Datatilsynet (Norway) - 21/02293

From GDPRhub
Datatilsynet - 21/02293
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Article 58(2) GDPR
Article 58(2)(d) GDPR
Article 58(2)(i) GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 15.06.2021
Decided: 25.08.2022
Published: 09.09.2022
Fine: 200000 NOK
Parties: Recover AS
National Case Number/Name: 21/02293
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined a company €20,000 for an unlawful credit rating of an incorrect person with a similar name to their customer, and instructed them to implement new routines for credit ratings.

English Summary[edit | edit source]

Facts[edit | edit source]

The Norwegian DPA (Datatilsynet) investigated a complaint from a data subject who had been credit rated by a company they had no relationship with. The company admitted they had no cooperation, customer relationship or any form of connection with the data subject, but argued that the credit rating was a mistake. A project manager at the company had used Google to find the invoicing address to a new customer and then mixed up this person with the data subject when conducting the actual credit rating.

The company claimed that the DPA should not impose a fine, because they had not been registered with any prior violations.

Holding[edit | edit source]

The DPA held that the company had conducted an unlawful credit rating in violation of Article 6(1)(f) GDPR, issued a €20,000 fine and ordered them to implement internal controls of their credit rating process in line with Article 24 GDPR.

Despite the controller's arguments against a fine, the DPA noted the following aggravating factors in support of a fine:

  • Credit ratings are a significant intrusion into data subjects' private life.
  • The significant number of credit ratings the controller conducts.
  • Lack of sufficient routines for conducting credit ratings (that would likely have prevented the mistake).
  • The mistake could have been easily avoided by confirming the address directly with the new customer.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

RECOVER AS
Kristoffer Robins vei 13 Except for the public:

0978 OSLO Official § 13, cf. Personal Data Act § 24 first paragraph
                                                  2nd period







Your reference Our reference Date
                        21/02293-10 25/08/2022



Decision on order and infringement fee - Credit assessment without legal proceedings
basis - Recover AS


1 Introduction
We refer to our notice of decision on order and infringement fee of 28 February 2022. We

received your comments on the notice on March 14, 2022. Our comments on the comments follow
below.

2. Decision on orders

The Norwegian Data Protection Authority adopts the following order:

1. Pursuant to the Personal Protection Regulation article 58 no. 2 letter i, Recover AS is ordered,
Company No. 995 761 440, to pay an infringement fee to the Treasury of NOK 200,000 for having

obtained credit assessment without a legal basis, cf. the data protection regulation article 6 no. 1
letter f.

2. Pursuant to the Personal Protection Regulation article 58 no. 2 letter d, Recover AS is ordered to

improve internal control and routines for credit assessments, cf. the personal data protection regulation article
24.

Our authority for making orders is the Personal Protection Regulation article 58 no. 2.

The deadline for carrying out the orders appears in section 11 of the decision.

3. More about the facts of the case

On 15 June 2021, we received a complaint from hereinafter "complainant"), that
Recover AS had carried out a credit assessment of her on 27 May 2021.

The complainant states that the person in question has had no cooperation, customer relationship or other

connection to their business.

In your response to our demand for an explanation, you confirm that the complainant is neither a customer of yours,
or has another relationship with Recover AS. The credit assessment was carried out on the basis of a

assignment you had with a new customer. You state that your project manager did a search on

Postal address: Office address: Telephone: Org. no: Website:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLOGoogle to find the invoice address of the customer. The project manager used Google because the assignment
was at the customer's cottage, and you did not have the address. You also describe that complaints had

roughly the same name as your customer.

Based on the transmitted dialogue between you and the complainant, we have assumed that the complainant
made you aware of the incident.

The Norwegian Data Protection Authority sent a notice of decision on orders and infringement fees on 28 February 2022.
Recover AS sent comments to this notice on 14 March 2022.

