Nusvar AB, website operator, fined EUR 35k

Essentials

Date of enforcement action:
16/Dec/2019
Jurisdiction: Fine imposed:
Sweden Flag for Sweden, which is the jurisdiction taking enforcement action EUR 35,000 (US$39,000)
Defendant company or entity: Industry segment:
Nusvar AB Technology /

Case summary

The Swedish DPA has issued an administrative fine of 35 000 EUR against Mrkoll.se – a website that publishes personal data of all Swedes above the age of 16 – for infringement of the Credit Information Act and the GDPR. The website has carried out credit information activity in a way that is not in compliance with the law.

The Swedish DPA has issued an administrative fine against the company Nusvar AB which runs the website Mrkoll.se. This website publishes personal data of all Swedes above the age of 16. In total, the database contains personal data of more than 8 million people. The administrative fine issued amounts to 35 000 EUR.

The decision addresses the interplay between the legislative frameworks for credit information activity, data protection and the constitutional protection of freedom of expression, says Hans Kärnlöf who led the investigation of the website.

The website in question has been granted a publishing certificate that provides it with a constitutional protection for the majority of its publishing activities, meaning that the GDPR does not apply under those circumstances.

The website did however publish information that a person does not have a record of non-payment. Information about payment defaults is considered to be credit information and for the publishing of such information the Credit Information Act applies, including its references to the GDPR. The website furthermore published information about records of criminal convictions. Such information is regulated in the GDPR and may not be published under the Credit Information Act without prior authorization from the Swedish DPA. The DPA has not issued any such authorization for this website.

Websites entrusted with a publishing certificate do not need prior authorization from the DPA to carry out credit information activity as such, but they must comply with the rules in the Credit Information Act. This website has not complied with these rules, says Hans Kärnlöf.

The decision concerns unlawful publications from December 2018 to April 2019. As of April 2019, the website no longer publishes information about records of non-payment. For that reason, the DPA’s decision will not affect how the website publishes information today.

Since May 2018 the Swedish DPA has received more than 750 complaints concerning websites that hold publishing certificates.

(Swedish DPA, Official Release)

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Swedish Data Protection Authority Flag for Sweden, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Not known

Cite this fine in your work

Data Privacy Fines Index. (2019-12-16 09:42) Nusvar AB, website operator, fined EUR 35k. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/nusvar-ab-website-operator-fined-eur-35k/

Entry last updated: 2020-01-12 11:15 GMT.