Etterforsker1 Gruppen AS – €4,350 Fine (Norway, 2022)

The Norwegian DPA (Datatilsynet) received a complaint from a data subject who had been credit rated by a private investigation company, whom had informed in their privacy notice that they should be viewed as the controller as per the GDPR, for any such processing of the personal data of third parties. The controller had been hired by the data subject's former partner. She claimed to have a financial claim against the data subject. He disputed this and also claimed he did not have any funds to pay for such a claim, regardless. Consequently, the controller conducted a credit rating of the data subject, to validate his claims. Following the data subject's complaint, the DPA launched an investigation. The DPA found that the controller lacked a legal basis as per Article 6(1) GDPR, and informs in their decision that the relevant legal basis as per the GDPR, is Article 6(1)(f). The DPA found that the controller had also breached Article 5(2) GDPR, cf. Article 24. For this, the DPA intends to fine the controller NOK 50,000 (€5,000), for conducting a credit rating without a legal basis under Article 6(1) GDPR and for not adhering to the accountability principle as per Article 5(2) GDPR, cf. Article 24. The DPA also requires that the company implement internal controls of their credit rating process. The controller has four weeks to fulfill the penalties, unless they appeal. The controller has three weeks to appeal the decision, otherwise it will take full effect.