Experian might have beaten off claims its marketing practices breach UK data protection laws but when it comes to the credit reference business it seems the Dutch authorities are having none of it, with a new ruling not only sparking a €2.7m GDPR fine but also resulting in the firm shutting up shop in the Netherlands.
In a decision published late last week, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) ruled that the company violated GDPR by improperly using personal data it collected on negative payment behaviour, outstanding debts, and bankruptcies.
Experian also failed to adequately inform individuals about how it was using this information.
As is common practice in most markets, Experian created credit reports on individuals at the request of clients such as telecom companies, online retailers, and landlords.
This resultant score indicates a person’s ability to pay their bills and whether there is a risk of default. Experian’s clients use the credit score to decide whether and how individuals are eligible to purchase a product.
Experian collected data about people from various sources, both public and private. These included the Chamber of Commerce’s Trade Register, as well as telecom and energy companies that sell customer data. This allowed Experian to build a database containing information on a vast number of people in the Netherlands.
However, the Autoriteit Persoonsgegevens (AP) launched an investigation following a number of complaints from Dutch nationals about Experian’s practices.
AP chair Aleid Wolfsen explained: “People contacted us after they could no longer pay by instalments, or because they suddenly had to pay a high deposit when switching energy suppliers.
“Only afterwards did it become clear that this could be due to Experian’s credit scores. Because people weren’t aware of the credit check, they couldn’t check in time whether the information they used was accurate. I can imagine that’s incredibly frustrating.”
The investigation found that Experian had failed to adequately explain why this data collection was necessary. The company also admitted it had not properly considered that using sensitive data could have significant consequences for the individuals involved.
Experian has acknowledged violating the law and has said it will not appeal the fine.
Not only that, but the company has already ceased operations in the Netherlands and has said it will delete the database containing all this personal data later this year.
Related stories
ICO left with egg on its face as Experian sees off appeal
ICO appeals Experian ruling; ‘Tribunal got law wrong’
Experian ruling: ‘Industry can keep calm and carry on’
Experian claims victory as Tribunal blasts ‘flawed’ ICO
Experian lawyers set for long battle against ICO ruling
Experian given ultimatum to delete dodgy data or else
Be the first to comment on "Experian closes down Dutch operation after €2.7m fine"