Finnish Data Protection Authority started investigation upon a data subject's complaint

Finnish DPA ordered a company to change their data processing practices

An article was recently published in Helsingin Sanomat about the Finnish Data Protection Authority, which had ordered a payment and financing solution company to correct its data processing practices.

The Finnish DPA started an investigation into the Swedish company called Svea Ekonomi after a complaint was made by a Finnish citizen called Krister Linden. 

Assessing creditworthiness based on personal data 

An 83-year-old man, Krister Linden, purchased building supplies. The shop promised to send him an invoice so that he could pay for the supplies later.

The shop had outsourced its invoicing service to a large Swedish financial company called Svea Ekonomi, which also operates in Finland.

The next day Mr Linden received a call from Svea Ekonomi and was told that he was not eligible for credit and that he had to pay for the supplies directly to the shop.

Mr Linden then requested access to his personal data and an explanation for the negative credit decision.

Svea Ekonomi refused to hand over the information, stating that automated decision-making processes are part of the company’s trade secrets. That is when Mr Linden decided to submit a complaint to the Finnish Data Protection Authority.

Age in assessing creditworthiness is not acceptable practice

The authority found that Svea Ekonomi was using certain categories of personal data, such as high age and place of residence, as grounds for automatically rejecting creditworthiness.

As a result of the investigation, the authority ordered Svea Ekonomi to change its processing practices, as a categorical upper age limit in assessing creditworthiness is not acceptable practice.

Also, the authority stated that all data subjects must have access to their processed personal information and the logic of automated decision-making processes according to Article 22 of the GDPR. 

Original source of the article: Pelkkä ikä riitti tekemään Krister Lindénistä, 83, luottokelvottoman – Rahoitusyhtiö Svea Ekonomi on tehnyt luottopäätöksiä myös äidinkielen ja sukupuolen perusteella
