Gveik AS – €6,525 Fine (Norway, 2020)

A representative acting on behalf of Gveik AS conducted a credit rating on the complainant's sole proprietorship, despite the latter having no customer relationship or any other affiliation with either the representative or the company. The representative claimed that the credit rating was conducted by mistake and that they had tried to cancel it, unsuccessfully. The DPA noted that the credit rating seems to have been conducted due to "nosiness". Gveik AS didn't have written routines for credit ratings, because these are only conducted for new customers and customers that "request many new services". Did Gveik AS have legal grounds for processing the personal data of the complainant for a credit scoring, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit scoring in their business? No, Gveik AS did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f). For this offense, the company was fined NOK 75,000. They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and submit a written confirmation and actual documentation of the internal controls, to the DPA. The DPA also noted that Gveik AS likely didn't have sufficient technical and organizational security measures, but didn't find strong enough evidence to add further penalties for this.