Datatilsynet (Norway) - 20/02066

From GDPRhub
Datatilsynet - 20/02066
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 24 GDPR
Article 58(2)(i) GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.12.2019
Decided: 27.05.2022
Published: 02.08.2022
Fine: 300000 NOK
Parties: Krokatjønnvegen 15 AS
National Case Number/Name: 20/02066
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a property management company €30,500 for two unlawful credit ratings, in violation of Article 6(1)(f) GDPR, of two people they had no relationship with, but that a linked company had a dispute with.

English Summary


The Norwegian DPA (Datatilsynet) received a complaint from two data subjects who had been credit rated by a property management company they had no relationship with. The first data subject (data subject 1) recognized, however, the name of a person from the company, as he was the general manager for another company that her friend (data subject 2) had a rental agreement and dispute with. Both data subjects lodged complaints with the DPA and, consequently, the DPA launched an investigation.

The DPA unraveled that several companies were involved in the corporate structure, but mainly the case pertained to "Krokatjønnveien 15 AS" (company 1) and "Bildøy Marina AS" (company 2). The companies claimed they shared the subscription for and access to the credit rating system and that it, by accident, had conducted the credit ratings from the incorrect company 1. They also claimed they had policies and procedures for credit ratings in place. They failed, however, to sufficiently demonstrate and convince the DPA that this was indeed the case.


The DPA held that company 1 was the controller for the unlawful credit ratings, in violation of Article 6(1)(f) GDPR, issued a €30,500 fine and ordered them to implement internal controls of their credit rating process in line with Article 24 GDPR.


Interestingly, the DPA assessed that company 2 likely had legitimate reasons for credit rating both data subjects. However, since they determined that it was company 1 that actually conducted them, this was irrelevant.

The DPA also noted in their decision that the incorrect information from the companies was misleading and lead to unnecessary complications and delays, which ultimately was seen as an aggravating factor (also for measuring the fine).

The fine was about 2% of the company's total revenue from the preceding year.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Fee to Krokatjønnvegen 15 AS

The Norwegian Data Protection Authority has given Krokatjønnveien 15 AS an infringement fee of NOK 300,000 for two credit assessments without a legal basis. The company has also received an order to create written routines for credit assessments.

The reason for the fee is a complaint from two people who had been credit assessed without any kind of customer relationship or other connection to the company.

The Personal Data Protection Regulation requires that all processing of personal data has a processing basis. Credit information is a type of personal information that is particularly worthy of protection.

Lacks a legal basis

A credit rating is the result of a compilation of personal information from many different sources, and indicates the probability that a person will be able to pay for themselves. A credit assessment will also show details of individuals' personal finances such as any payment notices, voluntary mortgages and debt levels.

After investigating the case in more detail, the Norwegian Data Protection Authority has concluded that the credit assessment was carried out without the requirement for a legal basis in the Personal Data Protection Regulation being met. The company did not have a legitimate interest in credit rating the complainant.

Read more about credit assessment and privacy


The Danish Data Protection Authority's privacy survey 2020/2021 showed that people perceive information about their private finances as particularly worthy of protection.

- Since a credit assessment contains details about personal finances, it is perceived as offensive when a business uses the information without a legal reason, says legal adviser Ole Martin Moe.

- We generally receive many complaints concerning credit assessments, and we see that many businesses do not know the rules well enough. It follows from long practice at the Norwegian Data Protection Authority and the Personal Data Protection Board that the general manager cannot use the company's credit assessment tool for private purposes. We take this type of case seriously, and usually respond with an infringement fee to this type of offence, concludes Moe.

Published: 02/08/2022