Experian Nederland B.V. – €2,700,000 Fine (Netherlands, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is Experian Nederland B.V. It offered, among other things, the Credit Check service, through which its clients could obtain information about the creditworthiness of a consumer and take it into consideration in a decision about entering into a contract with that consumer.
On 6 December 2023, the DPA (AP), after investigations, imposed a fine in the amount of €2,700,000 on Experian for the violation of Article 5(1)(a) in conjunction with Article 6(1) GDPR and the violation of Article 12(1) in conjunction with Article 14(1) and Article 14(2) GDPR. Experian then lodged an internal appeal against the decision before the DPA, claiming that it processed personal data under legitimate interest, the offering of its creditworthiness assessment service. In January 2025, Experian terminated its services as a credit information agency, and therefore no longer processed personal data for this purpose.
First, the DPA found that since the personal data had not been obtained from data subjects, it was up to Experian to inform them about the processing, its purposes, the legal grounds for the processing, the legitimate interests involved and the rights a data subject has to access, rectification and data erasure (Article 14(1) and Article 14(2) GDPR). The DPA highlighted that Experian should have taken active steps in this regard. The DPA concluded that Experian failed to provide proof that it met the information obligations, in violation of Article 12(1) GDPR and Article 14 GDPR. It also found that Experian violated the principles of transparency and fairness (Article 5(1)(a) GDPR).
Second, it found that the legitimate interest that Experian claimed failed the balancing test. More specifically:
• Regarding the legitimate interest pursued, the DPA acknowledged that it was lawful.
• With regard to the necessity of processing criterion, the DPA held that Experian had not made sufficiently clear why the processing of certain personal data was strictly necessary, and not m
Related Enforcement Actions (0)
No other enforcement actions found for Experian Nederland B.V. in NL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 August 2025
Authority
Autoriteit Persoonsgegevens
Fine Amount
€2,700,000
Enforcement Tracker ID
ETid-2908
GDPRhub ID
gdprhub-9554
About this data
Cite as: Cookie Fines. Experian Nederland B.V. - Netherlands (2025). Retrieved from cookiefines.eu