Norwegian DPA issues fine to Aquateknikk AS

Feb 22, 2021

Source: European Data Protection Board

The Norwegian Data Protection Authority has fined Aquateknikk AS EUR 10,000 (NOK 100,000) for having performed a credit rating on a private individual without legal basis.

This case came in response to a complaint from a person who discovered that Aquateknikk had performed a credit rating on him when he had no customer relationship or any other connection with the company.

The General Data Protection Regulation requires that all processing of personal data must have a legal basis. Credit ratings are a type of personal data subject to special protections.

Lacked legal basis

A credit rating compiles personal data from many different sources for the purpose of indicating how likely it is that the person will be able to pay what they owe. A credit rating will also include detailed information about the person’s personal financial situation, such as debt-to-income ratio, payment remarks, and the person’s mortgages, if any.

Upon investigating this matter, the Data Protection Authority has concluded that the credit ratings were performed without a legal basis, in violation of the requirements of the General Data Protection Regulation. The undertaking did not have a legitimate interest in performing a credit rating on the complainant.

Insufficient knowledge of the rules

“As a credit rating includes detailed information about one’s personal financial situation, it feels very intrusive when an organization unlawfully gains access to this information,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

“We receive many complaints concerning credit ratings, and we see that many organizations have insufficient knowledge of the rules that apply. These types of cases are serious offences, and we normally issue fines for such violations,” Thon concludes.

For further information, please contact the Norwegian DPA:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news

EDPB Launches Data Protection Guide for small business

The EDPB has launched a Data Protection Guide to help small business owners on their way to become more data protection compliant. The Guide aims to raise awareness about the GDPR and to provide practical information to SMEs about GDPR compliance in an accessible and...

read more

Europe Day 2023

Every year in early May we celebrate peace and unity in Europe through Europe Day, to commemorate the signing of the 'Schuman Declaration'. This year, on Saturday 6 May, the EU institutions invite you to a wide range of online and on-site activities across the EU...

read more
A look back at the Privacy Symposium 2023

A look back at the Privacy Symposium 2023

For the second time in a row, the EFDPO was one of the Key Partners of the Privacy Symposium in Venice – an international conference for data protection professionals and enthusiasts from around the world. Privacy Symposium aims to bring together data protection...

read more
Generated by Feedzy