4. Legal background

4.1 Processing of credit information


Obtaining and storing credit information about individuals and sole proprietorships constitutes a
processing of personal data, cf. the Personal Protection Ordinance Article 4 No. 2 and Act on
processing of personal data of 15 June 2018 No. 38 (Personal Data Act) § 1.


Article 6 No. 1 of the Personal Data Protection Regulation requires that all processing of personal data has a

legal basis. When a business must obtain credit information about the registered person without
that there is consent, or the credit assessment is strictly necessary to carry out one
agreement with the data subject, Article 6 no. 1 letter f is the most relevant legal basis.


According to the old Personal Data Act of 2000, an additional requirement applied that the business
must have a "genuine need" to obtain credit information. This is evident from
                                                                  1
§ 4-3 of the personal data regulations, which according to the transition rules have been continued as applicable
straight.

The new Credit Information Act also continues the requirement of "substantial need" for disclosure

of credit information. The new law has been adopted and entered into force on 1 July 2022.

However, the Personal Data Protection Regulation does not provide national room for action to specifically regulate it

individual recipients' processing of credit information. The new Credit Information Act has
therefore, only the credit reporting companies are subject to the obligation, and not the individual
the business that orders credit information.


The consequence of this is that "actual need" is not directly an additional condition for the individual
the business that collects credit information. Their collection is thus regulated by
the personal protection regulation article 6 no. 1 letter f. Assessments related to a business

has a "factual need" according to the Personal Data Regulations § 4-3 is, however, closely related
with the assessment according to Article 6 no. 1 letter f. Previous practice related to "actual need" is
therefore still relevant when assessing "legitimate interest" as a basis for processing.

1
2Transitional rules on the processing of personal data (FOR-2018-06-15-877).
 Act on the processing of information in credit reporting activities (LOV-2019-12-20-109).



                                                                                                24.2 The Personal Data Protection Regulation article 6 no. 1 letter f – "legitimate interest"

Article 6 no. 1 letter f requires that the collection of credit information is "necessary" to
look after a "legitimate interest" which, after a balance of interests, outweighs the consideration of

the individual's privacy.

The legitimate interest must be legal, clearly defined in advance, real and factually justified
in the business. Recital 47 of the personal data protection regulation states that in the assessment of whether

an interest is justified, among other things, account must be taken of the data subject's expectations based on
the relationship between the controller and the data subject. Emphasis must also be placed on that
if, at the time of collection, it was foreseeable to the data subjects that the information would be

processed for the relevant purpose.

Which interests fulfill this depends on an overall assessment of, among other things, which
benefits the business obtains from the processing, how important the interest is to the business,

whether the processing is in the public interest or safeguards the non-profit interests that come more
for good, see the Article 29 Group's statement.3

Furthermore, the relevant processing of personal data must be necessary for this

the interest. This means that the business must assess whether it can achieve its purpose in a way that
better safeguards privacy. You must therefore choose the treatment that is least invasive.


The business must then carry out a balancing of interests to decide whether the individual's
privacy outweighs the business's legitimate interest. What type of information
it is a question of whether there are relevant points for the balancing of interests, e.g. whether these are
worthy of protection and whether the person has an expectation of having the personal data in

peace. It is also relevant to consider the disadvantages of processing personal data
inflicts on the person, whether the processing of the personal data is perceived as offensive,
whether the treatment is suitable for creating fear or anxiety, and what measures the company has in place
implemented to reduce the privacy consequences.



4.3 Relevant practice linked to the Personal Data Regulations § 4-3 – "actual need"

According to § 4-3 of the Personal Data Regulations, a credit assessment can only be obtained when a
business has a "factual need" for the information, for example in connection with a purchase
on credit. As a general rule, there must therefore be a credit element. This will typically be when

the business must provide credit to a customer and needs to see if the person in question is creditworthy.




3
 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive
95/46/EC, pages 24 and 25.



