Complaintant (data subject - anonymized) – €87,000 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's data protection authority fined Innovation Norway EUR 87,000 for conducting unauthorized credit checks on an individual. The company had no valid reason for these checks and failed to report the breach. This case highlights the importance of having clear policies and reporting breaches to authorities.
What happened
Innovation Norway conducted unauthorized credit checks on an individual without a valid reason.
Who was affected
An individual who was subjected to multiple unauthorized credit checks by Innovation Norway.
What the authority found
The Norwegian data protection authority found that Innovation Norway lacked a legal basis for the credit checks and failed to report the breach.
Why this matters
This case highlights the need for companies to have clear policies on data processing and to report breaches promptly. It serves as a reminder that unauthorized access to personal data can lead to significant fines.
GDPR Articles Cited
Entities Involved
The complainant was subjected to multiple credit ratings by Innovation Norway*, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings. When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR. * Innovation Norway is state-owned and the Norwegian government's instrument for innovation and development of Norwegian enterprises and industry. Their programs and services are aimed at stimulating entrepreneurship in Norway. Conducting credit scoring of individuals and companies are common practice and not an issue in itself. The issue here was the misuse of credit scoring by one employee. #Did Innovation Norway have a legal basis for conducting credit rating(s) of the complainant? #Did Innovation Norway have sufficient internal controls for conducting credit ratings? #Should Innovation Norway have report the personal data breaches to the DPA, cf. Article 33(1)? #The DPA held that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question. #They also held that Innovation Norway hadn't followed up on their own internal policies and procedures and these were insufficient. #They also held that Innovation Norway breached their duty to notify the DPA three of the (first) personal data breaches (unlawful credit ratings), however they upheld it at the fourth. For these breaches, the DPA fined Inn
Related Enforcement Actions (0)
No other enforcement actions found for Complaintant (data subject - anonymized) in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 January 2021
Authority
Datatilsynet (Norway)
Fine Amount
€87,000
1,000,000 NOK
GDPRhub ID
gdprhub-3033About this data
Cite as: Cookie Fines. Complaintant (data subject - anonymized) - Norway (2021). Retrieved from cookiefines.eu
Last updated: