Innovation Norway facing sanction for illegal credit checks
The state-owned entity Innovation Norway is the Norwegian government's most important instrument for innovation and development of Norwegian enterprises and industry. Following non-compliant financial assessments of a potential customer, Innovation Norway has received a notice from the Norwegian Data Protection Authority (DPA).
By Jeppe Songe-Møller
Innovation Norway is designed for financial assistance to startups and stimulates entrepreneurship and company growth. According to the notice of 4 January 2021, the DPA intends to issue the largest fine in Norway ever – NOK 1 million – in response to Innovation Norway's illegal financial evaluation. Innovation Norway has until 25 January 2021 to comment the fine before it is formally issued.
A credit bureau informed the sole proprietor of a small company that an assessment had been made on his personal finances and separate assessments had been run on his company on behalf of Innovation Norway. The sole proprietor subsequently complained to the DPA, pointing out that he had no relationship with Innovation Norway and had not applied for any form of credit.
Innovation Norway admitted that the assessments have been made in error, but added that they were carried out because it had been informed that a credit application was pending. However, it provided no evidence of any existing or pending customer relationship. In issuing the notification, the DPA said that the checks had no legal basis under Norwegian privacy rules, which follow the GDPR and certain local transitional regulations. A credit rating will usually show details about a company's finances, such as any payment remarks, voluntary mortgages and debt ratio. Credit information about a sole proprietorship can be seen as personal information, the DPA pointed out, as the company’s finances are often directly linked to the owner's personal finances.
Pursuant to the notice, the size of the fine could potentially change should Innovation Norway offer mitigating information regarding Covid-19.
Investigations by banks and other credit providers into the finances of non-customers are generally illegal pursuant to Norwegian law. The notice from the DPA confirms that a legitimate interest and objective need is required before credit assessments of individuals and sole proprietorships can be made.
Normally, credit checks can be carried out to determine whether a potential customer is creditworthy, for example before making a decision to grant a loan or before a landlord enters into an agreement with a tenant. However, a vague assumption that a person will become a customer is not sufficient grounds to perform such an assessment.
We recommend that banks and other credit providers should always be able to document that they are processing personal data in accordance with the law and that their internal procedures meet the requirements of legitimate interest and objectivity. Control of access to the personal data is an important part of this. An employee with access to credit checks should not share his login details with other employees. Furthermore, we recommend that credit providers always have routines in place for handling personal data breaches.