Etterforsker1 Gruppen AS fined
The Norwegian Data Protection Authority has fined Etterforsker1 Gruppen AS NOK 50,000 (EUR 5,000) for performing an unwarranted credit rating on a private individual.
The Norwegian Data Protection Authority has fined Etterforsker1 Gruppen AS NOK 50,000 (EUR 5,000) for performing an unwarranted credit rating on a private individual.
The background for the fine is a complaint from a private individual who was subjected to a credit rating without any form of customer relationship or other connection to Etterforsker1.
In this case, Etterforsker1 performed the credit rating on behalf of a client, who believed they had a claim for compensation against the complainant. Etterforsker1 claimed that the purpose of the credit rating was performance of its contract with its client and exploration of the complainant’s financial situation in an evaluation of potential legal action.
When a credit rating is performed for the purpose of exploring a client’s creditworthiness prior to contract formation, the business normally has a legal basis for performing the credit rating. While there was a credit element to this case, the Data Protection Authority found that Etterforsker1 did not have a strong enough connection to the complainant in this case.
In its assessment, the Data Protection Authority emphasised that the activities of a private investigator must be held to a different standard than regular legal services, where a lawyer represents a client.
Etterforsker1 acknowledges that they lacked a legal basis for the credit rating they performed in this case. A credit rating is the result of a compilation of personal data from many different sources and shows the likelihood of a person being able to pay an outstanding claim. A credit rating will also reveal details about the person’s financial status, such as any overdue payments/defaults on loans, mortgages and debt-to-income ratio.
The General Data Protection Regulation requires that all processing of personal data must have a legal basis.
For the party being assessed, the performance of a credit rating can feel invasive. The process involves types of personal data that the individual concerned has a special interest in protecting. It is therefore important that enterprises which use credit ratings as a tool in their operations familiarise themselves with how this tool works and establish good procedures for when and how to use it. In this way, they will avoid performing credit ratings on private individuals in violation of the regulations.