Earlier this week, the Swedish Data Protection Authority issued an administrative fine against the website Mrkoll.se. The fine was set at 35 000 EUR for infringement of the GDPR and the Credit Information Act. Mrkoll.se published personal data, including credit information and records of criminal convictions, of more than 8 million Swedes.
The website had a publishing certificate under the Swedish Fundamental Law of Freedom to Expression, meaning that the GDPR does not apply for publishing activities. However, when publishing information on a person’s credit availability, the Credit Information Act applies including the applicable references to the GDPR. Furthermore, information on criminal convictions may not be published without an authorization from the Data Protection Authority in accordance with the Credit Information Act. Also, the authority stated that Mrkoll.se has violated the principle of data minimisation in article 5.1 (c) GDPR when publishing irrelevant, inadequate and too extensive amounts of personal data considering the purpose of providing credit information activities.
The large amount of affected data subjects, the fact that the personal data included information on criminal convictions and the discovery of the infringement through individuals’ complaints were all aggravating factors in the matter. At the time of writing, it is not yet decided if Mrkoll.se will appeal against the decision.
The decision can be found, in Swedish, under the link below:
If you would like to know more about this decision, credit information activities or need assistance with data protection legislation in general, please reach out to Alexander Berger, head of Data Privacy.