CASES, SANCTIONS AND CLAIMS
- (2020, Mar) The Croatian DPA has imposed a fine of EUR 20m on one of the credit institutions in Zagreb for failing to provide data subjects with copies of their personal data undergoing processing (Article 15(3) of the GDPR).
- (2019, Apr) Swedish Data Protection Ombudsman ordered a financial credit company to change the way it performs the creditworthiness assessment. An upper age limit, without considering other solvency indicators, is not acceptable based on national credit information legislation. The company’s online credit decision process was also deemed by the Ombudsman as being a solely automated decision-making process under GDPR Article 22.
- (2019, Apr) In Finland, two financial services companies have been ordered to correct their practices regarding the processing of personal data for assessing creditworthiness.
- (2019, May) Lithuanian DPA fines e-payment company.
- (2019, Jul) The Dutch DPA said that banks may not use payment data for marketing purposes.
- (2020, Jul) Noyb.eu has filed a GDPR complaint against the credit rating agency “CRIF”, which is active in over 28 countries.
- (2020, Oct) The Norwegian Data Protection Authority has issued Odin Flissenter AS an administrative fine of EUR 13,905 for performing a credit check of a sole proprietorship without having a lawful basis for the processing.
REPORTS AND ARTICLES FROM OTHER ORGANISATIONS
- (2019, Apr) Hong Kong Privacy Commissioner for Personal Data: brief to the banking industry on the use of personal data in the digital era.
- (2019, May) Bloomberg: Who to Sue When a Robot Loses Your Fortune.
- (2019, Aug) Facebook’s Libra digital currency: leading data protection institutions publish joint statements on their privacy expectations.
- (2019, Oct) Mastercard Establishes Principles for Data Responsibility.
- (2020, Jan) The interaction between PSD2 and GDPR is analyzed in this article by Dilja Helgadottir.
OFFICIAL GUIDELINES, REPORTS AND STATEMENTS
- (2017, Jan) FCA (UK): 2016 feedback statement following its Call for Input on Big Data in retail general insurance. The feedback statement highlighted stakeholders’ concerns about the use of data and data protection issues.
- (2017, Dec) ESMA (European Securities and Markets Authority): Joint Committee Discussion Paper on the Use of Big Data by Financial Institutions.
- (2019, Oct) Italian DPA: ‘Code of conduct for credit reporting systems operated by private entities regarding consumer credit, creditworthiness and punctuality in payments’.
- Italian DPA: FAQ on the topic of access to banking data.
- (2020, Jan) European Banking Authority (EBA): report on key challenges in the roll out of Big Data and Advanced Analytics.
- (2020, Jul) EDPB: Guidelines 6/2020 on the interplay of the Second Payment Services Directive and the GDPR.