Datatilsynet - 20/02225

From GDPRhub
Datatilsynet - 20/02291
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: n/a
Fine: 300000 NOK
Parties: n/a
National Case Number/Name: 20/02291
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

Datatilsynet held that a credit rating of the complainant, initiated by the company Aquateknikk, did not satisfy the requirements under Article 6(1)(f) GDPR. In addition, the company was required to evaluate and improve its internal guidelines for initiating credit ratings, pursuant to Article 24 GDPR.

English Summary

Facts

The company Aquateknikk AS credit rated the complainant without any connection between the company and the complainant. According to the complainant, this was done because the complainant operates a competing business. Aquateknikk stated that the credit rating of the complainant was a mistake, as the intended target of the credit rating was the complainant's business.

Datatilsynet decided to issue a request for the logs of the company's credit rating history to Bisnode, the company issuing the credit ratings. The logs made clear that both the complainant and the complainant's company were credit rated by Aquateknikk.

Dispute

The issue at hand was whether Aquateknikk had a legitimate interest in rating the credit worthiness of the complainant, pursuant to Article 6(1)(f) GDPR.

Holding

Datatilsynet held that Aquateknikk did not have a legitimate interest in rating the credit worthiness of the complainant. In particular, Datatilsynet highlighted that there was no pre-existing relationship between the company and the complainant. On the contrary, the complainant operated a competing business. As such, the complainant also could not have had any reasonable expectation that the company would process his personal credit rating.

In addition to a breach of Article 6(1)(f) GDPR, the lack of organisational measures pursuant to Article 5(2) GDPR was taken into account when determining the size of the fine.

Comment

The controller was fined on the basis of breaches of Articles 6(1)(f) and 5(2) GDPR.

While it was not done in this particular case, the Norwegian implementation of the GDPR, unlike the GDPR itself, also allows for fining controllers based on breaches of Article 24, cf. personopplysningsloven § 26. Personopplysningsloven § 26 refers to Article 83(4) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.