The Norwegian Data Protection Authority has fined Gveik AS EUR 7 500 (NOK 75,000) for having conducted a credit rating without a legal basis.
An individual with no customer relationship or other affiliation with Gveik AS received a notice and became aware that the company had performed a credit rating on them. The individual filed a complaint with the Data Protection Authority.
Credit rating for personal purposes
The General Data Protection Regulation (GDPR) requires that all processing of personal data must have a legal basis. When an organization performs a credit rating, it collects detailed information about an individual’s personal financial situation. A credit rating is a compilation of personal data from many different sources. In certain cases, it will indicate how likely it is that a person will be able to pay their debts, and it will include any payment defaults, the debt-to-income ratio and whether the person has any mortgages.
In this case, the purpose of conducting the credit rating was personal and outside of the business interests of the organization. These types of cases are serious, and the Data Protection Authority normally issues fines for such violations.
Gveik AS may appeal the fine within the term set.
For further information, please contact the Norwegian DPA: international@datatilsynet.no
