European Union: Implemented Consumer Credit Directive including data protection measures

On 20 November 2026, the Consumer Credit Directive, including data protection measures, was implemented. The Directive outlines the data that covered entities, including creditors, credit intermediaries and providers of crowdfunding credit services, are allowed to process in the creditworthiness assessment process. In particular, the covered entities are able to process only personal data related to the individual's financial and economic situation, such as financial, income, repayment, financial assets and liabilities data. The personal data of individuals posted on social media platforms and health data cannot be processed to determine the individual's creditworthiness. Finally, under the Directive, the Member States require covered entities to inform consumers if they provide personalised offers based on profiling or other automated personal data processing systems.