Datatilsynet - DT-20/02042

From GDPRhub
Datatilsynet - DT-20/02042
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 04.01.2021
Published: 04.01.2021
Fine: 1000000 NOK
Parties: Complaintant (data subject - anonymized)
Innovation Norge
Innovation Norway
National Case Number/Name: DT-20/02042
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) notified Innovation Norway that they will be fined €95,000 for subjecting the complainant to multiple credit ratings without a legal basis under Article 6(1)(f) GDPR. Innovation Norway has until January 25 2021 to contest the fine.

English Summary[edit | edit source]

Facts[edit | edit source]

The complaintant was subjected to multiple credit ratings by Innovation Norway*, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings.

When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.

* Innovation Norway is state-owned and the Norwegian government's instrument for innovation and development of Norwegian enterprises and industry. Their programs and services are aimed at stimulating entrepreneurship in Norway. Conducting credit scoring of individuals and companies are common practice and not an issue in itself. The issue here was the misuse of credit scoring by one employee.

Dispute[edit | edit source]

Did Innovation Norway have a legal basis for conducting credit rating(s) of the complaintant?

Holding[edit | edit source]

The DPA found that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question, that they hadn't followed up on their own internal policies and procedures and that they should have notified the DPA of the personal data breach cf. Article 33 GDPR.

Comment[edit | edit source]

The complaintant was subjected to a total of ten credit ratings; one on the complaintant personally, three on his sole proprietorship and four on his limited company. The latter ones were not considered as a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrates.

The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

__________ PRESS RELEASE __________

Notification of infringement fee to Innovation Norway

The Norwegian Data Protection Authority has sent Innovation Norway a notice of infringement fines of NOK 1 million. The case concerns four credit of an individual and his sole proprietorship without any basis for assessments treatment .
Notification of infringement fee to Innovation Norway

- Innovation Norway has not been able to point to a customer relationship, or a connection to complainants and his company, that could justify these credit assessments, says senior adviser Ida Småge Breidablikk.

Innovation Norway has agreed that they did not have a treatment basis for the four credit assessments. The credit assessments took place over a period of 3 months.
Must have a valid treatment basis

A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person or sole proprietorship will pay a claim. A credit assessment will also show details about the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.

Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships. It is part of the case that the complainant's limited company has also been credit-rated six times. However, this is not covered by the privacy regulations, and the Data Inspectorate cannot sanction this.
Experienced offensive

- Credit information about sole proprietorships also says something about the owner's personal finances. It is private information that can not be collected by other companies unless it is objectively justified, says legal senior adviser Ida Småge Breidablikk. We understand that complaints react when he has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, she concludes.

Innovation Norway has been given a deadline of 25 January to submit comments on the notification.