Datatilsynet (Norway) - 20/04401
|Datatilsynet (Norway) - 20/04401-11|
|Relevant Law:||Article 6(1) GDPR; Article 24 GDPR; Personopplysningsforskriften § 4-3|
|Parties:||Elektro & Automasjon Systemer AS|
|National Case Number/Name:||20/04401-11|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
The Norwegian DPA imposed a fine of about €20,000 (NOK 200,000) on Elektro & Automasjon Systemer AS for not implementing appropriate technical and organisational measures to prevent unlawful processing, and therefore mistakenly conducting a credit check without legal basis.
English Summary
Facts
The controller is a company that conducts credit checks. The controller mistakenly conducted a credit check on one of the owners of another company. There was no existing collaboration or customer/vendor relationship between the companies. After finding out about the credit check, this owner (the data subject) lodged a complaint with the Norwegian DPA. In its defence, the controller explained that the credit check had happened by accident and that it had been caused by its lack of familiarity with the system it used for requesting credit reports.
Holding
First, the Norwegian DPA held that the controller had not implemented appropriate technical and organisational measures to prevent unlawful processing, in violation of Article 24 GDPR. Even though the controller had internal procedures in place regarding its processing of personal data in general, none of these were specifically aimed at conducting credit checks. The DPA held that any company that uses a credit report tool has an obligation to familiarise itself with the tool and the legal framework to prevent errors from happening. Second, the DPA held that the controller lacked a legal basis for the processing, in violation of Article 6(1) GDPR.
As a result of the above infringements, the DPA imposed a fine of 200 000 NOK. When determining the size of the fine, the DPA highlighted that credit reports usually contain information about an individual's financial situation, such as information about salary and debt, which especially deserves a high level of protection. As mitigating factors, however, the DPA noted that the breach had only affected one data subject for a short duration.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.