                                                                                                3 The Privacy Board has elaborated on the additional condition of factual need in several cases, among other things
PVN-2006-03 KLP, PVN-2010-05 Credit assessment and PVN-2017-02 Bertram Bil. IN
the latter case referred the tribunal to the following statement from PVN-2006-03 KLP:


        "The purpose of a credit assessment is normally to map whether a potential
        customer is creditworthy, and thus whether the company wishes to enter into an agreement with

        the person concerned. This means that when credit information is requested, the objective requirement will apply
        be fulfilled when the orderer is to use the credit information in connection with his
        assessment of credit risk, for example in the case of a commitment for a loan or an agreement on a current account
        services that are billed in arrears, typically mobile phone subscriptions, subscriptions to

        satellite television etc.”

The tribunal also referred to the statement in PVN-2010-05 Credit assessment, where it was stated that the
the opposite of "actual need" is "curiosity and a peeping tom".


4.4 About the duty to implement suitable technical and organizational measures
According to Article 24 of the Personal Data Protection Regulation, the data controller must carry out appropriate
technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance with

the Personal Data Act and the Personal Data Protection Ordinance.

If it is in a reasonable relationship with the processing activities, the business must take action
suitable guidelines for the protection of personal data.


Credit assessment is an intrusive processing of personal data and constitutes a large
interference with individuals' right to privacy. Businesses that implement
credit ratings must therefore document their internal routines or processes (internal control),

which safeguards the requirement for objectivity in credit assessment. The routines must describe when and how
credit information can be obtained and how access is to be granted. The routines must ensure that
credit information is not obtained without the requirement of factual need having been met.


5. The Norwegian Data Protection Authority's assessment

5.1. Processing responsibility
The person who determines the purposes and means for the processing of personal data is
data controller, cf. the personal data protection regulation article 4 no. 7. The data controller
is responsible for the processing of personal data taking place in line with the fundamentals

the principles in the Personal Data Protection Regulation and must be able to demonstrate this, cf. the Personal Data Protection Regulation
Article 5 No. 2.

A business is responsible for the processing of personal data carried out by an employee when
the processing has taken place through the company's activities. It is Recover AS that has


4
 The European Privacy Council's guidelines, EDPB Guidelines 07/2020 on the concept of controller and
processor in the GDPR, p. 10.



                                                                                                4 agreement with Bisnode and which, in our opinion, has determined the purpose and means of
the credit rating.

It is our assessment - and also not in dispute - that Recover AS is responsible for processing
the relevant credit check of complaints.

5.2. The duty of internal control and the principle of accountability
Recover AS has presented its routine for credit assessments, but this is very general
formulated. Among other things, it provides no guidance on when there is a justified interest in undertaking
credit check. The routine is therefore not suitable to ensure that the credit assessments you carry out take place in

compliance with Article 6 no. 1 letter f.

Their routine also does not state who can carry out credit assessments internally
the business. It is clear that the finance department is responsible. In this case was

however, it was a project manager who carried out the credit check. In our opinion, the routine is not
suitable for creating an understanding of when and who can carry out a credit check. The routine gives rather
lack of clarity as to why a credit check is being carried out.


In our opinion, better written routines would have a preventive effect against the illegal
the credit assessment carried out in our case, and such routines will ensure that future
Credit assessments are only carried out by Recover AS when the conditions in
the data protection regulation is met, and that the company credit assesses the right person. After spring
assessment, the defective routines constitute a breach of Article 24


In its comments to the Norwegian Data Protection Authority's notice, Recover AS first refers to extracts from our website.
The extract is primarily intended as a guide for private individuals who have had a credit assessment,
while other parts of the website are intended for businesses.


We understand that Recover AS believes that the information on our website is not good enough. We
emphasizes that our websites are only intended as general guidance. We have by the way
updated information regarding internal control for businesses.


