The Norwegian Data Protection Authority has fined Gveik AS EUR 7 500 (NOK 75,000) for having conducted a credit rating without a legal basis.
An individual with no customer relationship or other affiliation with Gveik AS received a notice and became aware that the company had performed a credit rating on them. The individual filed a complaint with the Data Protection Authority.
Credit rating for personal purposes
The General Data Protection Regulation (GDPR) requires that all processing of personal data must have a legal basis. When an organization performs a credit rating, it collects detailed information about an individual’s personal financial situation. A credit rating is a compilation of personal data from many different sources. In certain cases, it will indicate how likely it is that a person will be able to pay their debts, and it will include any payment defaults, the debt-to-income ratio and whether the person has any mortgages.
In this case, the purpose of conducting the credit rating was personal and outside of the business interests of the organization. These types of cases are serious, and the Data Protection Authority normally issues fines for such violations.
Gveik AS may appeal the fine within the term set.
For further information, please contact the Norwegian DPA: email@example.com
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.