Elektro & Automasjon Systemer AS – €17,400 Fine (Norway, 2021)

€17,400 | Datatilsynet (Norway) | 13 December 2021 | Norway | final | Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Norway's Datatilsynet fined Elektro & Automasjon Systemer AS for running a credit check on a person without a valid reason. The company didn't have proper systems in place to prevent this mistake, which is important because credit checks involve sensitive financial data. This fine highlights the need for businesses to understand and properly manage their data tools.

What happened

Elektro & Automasjon Systemer AS conducted an unauthorized credit check on an individual without a valid reason.

Who was affected

The person affected was an owner of another company who had no business relationship with Elektro & Automasjon Systemer AS.

What the authority found

The Norwegian DPA found that the company lacked proper measures to prevent unauthorized data processing and had no legal basis for the credit check.

Why this matters

This case underscores the importance of companies ensuring they have proper systems and legal grounds for processing sensitive data like credit reports. It serves as a reminder for businesses to familiarize themselves with the tools they use and the legal frameworks governing them.

GDPR Articles Cited

Art. 24 GDPR
Art. 6(1) GDPR

National Law Articles

Personopplysningsforskriften § 4-3

Full Legal Summary

Controller is a company that conducts credit checks. Controller mistakenly conducted a credit check on one of the owners of another company. There was no existing collaboration or customer/vendor relationship between the companies. After finding out about the credit check, this owner (the data subject) lodged a complaint with the Norwegian DPA. In its defence, the controller explained that the credit check had happened by accident and that it had been caused by its lack of familiarity with the system it used for requesting credit reports.

First, the Norwegian DPA held that the controller had not implemented appropriate technical and organisational measures to prevent unlawful processing, in violation of Article 24 GDPR. Even though the controller had internal procedures in place regarding its processing of personal data in general, none of these were specifically aimed at conducting credit checks. The DPA held that any company that uses a credit report tool has an obligation to familiarise itself with the tool and the legal framework to prevent errors from happening.

Second, the DPA held that the controller lacked a legal basis for the processing, in violation of Article 6(1) GDPR.

As a result of the above infringements, the DPA imposed a fine of 200 000 NOK. When determining the size of the fine, the DPA highlighted that credit reports usually contain information about an individual's financial situation, such as information about salary and debt, which especially deserves a high level of protection. As mitigating factors, however, the DPA noted that the breach had only affected one data subject for a short duration.

Details

Fine Date: 13 December 2021
Authority: Datatilsynet (Norway)
Fine Amount: €17,400 (200,000 NOK)
GDPRhub ID: gdprhub-4502

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Elektro & Automasjon Systemer AS - Norway (2021). Retrieved from cookiefines.eu
