Newsletter 3 – December 2024
Welcome to the third issue of the PACE Newsletter! This newsletter aims to share updates and insights on data protection in the context of civil enforcement, tailored for enforcement agents, judicial officers, and GDPR experts across the European Union and candidate countries. Stay tuned for the latest project activities, including cross-border training events, resources on GDPR procedures, and more.
Agenda
17th January 2025: Final pan-European PACE seminar
The final event of the PACE project will include a one-day workshop (12:00-17:45) on data protection in civil enforcement addressed to enforcement agents from all EU member states. This concluding seminar will aim to capitalize the achievements and the findings of the PACE project and the transnational capacity building events and to identify the next steps for enforcement agents and national enforcement chambers.
Participants can register HERE until January 10th. Early registrations are welcome.
Three PACE e-courses on GDPR and civil enforcement
Three e-courses are being finalised in the course of the PACE project. They deal with:
- Becoming and effective trainer
- Principles of data protection in civil enforcement
- Data protection in digital enforcement
The e-courses will be finalized and opened for piloting soon. Registration for the piloting will start from 31 January. In case you are interested in the pilot, you can already contact us: projects@cecl.gr or j.uitdehaag@uihj.com
After the end of the project the e-courses will be available free of charge to all interested parties and will be available for the national Chambers to use as part of their own training resources.
Recent achievements
A team of 33 trainers on DGPR in civil enforcement
The PACE project selected and trained, in a 3-day intensive Train the trainers course, a team of 33 trainers from 15 EU member states (Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Greece, Hungary, Italy, Latvia, Lithuania, Malta, the Netherlands, Poland and Portugal), 3 candidate states (North Macedonia, Montenegro and Serbia) and Scotland. The PACE trainers are equipped with knowledge, Training of trainers (ToT) skills and materials to conduct trainings for enforcement agents in their jurisdictions.
517 Enforcement Agents trained in data protection in civil enforcement
In the context of the PACE project, a series of transnational seminars were organized offering applied GDPR knowledge to enforcement agents from across the EU. Until December 2024, seven transnational seminars had been organised involving a total of 517 enforcement agents, 434 from EU member states and 83 from three candidate countries (Georgia, Moldova and Northern Macedonia).
2nd Transnational Roundtable – Paris, 28 November 2024
SUMMARY OF DISCUSSIONS
Introduction
The GDPR is a complex Regulation consisting of more than 99 articles. Due to its general nature the GDPR applies in a number of situations including civil enforcement. How does it affect the work of enforcement agents at the individual, office or chamber level? What do they need to know? And what do they need to do differently? There are some of the questions that the PACE project aimed to explore.
This brief summarizes the discussions of the 2nd Transnational Roundtable, held in Paris on 28 November 2024 in the framework of the EU-funded programme Creating Privacy Awareness in Civil Enforcement – PACE (101090018 – PACE – JUST-2022-JTRA), and provides examples of promising practices and measures implemented by European national enforcement authorities, and, beyond, authorities from non-EU MS. The aim is to assist both national enforcement authorities and individual enforcement agents to carry out their work in a GDPR-compliant manner.
The 2nd Transnational Roundtable included two panels on the results of the PACE project; promising practices and challenges (Panel I) and the international standards on enforcement and their privacy provisions versus the provisions of the GDPR (Panel II). The roundtable was attended by the President and Vice-President of the International and the European Union of Judicial Officers, Marc Schmitz (Belgium) and Jos Uitdehaag (Netherlands), the president of the European Council of Bar Associations (CCBE) as well over 70 delegates from EU (candidate) Member States. The roundtable was further attended by a substantial number of participants from non-EU MS (including Africa, Asia and America). In a number of these countries (e.g. Brazil), the GDPR has been the inspiration for the development of privacy legislation.
What do enforcement agents know about the GDPR?
A key finding of the Training Needs Assessment conducted at the beginning of the PACE project[1] is that a surprising number of Enforcement Agents (EAs) report uncertainty about the application of the GDPR in their day-to-day practice. 55% of respondents to the survey rated their knowledge as poor or fair, 32% as good and only 13% as very good or excellent. Their concerns mainly relate to the lawful processing of parties’ data, available from different sources, especially in relation to the principles of purpose limitation and data minimisation. This also includes the use of data available to the enforcement agent from other cases against the same debtor and the data used in past cases on the same debtor. These uncertainties were confirmed in the webinars that were organised.
How is the GDPR relevant to Enforcement Agents?
Personal data is any information relating to an identified or identifiable natural person (‘data subject’). This includes both simple personal Data for example the name, date of birth, address, age, tax registration number etc but also special categories of personal data, such as racial or ethnic origin (e.g., nationality), health or other data.
Enforcement Agents mainly deal with simple personal data that they have to process in the context of their duties. Processing’, according to GDPR, includes any operation or set of operations performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available.
Examples of data processing by Enforcement Agents include:
- writing a service report which includes personal data
- inventory record of debtor’s possessions
- copies from a service report
- keeping record of service reports
- writing a report after conducting an inspection of mortgage
- publishing an abstract of a legal document (lawsuit, decision) when the opponent’s address is not known.
- searching and collecting data in public registers
- transmission to authorities such as the police or the court
- sending copies of reports to clients or lawyers.
What principles need to guide the work of Enforcement Agents with data?
