Swedish DPA issues fine on organisation entrusted with publishing certificate

Updated: Apr 15, 2020

The Swedish DPA has issued an administrative fine of 35000 EUR towards Mrkoll.se – a site that publishes personal data of all Swedes above the age of 16 – for infringement of the credit information Act and the GDPR.

The site has carried out credit information activity in a way that isn’t in compliance with the regulation.

The source of this article can be found here

The Swedish DPA has issued an administrative fine towards the organisation Nusvar which runs the site Mrkoll.se. This site publishes personal data of all Swedes above the age of 16. In total, the database contains personal data of more than 8 million people. The fine issued amounts to 35000 EUR.

The decision addresses the interplay between the legislative frameworks for credit information activity, data protection and the constitutional protection of freedom of expression, says Hans kärnlöf who led the investigation of the site.

The site in question has been granted a publishing certificate that provides it with constitutional protections for the majority of its publishing activities, meaning that the GDPR does not apply underneath those circumstances.

The site did, however, post information that a person does not have a record of non-payment. Information about payment defaults is considered to be credit information and for the publishing of such information, the credit information Act applies, including its references to the GDPR. The site furthermore published information about records of criminal convictions. Such information is regulated in the GDPR and may not be posted under the credit information Act without prior authorisation from the Swedish DPA. The DPA has not issued any such authorization for this site.

Sites entrusted with a publishing certificate do not need prior authorization from the DPA to carry out credit information activity as such, but they must comply with the guidelines in the credit information Act. This site has not complied with these rules, says Hans kärnlöf.

The decision concerns unlawful publications from December 2018 to April 2019. As of April 2019, the site no longer publishes information about records of non-payment. For that reason, the DPA’s decision will not affect how the site publishes information today.

Since may 2018 the Swedish DPA has received more than 750 complaints concerning sites that hold publishing certificates.