Without prejudice to the obligations of reporting institutions, the National Bank of Belgium (hereinafter “the NBB") is the controller of the personal data recorded in the Central Individual Credit Register (hereinafter "the Register”) for receiving data provided by reporting institutions, organising and storing those data, using those data within the limits of the law, disclosing those data in cases where it is authorised to do so by the law and for protecting, erasing or destroying personal data under the conditions set out in the law.
The NBB processes personal data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR), with Articles VII.148 to VII.157 of the Code of Economic Law (hereinafter “CEL”) and with the Royal Decree of 23 March 2017 organising the Central Individual Credit Register. The CEL and the Royal Decree of 23 March 2017 constitute the legal basis for the processing of personal data in the Register.
Personal data are recorded in the Register with the aim of managing the Register to provide reporting institutions with information that enables them to properly assess the risks associated with their debtors and to provide the NBB, as supervisory authority, with the data it needs to properly assess the risks of the financial sector and to perform its scientific or statistical activities or the other activities it carries out pursuant to the Law of 22 February 1998 establishing the Organic Statute of the Bank, such as monetary and other policies and prudential supervision.
The persons recorded in the Register are informed of the processing of their personal data through:
- a specific mention in the text of the credit agreement concluded;
- a letter concerning the first recording of an overdue debt in their name in the Register.
Data retention periods are as follows:
- for credit agreements without overdue debt: three months and eight working days after the expiry date of the credit agreement;
- for overdue debts:
- in case of non-regularisation: ten years from the date of the first overdue debt;
- in case of regularisation: in principle one year from the regularisation date. Under no circumstances may this period exceed the ten-year retention period calculated from the date on which the overdue debt was first recorded.
When the NBB processes the data for scientific or statistical activities or for the other activities it carries out pursuant to the Law of 22 February 1998 establishing the Organic Statute of the Bank, the data can be stored for a longer period when encoded.
All persons recorded in the Register can:
- personally access the data recorded in their name free of charge;
- request the rectification of data proven to be inaccurate;
- file a complaint with the Data Protection Authority if they believe that the processing infringes on the relevant legislation and regulations.
The NBB has appointed a data protection officer who can be contacted by e-mail (email@example.com) or by post (National Bank of Belgium, Data Protection Officer, de Berlaimontlaan 14, 1000 Brussels) if necessary.