Norwegian DPA issues fine to Gveik AS

Feb 10, 2021

Source: European Data Protection Board

The Norwegian Data Protection Authority has fined Gveik AS EUR 7 500 (NOK 75,000) for having conducted a credit rating without a legal basis.

An individual with no customer relationship or other affiliation with Gveik AS received a notice and became aware that the company had performed a credit rating on them. The individual filed a complaint with the Data Protection Authority.

Credit rating for personal purposes

The General Data Protection Regulation (GDPR) requires that all processing of personal data must have a legal basis. When an organization performs a credit rating, it collects detailed information about an individual’s personal financial situation. A credit rating is a compilation of personal data from many different sources. In certain cases, it will indicate how likely it is that a person will be able to pay their debts, and it will include any payment defaults, the debt-to-income ratio and whether the person has any mortgages.

In this case, the purpose of conducting the credit rating was personal and outside of the business interests of the organization. These types of cases are serious, and the Data Protection Authority normally issues fines for such violations.

Gveik AS may appeal the fine within the term set.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news

Norwegian DPA issues fine to Aquateknikk AS

The Norwegian Data Protection Authority has fined Aquateknikk AS EUR 10,000 (NOK 100,000) for having performed a credit rating on a private individual without legal basis. This case came in response to a complaint from a person who discovered that Aquateknikk had...

read more

Swedish DPA: Police unlawfully used facial recognition app

The Swedish Authority for Privacy Protection finds that the Swedish Police Authority has processed personal data in breach of the Swedish Criminal Data Act when using Clearview AI to identify individuals. Upon news in the media of the Swedish Police Authority using...

read more