In their activities, Enforcement Agents are guided and limited by 6 specific principles for dealing with personal data (Article 5.1-2 GDPR):
- Lawfulness, fairness and transparency which means that processing must be lawful, fair, and transparent to the data subject;
- Purpose limitation which means that data can be processed ONLY for the legitimate purposes specified explicitly to the data subject when collected
- Data minimization which means that Enforcement Agents can collect and process ONLY as much data as absolutely necessary for the purpose specified;
- Accuracy which means that personal data needs to be accurate and up to date;
- Storage limitation which means that personal data can be stored only FOR AS LONG AS NECESSARY for the specified purpose; and
- Integrity and confidentiality which means that processing must be done in a way to ensure security, integrity, and confidentiality (e.g. by using encryption).
What is the current state of play?
The first panel of the PACE roundtable discussed the results and findings of the PACE project, including promising practices and challenges. The first panel revealed:
- Discrepancy between international standards, GDPR and national legislation
According to the GDPR, the personal data that are collected need to be specified, explicit and serve legitimate purposes. It is not allowed to further process data incompatible with such provisions (purpose limitation). The purpose for which the data need to be legitimate and determined at the time of the collection of the data. When it comes to enforcement, this approach does not seem to be in line with international enforcement principles. For example, Council of Europe’s Committee for the Efficiency of Justice (CEPEJ) explicitly mentions in its 2009 Guidelines on enforcement (Guideline 46): Member states are invited to consider allowing enforcement agents to reuse information on the defendant’s assets in subsequent procedures that involve the same defendant. The reuse of information should however be subject to clear and precise legal framework (i.e. setting strict timeframes for data retention, etc.). In line with this CEPEJ Guideline, it is recommended that countries will develop a clear and precise legal framework on the re-use of information.
- E-service of documents
For e-service of documents to be successful, the recipient of the judicial or extra-judicial document (private individual or legal entity) should hold an “electronic judicial address” or, failing this, an “elected electronic address for service”. With a view to good justice, it is important that there is an authentic source for all records of notification and service: all notifications are recorded there with all the necessary additional information. This could be effected through the establishment of an e-service platform and/or the use of DLT – What is DLT ?. Here there is a key-role of the judicial officer under whose responsibility and liability such authentic source could be developed. An example of such source in practice is Belgium.
- e-Access to information
The enforcement environment is rapidly changing (e.g. enforcement of digital assets). In that respect it is important that there are sufficient legal mechanisms to enable the judicial officer to collect information on the domicile and assets of parties also cross-border. Cross border cooperation between enforcement authorities increasingly involves exchange of data. The competent authorities must take the necessary security measures to protect personal data against any unlawful form of processing.
Promising practices and examples
- The Portuguese example – Use of digital tools
In Portugal, EAs are justice officials subject to strict requirements in the performance of their duties, including in relation to personal data protection. They are prohibited from carrying out any activity that is not forensic or incompatible with their mandate and must maintain confidentiality regarding the identity of the parties to the enforcement proceedings and the data to which they have access. In addition, EAs must maintain and update digital records on the status of the cases assigned to them, as well as an archive of documents related to the cases, use digital means of communication and signature, and maintain appropriate IT systems and resources in their offices.
In order to facilitate the effective enforcement of claims, the EAs have direct access to public databases on civil identification, tax administration, social security, immovable and commercial property, vehicle registers and the Bank of Portugal. EAs are organised under the Order of Solicitors and Enforcement Agents, which acts as the data controller for civil enforcement cases and implements technical and organisational measures, including the implementation of appropriate data protection policies.
SISAAE is an IT platform developed for the management of legal proceedings by enforcement agents. It was created in 2003 as part of a major reform of the Portuguese judicial system, which saw the creation of the role of the Enforcement Solicitor, now known as the Enforcement Agent (AE). The platform interacts automatically with the IT systems of the courts and other competent authorities and is constantly being improved with updates and new features. Enforcement Agents must record all procedural and data processing acts in the SISAAE platform. Interoperability with other IT systems or platforms is prohibited.
- The Dutch example – Proactive, step-by-step guidance
The Royal Professional Organisation of Judicial Officers (KBvG) is the representative body of judicial officers in the Netherlands, with a mandate to uphold their prestige, dignity and rights, to ensure that they act in good conscience and in accordance with the law, and to improve their professional skills and qualifications.
In line with its mandate, the KBvG proactively issued concrete step-by-step guidelines and adopted a privacy handbook within the first two quarters of 2018 (the year the GDPR came into force). This included a step-by-step plan for the necessary implementation measures, guidance on the appointment and tasks of DPOs – What are DPOs?, sample data requests and privacy policies, instructions on how to create and maintain a record of processing activities in accordance with Article 30 of the GDPR, procedures for registering and notifying personal data breaches, guidance on storage restrictions and withdrawal of consent, etc. The guidance provided by the KBvG has been exceptionally well received by the Dutch EAs, and is being used to promote GDPR compliance and analyse trends.
Other policy ideas and suggestions
- The importance of awareness and capacity building
Enforcement Chambers / Agencies / Authorities should raise awareness of the obligation of EAs to notify and communicate data breaches and the consequences of failing to do so. EAs should be encouraged to notify DPAs and communicate with data subjects in a timely and transparent manner in order to reduce potential fines.
- Exploring insurance tools for non-compliance fines.
The Chamber of Enforcement Agents of Thessaloniki recently purchased private insurance for its members against potential fines imposed on them for GDPR violations. This could provide an additional layer of security, especially for smaller offices that could face potentially devastating consequences in the event of a fine.
Co-funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them.
