DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Debt Collection Agencies: Handling Debtor Data Compliantly

Financial vulnerability data, tracing enquiries, and third-party data — debt collection has some of the most complex GDPR obligations in financial services.

Debt collection agencies sit at a unique intersection of GDPR, FCA regulation, PECR, and consumer credit law. The data you process is financially sensitive — sometimes indicating severe vulnerability — and the people you're processing it about typically didn't choose to deal with you.

1. Why Debt Collection Agencies Face Strict GDPR Obligations

Debt collection sits at the intersection of several serious GDPR risk factors:

Sensitive data types. Debtor files contain names, addresses, employment details, income and expenditure information, vulnerability indicators, payment history, and details of third parties. Some of this approaches special category territory — particularly health data that explains financial difficulty.

Data collected by third parties. When you receive a debt portfolio from an original creditor (a bank, utility, or retailer), you're receiving personal data that the debtor provided to someone else, often years ago. The debtor may not know you have it.

Power imbalance. Data subjects in debt collection processes are often financially stressed, sometimes vulnerable, and have limited ability to negotiate how their data is handled. ICO enforcement and FCA supervision both reflect heightened expectations around fair treatment.

Regulatory overlap. The FCA's Consumer Duty (in force since July 2023) and its Consumer Credit sourcebook (CONC), whose chapter 7 covers arrears, default and recovery, sit alongside GDPR obligations. A data-handling failure in collections is frequently also a conduct failure, so the same incident can draw both ICO and FCA attention.

2. Types of Data You Process

A typical debtor file held by a debt collection agency may contain:

  • Identification data: Full name, date of birth, previous names
  • Address data: Current and previous addresses, including those obtained through tracing
  • Financial circumstance data: Income and expenditure details, bank account information, details of other creditors
  • Payment history: Payment dates, amounts, broken arrangements, default dates
  • Vulnerability indicators: Notes about mental health disclosures, physical health affecting capacity, financial abuse indicators

Vulnerability indicators carry the most GDPR sensitivity. Notes indicating a mental health condition or cognitive impairment effectively constitute health data — special category data under Article 9.

3. Financial Vulnerability: The Quasi-Special Category Issue

GDPR's Article 9 lists the special categories explicitly: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health (which includes mental health), and sex life or sexual orientation. Financial vulnerability isn't listed.

But information about financial vulnerability often reveals or implies special category data. A note that a debtor has been hospitalised for mental health reasons, is receiving disability benefits, or has disclosed a cognitive impairment is, functionally, health data.

The FCA's Consumer Duty and its vulnerability guidance require you to actively identify and respond to customer vulnerability, which means creating records that document vulnerability disclosures. Under GDPR those records need a lawful basis under Article 6 and, where they amount to health data, an additional Article 9(2) condition. They also need a documented purpose, access restricted to the staff who actually handle vulnerability, and a retention limit: a disclosure made to ask for a payment holiday should not sit in the general account notes, visible to every collector, indefinitely.
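One way to give vulnerability notes the separate handling described above, as an added example that is not code from the original post or from any product it names. Notes are stored apart from the financial fields, released only to a permitted role for a permitted purpose, every request is written to an audit trail, and a retention sweep removes notes once the account has been closed for the retention period. The role names, the permitted purposes and the six-year retention period are assumptions standing in for your own policy; the sample account is constructed.

```python
"""Keeping vulnerability notes apart from the general debtor file, with
role- and purpose-gated access, an audit trail and a retention sweep.

Added example, not code from the original post or from any product it names.
The role names, the permitted purposes and the retention period (six years
after the account closes) are assumptions standing in for your own policy;
the sample account is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

VULNERABILITY_READ_ROLES = {"vulnerability_team", "compliance"}  # assumption
VULNERABILITY_PURPOSES = {"forbearance_assessment", "complaint_handling", "sar_response"}  # assumption
VULNERABILITY_RETENTION = timedelta(days=6 * 365)  # assumption


@dataclass
class VulnerabilityNote:
    text: str                              # may be Article 9 health data
    recorded: date
    account_closed: Optional[date] = None  # retention clock starts here


@dataclass
class DebtorAccount:
    account_id: str
    name: str
    balance_pence: int
    notes: List[VulnerabilityNote] = field(default_factory=list)


@dataclass(frozen=True)
class AuditEntry:
    account_id: str
    actor: str
    role: str
    purpose: str
    granted: bool


class DebtorStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, DebtorAccount] = {}
        self.audit: List[AuditEntry] = []

    def add(self, acct: DebtorAccount) -> None:
        self.accounts[acct.account_id] = acct

    def view(self, account_id: str, actor: str, role: str, purpose: str) -> dict:
        """Return the account as this caller may see it. Collections staff get
        the financial fields plus a bare 'adjust contact' flag; the note text is
        released only to a permitted role for a permitted purpose. Every request,
        granted or refused, is written to the audit trail."""
        acct = self.accounts[account_id]
        granted = role in VULNERABILITY_READ_ROLES and purpose in VULNERABILITY_PURPOSES
        self.audit.append(AuditEntry(account_id, actor, role, purpose, granted))
        view = {
            "account_id": acct.account_id,
            "name": acct.name,
            "balance_pence": acct.balance_pence,
            "adjust_contact": bool(acct.notes),  # the fact, not the reason
        }
        if granted:
            view["vulnerability_notes"] = [n.text for n in acct.notes]
        return view

    def purge_expired(self, today: date) -> int:
        """Delete notes whose retention period has run; returns how many were
        removed. Notes on accounts that are still open are never touched."""
        removed = 0
        for acct in self.accounts.values():
            kept = []
            for n in acct.notes:
                if n.account_closed is not None and today - n.account_closed > VULNERABILITY_RETENTION:
                    removed += 1
                else:
                    kept.append(n)
            acct.notes = kept
        return removed


def build_sample_store() -> DebtorStore:
    """Constructed sample data for the example (not a real account)."""
    store = DebtorStore()
    acct = DebtorAccount("ACC-001", "A. Example", 48_250)
    acct.notes.append(VulnerabilityNote(
        "Disclosed hospital admission for mental health; asked for written contact only",
        date(2024, 3, 4)))
    store.add(acct)
    return store
```

The point of the split is that a collector's screen carries the instruction to adjust contact without carrying the diagnosis, and the audit entries for refused requests are what show an auditor that the control actually fires.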

4. Receiving Debts from Original Creditors: Lawful Basis Without Consent

When an original creditor assigns a debt to your agency, the personal data transfers with it. The debtor didn't consent to this transfer, and you don't need them to. The lawful basis is typically:

  • Article 6(1)(b), contractual necessity: as assignee you step into the creditor's contract, and processing is necessary to perform and enforce it
  • Article 6(1)(f), legitimate interests: your interest in recovering money lawfully owed, recorded in a legitimate interests assessment that weighs the debtor's position
  • Article 6(1)(c), legal obligation: where FCA or anti-money-laundering rules require specific processing

Keep the distinction between an assigned debt, where you are the controller, and collecting on the creditor's behalf under a service agreement, where you may be acting as the creditor's processor and rely on the creditor's basis and instructions.

You don't need the debtor's consent for debt recovery purposes. But you do need to tell them you have their data. Because you obtained it from the creditor rather than from the debtor, Article 14 applies: the notice is due within a reasonable period and at the latest one month after you received the data, and if you use the data to contact the debtor, no later than that first communication (Article 14(3)). In practice the first contact letter or call script carries the notice, and the one-month clock caps how long you can wait before making that contact.

5. Tracing Services: Credit Reference Agencies and Tracing Bureaux

Tracing — locating a debtor whose contact details have changed — raises distinct GDPR issues.

Types of tracing include soft credit file searches through credit reference agencies (Experian, Equifax, TransUnion), electoral roll searches, tracing bureaux, and the Gone Away Information Network (GAIN).

Key GDPR requirements:

  • Tracing is normally justified under legitimate interests: document your LIA, including why the intrusion is proportionate to the debt
  • Map roles correctly: the credit reference agencies are controllers in their own right (their joint CRAIN notice covers their processing), so your contract with them is controller-to-controller; a tracing bureau that searches only on your instructions is your processor and needs an Article 28 DPA
  • Data minimisation applies: request only the fields the purpose needs, so an address search does not pull employment or income data
  • Use soft searches, which are visible to the debtor but not to other lenders and don't affect their credit score

6. Contact Rules: FCA Limits and PECR Obligations

The FCA's CONC rules make clear that multiple daily contacts are unlikely to be compliant; contacting debtors at times they have told you are inconvenient is prohibited; and ignoring a vulnerability disclosure is a Consumer Duty failure.

Under PECR, automated calling systems (recorded-message calls with no live agent) require the recipient's prior consent whatever the purpose, debt collection included (regulation 19). Live-agent collection calls are not direct marketing, so the PECR marketing-call rules do not apply to them, but CONC still does.

Document each contact attempt — your logs serve as both FCA compliance evidence and GDPR accountability documentation.
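A pre-contact gate that applies these rules before an attempt is made and logs every decision, as an added example that is not code from the original post or from any product it names. The numeric limits are assumptions standing in for thresholds you derive from CONC and your own policy (the post states no figures): at most one contact of any channel per day, and calls only between 08:00 and 21:00. Debtor records are constructed.

```python
"""Pre-contact gate: checks a planned contact against the contact rules and
records the decision, so the log doubles as CONC and GDPR accountability evidence.

Added example, not code from the original post or from any product it names.
MAX_CONTACTS_PER_DAY and CALL_WINDOW are assumptions; set them from CONC and
your own policy. Debtor records are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import List, Optional, Tuple

MAX_CONTACTS_PER_DAY = 1                   # assumption
CALL_WINDOW = (time(8, 0), time(21, 0))    # assumption
CALL_CHANNELS = {"agent_call", "robocall"}


@dataclass
class Debtor:
    account_id: str
    robocall_consent: bool = False          # PECR reg. 19 consent for automated calls
    inconvenient_windows: List[Tuple[time, time]] = field(default_factory=list)  # times the debtor asked not to be called
    required_channel: Optional[str] = None  # set from a vulnerability disclosure, e.g. "letter"


@dataclass(frozen=True)
class ContactDecision:
    account_id: str
    when: datetime
    channel: str
    allowed: bool
    reason: str


class ContactGate:
    def __init__(self) -> None:
        self.log: List[ContactDecision] = []  # every attempt, allowed or refused

    def _allowed_today(self, account_id: str, day: date) -> int:
        return sum(1 for d in self.log
                   if d.account_id == account_id and d.allowed and d.when.date() == day)

    def check(self, debtor: Debtor, channel: str, when: datetime) -> ContactDecision:
        """Decide whether the contact may go ahead; always writes a log entry.
        Checks run in order: PECR consent, channel restriction from a
        vulnerability disclosure, calling hours, debtor-declared windows,
        then the daily limit across all channels."""
        t = when.time()
        reason = "ok"
        if channel == "robocall" and not debtor.robocall_consent:
            reason = "PECR: automated call without consent"
        elif debtor.required_channel and channel != debtor.required_channel:
            reason = f"vulnerability disclosure: contact by {debtor.required_channel} only"
        elif channel in CALL_CHANNELS and not (CALL_WINDOW[0] <= t <= CALL_WINDOW[1]):
            reason = "outside calling hours"
        elif channel in CALL_CHANNELS and any(lo <= t <= hi for lo, hi in debtor.inconvenient_windows):
            reason = "debtor-declared inconvenient time"
        elif self._allowed_today(debtor.account_id, when.date()) >= MAX_CONTACTS_PER_DAY:
            reason = "daily contact limit reached"
        decision = ContactDecision(debtor.account_id, when, channel, reason == "ok", reason)
        self.log.append(decision)
        return decision
```

The gate sits in front of the dialler or messaging system rather than in a reporting job afterwards; refused attempts are logged with the rule that refused them, which is the evidence an auditor asks for.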

7. Third-Party Data

Third-party individuals (employers mentioned by debtors, family members, guarantors) are data subjects too. Contacting an employer about a debt without the debtor's agreement discloses their financial situation to someone with no basis to receive it: an unlawful disclosure that counts as a personal data breach and may need reporting, and unfair treatment under CONC besides. Hold the third-party data you do need (a guarantor's details, a nominated contact) with its own recorded purpose so it is not swept into collection activity aimed at the debtor.

8. Debt Sale: Data Obligations When Selling Portfolios

When you sell a debt portfolio, you're transferring personal data. You need:

  • A lawful basis for the transfer
  • Contractual guarantees that the purchaser will comply with GDPR
  • A process for DSARs received after sale

You cannot divest yourself of GDPR obligations by selling the debt. When you purchase a portfolio, Article 14 obligations apply again — notify the debtor you are the new controller.

9. Data Subject Rights During Active Collection

Debtors have full GDPR data subject rights. These don't disappear because they owe money.

SARs: You must provide a copy of the personal data together with the purposes, recipients, retention period, source, and whether any automated decision-making or profiling is applied, within one month of the request (Article 15). The period can be extended by two further months for complex or numerous requests, but you must tell the requester within the first month. You cannot delay because an account is in dispute, and where the file contains other people's data (a guarantor's, a family member's) you redact it rather than withhold the whole file.

Right to rectification: If a debtor disputes the debt amount or claims mistaken identity — investigate and correct inaccurate data before proceeding with collection.

Right to erasure: Debtors cannot simply erase their debt records. You can refuse where processing is necessary for establishing, exercising, or defending legal claims (Article 17(3)(e)).
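The one-month clocks that run through sections 8 and 9 (the Article 14 notice on a purchased portfolio, and the subject access deadline with its extension) are easy to get wrong at month ends, so here they are worked through as an added example that is not code from the original post. "One month" is counted the way the ICO describes for subject access timing: the same date in the following month, or the last day of that month when there is no such date. Applying that convention to Article 14 too is an assumption, and the sample portfolio is constructed.

```python
"""Statutory one-month clocks: Article 14 notices on a purchased portfolio and
subject access requests.

Added example, not code from the original post. 'One month' is counted as the
ICO describes for subject access timing: the same date in the following month,
or the last day of that month when there is no such date. Applying the same
convention to Article 14 is an assumption; the sample accounts are constructed.
"""
import calendar
from datetime import date
from typing import Iterable, List, Optional


def add_months(d: date, n: int) -> date:
    """d plus n calendar months, clamped to the last day of the target month
    (31 January + 1 month is 28 or 29 February)."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def article14_deadline(received: date, first_contact: Optional[date] = None) -> date:
    """Latest date for the Article 14 notice: one month after you obtained the
    data, or the first communication with the debtor if that comes sooner."""
    deadline = add_months(received, 1)
    if first_contact is not None and first_contact < deadline:
        return first_contact
    return deadline


def sar_deadline(received: date, extended: bool = False) -> date:
    """Article 12(3): one month, extendable by two further months for complex
    or numerous requests (the extension must be notified within the first month)."""
    return add_months(received, 3 if extended else 1)


def missed_article14(accounts: Iterable[dict], today: date) -> List[str]:
    """IDs whose notice went out after its deadline, or not at all by a deadline
    that has already passed."""
    late = []
    for a in accounts:
        deadline = article14_deadline(a["received"], a["first_contact"])
        sent = a["notice_sent"]
        if (sent is None and today > deadline) or (sent is not None and sent > deadline):
            late.append(a["account_id"])
    return late


# Constructed sample portfolio (not real accounts).
SAMPLE_PORTFOLIO = [
    {"account_id": "ACC-010", "received": date(2024, 1, 31), "first_contact": None, "notice_sent": None},
    {"account_id": "ACC-011", "received": date(2024, 2, 10), "first_contact": date(2024, 2, 14), "notice_sent": date(2024, 2, 14)},
    {"account_id": "ACC-012", "received": date(2024, 2, 20), "first_contact": date(2024, 2, 22), "notice_sent": None},
]

if __name__ == "__main__":
    print(missed_article14(SAMPLE_PORTFOLIO, date(2024, 3, 1)))
```

ACC-012 is the case that catches people out: the one-month date is 20 March, but the account was contacted on 22 February, so the notice was due with that first letter. A nightly run of missed_article14 over the ingestion table is a cheap control for both the purchase and the sale side of a portfolio.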

10. Compliance Checklist

Small Collection Agencies:

  • Privacy notice / Article 14 notice in all initial contact templates
  • Lawful basis documented for each processing activity
  • DPAs signed with all processors (CRAs, tracing bureaux, CRM, call recording)
  • Retention schedule covering all account types
  • SAR process documented
  • Vulnerability policy with access controls
  • PECR review of electronic contact

Larger DCAs (50+ staff):

  • All of the above, plus:
  • DPO appointment if required (Article 37)
  • DPIA for tracing, automated decision-making, AI-assisted scoring
  • Data sharing agreements with debt sellers (controller-to-controller)
  • Training programme covering GDPR and FCA Consumer Duty
  • Breach response procedure: a breach of financial data is likely to present a risk to individuals, so expect to notify the ICO within 72 hours of becoming aware and to tell the affected debtors without undue delay where the risk is high (Articles 33 and 34)

If your agency operates a website for debtor portals or payment gateways, that site also requires GDPR compliance. Custodia scans your website to identify trackers and data flows, generates an accurate privacy policy, and flags consent gaps. Run a free scan at app.custodia-privacy.com/scan.

This guide covers GDPR obligations for debt collection agencies operating in the UK and EU. It is not legal advice.
