The Swedish DPA has issued an administrative fine against the company Nusvar which runs the website Mrkoll.se. This website publishes personal data of all Swedes above the age of 16. In total, the database contains personal data of more than 8 million people. The administrative fine issued amounts to 35 000 EUR.
- The decision addresses the interplay between the legislative frameworks for credit information activity, data protection and the constitutional protection of freedom of expression, says Hans Kärnlöf who led the investigation of the website.
The website in question has been granted a publishing certificate that provides it with a constitutional protection for the majority of its publishing activities, meaning that the GDPR does not apply under those circumstances.
The website did however publish information that a person does not have a record of non-payment. Information about payment defaults is considered to be credit information and for the publishing of such information the Credit Information Act applies, including its references to the GDPR. The website furthermore published information about records of criminal convictions. Such information is regulated in the GDPR and may not be published under the Credit Information Act without prior authorization from the Swedish DPA. The DPA has not issued any such authorization for this website.
- Websites entrusted with a publishing certificate do not need prior authorization from the DPA to carry out credit information activity as such, but they must comply with the rules in the Credit Information Act. This website has not complied with these rules, says Hans Kärnlöf.
The decision concerns unlawful publications from December 2018 to April 2019. As of April 2019, the website no longer publishes information about records of non-payment. For that reason, the DPA's decision will not affect how the website publishes information today.
Since May 2018 the Swedish DPA has received more than 750 complaints concerning websites that hold publishing certificates.