Having said that, the accountability principle requires a strong anchoring of the regulations in
the company's management, cf. the personal protection regulation article 5 no. 2. Companies are with others
word responsible for familiarizing themselves with the privacy regulations, including assessing when they legally can
carry out a credit assessment, and adapt its guidelines and internal control to this, cf. art. 24

In its routines, Recover AS should highlight Article 6. No. 1 letter f as relevant
processing basis for their business, as well as ensure organizational measures that ensure that
the requirements in the Personal Protection Regulation are met before credit information on private individuals and

sole proprietorships are obtained.
The Norwegian Data Protection Authority has the competence to order the data controller to ensure that

the processing activities take place in accordance with the provisions of the Personal Data Protection Ordinance, cf.





                                                                                                  5personal protection regulation article 58 no. 2 letter d. This is the background for the order to
improve routines for credit assessment.

Recover AS must improve the routines to ensure that credit assessment only takes place when the conditions in
the data protection regulation is fulfilled.

5.3. Processing basis for obtaining credit information
The question is whether Recover AS had a legal basis according to Article 6 no. 1 letter f then you
credit assessed complaints.

The first condition that must be met for the processing to be legal is that Recover AS
had a "legitimate interest" in obtaining the information.

Recover AS has confirmed that the complainant has no customer relationship or other connection

the business. You write that the collection took place as a result of a mix-up of names.
Regardless of whether it was done deliberately or not, Recover AS has caught up
credit information about an individual without any kind of customer relationship, supplier relationship
or other connection to the business.

There is agreement between the parties that the credit assessment should not have been carried out. Complaints had
no expectation that Recover AS would process the complainant's credit information and it was

nor can it be expected that the business would obtain the information.

Our assessment is that the requirement for "legitimate interest" in the Personal Data Protection Regulation Article 6 No. 1
letter f is not fulfilled.

As the company has not fulfilled the first condition, we do not consider it appropriate to
assess the last two conditions of necessity and the specific balancing of interests in the article
6 no. 1 letter f.

Based on this, our conclusion is that Recover AS has obtained the complainant's information
credit information without a legal basis, cf. the data protection regulation article 6 no. 1.

6. Violation fee
6.1. General information on infringement fees

The Personal Protection Regulation article 58 no. 2 letter i gives the Norwegian Data Protection Authority the authority to impose
infringement fee in accordance with Article 83.

Violation fees are to be considered punishment according to the European Convention on Human Rights

(ECHR) article 6. A clear preponderance of probability for an offense is necessary so that we
shall be able to impose an infringement fee.

Section 46 first paragraph of the Public Administration Act states:


        When it is stipulated in law that an administrative sanction can be imposed on an enterprise,
        the sanction can be imposed even if no individual has proven guilty.





                                                                                                6 However, the Supreme Court has determined that the objective responsibility for corporate punishment in the Criminal Code
is not compatible with the ECHR. The Supreme Court has stated that the person who has acted on behalf of the company
must have proven guilty, and that general negligence is sufficient to fulfill the culpability requirement.

The Ministry of Justice and Emergency Preparedness has specified in a letter of 12 May 2021 that the same applies

as a starting point in cases of administrative sanctions, and the ministry has stated that
the Supreme Court judgment must be used as a basis for imposing infringement fees on undertakings.

6.2. Our assessment of the fault claim
In order for the Data Protection Authority to be able to impose an infringement fee on Recover AS, the person who has acted must
have proven guilty on behalf of the company. Ordinary negligence is sufficient.

You write that the credit assessment of complaints occurred as a result of a confusion of names.

The company was actually supposed to credit another new customer, but didn't know hers
address. You therefore looked up the complainant's name on Google, but confused the new customer's name

with the complainant's name and thus credit assessed the wrong person.

In our opinion, Recover AS could have avoided the credit check by having more thorough procedures
for credit assessment. The confusion was due, among other things, to a search on Google instead of a search at
credit reference agency.

Our assessment is that this must be characterized as clearly negligent by the project manager, as we are
considered to have acted on behalf of the company in the credit assessment of complaints.

The culpability requirement for imposing an infringement fee has thus been fulfilled.


