Datatilsynet - 20/02220
|Datatilsynet - Odin Flissenter AS|
|Relevant Law:||Article 4(1) GDPR|
Article 6(1) GDPR
|National Case Number/Name:||Odin Flissenter AS|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
The Norwegian DPA (Datatilsynet) has issued the company Odin Flissenter with a fine of NOK 150 000 (approx 13700 EUR) for the credit rating of a single-person enterprise with no legal basis for such processing.
English Summary[edit | edit source]
Facts[edit | edit source]
An individual company was subjected to a credit rating by Odin Flissenter, despite having no customer relationship or any other affiliation with the latter.
Dispute[edit | edit source]
Are the actions by Odin Flissenter a violation of the GDPR? Can credit information about a company be considered personal data for the purposes of Article 4(1)(GDPR)?
Holding[edit | edit source]
The Datatilsynet held that there must be a valid legal basis for the processing of personal data involved in a credit rating; to process without one would be a violation of the GDPR.
Credit information about an individual company was considered to be personal data in this instance, since the owner was directly identified with the company and the company was directly linked to the owner's personal finances. as the company was a type of sole proprietorship.
This meant that the credit information could be used to derive information about the owner's personal finances, which the owner could expect not to be collected by businesses without a lawful justification.
Datatilsynet found that there was no legal basis to process the personal data under Article 6(1)(f) GDPR.
Comment[edit | edit source]
Due to the impact of Covid-19 on the company's financial situation, Datatilsynet found that the aims of imposing the fine could still be achieved by imposing a lower fine. The fine was therefore reduced to 150 000 NOK, down from the issued notice of 300 000 NOK.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Alerts fee to Odin Flissenter AS The Norwegian Data Inspectorate has sent Odin Flissenter a notice of order and violation fee of NOK 300,000. The case concerns the credit rating of a single-person enterprise with no basis for treatment. An individual company was credit rated without having any kind of customer relationship or other affiliation with Odin Flissenter. Must have a valid treatment basis Credit information about an individual company is also personal information, since the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that you have to have a treatment basis in order to credit individual companies. A credit rating is the result of compiling personal data from many different sources, and shows a number that indicates the probability that a person or individual company will pay a claim. A credit rating will also show details of the company's finances, such as any payment remarks, voluntary mortgages and debt ratio. - Credit information about individual companies can be used to derive information about the owner's personal finances. Therefore, it is private information that the owner expects that it will not be collected by businesses unless it is objectively justified, says legal counsel Ole Martin Moe.