Innovation Norway fined

“Innovation Norway has been unable to demonstrate a customer relationship or connection with the complainant and their enterprise, to justify these credit ratings,” says Data Protection Authority Director Bjørn Erik Thon.

The fine amount has not changed since the Authority’s first notice in this case.

Valid legal basis for processing required

A credit rating is a compilation of personal data from many different sources and shows the likelihood of a person or enterprise being able or willing to pay an outstanding claim. A credit rating will also reveal details about the enterprise’s financial status, such as any payment remarks, its debt-to-income ratio and whether the enterprise has any mortgages.

Credit information about a sole proprietorship also constitutes personal data, as the owner is immediately identified with the enterprise, and the enterprise is directly linked to the owner’s personal finances. This means that a valid legal basis is required to subject sole proprietorships to a credit rating.

Perceived as invasive

“Credit information about a sole proprietorship also speaks to the owner’s personal finances. This is private information, which cannot be accessed by others unless there is a legitimate reason for it,” says Bjørn Erik Thon.

“We can understand the complainant’s reaction when they have been subjected to credit ratings several times, and also that this could be perceived as invasive. We take these matters seriously, and normally issue fines for this type of violation,” says Bjørn Erik Thon.