Experian Fined €2.7 Million by Dutch Regulator Over GDPR Breaches
Key Takeaways
- AP Upholds GDPR Violations: The Dutch Data Protection Authority (AP) confirmed that Experian unlawfully processed personal data and failed to properly inform individuals.
- €2.7 million Sanction Imposed: Following a re-examination of an earlier decision, AP set the final penalty at €2,700,000.
- Transparency Failings Identified: AP found Experian breached Articles 12 and 14 GDPR, and therefore the Article 5(1)(a) principle of fairness and transparency.
- Invalid Legal Basis: Experian’s use of “legitimate interest” under Article 6(1)(f) did not satisfy the necessity and balancing tests under GDPR.
- Service Terminated: Experian ended its Dutch credit-information services on January 1, 2025 and is working to dismantle and delete related data.
Deep Dive
The Dutch data protection authority has finalized a €2.7 million fine against Experian Nederland B.V. after concluding the company processed personal data without a lawful basis and failed to properly notify affected individuals. The ruling replaced an earlier decision from December 2023 following Experian’s formal objection.
Experian provided a “Credit Check” service used by clients to assess a consumer’s ability to enter into a contract, such as a subscription or rental agreement. AP determined that Experian itself, rather than its UK parent company, decided how and why personal data were processed, making it the controller responsible under GDPR.
Regulators found that individuals whose data were collected, including from non-public sources, were not adequately informed about that processing, their rights, or the legal grounds involved. AP also rejected Experian’s reliance on legitimate interest as a legal basis, stating the company had not demonstrated strict necessity or a balance favorable to individual rights, especially where negative payment histories or bankruptcies could severely affect access to essential services.
AP noted that Experian’s lack of a direct relationship with data subjects reinforced the conclusion that individuals would not reasonably expect such processing. Safeguards introduced by the company were considered insufficient to reduce the impact.

