Experian Netherlands, a subsidiary of one of the world’s largest credit reporting and data analytics companies, has been hit with a hefty EUR 2.7 million fine for serious violations of the General Data Protection Regulation (GDPR). The penalty was imposed by the Dutch Data Protection Authority (AP) after an investigation revealed the company was improperly collecting and utilizing personal data from a multitude of sources. Experian used both public and private information to construct credit scores and risk assessments, yet it failed to notify the affected customers that their data was being processed. This lack of transparency and consent is at the heart of the regulatory action, which has garnered significant attention given Experian’s global role in the financial services sector.
The AP launched its investigation following complaints from individuals who were experiencing financial difficulties, such as being unable to secure installment plans or facing high upfront deposits when switching utility providers. The agency determined that the root of these problems lay in the credit scores Experian was supplying to service providers and vendors, which directly influenced interest rates and deposit requirements. The core issue, as stated by AP chair Aleid Wolfsen, was that “Because people weren’t aware of the credit check, they couldn’t check in time whether the information they used was accurate.” This lack of awareness prevented individuals from challenging potentially erroneous data that was negatively impacting their financial standing.
The investigation uncovered that Experian compiled its extensive database—which contained key information on “a vast number of people in the Netherlands”—by collecting data from diverse sources. These included the Chamber of Commerce trade register as well as information purchased from telecom and energy companies. The AP concluded that in gathering and processing data on negative payment behavior, outstanding debts, and bankruptcies for the purpose of credit assessments, Experian repeatedly failed to adhere to fundamental GDPR principles. Specifically, it neglected to inform people about the collection of their personal data, obtain the necessary consent for processing it, or provide a legitimate justification for why the data needed to be gathered in the first place.
As a direct consequence of the regulatory findings, the AP imposed the significant fine on the organization. Notably, Experian Netherlands chose not to appeal the ruling, instead acknowledging the unlawful nature of its data processing activities. The company had been providing these credit assessments to its clients until January 1, 2025, but its operations in the Netherlands have now been entirely halted. This immediate action underscores the seriousness of the regulatory breach and the firm’s acceptance of responsibility.
The resolution to the case demonstrates a decisive enforcement of GDPR regulations by the Dutch authorities. In addition to ceasing all operations, Experian Netherlands has made a commitment to permanently delete its entire database of collected personal data before the end of the current year. This move ensures that the improperly gathered information will be destroyed, closing the book on an operation that was found to have systematically violated the data privacy rights of numerous individuals within the Netherlands.