• (2020, Mar) The Croatian DPA has imposed a fine of EUR 20m on one of the credit institutions in Zagreb for failing to provide data subjects copies of their personal data undergoing processing (Article 15 (3) of the GDPR).
  • (2019, Apr) Swedish Data Protection Ombudsman ordered a financial credit company to change the way it performs the creditworthiness assessment. An upper age limit, without considering other solvency indicators, is not acceptable based on national credit information legislation. The company’s online credit decision process was also deemed by the Ombudsman as being a solely automated decision-making process under GDPR Article 22.
  • (2019, Apr) In Finland, two financial services companies have been ordered to correct their practices regarding the processing of personal data for assessing creditworthiness.
  • (2019, May) Lithuanian DPA fines e-payment company.
  • (2019, Jul) The Dutch DPA said that Banks may not use payment data for marketing purposes.
  • (2020, Jul) has filed a GDPR complaint against the credit rating agency “CRIF”, which is active in over 28 countries.
  • (2020, Oct) The Norwegian Data Protection Authority has issued Odin Flissenter AS an administrative fine of EUR 13,905 for performing a credit check of a sole proprietorship without having a lawful basis for the processing.



  • (2017, Jan) FCA (UK): 2016 feedback statement following its Call for Input on Big Data in retail general insurance. The feedback statement highlighted stakeholders’ concerns about the use of data and data protection issues.
  • (2017, Dec) ESMA (European Securities and Markets Authority): Joint Committee Discussion Paper on the Use of Big Data by Financial Institutions.
  • (2019, Oct) Italian DPA: ‘Code of conduct for credit reporting systems operated by private entities regarding consumer credit, creditworthiness and punctuality in payments’.
  • Italian DPA: FAQ on the topic of access to banking data.
  • (2020, Jan) European Banking Authority (EBA): report on key challenges in the roll out of Big Data and Advanced Analytics.
  • (2020, Jul) EDPB: Guidelines 6/2020 on the interplay of the Second Payment Services Directive and the GDPR.