Finnish Data Protection Authority started investigation upon a data subject's complaint

Finnish DPA ordered a company to change its data processing practices

An article was published recently in Helsingin Sanomat about the Finnish Data Protection Authority, which had ordered a payment and financing solution company to correct its data processing practices.

The Finnish DPA started an investigation into the Swedish company called Svea Ekonomi after a complaint was made by a Finnish citizen called Krister Linden. 

Assessing creditworthiness based on personal data 

An 83-year-old man, Krister Linden, purchased building supplies. The shop promised to send him an invoice so that he could pay for the supplies later.

The shop outsourced the invoicing service to a large Swedish financial company called Svea Ekonomi, which also operates in Finland.

The next day Mr Linden received a call from Svea Ekonomi telling him that he was not eligible for credit and that he had to pay for the supplies directly to the shop.

Mr Linden then requested access to his personal data and an explanation for the negative credit decision.

Svea Ekonomi refused to hand over the information, stating that automated decision-making processes are part of the company’s trade secrets. That is when Mr Linden decided to submit a complaint to the Finnish Data Protection Authority.

Age in assessing creditworthiness is not acceptable practice

The authority found that Svea Ekonomi was using certain categories of personal data, such as high age and place of residence, as grounds for automatically rejecting creditworthiness.

As a result of the investigation, the authority ordered Svea Ekonomi to change its processing practices, as a categorical upper age limit in assessing creditworthiness is not an acceptable practice.

Also, the authority stated that all data subjects must have access to their processed personal information and the logic of automated decision-making processes according to Article 22 of the GDPR. 


Original source of the article: Pelkkä ikä riitti tekemään Krister Lindénistä, 83, luottokelvottoman – Rahoitusyhtiö Svea Ekonomi on tehnyt luottopäätöksiä myös äidinkielen ja sukupuolen perusteella
