Recover AS – €17,400 Fine (Norway, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's data protection authority fined Recover AS €17,400 for performing an unlawful credit check on someone it had no relationship with. The company mixed up the person's details with those of another person, highlighting the need for careful data handling. This case warns businesses to have strict data verification processes to avoid similar mistakes.
What happened
Recover AS was fined for conducting an unlawful credit check on a person they had no relationship with.
Who was affected
The person who was mistakenly credit rated by Recover AS.
What the authority found
The Norwegian DPA fined Recover AS for violating GDPR by conducting an unlawful credit check without a valid legal basis.
Why this matters
This case highlights the importance of having robust data verification processes to prevent unauthorized data handling. It serves as a warning to companies about the consequences of careless data practices.
GDPR Articles Cited
The Norwegian DPA (Datatilsynet) investigated a complaint from a data subject who had been credit rated by a company they had no relationship with. The company admitted it had no cooperation, customer relationship or any other form of connection with the data subject, but argued that the credit rating was a mistake. A project manager at the company had used Google to find the invoicing address of a new customer and then mixed up this person with the data subject when conducting the actual credit rating. The company claimed that the DPA should not impose a fine because it had no prior registered violations.
The DPA held that the company had conducted an unlawful credit rating in violation of Article 6(1)(f) GDPR, issued a €20,000 fine and ordered the company to implement internal controls of its credit rating process in line with Article 24 GDPR.
Despite the controller's arguments against a fine, the DPA noted the following aggravating factors in support of a fine:
* Credit ratings are a significant intrusion into data subjects' private life.
* The significant number of credit ratings the controller conducts.
* Lack of sufficient routines for conducting credit ratings (that would likely have prevented the mistake).
* The mistake could have been easily avoided by confirming the address directly with the new customer.
Details
Fine Date
25 August 2022
Authority
Datatilsynet (Norway)
Fine Amount
€17,400
200,000 NOK
GDPRhub ID
gdprhub-5240
Cite as: Cookie Fines. Recover AS - Norway (2022). Retrieved from cookiefines.eu