eCommerce 2020 ApS – €51,000 Fine (Iceland, 2023)

A company offering so-called "small loans" - eCommerce 2020 ApS (eCommerce) – sent information about non-payments of loans for registration at a credit scoring company - Creditinfo Lánstrausti hf. The Icelandic DPA issued a decision (case no. 2020061901 – see summary on [https://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_(Island)_-_2020061901 GDPRHub]) against Creditinfo Lánstrausti hf. after the consumers' association of Iceland filed a complaint against it. Following the investigation in that case, it was revealed that the loan terms of eCommerce did not include any provision stating that non-payment (for 40 days) leads to registration of non-payment at Creditinfo Lánstrausti hf. However, in this case eCommerce 2020 disputed the fact that such provision was missing and argued that regardless of the wording in the company's loan terms at any given time, borrowers were always informed of the consequences of non-payments on their loans. Furthermore, eCommerce claimed that there was always some kind of provision in the company's loan terms stating that if a loan defaulted, the company has the right to entrust a third party to collect the loan. It was also revealed that information on non-payments were registered on behalf of eCommerce 2020 ApS despite the fact that the amount of the payment default was below the minimum amount that could be registered according to the terms of the business license of Creditinfo Lánstrausti hf. In light of the above, the Icelandic DPA considered that there may be grounds for imposing an administrative fine on eCommerce 2020 ApS, and initiated an investigation. Firstly, the Icelandic DPA concluded that eCommerce is responsible as the controller for the processing of the personal data in question when eCommerce sends the information on non-payments to Creditinfo Lánstrausti hf. for registration. Moreover, the DPA stated that eCommerce is liable for ensuring that the conditions of the loan terms are met for the registration of non-p