Denmark has issued new guidance affecting multinational credit reporting agencies such as Dublin-based Experian PLC and Stockholm-based Bisnode AB that’s designed to bring its data rules fully in line with the European Union’s strict privacy regulation.
The changes include stipulating exceptions to the requirement that credit reporting bureaus inform data subjects about the information held on them.
The adjustments, which also apply to domestic credit agencies, better align Danish law with the EU’s General Data Protection Regulation, Data Protection Agency spokesman Anders Due said. The GDPR tightened data handling procedures across the bloc and set maximum fines for violations of 20 million euros ($22 million), or 4% of annual revenues, whichever is higher.
“Credit scores or details of debt are considered by most people to be very sensitive personal information,” said Michael Gorm Madsen, a lawyer with Bird and Bird. “Credit agencies are urged to study the new guidance carefully to ensure that they conform to the current requirements.”
The guidance stipulates that credit agencies may be exempt from informing data subjects about the information they hold if the duty to inform is outweighed by compelling public or private interests, or if providing the information is impossible or would require a disproportionate effort.
Under both the existing rules and the new guidance, companies are obliged to disclose what personal information they’re holding regardless of whether a data subject has requested it.
The guidance also spells out what companies must do to get a DPA permit to operate in Denmark, including using up-to-date technology, following approved data handling processes, and appointing a data controller.
Also, credit bureaus can only process personal data relevant to a particular credit report; only distribute information on an individual’s creditworthiness to the customer who requested the report; not use data from one individual as the basis to assess the credit of a second person; and not process information more than five years old unless it’s essential to a credit assessment, according to the guidance.
The guidance further stipulates when credit bureaus can transfer information on personal debt owed to public institutions, such as parking fines or student loans. The information can only be transferred if the debt exceeds 7,500 kroner ($1,100), and can’t be transferred if the data subject is in compliance with an agreed payment plan, according to the guidance.
Experian and the industry group Danish Credit Council declined to immediately respond to questions.