Background information
Date of final decision: 21 September 2021
Cross-border case or national case: National case
Controller: Ultra-Technology AS
Legal Reference: Lawfulness of processing (Article 6), Responsibility of the controller (Article 24)
Decision: Infringement declared and fine imposed, Order to comply
Key words: credit rating, legal basis
Summary of the Decision
Origin of the case
The background to the fine is a complaint from a private individual who has undergone a credit assessment without any form of customer relationship or other connection to the company Ultra-Technology AS.
Key Findings
Upon investigating this matter, The Norwegian Data Protection Authority have concluded that the credit rating was performed without a legal basis, in violation of the requirements of the General Data Protection Regulation. The undertaking did not have a legitimate interest in performing a credit rating.
The General Data Protection Regulation requires all processing of personal data to have a legal basis. Credit information is a type of personal data that is especially worthy of protection.
Decision
The Norwegian Data Protection Authority has fined Ultra-Technology AS EUR 12,500 for performing a credit rating on a private individual without any legal basis. The company was also ordered to prepare written routines for credit ratings in accordance with Article 24.
For further information:
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/gebyr-til-ultra-technology-as/ (NO)
https://www.datatilsynet.no/en/news/2021/ultra-technology-as-fined/ (EN)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned