Datatilsynet - DT-20/02042

From GDPRhub
Datatilsynet - DT-20/02042
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 04.01.2021
Published: 04.01.2021
Fine: 1000000 NOK
Parties: Complaintant (data subject - anonymized)
Innovation Norge
Innovation Norway
National Case Number/Name: DT-20/02042
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) upheld its decision to fine Innovation Norway NOK 1,000,000 (~€98,000) for subjecting the complainant to multiple credit ratings without a legal basis under Article 6(1)(f) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant was subjected to multiple credit ratings by Innovation Norway*, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings.

When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.

* Innovation Norway is state-owned and the Norwegian government's instrument for innovation and development of Norwegian enterprises and industry. Their programs and services are aimed at stimulating entrepreneurship in Norway. Conducting credit scoring of individuals and companies are common practice and not an issue in itself. The issue here was the misuse of credit scoring by one employee.

Dispute[edit | edit source]

  1. Did Innovation Norway have a legal basis for conducting credit rating(s) of the complainant?
  2. Did Innovation Norway have sufficient internal controls for conducting credit ratings?
  3. Should Innovation Norway have report the personal data breaches to the DPA, cf. Article 33(1)?

Holding[edit | edit source]

  1. The DPA held that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question.
  2. They also held that Innovation Norway hadn't followed up on their own internal policies and procedures and these were insufficient.
  3. They also held that Innovation Norway breached their duty to notify the DPA three of the (first) personal data breaches (unlawful credit ratings), however they upheld it at the fourth.

For these breaches, the DPA fined Innovation Norway NOK 1,000,000.

Comment[edit | edit source]

The complainant was subjected to a total of ten credit ratings; one on the complainant personally, three on his sole proprietorship and four on his limited company. The latter ones were not considered as a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrates.

The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.

Further Resources[edit | edit source]

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Fee to Innovation Norway

The Norwegian Data Protection Authority has sent a decision on an infringement fee of NOK 1 million to Innovation Norway. The case concerns a credit assessment without a basis for processing.
Fee to Innovation Norway

- Innovation Norway has not been able to refer to a customer relationship, or a connection to the complainant and the company in question, which could justify these credit assessments, says senior adviser Ida Småge Breidablikk.

The amount is unchanged after we first sent notice in the case.
Must have a valid treatment basis

A credit rating is the result of compiling personal information from many different sources, and shows a number that indicates the probability that an individual or sole proprietorship will pay a claim. A credit assessment will also show details about the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.

Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships.

Read more about credit rating and privacy
Experienced offensive

- Credit information about sole proprietorships also says something about the owner's personal finances. It is private information that can not be collected by others unless it is objectively justified, says senior adviser Ida Småge Breidablikk.

- We understand that the complainant reacts when the person in question has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, Breidablikk concludes.

Innovation Norway has a three-week appeal period from the time they receive our decision.