The Municipal Debt Relief Act ("Wgs") regulates that people with (imminent) problematic debts can turn to municipalities for advice, mediation or credit, for example. Because of recurring privacy law problems, particularly in the context of sharing personal data in early signaling, a number of changes were made in January of this year. The AP offers guidance in that context through its handbook. In this blog you can read what the privacy law concerns are of debt assistance.
The legislature formulated different phases, with corresponding goals, in debt relief:
Early signaling: getting people with (imminent) debts in sight earlier in order to offer debt assistance as early as possible;
Access to debt assistance: not everyone can be helped - the municipality must test whether or not someone qualifies for debt assistance;
Drawing up a plan of action: if help is accepted, the municipality proceeds according to a plan of action to be drawn up.
This blog discusses privacy law concerns that must be considered at each step. It should also be noted that the processing permitted under the Wgs does not relate to debt prevention. According to the legislator, municipalities are not allowed to process personal data in this context. This is therefore specifically about debt assistance.
The legislator's motto in the Wgs is "prevention is better than cure." This is where early signaling comes in; a targeted action to get in touch with citizens with (imminent) debts. In concrete terms, early signaling means that people who are not yet in the picture of the municipality will (can) receive help as soon as possible through the municipality.
In practice, there are 3 forms of early warning:
Internal referral: the municipality signals within its own organization;
External referral: the municipality agrees with companies and institutions that clients who are thought to have (imminent) debts are referred to the municipality;
Third-party signaling: companies and institutions themselves signal to the municipality about a resident.
Basis for exchange?
Since the early detection of debt is not an explicit municipal task, until now it has been difficult to be allowed to exchange information since an appropriate legal basis - and thus a basis for processing - was lacking. The legislature has attempted to remedy that problem by including in the Municipal Debt Assistance Decree ("Decree") signals that are grounds for the college to provide debt assistance on its own initiative.
Thus, the Decree provides a legal basis for the processing of personal data by municipalities. However, this does not mean that every third party may provide data to the municipality without further ado. For now, only housing landlords, health insurers, and drinking water and energy companies are included in the Decree. Data from other parties may in principle not be provided under the Decree at this stage and thus not be processed by municipalities.
Incidentally, a separate regime applies to landlords: the AP states that, in principle, the landlord must request permission to share data with the municipality. Only if the tenant does not respond, then the landlord is still obliged to share the data with the municipality. It is not likely that in this case the basis of consent (Article 6(1)(a) AVG) is actually being referred to, as the legislator has clearly stated in the Explanatory Memorandum that there is a dependency relationship, which makes it impossible to obtain legally valid consent. The Explanatory Memorandum to the Decree also refers to "consent" instead of permission.
Proportionality
Not all data may be shared with a municipality without question. The processing - as with all other processing - must be in proportion to the purpose and thus proportional. This is only the case if it involves signals that reveal a suspicion or knowledge that there is (imminent) problematic debt.
If the data subject accepts assistance, it is permissible for the municipality to feedback that signal to the reporter. According to the AP, it is desirable - partly for reasons of proportionality - that this is done at an aggregate level. If this turns out not to be possible, the municipality should inform the data subject about the feedback.
Not everyone can gain access to debt relief. Access is subject to certain conditions, such as that (i) the person must be lawfully residing in the Netherlands. In addition, (ii) someone may be refused if he or she has previously used such assistance and/or committed fraud in that context. To test this, the municipality must request data. This too is only allowed under certain conditions:
A municipality may request data only if the municipal plan states that recidivism and fraud are relevant to the decision;
The solicitation must comply with the principle of proportionality. A municipality may not request files without complete records.
Legal basis
If the person in question meets the requirements, the municipality may request information from, for example, other municipalities, the UWV, the SVB, DUO and the Tax Office. This is also new with respect to the previous statutory regulation. There the basic principle was that the parties involved had to supply information themselves, but in practice this did not always prove workable. So now a statutory exchange option has been created for this phase as well.
Determining what help is needed requires a personalized approach. More detailed and specific information is likely to be needed for this purpose. The new regulations clarify when consultation of certain information is necessary and what data may be viewed in that context. For example, the municipality may use data that it has processed under other legislation with respect to the person concerned, but may also consult other bodies that can provide insight into debts. The Decree lists several categories of personal data that may be used for this purpose.
The AP also pays general attention in the handbook to the mandating of tasks in the context of debt assistance. Indeed, the Wgs offers the possibility of mandating tasks. In that case, however, the college remains responsible, which means that in some cases a processing agreement must be concluded. The AP seems to argue that there should always be a processing agreement. After all, where there is no legal basis of its own, there cannot be a responsible-principal role either, the AP argues. In this, however, it does not address the principle of actual influence, which according to the EDPB can lead to the qualification of "responsible party" even when there is thus no legal basis.
With that in mind, it remains relevant to look at the actual work and duties of the client when determining the division of roles. After all, this is also important for recording data flows and framing privacy law documents such as a processing register.
Finally, the following topics also deserve adequate attention, according to the AP:
The applicability of professional secrecy and the relevant grounds for breach and the possible need to separate IT systems;
Conducting DPIAs;
The processing of the BSN;
Retention periods;
Informing stakeholders.