6.3. Assessment of whether an infringement fee should be imposed
When assessing whether a fee should be imposed and when measuring, the Norwegian Data Protection Authority must take this into account

to the points in the Personal Data Protection Regulation article 83 no. 2 letter a) to k). The Norwegian Data Protection Authority can
impose an infringement fee after a discretionary overall assessment, but those listed
the elements guide the exercise of discretion by highlighting elements that must
is given particular weight.


Here, we will assess the relevant points continuously.

a) the nature, severity and duration of the infringement, taking into account it

the nature, extent or purpose of the processing concerned as well as the number of registered persons who are affected, and
the extent of the damage they have suffered

The principle of legality in the Personal Protection Regulation Article 5 No. 1 and the requirement for a legal basis i

Article 6 is one of the basic requirements that must be met when a business processes
personal data.






                                                                                                7Credit information is a type of personal information that is particularly worthy of protection, and
as private individuals have an expectation not to be obtained by businesses unless that
is factually justified in their relationship with them. The violation is therefore serious, and indicates that
an infringement fee is imposed.


A credit rating is the result of a compilation of personal data from many different sources
sources, and shows a number indicating the probability that a person will pay a claim. One
credit assessment will also show details of individuals' private finances, including any
payment notices, voluntary pledges and debt ratio. This is private information

as private individuals have an expectation not to be obtained by businesses unless that
is factually justified in their relationship with them. The violation is therefore serious, and this indicates that
an infringement fee is imposed.

Recover AS submitted objections to our application and understanding of Art. 58. You think we must
provide other corrective measures in lieu of infringement fees.

Personal data protection regulation art. 83 nos. 4 and 5 indicate which violations can be sanctioned
with an infringement fee. The highest maximum amount for infringement fees can be found in No. 5, which
includes, among other things, violations of basic privacy principles, cf. letter a. You

lacked processing grounds for the credit assessment, and this constitutes a breach of
the legality principle, which is one of these basic privacy principles, cf. art. 5
letter a, cf. art. 6.

When Art. 83 no. 5 sets the highest maximum fine level for such violations, it is precisely intended to
reflect the seriousness of such violations. According to article 58 (2) letter i, the Norwegian Data Protection Authority has
authority to, "[…] depending on the circumstances of each individual case", to impose

infringement fee according to species. 83 "[…] in addition to, or instead of" other measures. Our assessment
is that the circumstances warrant the imposition of an infringement fee. This is also in line with ours
administrative practice, see, among other things, case 20/04401, 20/02042 and case 20/02220, which all concerned
credit ratings without a legal basis.

The Norwegian Personal Protection Board has also on a number of occasions upheld decisions on the imposition of fees in cases

on credit assessment without a legal basis, see e.g. PVN-2019-15 and PVN-2020-21. IN
in the latter case, the tribunal stated the following:

        The tribunal agrees with the Norwegian Data Protection Authority that an infringement fee should be imposed and finds
        after an assessment of the various points that a fee of NOK 150,000 in any case not

        is too high. The tribunal has below reference to section 34 third paragraph of the Public Administration Act
        limited access to set the fee higher. In its assessment, the tribunal has placed emphasis on
        the following conditions:


        This is a serious breach of the data protection regulation.
        The principle of legality in Article 5 No. 1 and the requirement for processing grounds in Article 6
        represents basic requirements for the processing of personal data. These are
        broken. Private individuals have an expectation that businesses do not catch up




                                                                                                 8 credit information about them without this being justified by a legitimate interest of
        the business as a result of a real customer relationship.

