Data Protection Academy » Data Protection News » Data protection fine Swedish company

A person holds five euro notes in his hand. A symbolisation for the data protection fine Swedish company

Data protection fine for a Swedish company

Date: 18.12.2019

Responsible body: Nusvar as operator of the site Mrkoll.se

Nature of the data protection breach: Incorrect processing of credit information

Data protection fine for Swedish company Mrkoll.se by the Swedish data protection supervisory authority - a website which individual-related data of all Swedes aged 16 and over published - a data protection fine of 35,000 euros for breach of the Credit Information Act and the GDPR imposed. The website has processed credit information in a manner that does not comply with the law.

The decision addresses the interplay between the legal framework for credit information activities, the Data protection and the constitutional protection of freedom of expression, says Hans Kärnlöf, who led the investigation into the website.

The website in question was provided with a publication certificate which grants it constitutional protection for the bulk of its publication activity, so that the GDPR is not applicable in these circumstances.

However, information was published on the website that a person is insolvent. Information about financial difficulties is considered credit information and the publication of this information is governed by the Credit Information Act, including its references to the GDPR. Information on criminal records has also been published on the website. This information is regulated by the GDPR and, according to the Credit Information Act, may not be published without prior permission from the Swedish Data Protection Agency. The Swedish Data Protection Agency has not given any such permission for this website.

The decision concerns unlawful publications from December 2018 to April 2019, and from April 2019 onwards no information on solvency was published on the website. Therefore, the decision of the data protection authority will not affect how the website publishes information today.

Since May 2018, the Swedish Data Protection Agency has received more than 750 complaints about websites that have publication certificates.

Categories of data: Credit information

Fines: 35,000 euros

Country: Sweden

SourceEuropean Data Protection Board

Back to the overview of the data breaches

Nadine Porrmann
Latest posts by Nadine Porrmann (see all)

This might interest you too:

Examples of GDPR fines: what happens in data protection

GDPR infringements are punished with heavy fines. Find out which data protection infringements are suspected and secure yourself.

Data protection fine imposed on the Municipality of Oslo Education Authority

120.000 € because the security of the app "Skolemelding" for communication between school staff, parents and pupils was not guaranteed.

Data protection fine Swedish company

35,000 euros fine for violation of three Swedish laws at once. Information about creditworthiness published.