Data protection fine for a Swedish company
Responsible body: Nusvar as operator of the site Mrkoll.se
Nature of the data protection breach: Incorrect processing of credit information
The Swedish data protection supervisory authority has imposed a data protection fine of 35,000 euros on the Swedish company Mrkoll.se, a website that published personal data of all Swedes aged 16 and over, for breach of the Credit Information Act and the GDPR. The website processed credit information in a manner that does not comply with the law.
The decision addresses the interplay between the legal framework for credit information activities, data protection and the constitutional protection of freedom of expression, says Hans Kärnlöf, who led the investigation into the website.
The website in question was provided with a publication certificate which grants it constitutional protection for the bulk of its publication activity, so that the GDPR is not applicable in these circumstances.
However, information was published on the website that a person is insolvent. Information about financial difficulties is considered credit information and the publication of this information is governed by the Credit Information Act, including its references to the GDPR. Information on criminal records has also been published on the website. This information is regulated by the GDPR and, according to the Credit Information Act, may not be published without prior permission from the Swedish Data Protection Agency. The Swedish Data Protection Agency has not given any such permission for this website.
The decision concerns unlawful publications from December 2018 to April 2019, and from April 2019 onwards no information on solvency was published on the website. Therefore, the decision of the data protection authority will not affect how the website publishes information today.
Since May 2018, the Swedish Data Protection Agency has received more than 750 complaints about websites that have publication certificates.
Categories of data: Credit information
Fines: 35,000 euros
Source: European Data Protection Board