        […]


        Even if the information affected by the breach does not particularly belong to the group
        categories of information in Article 9, then credit information represents about
        individuals information of a private nature that the individual may have reason to
        wish remains private. This, too, is therefore a moment in a tightening direction.


b) whether the infringement was committed intentionally or negligently

The violation was committed negligently, see our assessment of guilt under section 6.2.


c) any measures taken by the controller or data processor to limit
the damage that the data subjects have suffered

Recover AS has not disclosed that measures have been implemented to limit the damage as it is

registered have suffered.

d) the controller's or data processor's degree of responsibility, taking into account
the technical and organizational measures they have implemented in accordance with Articles 25 and 32


The principle of responsibility requires a strong anchoring of the regulations in the management of businesses
cf. the personal protection regulation article 5 no. 2


The Norwegian Data Protection Authority emphasizes that Recover AS lacks technical and organizational measures to
ensure that the collection of credit assessments is carried out in accordance with the Personal Data Protection Regulation, cf.
species. 24. We would like to emphasize that credit assessments entail a significant intrusion into the private life of
those who are credit assessed. We have emphasized this in a stricter direction. We have also emphasized

that Recover has approx. 37,000 assignments a year. You have stated that you always credit check new ones
customers and thus carries out a significant number of credit assessments.

You object that you have no previously registered infringements, and that this speaks against

impose an infringement fee. Our assessment is that the deficient routines, in light of the high
the number of credit ratings as well as the fundamental error committed through
the confusion in the case suggests imposing an infringement fee.

We also emphasize that adequate routines for obtaining the correct invoice address could be had

averted the incident in question.

e) any previous violations committed by the data controller or
the data processor




                                                                                                  9 The Norwegian Data Protection Authority is not aware of any previous violations.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it

the possible negative effects of it

We do not consider this point to be relevant.
g) the categories of personal data affected by the breach

Special categories of personal data (sensitive personal data) are not affected

the violation in our case. However, information about salary, debt and creditworthiness is
information that has a special need for protection due to its private nature.

This speaks for the imposition of an infringement fee, and there is also established practice for imposing
infringement fee for corresponding offences.

h) in what way the supervisory authority became aware of the infringement, in particular if and where applicable
to what extent the data controller or data processor has notified
the violation

We were informed about the case through the inquiry from the complainant

i) if measures mentioned in Article 58 no. 2 have previously been taken against the person concerned
data controller or data processor with regard to the same subject matter, that mentioned

measures are observed

You point out that the Norwegian Data Protection Authority has not previously made a decision against you, especially in light of
the amount of credit assessments you carry out, and that this point advocates not imposing
infringement fee. We do not share this opinion. On the contrary, we mean the deficient ones

the routines show that you have not implemented suitable technical and organizational measures, cf. art.
24. We believe this is taken seriously considering the large number of credit assessments you have
performs annually, and consequently strengthens our assessment of imposing an infringement fee. That earlier
measures have not been taken against you with regard to the same subject matter, therefore not added

special weight.

j) compliance with approved standards of conduct in accordance with Article 40 or approved
certification mechanisms pursuant to Article 42

The Norwegian Data Protection Authority does not find this aspect relevant.

k) and any other aggravating or mitigating factor in the case, e.g. financial benefits
gained, or loss avoided, directly or indirectly, as a result of the breach

The Norwegian Data Protection Authority cannot see that Recover AS has obtained any benefits as a result of the infringement.
The fact that you have not obtained any benefits as a result of the breach is one of many factors in

the assessment, and does not preclude the imposition of an infringement fee.






                                                                                                10 Based on the assessment above, the Norwegian Data Protection Authority concludes that an infringement fee should be imposed. The
the next question is the amount of the fee.

6.4. Assessment of the size of the fee

In calculating the fee, the elements in point 7.2 above must be weighted, cf. article 83 no.

2.
In accordance with Article 83 no. 1, the infringement fee must be effective and be reasonable
relation to the infringement and act as a deterrent. This means that the supervisory authority must
make a concrete, discretionary assessment in each individual case.

