Blog details

Due to two cases concerning data protection, financial credit company Svea Ekonomi has to improve its practices when it comes to the processing of personal data related to the assessment of creditworthiness, the right of inspect one’s own personal data and notification practices.

One of the cases deals with the personal data of a data subject used to assess creditworthiness and the data subject’s right to inspect data concerning them.

The Office of the Data Protection Ombudsman continued to investigate the matter concerning the company’s notification practices upon its own initiative.  The Data Protection Ombudsman looked at the use of a categorical upper age limit in assessing creditworthiness, and stated that it is notacceptable under the definition of credit information set out in the Credit Information Act.

Svea Ekonomi was ordered to change the processing of personal data related to assessing creditworthiness. The data subject also needs to be provided with information on the logic employed in automatic decision-making, its role in making the credit decision as well as its consequences for the credit applicant, as, according to the Ombudsman, the company’s on-line credit decision service should be considered automatic decision-making of the kind referred to in Article 22 GDPR.

Pursuant to the Article 22 and recital 71 GDPR, “In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.”

Furthermore, Svea Ekonomi’s notification practices related to the automatic decision-making system used to assess creditworthiness, was also investigated. The investigation found that the notification practices is insufficient in specifying the logic of data processing so that the credit applicant could understand the grounds for the decision and ordered that such notification practices be changed.

Svea Ekonomi had until the 30th April 2019 to implement the changes based on the Data Protection Ombudsman’s decision.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.