Finnish Data Protection Authority started investigation upon a data subject's complaint

Finnish DPA ordered a company to change its data processing practices

An article published recently in Helsingin Sanomat reported that the Finnish Data Protection Authority had ordered a payment and financing solutions company to correct its data processing practices.

The Finnish DPA started an investigation into a Swedish company called Svea Ekonomi after a complaint was made by a Finnish citizen called Krister Linden.

Assessing creditworthiness based on personal data 

An 83-year-old man, Krister Linden, purchased building supplies. The shop promised to send him an invoice so that he could pay for the supplies later.

The shop had outsourced its invoicing service to a large Swedish financial company called Svea Ekonomi, which also operates in Finland.

The next day Mr Linden received a call from Svea Ekonomi telling him that he was not eligible for credit and that he had to pay the shop directly for the supplies.

Mr Linden then requested access to his personal data and an explanation for the negative credit decision.

Svea Ekonomi refused to hand over the information, stating that automated decision-making processes are part of the company’s trade secrets. That is when Mr Linden decided to submit a complaint to the Finnish Data Protection Authority.

Age in assessing creditworthiness is not acceptable practice

The authority found that Svea Ekonomi was using certain categories of personal data, such as high age and place of residence, as grounds for automatically rejecting creditworthiness.

As a result of the investigation, the authority ordered Svea Ekonomi to change its processing practices, as a categorical upper age limit in assessing creditworthiness is not an acceptable practice.

Also, the authority stated that all data subjects must have access to their processed personal information and the logic of automated decision-making processes according to Article 22 of the GDPR. 


Original source of the article: Pelkkä ikä riitti tekemään Krister Lindénistä, 83, luottokelvottoman – Rahoitusyhtiö Svea Ekonomi on tehnyt luottopäätöksiä myös äidinkielen ja sukupuolen perusteella
