Evropský sbor pro ochranu osobních údajů

Administrative fine of 35 000 EUR imposed on the Swedish website Mrkoll.se

Wednesday, 18 December, 2019
se

The Swedish DPA has issued an administrative fine of 35 000 EUR against Mrkoll.se – a website that publishes personal data of all Swedes above the age of 16 – for infringement of the Credit Information Act and the GDPR. The website has carried out credit information activity in a way that is not in compliance with the law.

The Swedish DPA has issued an administrative fine against the company Nusvar which runs the website Mrkoll.se. This website publishes personal data of all Swedes above the age of 16. In total, the database contains personal data of more than 8 million people. The administrative fine issued amounts to 35 000 EUR.

- The decision addresses the interplay between the legislative frameworks for credit information activity, data protection and the constitutional protection of freedom of expression, says Hans Kärnlöf who led the investigation of the website.

The website in question has been granted a publishing certificate that provides it with a constitutional protection for the majority of its publishing activities, meaning that the GDPR does not apply under those circumstances.

The website did however publish information that a person does not have a record of non-payment. Information about payment defaults is considered to be credit information and for the publishing of such information the Credit Information Act applies, including its references to the GDPR. The website furthermore published information about records of criminal convictions. Such information is regulated in the GDPR and may not be published under the Credit Information Act without prior authorization from the Swedish DPA. The DPA has not issued any such authorization for this website.

- Websites entrusted with a publishing certificate do not need prior authorization from the DPA to carry out credit information activity as such, but they must comply with the rules in the Credit Information Act. This website has not complied with these rules, says Hans Kärnlöf.

The decision concerns unlawful publications from December 2018 to April 2019. As of April 2019, the website no longer publishes information about records of non-payment.  For that reason, the DPA’s decision will not affect how the website publishes information today.

Since May 2018 the Swedish DPA has received more than 750 complaints concerning websites that hold publishing certificates.

For further information, please contact the Swedish SA : datainspektionen@datainspektionen.se  

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.