Datatilsynet (Norway) - 20/02225
Datatilsynet - 20/02291 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(2) GDPR, Article 6(1)(f) GDPR, Article 24 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 300000 NOK |
Parties: | n/a |
National Case Number/Name: | 20/02291 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | n/a |
Datatilsynet held that a credit rating of the complainant, initiated by the company Aquateknikk, did not satisfy the requirements under Article 6(1)(f) GDPR. In addition, the company was required to evaluate and improve its internal guidelines for initiating credit ratings, pursuant to Article 24 GDPR.
English Summary
Facts
The company Aquateknikk AS credit rated the complainant even though there was no connection between the company and the complainant. According to the complainant, this was done because the complainant operates a competing business. Aquateknikk stated that the credit rating of the complainant was a mistake, as the intended target of the credit rating was the complainant's business.
Datatilsynet decided to request the logs of the company's credit rating history from Bisnode, the company issuing the credit ratings. The logs showed that both the complainant and the complainant's company were credit rated by Aquateknikk.
Dispute
The issue at hand was whether Aquateknikk had a legitimate interest in rating the credit worthiness of the complainant, pursuant to Article 6(1)(f) GDPR.
Holding
Datatilsynet held that Aquateknikk did not have a legitimate interest in rating the credit worthiness of the complainant. In particular, Datatilsynet highlighted that there was no pre-existing relationship between the company and the complainant. On the contrary, the complainant operated a competing business. As such, the complainant also could not have had any reasonable expectation that the company would process his personal credit rating.
In addition to the breach of Article 6(1)(f) GDPR, the lack of organisational measures pursuant to Article 5(2) GDPR was taken into account when determining the size of the fine.
Comment
The controller was fined on the basis of breaches of Articles 6(1)(f) and 5(2) GDPR.
While it was not done in this particular case, the Norwegian implementation of the GDPR, unlike the GDPR itself, also allows controllers to be fined for breaches of Article 24; cf. personopplysningsloven § 26, which refers to Article 83(4) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.