The Personal Protection Ordinance provides for a higher level of fine than that which applied thereafter

the Personal Data Act from 2000, and it follows from the regulation's article 83 no. 1 that
infringement fee must be determined concretely so that it is effective in each individual case, it says
in a reasonable proportion to the infringement and acts as a deterrent. The main purpose of
infringement fees are prevention, i.e. that the risk of being charged a fee should work
                                                                        5
deterrent and thereby contribute to increased compliance with the regulations.

By Skullerud et al. (2019), page 347, it is stated:
        Contraception considerations dictate that the fee for an infringement must be set so high that this

        actually experienced as an evil by the transgressor. This means that the offender's
        financial ability should be important in the assessment, so that the fee is all the higher
        stronger carrying capacity the violator has. […] When assessing the financial carrying capacity for a

        company, it may be relevant to look at the company's overall global annual turnover i
        previous financial year, cf. art. 83 No. 4 and 5.

And further:

        The consideration of ensuring an individual assessment in each individual case dictates that
        the supervisory authorities should avoid establishing standardized fee rates. This applies
        even if national law allows for standardized rates, cf. section 43 of the Public Administration Act.

The fee must therefore be measured concretely in each case, and act as a deterrent for the individual
the business.

Article 83 no. 5 of the Personal Data Protection Ordinance sets a higher maximum amount for the fee when the case is reached

deals with violations of the basic principles for the treatment of
personal data in accordance with Articles 5 and 6 of the Personal Data Protection Regulation.

Recover AS lacked processing grounds for obtaining credit information about complaints
(the legality principle). In addition, the business has had inadequate organizational measures for
compliance with the privacy regulations (principle of responsibility). This has drawn in aggravating
direction.




5Skullerud et al. (2019).



                                                                                                11We also emphasize in a stricter direction that the illegal credit assessment with simple means
could have been avoided by verifying the address with the new customer before you applied
the person concerned in Bisnode and was given credit information.

We also emphasize the company's finances. According to publicly available accounting figures,
Recover AS is registered with a turnover of NOK 1,361,138,000 in 2020, and an annual profit of NOK
-609,000. The business is registered with equity of NOK 71,215,000 and a

satisfactory solvency.

The fee must be set so high that it is effective and achieves a sufficient deterrent effect.
After an overall assessment of the facts of the case and the seriousness of the infringement, we have come to the conclusion that a
an infringement fee of NOK 200,000 is considered appropriate.

7. Right of appeal and further proceedings
You can appeal the decision. Any complaint must be sent to us within three weeks of this
the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will

forward the case to the Privacy Board for complaint processing.

If you do not appeal against the infringement fee order, the deadline for compliance is 4 weeks after
expiration of the appeal period, cf. Personal Data Act § 27.


The deadline for implementing the order point 2 on written routines (internal control) is 4 weeks after
expiry of the appeal period. If you do not appeal against the order in point 2, you must within this deadline
send us a written confirmation, as well as documentation, that the order on internal control is

carried out.

8. Publicity, transparency and confidentiality
We would like to inform you that all documents are basically public, cf.
Public Relations Act § 3. If you believe there are grounds for exempting all or part of

the document from public inspection, we ask you to give reasons for this.

The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us, and about the complainant's personal information
relationship. The duty of confidentiality follows, among other things, from the Personal Information Act § 24 and

Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such
information from the Norwegian Data Protection Authority, cf. the Administration Act § 13 b first paragraph no. 1. You also have the right
for inspection of the case's documents, cf. section 18 of the Public Administration Act.


We draw your attention to the fact that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority
the complainant's identity, personal circumstances and other identifying information, and that you only
can use this information to the extent necessary to safeguard its interests
theirs in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that

breach of this duty of confidentiality can be punished according to Section 209 of the Criminal Code.






                                                                                                12 If you have any questions about the case, you can contact Marte Lindblad Skaslien at
telephone: 22 39 69 34.





With best regards


Jørgen Skorstad
department director
                                                                Marte Lindblad Skaslien

                                                                senior legal advisor

The document is electronically approved and therefore has no handwritten signatures



Copy to: Complainant



































                                                                                          13