A defaulter can be registered in two different National Bank of Belgium databases, and this double registration is permissible. However, the bank must specifically inform its customer about each registration and use the correct legal qualification of the credit. This is what the Litigation Chamber of the Data Protection Authority decided on 30 April 2026 in decision no. 96/2026, and it reprimanded a Belgian bank for two violations of the General Data Protection Regulation (GDPR): inadequate provision of information and incorrect qualification of the credit.
The facts
A self-employed natural person had two investment credits with a Belgian bank. As of the end of February 2020, he could no longer repay both credits. The bank sent registered formal notices informing him of the need to forward the details of the default to the National Bank of Belgium.
The bank then registered the default in two different files. At the Central Corporate Credit Register (since 2022, the Corporate Credit Register), the credit was qualified as a term loan. In a second file, the Non-regulated registrations (ENR) file, the same credit was designated as an “installment loan.” The ENR file is part of the Individual Credit Register, but was created by the National Bank itself through private conventions with banks to fill a gap: registering defaults by individuals who took out credit professionally.
In October and November 2021, the client again fell into arrears and a second registration in both files followed. He pursued several procedures (summary proceedings, proceedings on the merits) and finally filed a complaint with the DPA.
The decision
The Litigation Chamber examined four principles from the GDPR in turn: purpose limitation, legality, transparency and accuracy.
Purpose limitation and legality: no infringement
The Litigation Chamber first considered whether the transfer to the National Bank for ENR registration constituted processing for a purpose other than the original collection. The bank argued that the data was collected to manage, monitor and declare credit risks. Since the transfer to the ENR record occurred precisely because of non-payment - and thus reflected the customer's debt situation - it fell within that original purpose. No further processing, no violation of Art. 5.1(b) and 6.4 GDPR.
It follows logically that no separate legal basis for the ENR registration needed to be examined: the legal basis of the original collection suffices (recital 50 GDPR). On the legality of that original collection itself, the bank did not have to defend itself, so that issue remained outside the decision.
Transparency: bank had to specifically inform about ENR registration
Here the Litigation Chamber did find a violation. The bank's general terms and conditions only mentioned a possible registration with the Central Corporate Credit Register - no word about the ENR file. The privacy statement complied in general terms with Art. 13 GDPR, but did not mention the ENR either. The registered formal notices did announce the transfer to the National Bank, but did not specify that this included separate ENR registration.
Decisive was the determination that the ENR file had no legal basis at the time. No law provided for its establishment; no law required the bank to register its customer in that file. The ENR existed only by virtue of a convention between the National Bank and a number of credit institutions. When the legal basis of a processing is so weakly entrenched, the Litigation Chamber said, the duty to inform the data subject is all the more onerous: the bank should have explicitly informed its customer of the possibility of ENR registration, so that he could reasonably have expected such processing. Violation of Art. 5.1(a), 12 and 13 GDPR.
Correctness: an incorrect legal qualification
Finally, the Litigation Chamber noted that the bank had referred to the credit in the ENR file as an “installment loan.” That term is reserved by law for consumer loans: art. I.9, 48° Code of Economic Law (CEL) explicitly defines it as a credit contract to a consumer. Thus, by definition, an independent natural person who takes out a credit professionally cannot have an installment loan.
The bank argued that in banking practice and some legal doctrine, the term “installment loan” is sometimes used more broadly, including for professional loans. The Litigation Chamber rejected that defense: practice and doctrine cannot stretch legal qualifications. A data controller must record its data under the legally correct designation, especially when that designation is defined by law. By way of illustration, the Litigation Chamber noted that the bank did correctly register the credit in the Central Corporate Credit Register file as a “term loan.” Violation of art. 5.1, d) GDPR.
The Litigation Chamber issued a reprimand for the two identified violations. The grievances on purpose limitation and legality were filed without action.
Legal analysis and interpretation
The weaker the legal basis, the more explicit the information must be
In this decision, the Litigation Chamber makes explicit a principle that has played a role in GDPR practice for some time without always being expressed so clearly: the obligation to provide information is not equally onerous for every processing operation. When a processing relies on an explicit legal basis - a law requiring registration in a central file, for example - the data subject can reasonably expect that processing and a rather general provision of information is sufficient.
However, as soon as the legal basis is weaker - a private convention, an internal regulation, a general interest that itself does not derive from a specific law - the foreseeability for the data subject becomes less obvious. The Litigation Chamber deduces from this an aggravated duty to inform: the data controller must compensate for what it loses in legal clarity through explicit and targeted information.
