The Dutch Data Protection Authority (AP) is fining Experian Netherlands €2.7 million for unlawful use of personal data.
The Dutch Data Protection Authority (AP) has imposed a fine of €2.7 million on Experian Netherlands, which specializes in credit reporting and data analysis. Until January 1, 2025, the company provided credit ratings to clients and used personal data for this purpose, such as information on payment arrears, outstanding debts, and bankruptcies. According to the AP, Experian improperly used this data and did not adequately inform those involved. The company acknowledges the errors and will therefore not appeal.
Credit Rating without Knowledge
Until January 1, 2025, Experian prepared creditworthiness reports for clients such as webshops, telecom companies, and landlords. Based on payment behavior, outstanding debts, and bankruptcies, among other things, the company determined whether a person was creditworthy. These reports played a role in decisions about, for example, allowing payment in installments or entering into a telephone subscription.
The credit scores that Experian drew up had direct consequences for consumers. A high score could lead to more favorable conditions, such as a lower interest rate. A low score could mean that someone was rejected or had to pay a higher deposit.
The Dutch Data Protection Authority (AP) started the investigation into Experian after receiving complaints from consumers. They only discovered afterwards that their credit score was the reason for rejection or higher costs when, for example, changing energy suppliers. According to AP Chairman Aleid Wolfsen, this prevented people from checking whether the information was correct in time.
Insufficient Transparency
The investigation shows that Experian collected personal data from various sources, including the Trade Register and commercial parties such as telecom companies. The company built up an extensive database with this, without sufficiently demonstrating why certain data were necessary. According to the AP, in some cases it concerned sensitive information, the use of which was not sufficiently substantiated.
read also
Sunweb Group Acknowledges Data Breach Following Phishing Attack via External Email Server
In addition, Experian did not adequately inform consumers that their data was being processed for credit ratings. In doing so, the company violated the obligation to provide information under privacy legislation.
Experian acknowledges the errors and will not appeal against the fine. The company has now stopped the activities in question in the Netherlands. Before the end of this year, it will remove the entire database with collected personal data.