Creditinfo – Complaint Upheld (Iceland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Icelandic company, Creditinfo, wrongly used outdated information to give someone a bad credit score. The Icelandic data authority agreed with the person who complained, saying the company should have started counting the four-year limit from the court judgment date, not when the bank registered the information.
What happened
Creditinfo used information older than four years to assign a negative credit score.
Who was affected
The individual who received a negative credit score based on outdated information.
What the authority found
The Icelandic data authority upheld the complaint, stating Creditinfo should have calculated the four-year period from the judgment date.
Why this matters
This decision emphasizes the need for companies to carefully track data timelines and respect limits on how long they can use information. Businesses should ensure their data practices align with licensing terms and legal requirements.
GDPR Articles Cited
National Law Articles
Creditinfo is an Icelandic company assigning credit scores to individuals and companies, based on verifiable information entered by creditors or third-parties in Creditinfo's default register. According to the operating license granted to Creditinfo, Creditinfo is not allowed to assign credit scores on the basis of information which is older than 4 years old. In this context, a data subject (the Complainant) was recognized in default of payment in a judgment of the Icelandic Supreme Court following legal proceedings opposing the Complainant to a creditor, Landsbankinn hf (hereafter, the Bank). The Bank however registered this information in Creditinfo's default register only two years after the judgment was rendered. Based on this entry, Creditinfo assigned a negative credit score to the Complainant. In January 2020, the Complainant sent an email to Creditinfo to object to the processing of his personal data, arguing that the information on the basis of which his credit score had been calculated was more than 4 years old. In parallel, he also requested Creditinfo to erase his personal data. Creditinfo however rejected this request, arguing that the information in question was still valid and relevant, as it had been registered by the Bank less than 4 years ago. On 5 February 2020, the Complainant decided to file a complaint with the Icelandic DPA. The dispute brought to the attention of the Icelandic DPA therefore mainly concerned the date from which the four years period provided in the operating license of Creditinfo must be calculated. On the one hand, the Complainant was arguing that this date should be the date when he had been recognized in default of payment (i.e. the date of the judgment). On the other hand, Creditinfo was arguing that this date should be the date on which the Bank registered the information in its default register. After reviewing the facts of the case and the operating licence of Creditinfo, the Icelandic DPA considered that the proce
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Creditinfo in IS
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Creditinfo - Iceland (2021). Retrieved from cookiefines.eu
Last updated: