An article was published recently in the Helsingin Salomat about the Finnish Data Protection Authority who had ordered a payment and financing solution company to correct its data processing practises.
The Finnish DPA started an investigation into the Swedish company called Svea Ekonomi after a complaint was made by a Finnish citizen called Krister Linden.
Assessing creditworthiness based on personal data
An 83-year-old man, Krister Linden purchased building supplies. The shop promised to send him an invoice, so he can pay for the supplies later.
The shop outsourced the invoicing service to a large Swedish financial company called Svea Ekonomi who operates also in Finland.
The next day Mr Linden received a call from Svea Ekonomi that told him he wasn’t applicable for credit and that he had to pay for the supplies directly to the shop.
Mr Linden then requested access to his personal data and explanation for the negative credit decision.
Svea Ekonomi refused to hand over the information, stating that automated decision-making processes are part of the company’s trade secrets. That is when Mr Linden decided to submit a complaint to the Finnish Data Protection Authority.
Age in assessing creditworthiness is not acceptable practice
The authority found that Svea Ekonomi was using certain personal data categories as an automatic rejection of creditworthiness, such as high age and place of residence.
As a result of the investigation the authority ordered Svea Ekonomi to change their processing practises as categorical upper limit age in assessing creditworthiness is not acceptable practice.
Also, the authority stated that all data subjects must have access to their processed personal information and the logic of automated decision-making processes according to Article 22 of the GDPR.
Read more: What is a Data Processing Agreement (DPA)?