For the ENR file, this meant that the bank could not content itself with a general notification of “passing on to the National Bank.” It had to mention the existence of the ENR file itself and specifically explain that a non-payment could lead to a separate registration in that file. This principle extends beyond the banking sector: any controller who bases a processing operation on Art. 6.1(c) or (e) GDPR without an explicit legal basis must tailor its transparency efforts accordingly.
Duty of correctness is autonomous: usage in practice does not stretch legal concepts
At first glance, the second finding seems more trivial - a misnomer in a form - but the Litigation Chamber's reasoning is principled. The bank argued that in banking practice and in some legal doctrine, the term “installment loan” is sometimes used more broadly than the legal definition strictly allows. That kind of industry commonplace was explicitly brushed aside by the Litigation Chamber as irrelevant.
Thereby, the decision confirms that Art. 5.1(d) GDPR imposes an autonomous obligation: data must be correct with respect to legal reality, not with respect to what is considered common among peers. When the law attaches a particular term to a specific category - as the CEL reserves “installment loan” for consumer loans - that legal qualification remains the only correct one. A data controller who retains a broader reading for practical reasons risks a violation of the correctness principle, even if its registration is in line with industry customs. Nor was the defense that “the essence of the registration was the default, not the qualification of the credit” accepted: correctness must be guaranteed for every piece of data, not just the core data.
Specifically, what does this mean?
For banks and lenders. The general terms and conditions, the privacy statement and the default notices should together give a complete picture of every register in which a default can be recorded. Both legally established registers (such as the Corporate Credit Register) and those based on private convention (such as the ENR file) should be explicitly mentioned. In addition, the duty of accuracy requires an internal check on the legal qualification of the registered data - in accordance with the legal designations, not the readily used sector terms.
For the self-employed and entrepreneurs with credit. You have the right to clear and specific information about any file in which you may be included. If you run into financial difficulties, you can request information about all processing operations that relate to you on the basis of Art. 13 GDPR and access what has been recorded about you on the basis of Art. 15 GDPR. Incorrect registrations - for example, a wrong qualification of your credit - can be corrected via art. 16 GDPR. If refused, the way is open to a complaint to the DPA.
For data controllers in other industries. The principle of aggravated disclosure in the event of a weak legal basis also applies outside the banking sector. Sectors that work with sector conventions, codes of conduct or internal regulations that do not have an explicit legal basis - think of some fraud databases, sector registers or risk databases - must take extra care in providing information to data subjects. The rule of thumb: the further away the legal basis is from a formal law, the more explicit the explanation of the processing in the privacy notice should be.
Frequently asked questions (FAQ)
Can a bank report you as a defaulter to the National Bank without your permission?
Yes, in principle this can be done without consent, based on a legal obligation (Art. 6.1, c) GDPR) or a task of general interest (Art. 6.1, e) GDPR). For consumer loans, registration with the Individual Credit Register is regulated by law. For professional credits, registration is done with the Corporate Credit Register or, for the self-employed, possibly also with the ENR file. However, the bank must inform you specifically about each of these registrations - otherwise it violates the principle of transparency.
What information must a bank tell you before it registers you as a defaulter?
Pursuant to Art. 12 and 13 GDPR, the bank must clearly inform you at the time of the conclusion of the credit about the identity of the controller, the purposes of the processing, the legal basis, the recipients of the data, the retention period and your rights. Specifically, this means that the privacy statement, the general terms and conditions or a specific appendix must state in which files you can be included in the event of default - not only the legally required registers, but also those relying on private convention.
How do you get an incorrect National Bank registration corrected?
Under Art. 16 GDPR, you can ask the bank - as the data controller who made the transfer - to rectify an incorrect registration. If refused, you can file a complaint with the DPA, or take the matter to court (summary proceedings when urgent intervention is necessary to prevent a new credit denial, for example). The Litigation Chamber may impose a reprimand, a rectification or, where appropriate, a fine, among other things.
Conclusion
The DPA confirms that dual notification of a defaulter to the National Bank may itself be compatible with the purpose limitation principle, but builds two clear frameworks around the practice. First: the weaker the legal entrenchment of a processing, the more explicitly banks (and by extension, all data controllers) must inform their customers about it. Next: the duty of accuracy is an autonomous obligation - industry habits cannot stretch legally defined concepts.
For banks, this creates a concrete drafting task for privacy statements and general terms and conditions. For customers in payment difficulties, it underlines the importance of auditing what is registered about them - and with which agency.



