Krokatjønnvegen 15 AS – €26,100 Fine (Norway, 2022)

The Norwegian DPA (Datatilsynet) received a complaint from two data subjects who had been credit rated by a property management company they had no relationship with. The first data subject (data subject 1) recognized, however, the name of a person from the company, as he was the general manager for another company that her friend (data subject 2) had a rental agreement and dispute with. Both data subjects lodged complaints with the DPA and, consequently, the DPA launched an investigation. The DPA unraveled that several companies were involved in the corporate structure, but mainly the case pertained to "Krokatjønnveien 15 AS" (company 1) and "Bildøy Marina AS" (company 2). The companies claimed they shared the subscription for and access to the credit rating system and that it, by accident, had conducted the credit ratings from the incorrect company 1. They also claimed they had policies and procedures for credit ratings in place. They failed, however, to sufficiently demonstrate and convince the DPA that this was indeed the case. The DPA held that company 1 was the controller for the unlawful credit ratings, in violation of Article 6(1)(f) GDPR, issued a €30,500 fine and ordered them to implement internal controls of their credit rating process in line with Article 24 GDPR.