Norwegian DPA issues fine to Lindstrand Trading AS

Feb 10, 2021

Source: European Data Protection Board

The Norwegian Data Protection Authority has decided to issue a fine of EUR 10 000 (NOK 100,000) to Lindstrand Trading AS for conducting a total of four credit ratings of individuals and sole proprietorships without a legal basis.

This fine was issued in response to a complaint filed by an individual who discovered she had been subjected to credit ratings without having any form of customer relationship or other association with Lindstrand Trading.

The General Data Protection Regulation requires that all processing of personal data must have a legal basis. Credit ratings are a type of personal data subject to special protections.

 “As a credit rating includes detailed information about one’s personal financial situation, it feels very intrusive when an organization unlawfully gains access to this information,” says Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

Directly linked to the owner’s personal financial situation

Credit ratings of a sole proprietorship are also considered personal data, as this type of business enterprise is directly linked to the owner and thereby also the owner’s personal financial situation. This means that a legal basis is required to subject sole proprietorships to a credit rating.

A credit rating compiles personal data from many different sources and estimates how likely it is that a person will be able to pay what they owe. A credit rating will also include detailed information concerning the personal financial situation of individuals, such as any payment defaults, debt-to-income ratio and whether the person has any mortgages.

Serious violation

The Data Protection Authority finds that these credit ratings were conducted for personal purposes, completely disconnected from the organization’s business activities. On this basis, we have concluded that the credit ratings were conducted without a legal basis, thus constituting a violation of the provisions of the General Data Protection Regulation.

“We receive many complaints concerning credit ratings, and we see that many organizations have insufficient knowledge of the rules that apply. These types of cases are serious offences, and we normally issue fines for such violations,” Bjørn Erik Thon concludes.

Lindstrand Trading AS has appealed the fine.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

 

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news

Position paper on GDPR Evaluation 2024

Position paper on GDPR Evaluation 2024

This paper highlights how, from the perspective of data protection practitioners, the business sector –
particularly small and medium-sized enterprises (SMEs) – can be better supported in meeting data
protection requirements within the context of increasing digitization.

read more