Updated: Apr 15, 2020
Two cases concerning Svea Ekonomi, a financial credit organisation, have been processed at the workplace of the Data Protection Ombudsman. As a result, the Data Protection Ombudsman has ordered the company to correct its practices in the processing of personal data related to the assessment of creditworthiness, the right of inspecting one’s own PII and notification practices.
The source of this article can be found here
One of the cases concerning Svea Ekonomi, concerned the personal data used to assess creditworthiness and the data subject’s right to inspect data concerning them. Furthermore, the office of the Data Protection Ombudsman began to process the matter concerning the company’s notification practices upon its initiative.
In its decision, the Data Protection Ombudsman stated that the use of a categorical upper age limit in assessing creditworthiness is not acceptable under the definition of credit information set out in the Credit Information Act. The mere age of the credit score applicant does no longer describe their solvency, willingness to pay or ability to deal with their commitments. Based on the account submitted by the company, the credit applicant’s financial position has not been taken into consideration at all in the automatic processing of the credit application.
The Data Protection Ombudsman also pointed out that the company’s online credit decision service should be considered automatic decision-making of the type referred to in Article 22 of GDPR, in which the decision is essential to conclude or implement an agreement between the company and the credit applicant.
In its decision, the Data Protection Ombudsman ordered that Svea Ekonomi change the processing of personal data related to assessing creditworthiness. The company must additionally provide the private person has complained about the matter with information on the logic employed in automatic decision-making, its role in making the credit decision as well as its consequences for the credit applicant.
The technique employed by Svea Ekonomi for assessing creditworthiness was also processed at the national Non-Discrimination and Equality Tribunal, which in its decision 216/2017, dated 21 March 2018, prohibited the organisation from repeating a procedure that is against the Equality Act and the Non-Discrimination Act.
The office of the Data Protection Ombudsman has also investigated Svea Ekonomi’s notification practices related to the automatic decision-making system used to assess creditworthiness. The Data Protection Ombudsman stated that the current notification practices do not sufficiently specify the logic of data processing so that the credit applicant could understand the grounds for the decision and ordered that such notification practices be changed.
Based at the Data Protection Ombudsman’s decision, Svea Ekonomi must notify by 30 April 2019 how it has changed its processing of personal data. According to the office of the Data Protection Ombudsman, Svea Ekonomi has not applied for a change in the decision, so the decision is legally enforceable.