Clarifications on the management of the SISBON system in connection with the GDPR

05/30/2018 / Press release

The full entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018 has increased interest from the media and the general public in SISBON, the system for exchanging information on the debts of individuals, which is managed by the Bank of Slovenia. Given the erroneous interpretations of law in connection with the GDPR that have arisen in public, a few clarifications are given below.

The SISBON system was put in place by banks and savings banks in 2008 on the basis of the then-valid Banking Act. It was put in place for the purposes of effectively assessing and managing credit risk at lenders in connection with the conclusion and execution of credit operations with retail clients, encouraging policies and measures for responsible lending and sustainable borrowing, and preventing excessive indebtedness on the part of individuals. The Bank of Slovenia took over management of the SISBON system in January 2016 on the basis of the new Banking Act (the ZBan-2).

Since December 2016 the functioning of the SISBON system has been regulated by the Central Credit Register Act (the ZCKR), which represents the legal basis for the processing of personal data on individuals’ debts. The aforementioned law stipulates what data on individual debts may be processed in the SISBON system, who submits the data to the system, what data on an individual may be viewed and when, by whom and for what purpose, the storage period of the data, and the rights of data subjects in connection with their data managed in SISBON.

The full entry into force of the GDPR has brought no changes to the management of the SISBON system and to data processing in the system, as all elements of data collection, data processing and the exercise of individuals’ rights are regulated by the ZCKR. The ZCKR set out stricter protection for individuals even before the entry into force of the GDPR. The law grants system members the right to collect data without the express consent of the data subjects.

The rules with regard to the personal data in the SISBON system are thus clearly defined by the ZCKR.

  • Data on individuals’ income, on transactions executed by individuals via personal accounts, and on arrears in the settlement of individual living expenses (e.g. water bills, electricity bills, heating bills) is not processed in the SISBON system.
  • The SISBON system does not stipulate an individual’s credit assessment, or to put it another way, there is no information in the SISBON system as to who is creditworthy and who is not. A borrower’s credit assessment or creditworthiness is determined by the bank or system member itself, on the basis of its lending policy.
  • An individual’s right to the rectification and erasure of erroneous data or data for which there is no legal basis is not a new feature in SISBON, and was not created by the entry into force of the GDPR. Individuals have been guaranteed these rights, alongside others brought by the GDPR, ever since the SISBON system began operating.
  • Data on credit operations, collateral, personal bankruptcy proceedings, and tax, administrative and judicial enforcement proceedings is visible in the SISBON system for four years after the expiry of the liabilities, following which the data is automatically erased. The date reported to the system by the bank or system member that managed the business relationship with the client is counted as the date of the expiry of the liabilities. 
  • The bank or system member that submitted the data to the system is responsible for ensuring that the data on an individual processed in the SISBON system is correct, accurate and up-to-date. Insofar as an individual does not accept the information submitted, he/she has the right of completion, rectification, blocking, erasure and objection, which is regulated by Article 24 of the ZCKR. It follows from the above that assessing the eligibility of a request for rectification is the responsibility of the bank as the controller of the personal data, and not of the Bank of Slovenia. Insofar as the individual does not accept the bank’s decision on the request for rectification, he/she has recourse to judicial protection in accordance with the ZVOP-1, which is decided on by the competent court.