Datatilsynet (Norway) - 20/02220: Difference between revisions
(Updated to reflect the changed fine in the final order) |
m (Cp moved page Datatilsynet - Odin Flissenter AS to Datatilsynet - 20/02220) |
Revision as of 16:02, 26 November 2020
Datatilsynet - Odin Flissenter AS | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 4(1) GDPR Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 02.07.2020 |
Fine: | 150000 NOK |
Parties: | n/a |
National Case Number/Name: | Odin Flissenter AS |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | n/a |
The Norwegian DPA (Datatilsynet) has issued the company Odin Flissenter with a fine of NOK 150 000 (approx 13700 EUR) for the credit rating of a single-person enterprise with no legal basis for such processing.
English Summary
Facts
An individual company was subjected to a credit rating by Odin Flissenter, despite having no customer relationship or any other affiliation with the latter.
Dispute
Are the actions by Odin Flissenter a violation of the GDPR? Can credit information about a company be considered personal data for the purposes of Article 4(1)(GDPR)?
Holding
The Datatilsynet held that there must be a valid legal basis for the processing of personal data involved in a credit rating; to process without one would be a violation of the GDPR.
Credit information about an individual company was considered to be personal data in this instance, since the owner was directly identified with the company and the company was directly linked to the owner's personal finances. as the company was a type of sole proprietorship.
This meant that the credit information could be used to derive information about the owner's personal finances, which the owner could expect not to be collected by businesses without a lawful justification.
Datatilsynet found that there was no legal basis to process the personal data under Article 6(1)(f) GDPR.
Comment
Due to the impact of Covid-19 on the company's financial situation, Datatilsynet found that the aims of imposing the fine could still be achieved by imposing a lower fine. The fine was therefore reduced to 150 000 NOK, down from the issued notice of 300 000 NOK.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Alerts fee to Odin Flissenter AS The Norwegian Data Inspectorate has sent Odin Flissenter a notice of order and violation fee of NOK 300,000. The case concerns the credit rating of a single-person enterprise with no basis for treatment. An individual company was credit rated without having any kind of customer relationship or other affiliation with Odin Flissenter. Must have a valid treatment basis Credit information about an individual company is also personal information, since the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that you have to have a treatment basis in order to credit individual companies. A credit rating is the result of compiling personal data from many different sources, and shows a number that indicates the probability that a person or individual company will pay a claim. A credit rating will also show details of the company's finances, such as any payment remarks, voluntary mortgages and debt ratio. - Credit information about individual companies can be used to derive information about the owner's personal finances. Therefore, it is private information that the owner expects that it will not be collected by businesses unless it is objectively justified, says legal counsel Ole Martin Moe.