Norway: Datatilsynet fines EAS NOK 200,000 for having assessed data subject's credit without legal basis
The Norwegian data protection authority ('Datatilsynet') published, on 7 January 2022, its decision in case No. 20/04401-11, as issued on 13 December 2021, in which it imposed a fine of NOK 250,000 (approx. €24,950) on Elektro & Automasjon Systemer AS ('EAS'), which was subsequently reduced to NOK 200,000 (approx. €19,960), for violations of Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint regarding the processing of personal data in a credit assessment without legal basis.
Background to the decision
In particular, the Datatilsynet stated that it had, on 18 November 2020, received a complaint from the data subject concerning the fact that EAS had carried out a credit assessment of the data subject even though the data subject had no cooperation, customer relationship, or other connection to EAS's business and hence had no expectation of being credit rated by EAS. In addition, the Datatilsynet noted that EAS had confirmed that the data subject was not a customer and had no other direct relationship with EAS, and that the credit check of the data subject must have taken place by mistake due to the general manager's lack of understanding of Bisnode AB's credit assessment tool. Furthermore, the Datatilsynet stated that EAS had reported that it had been in contact with Bisnode to explain the credit assessment tool after EAS had received the Datatilsynet's requirement for a report. Moreover, the Datatilsynet stated that it had sent a notice of a decision on orders and fees on 17 June 2021 and that EAS had submitted comments to this notice on 20 July 2021.
Findings of the Datatilsynet
In particular, the Datatilsynet stated that the requirement of legitimate interest in Article 6(1)(f) of the GDPR was not met, hence EAS did not have a legal basis to process the data subject's credit information. In addition, the Datatilsynet clarified that even though EAS did not store the credit information in the company, the damage occurs the moment credit information is collected and processed by someone without a legal basis for processing. Furthermore, the Datatilsynet highlighted that credit information is a type of personal information that is particularly worthy of protection and individuals have an expectation that such data is not collected by companies, unless it is objectively justified in their relationship with them. Thus, the Datatilsynet clarified that EAS's violation was serious in nature since the data subject did not have any relationship with EAS that would have made it foreseeable that EAS would process credit information about the data subject. Moreover, the Datatilsynet stated that EAS, through its general manager, has shown negligence in obtaining credit information. Lastly, the Datatilsynet highlighted that other aggravating factors included, among other things, the lack of technical and organisational measures for compliance with the privacy regulations, and lack of knowledge about the credit assessment tool and guidelines for when credit assessment can be carried out.
The Datatilsynet reduced the fine due to EAS's financial situation as a result of the COVID-19 pandemic and imposed the aforementioned fine of NOK 200,000 (approx. €19,960) on EAS for having obtained credit information without a legal basis. In addition, the Datatilsynet ordered EAS to improve its internal control and routines for credit assessments to prevent illegal credit checks from occurring again.
EAS has three weeks to appeal the decision.
UPDATE (6 July 2022)
Datatilsynet publishes English summary of its decision to fine EAS NOK 200,000 for having assessed data subject's credit without legal basis
The Datatilsynet published, on 6 July 2022, an English summary of its decision to fine EAS NOK 200,000 (approx. €19,960) for having assessed a data subject's credit without legal basis.
You can read the summary here.