I have a report of suffering a loss that only appears in the bank of Italy: thirty-six months have passed since the assignment of the credit. Can I request a cancellation? To whom and how should this cancellation be requested?
Unable to settle debt
There is the talk of suffering when the client is assessed in a state of insolvency even if this has not been established in court. The non-performing classification is the result of the assessment of the client’s overall financial situation by the bank or financial intermediary. Banks and financial intermediaries must inform in writing the client and any co-obligors the first time they report it to “non-performing”.
The data in Central Risks are displayed backward, including a thirty-six-month time window. If the report is still visible and not obscured, assuming that the assignee Bank has renewed it, and if indeed more than three years have elapsed since the assignment of the credit made by the original creditor, it is probably an anomaly of the management software of the electronic archive, which must be notified to the Bank, since it is not possible to trace the problem to the intermediary subject who made, or renewed, the report.
Protection of personal data
Furthermore, the Authority for the protection of personal data has recently clarified that the visualization of the data present in the risk centers cannot extend beyond a backward time window of more than five years (which originates from the first report – even if the same was subsequently renewed by a transferee).
The 5 years established recently by the Privacy Guarantor to cancel any report (right to be forgotten), must be calculated from the date of first notification (which as regards the bank of Italy cannot be deduced from the visual), or from the date of the end of loan relationship?
As is known, the information relating to non-regularized non-compliance can be retained in the SIC no later than thirty-six months from the contractual expiry date of the relationship or, in case of other events relevant to the payment, from the date on which it was necessary their last update, or in any case from the date of termination of the relationship.
With the interpretive provision, the Authority for the protection of personal data has admitted that the aforementioned standard makes it uncertain the identification of the starting date of the term of retention of data relating to non-regularized non-compliance.
Term of thirty-six months
In fact, if, on the one hand, we want to avoid that the term of thirty-six months from the expected termination of the contractual relationship automatically entails the cancellation of information relating to non-compliance (yet) regularized, on the other hand the generality of the text that, at To this end, it considers relevant a plurality of events risks making it impossible to determine ex ante the moment in which personal data will be deleted, with consequent uncertainty for the interested parties and for the sector operators. In fact, the experience of these years has revealed the existence of diversified operational practices among the various Sic, confirming the opportunity of a clarification intervention of the Guarantor.
Therefore, in accordance with the general principles established on the processing of personal data (Article 11 of the code of ethics), the Authority considers it appropriate that the maximum term of retention of data relating to non-compliance not later regularized (without prejudice to the reference deadline 36 months from the contractual expiry or termination of the relationship), can never, in any case, exceed five years from the date of expiry of the relationship, as shown in the loan agreement.
This corresponds to the need not to make the final data retention term random and indefinite. In the sense of a less discretionary determination of this term, the new regulation concerning the protection of personal data contained , which, in the matter of disclosure to be provided to the interested party, provides that in order to guarantee a correct and transparent treatment, the holder indicates, inter alia, the retention period of personal data or, if this is not possible, the criteria used to determine this period.