Creditinfo Lánstrausts – Dismissed (Iceland, 2022)

Dismissed
Persónuvernd, 9 November 2022, Iceland
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Icelandic Data Protection Authority dismissed a complaint against Creditinfo Lánstrausts. The complaint involved the use of credit reports and personal data sharing without proper notification. The authority found that Creditinfo's actions were in line with GDPR rules.

What happened

Creditinfo Lánstrausts was accused of improperly sharing credit reports and personal data without notifying individuals.

Who was affected

Individuals whose credit information was processed and shared by Creditinfo Lánstrausts.

What the authority found

The Icelandic DPA found that Creditinfo Lánstrausts processed personal data in compliance with GDPR articles 5 and 6.

Why this matters

This decision highlights the importance of ensuring credit assessments comply with GDPR, but also shows that not all complaints lead to penalties if the company follows the rules. Businesses should ensure transparency and proper notification in data processing.

GDPR Articles Cited

Art. 5 GDPR
Art. 6 GDPR

Entities Involved

Creditinfo Lánstrausts
Netgíró ehf
ÍL-fund

Full Legal Summary

The case follows complaints about the processing of personal data by Creditinfo Lánstrausts to issue reports on creditworthiness, the use of these reports by Netgíró ehf., and the dissemination of personal data by the ÍL-fund in the Creditinfo debt ranking system. The Icelandic DPA found that a credit assessment took place in accordance with Articles 5 and 6 GDPR.

In December 2020, the DPA received a complaint from the complainant that their authorisation had been invoked by Netgíró ehf. (the controller) due to credit rating information given by Creditinfo Lánstrausts without first informing the complainant, i.e. the data subject, of the data transmission. The data subject argued that, to gain access to Creditinfo's information about themselves, they had to agree to the company's use of certain additional information from its debt position system when calculating their credit rating. Additionally, Creditinfo allegedly used incorrect information from the debt position system in the calculation, as the ÍL-fund communicated information to the system about the complainant's debt to the fund even though they had already paid the debt in question. Netgíró ehf. have been prohibited from using information about Creditinfo's credit rating, which has been incorrectly calculated, and that the company is obliged to notify the borrower (in this case the complainant) in advance when it intends to cancel the borrower's authorization due to changes in Creditinfo's credit rating.

The defendants in this case argued that the data subject had in fact been notified and reminded that they can withdraw their consent at any point, and that Creditinfo was considered a processor in the debt position system.

The DPA held that the processing of financial data is considered personal data and falls under the authority of the DPA. The DPA is responsible for monitoring the implementation of Act No. 90/2018, on Data Protection and the Processing of Personal Data, Regulation (EU) 2016/679 (General Data Protection Re

Outcome

Dismissed

The complaint or investigation was dismissed.

Related Enforcement Actions (0)

No other enforcement actions found for Creditinfo Lánstrausts in IS

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date: 9 November 2022

Authority: Persónuvernd

GDPRhub ID: gdprhub-6016

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Creditinfo Lánstrausts - Iceland (2022). Retrieved from cookiefines.eu
