FAQs
My personal information has been passed to a debt collection agency. Is this a data protection issue?
Providing personal details to a debt collection agency (data processor) to pursue a debt on behalf of a business or organisation (data controller) does not generally give rise to any data protection concerns. This is covered under the lawful basis of Article 6(1)(b) of the GDPR: “…processing is necessary for the performance of a contract to which the data subject is party”.
A debt is usually a default, or ‘non-payment’, on a contractual arrangement. Where there has been a default in the repayment of a loan/mortgage or a payment for goods/services by an individual, that service/business provider is lawfully entitled to recover what it is owed. However, there should be an acceptable data protection processing agreement under Article 28 of the General Data Protection Regulation (GDPR) between the data controller and the debt collection agency that is acting as a data processor. The clauses in this agreement should outline, at a minimum, instructions on how the personal data is to be processed. Any processing by a debt collection agency outside of this data processing contract is likely to be unlawful processing of personal data. The data controller should also comply with all the requirements set out in the Article 5 principles of the GDPR for any personal data that is disclosed to the data processor.