Datatilsynet (Norway) - 20/02220

From GDPRhub
Revision as of 19:52, 15 October 2020 by Kb (talk | contribs) (Updated to reflect the changed fine in the final order)
Datatilsynet - Odin Flissenter AS
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 4(1) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 02.07.2020
Fine: 150000 NOK
Parties: n/a
National Case Number/Name: Odin Flissenter AS
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA (Datatilsynet) has issued the company Odin Flissenter with a fine of NOK 150 000 (approx 13700 EUR) for the credit rating of a single-person enterprise with no legal basis for such processing.

English Summary

Facts

An individual company was subjected to a credit rating by Odin Flissenter, despite having no customer relationship or any other affiliation with the latter.

Dispute

Are the actions by Odin Flissenter a violation of the GDPR? Can credit information about a company be considered personal data for the purposes of Article 4(1)(GDPR)?

Holding

The Datatilsynet held that there must be a valid legal basis for the processing of personal data involved in a credit rating; to process without one would be a violation of the GDPR.

Credit information about an individual company was considered to be personal data in this instance, since the owner was directly identified with the company and the company was directly linked to the owner's personal finances. as the company was a type of sole proprietorship.

This meant that the credit information could be used to derive information about the owner's personal finances, which the owner could expect not to be collected by businesses without a lawful justification.

Datatilsynet found that there was no legal basis to process the personal data under Article 6(1)(f) GDPR.

Comment

Due to the impact of Covid-19 on the company's financial situation, Datatilsynet found that the aims of imposing the fine could still be achieved by imposing a lower fine. The fine was therefore reduced to 150 000 NOK, down from the issued notice of 300 000 NOK.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Alerts fee to Odin Flissenter AS

The Norwegian Data Inspectorate has sent Odin Flissenter a notice of order and violation fee of NOK 300,000. The case concerns the credit rating of a single-person enterprise with no basis for treatment.

An individual company was credit rated without having any kind of customer relationship or other affiliation with Odin Flissenter.
Must have a valid treatment basis

Credit information about an individual company is also personal information, since the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that you have to have a treatment basis in order to credit individual companies.

A credit rating is the result of compiling personal data from many different sources, and shows a number that indicates the probability that a person or individual company will pay a claim. A credit rating will also show details of the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.

- Credit information about individual companies can be used to derive information about the owner's personal finances. Therefore, it is private information that the owner expects that it will not be collected by businesses unless it is objectively justified, says legal counsel Ole Martin Moe.