Datatilsynet (Norway) - 20/02220

From GDPRhub
Revision as of 08:14, 8 July 2020 by AN (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=Odin Flissen...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet - Odin Flissenter AS
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 4(1) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 02.07.2020
Fine: 300000 NOK
Parties: n/a
National Case Number/Name: Odin Flissenter AS
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA (Datatilsynet) has issued the company Odin Flissenter with a fine of NOK 30000 (approx 27000 EUR) for the credit rating of a single-person enterprise with no legal basis for such processing.

English Summary

Facts

An individual company was subjected to a credit rating by Odin Flissenter, despite having no customer relationship or any other affiliation with the latter.

Dispute

Are the actions by Odin Flissenter a violation of the GDPR? Can credit information about a company be considered personal data for the purposes of Article 4(1)(GDPR)?

Holding

The Datatilsynet held that there must be a valid legal basis for the processing of personal data involved in a credit rating; to process without one would be a violation of the GDPR.

Credit information about an individual company was considered to be personal data in this instance, since the owner was directly identified with the company and the company was directly linked to the owner's personal finances. This meant that the credit information could be used to derive information about the owner's personal finances, which the owner could expect not to be collected by businesses without a lawful justification.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details. 

Alerts fee to Odin Flissenter AS

The Norwegian Data Inspectorate has sent Odin Flissenter a notice of order and violation fee of NOK 300,000. The case concerns the credit rating of a single-person enterprise with no basis for treatment.

An individual company was credit rated without having any kind of customer relationship or other affiliation with Odin Flissenter.
Must have a valid treatment basis

Credit information about an individual company is also personal information, since the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that you have to have a treatment basis in order to credit individual companies.

A credit rating is the result of compiling personal data from many different sources, and shows a number that indicates the probability that a person or individual company will pay a claim. A credit rating will also show details of the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.

- Credit information about individual companies can be used to derive information about the owner's personal finances. Therefore, it is private information that the owner expects that it will not be collected by businesses unless it is objectively justified, says legal counsel Ole Martin Moe.
Retrieved from "https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/02220&oldid=10793"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki