On 19 November 2023, the Consumer Credit Directive, including data protection measures, entered into force, 20 days after its publication in the Official Journal of the European Union. The Directive outlines the data that covered entities, including creditors, credit intermediaries and providers of crowdfunding credit services, are allowed to process in the creditworthiness assessment process. In particular, the covered entities will be able to process only personal data related to the individual's financial and economic situation, such as financial, income, repayment, financial assets and liabilities data. The personal data of individuals posted on social media platforms and health data will not be allowed to be processed to determine the individual's creditworthiness. Finally, under the Directive, the Member States will require covered entities to inform consumers if they provide personalised offers based on profiling or other automated personal data processing systems. Member states are required to transpose the Directive into national legislation by 20 November 2025 and implement the measures by 20 November 2026.
Original source