims at fostering the development of secondary markets for non-performing loans.
Therefore, before transferring non-performing loans, credit institutions must provide potential buyers with certain information on the creditor’s rights under a non-performing credit agreement or the non-performing credit agreement itself, and the related guarantees as applicable. Such information should enable prospective credit purchasers to assess the value of the creditor’s rights under the non-performing credit agreement or the non-performing credit agreement itself, and the likelihood of recovery of the value of that agreement.
Data protection implications
According to Article 3 §2 of the NPL Law, credit institutions are obliged to provide the information only once during the process, but in any event before the conclusion of the transfer or assignment agreement. Potential buyers are obliged to ensure the confidentiality of the information made available and of business data.
However, in addition, Article 3 §2 of the NPL Law clearly states that, for the avoidance of doubt, the provision of the information concerned by credit institutions to potential buyers applies “in accordance with” the GDPR. In other words, credit institutions cannot rely on their obligation to provide the information alone to justify compliance with the GDPR.
To ensure that prospective buyers have all the information they need to make informed decisions, credit institutions must use the templates provided in Commission Implementing Regulation 2023/2083[5] laying down implementing technical standards (“ITS”) with regard to these templates. The recitals of the Commission Implementing Regulation mention that the information should only be provided to prospective buyers who are seriously interested in purchasing the NPL agreement concerned. The ITS specify which fields of the template are mandatory and provide explicit guidance on the treatment of personal data and confidential information.
More specifically, credit institutions must identify information that is to be considered confidential or subject to banking secrecy and ensure that it remains adequately protected. In addition, the ITS mandate credit institutions and prospective buyers, before the information is provided, to:
- enter into confidentiality agreements; and
- share personal data only insofar as necessary before entering into a contract for the transfer or sale of non-performing credit agreements.
Accordingly, personal data should only be shared insofar as necessary before the contract for the transfer or sale of non-performing credit agreements is entered into. In line with the GDPR principle of data minimisation, which requires that personal data be adequate, relevant, and limited to what is necessary for the purposes for which they are processed, the latter requirement means that only personal data that meets the necessity test can be shared. However, the Commission Implementing Regulation is silent about when and according to which criteria the sharing would be necessary. The criteria for determining when the sharing of information is necessary would be left to the discretion of the parties involved. Nevertheless, it is important to note that some of the mandatory fields include personal data about borrowers who are individuals, such as their name, type, postal code, country code, whether or not they are resident in the same country as the credit institution, identifiers internal to the credit institution, some information about the proceedings to which they are subject, and some information about the loans themselves and their guarantees.
The necessity test
Therefore, for the moment, the question of the exact necessity test to carry out remains open (except in relation to the mandatory fields mentioned above). That said, the concept of “necessity” is central to GDPR compliance as it is used in 5 out of the 6 available general legal bases for processing personal data. In this context, “necessity” means that the processing of personal data must be strictly necessary (as opposed to simply useful) in light of the legal basis concerned. The concept of “necessity” is also an integral part of the “three-step test” for assessing the principle of proportionality, which plays a key role in the interpretation of the NPL Directive and Commission Implementing Regulation. The necessity criterion requires that any measure taken to achieve a legitimate objective must be necessary, meaning that there are no more protective alternatives that could achieve the same result. By analogy, one could consider that the necessity test to be carried out in the context of the NPL Law is similar. Therefore, the question to consider is the following: how relevant and necessary is it for that prospective buyer to obtain a particular piece of information and consequently for the seller to provide the same to comply with its information obligation?
Subject to concrete assessment of the specific situation at hand, practical examples of possible necessity may include:
- Risk assessment: personal data may be necessary according to the particular credit agreements concerned to assess the risk profile of an NPL portfolio. In certain situations, knowing certain information about the borrower or their credits can be essential for reviewing their repayment and defaults history.
- Due diligence: as part of their due diligence, buyers may, under certain circumstances, need to receive information about certain borrowers to understand their financial status and repayment capacity. This may include, for example, income and employment status, recent bank statements, tax returns or other financial documents that provide insight into the borrower’s financial situation.
- Legal and regulatory compliance, including anti-money laundering and counter-terrorist financing laws (AML-CTF): a buyer may need to ensure that acquiring the NPL portfolio complies with legal and regulatory requirements in the country where it is located. This may include the necessity to receive records or documentation to perform AML checks.
In each case, the necessity assessment should be documented, and any personal data shared should be limited to what is “necessary” for the intended purpose and to those individuals for whom it is necessary. Irrelevant personal data should be excluded.
The above examples of situations where information sharing could be deemed necessary are for illustration purposes only and a thorough in concreto assessment should be carried out in each case to ensure compliance with the necessity test.
Other key considerations
- GDPR compliance beyond the necessity test: where personal data are processed, all other requirements of the GDPR must still be complied with.
- Secure channels for information sharing: credit institutions should ensure that all confidential information is shared through secure channels. Virtual data rooms or similar electronic means may be used as long as they meet the applicable industry standards for confidentiality and data security.
- Machine-readable form: the information should be provided in electronic and machine-readable form, unless credit institutions and prospective buyers agree otherwise.
- Additional information sharing: any information that the credit institution wishes to provide which is not identified in the ITS template should not, as a rule, contain any further personal data, in line with the principle of data minimization and the data protection by design and by default.
Key takeaway
The entry into application of the NPL Law marks a significant step towards financial stability by aiming to ensure that prospective buyers have the necessary information to conduct their due diligence. Nevertheless, this progress also requires careful adherence to the principles of the GDPR. This requires credit institutions to share with prospective buyers of NPLs only the personal data that is strictly necessary. It is, however, not entirely clear yet what personal data may be considered strictly necessary in this context, except for the data that is mandatory under the ITS. Credit institutions acting as controllers will have to make and document their assessment in this respect to remain compliant with the requirements of the GDPR while abiding by their information obligation towards potential buyers.
For more details on the general content of this law, please find our article on the Bill of law No. 8185 here, complemented with this article about the passage of the bill into law.
[1] Mém. A, No 292, 18 July 2024.
[2] Directive (EU) 2021/2167 of the European Parliament and of the Council of 24 November 2021 on credit servicers and credit purchasers and amending Directives 2008/48/EC and 2014/17/EU.
[3] The dates reflect those in Article 57 of the NPL Law, transposing Article 32 of the NPL Directive. This provision aimed to create a temporary grandfathering clause. However, due to the delay in the transposition of the NPL Directive into Luxembourg law, this grandfathering clause became obsolete at the national level. The Directive does not provide for the possibility of extending the grandfathering period beyond the deadlines specified in Article 32.
[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[5] Commission Implementing Regulation (EU) 2023/2083 of 26 September 2023 laying down implementing technical standards for the application of Article 16(1) of Directive (EU) 2021/2167 of the European Parliament and of the Council with regard to the templates to be used by credit institutions for the provision to buyers of information on their credit exposures in the banking book.