Redacted version – Court Ruling (Norway, 2022)

This case is an appeal of a decision by the Norwegian DPA, in which the Norwegian DPA fined a company (the controller) about €12,000 (NOK 125,000) for conducting an unlawful credit rating in breach of Article 6(1) GDPR, and required them to implement a policy for conducting credit ratings per Article 24 GDPR. The controller disagreed with the DPA on the first part of the decision, pertaining to the fine, and asked the supervisory authority to reconsider its position. After the DPA had reviewed the case again, they found no grounds to change their decision and so, as per Norwegian procedures, referred the case to the Privacy Appeals Board. The unlawful credit rating was conducted by the company's managing director, who was in conflict with the data subject in an inheritance dispute. In their comments to the Privacy Appeals Board, the company's attorneys claimed that the managing director had to be seen as a 'third party' and that the credit rating was lawful because he pursued a legitimate interest. The Privacy Appeals Board reviewed the case and agreed, first, with the DPA in that an acquiring company also acquires the prior (acquired) company's controller's responsibilities, even if the breach occurred before the company was acquired. Next, they noted that the relevant lawful basis of the processing in question (the credit rating) is Article 6(1)(f) GDPR, legitimate interests, and that it is the company who has the agreement with the credit rating agency and, thus, a legitimate interest in obtaining credit rating information. The Privacy Appeals Board noted that it is obvious that the managing director obtained credit rating information for use in the private inheritance dispute and not for the company's legitimate interests. They also concluded that the case is not related to a "third party" as defined in Article 4(10) GDPR and that this claim builds upon an obvious misinterpretation of the legal text. The Privacy Appeals Board held that the managing director'