The Dutch Data Protection Authority (AP) has fined Experian Netherlands EUR 2.7 million for multiple violations of the EU General Data Protection Regulation (GDPR), the regulator said. It is stated that Experian acknowledged the unlawful nature of its activities and said it will not appeal the decision.
The AP said Experian used personal data collected from multiple public and private sources without informing individuals or obtaining consent. The investigation followed complaints from people who reported they could no longer pay instalments or were charged high deposits when switching energy providers, the AP said.
Aleid Wolfsen, chair of the AP, said those affected could not check in time whether the information used in credit checks was accurate because they had not been informed of the checks.
The AP found Experian collected data from sources including the Chamber of Commerce trade register and from telecom and energy companies that sold customer information, and used these inputs to build a large database covering a vast number of people in the Netherlands.
The agency said that until Jan. 1, 2025, Experian provided credit assessments to clients that used data such as negative payment behaviour, outstanding debts or bankruptcies, and that this processing was unlawful under the GDPR.
As a result of the AP’s findings, Experian Netherlands has ceased operations in the country and pledged to delete its entire database of personal data before the end of the year, the article reports. It is unknown how many individuals were affected or whether other Experian units outside the Netherlands face separate enforcement.