Finland: Ombudsman orders Bisnode Finland to rectify its credit information register
The Office of the Data Protection Ombudsman ('the Ombudsman') published, on 10 January 2022, its decision in Decision No. 4356/532/19, as issued on 9 November 2021, in which the Ombudsman ordered Bisnode Finland Oy to rectify its credit information register, for failing to comply with its obligations under Article 25(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Article 5(1)(3) of the Credit Information Act (527/2007), following an individual's complaint.
Background to the decision
In particular, the Ombudsman noted that it had investigated Bisnode Finland's activities regarding the processing of data on payment defaults based on final judgments following an individual's complaint that Bisnode Finland had refused to remove from its credit register default entries based on judgments in civil cases.
Findings of the Ombudsman
In particular, the Ombudsman stated that data based on final judgments in civil cases should not have been included as a default entry in the credit information register, since, according to Section 6(1) of the Credit Information Act, only information that adequately reflects a person's ability or willingness to pay may be used as credit information. In addition, the Ombudsman noted that it agrees with the Parliamentary Ombudsman's view in EOAK/945/2016 that, in cases where the obligation to pay is justifiably contested, there is no legal basis for the registration of a payment default notice. Furthermore, the Ombudsman stated that Bisnode Finland's processing of data on payment defaults based on final judgments does not comply with Article 25(1) of the GDPR and Article 5(1)(3) of the Credit Information Act. Moreover, the Ombudsman highlighted that the disclosure of default information and the resulting label has a significant impact on the individual's rights and freedoms.
In accordance with Section 35 of the Credit Information Act, the Ombudsman ordered Bisnode Finland to rectify the information in the credit information register for all default entries that were the subject of the data subject's request for rectification, as the conditions set out in the Credit Information Act for default notices were not met. In addition, the Ombudsman ordered Bisnode Finland to delete from its credit register all incorrect default entries resulting from its inadequate practices, and to modify its policy on the registration of default entries based on final judgments. Furthermore, the Ombudsman issued a warning to Bisnode Finland, pursuant to Article 58(2)(b) of the GDPR, and ordered the same to bring its data processing operations into compliance with the provisions of the the GDPR, pursuant to Article 58(2)(d) of the GDPR.