
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has imposed a €2.7 million fine on Experian Nederland for unlawfully processing personal data and failing to adequately inform individuals about how their information was being used.
The company has acknowledged the violations and will permanently delete its data holdings in the Netherlands.
The investigation was launched after the AP received multiple complaints from individuals who were unexpectedly denied payment options or faced unusually high deposits when switching service providers. These events were later traced back to credit scores produced by Experian, which had not been disclosed to the affected individuals. According to AP chairman Aleid Wolfsen, this lack of transparency prevented people from verifying the accuracy of the information used against them.
Experian, a major global provider of credit scoring and data analytics, had until January 1, 2025, been generating creditworthiness reports for clients, including telecom providers, online retailers, and landlords. These reports assessed individuals' financial behavior, including payment defaults, outstanding debts, or bankruptcies, and assigned them a credit score. Based on this score, Experian's clients would decide whether to approve a purchase on credit, issue a phone contract, or determine the financial conditions for services offered.
While Experian's services played a role in risk assessment for businesses, they also had tangible consequences for consumers. Higher credit scores could lead to more favorable loan terms or reduced deposits, while lower scores might result in outright rejection or increased financial burdens. Yet many of the people affected were unaware that such a score had been created or used to evaluate them.
The AP found that Experian collected data from a wide range of both public and private sources to build its scoring models. These included data from the Dutch Chamber of Commerce (KvK), as well as customer data sold by telecom and energy companies. However, the company failed to justify the necessity of collecting certain categories of data and, more critically, did not obtain proper consent from individuals or provide adequate notice of data usage. Some of the information used was sensitive and had the potential to significantly impact people's access to services and financial stability.
The regulator concluded that Experian's data practices violated the General Data Protection Regulation (GDPR) on multiple fronts: lack of lawful basis for processing, insufficient transparency, and failure to conduct proper data protection impact assessments, particularly regarding the processing of sensitive personal data.
Experian has since ceased its operations in the Dutch market and confirmed it will delete all personal data collected in the Netherlands before the end of the year. It has opted not to appeal the decision, effectively accepting both the fine and the conclusions of the AP's investigation.