Credit Information Act: new rules for credit assessments and processing of personal data
This article provides an overview of key issues in the new Credit Information Act which businesses must be aware of to ensure compliance with the new regulations.
On 1 July 2022, the new Credit Information Act (Nw: kredittopplysningsloven) with regulations (Nw: kredittopplysningsforskriften) entered into force. At the same time, the transitional provisions on the processing of personal data (only in Norwegian) were repealed.
Who does the new Credit Information Act apply to?
The new provisions related to credit assessments are relevant to
- credit reporting companies which carry out credit assessments for businesses; and
- businesses which order credit assessments through such companies.
What is a credit assessment, and why is it relevant for processing of personal data?
A credit assessment shows details of the finances of the individual and/or the company in question, such as any payment notices, voluntary pledges and debt ratio. Individuals have, according to applicable data protection laws, certain rights to have their privacy and personal data protected in relation to such activity. The Norwegian Data Protection Authority receives many inquiries from private individuals who have been subject to a credit assessment, from businesses that would like to carry out credit assessments, and from credit reporting companies. In Norway, there have been several cases where companies have been subject to administrative fines for not complying with applicable laws.
Businesses no longer need licences in order to run a credit reporting company
Under the Credit Information Act, businesses are no longer required to apply for a licence from the Norwegian Data Protection Authority (NDPA) to run a credit reporting company. This means that the NDPA will supervise compliance with the regulations through inspections instead of pre-approving processing through licence applications. Licences granted under the previous licensing scheme are simultaneously annulled.
Sole proprietorships must be treated as natural persons (data subjects)
The Credit Information Act requires all sole proprietorships (Nw: enkeltpersonforetak) to be treated as natural persons/data subjects. This means that
- all sole proprietorships get the same rights as natural persons, for example, right to access and information,
- the obligation to send a counterpart letter (Nw: gjenpartsbrev) will also apply when a sole proprietorship is subject to a credit assessment, and
- there are certain restrictions on which sources can be used to obtain information about sole proprietorships, and which types of information can be registered in credit assessments.
Those who do not want to be subject to a credit assessment can register a credit freeze
A credit freeze is the process by which a person, by contacting a credit reporting company, blocks anyone from carrying out credit assessments about himself/herself. The right to register a credit freeze expressly applies to everyone who is registered with a credit reporting company, including sole proprietorships and legal entities. Anyone who wants to register or cancel a credit freeze must provide identification using an electronic ID. However, this might in turn mean that those who have decided to register a credit freeze may not be able to start subscriptions or take out loans.
The persons subject to credit assessments must receive counterpart letters and be informed
Upon conducting a credit assessment, the credit reporting company has an obligation to send a counterpart letter, e.g. via physical or electronic mail, to the person in question. The information must, among other things, include the sources from which the information in question is obtained, who the recipient of the information is and the date of the credit assessment.
Furthermore, the business that orders a credit assessment also has a separate obligation to provide notification to relevant persons with information about why they are being credit assessed, what legal basis there is for the credit assessment, and what the credit assessment is to be used for (see Articles 12 and 14 of the GDPR). You can read more about the information requirements in the NDPA's guidelines (only available in Norwegian).
Sources that can be used
Section 9 of the Credit Information Act includes a list of sources which can be used in credit assessments. The list also now includes the collective term "publicly available sources". Information on publicly available basic data must only be obtained from the Brønnøysund registers. The NDPA indicates that the rules for which types of information can be registered and the principle of accuracy under the GDPR will in practice limit which sources can be considered and used within the scope of "publicly available sources". For example, media (television, newspapers etc.) as a publicly available source cannot be used when collecting credit information on natural persons and sole proprietorships.
Other matters to keep in mind from a data protection perspective
- Justifiable need (Nw: saklig behov) for disclosure of information: Credit information companies are only allowed to hand over credit information to recipients who have a justifiable need for the information in connection with an assessment of creditworthiness. The recipient has to be able to demonstrate a customer relationship, or a connection to the data subject and/or the company in question, which could justify the credit assessment.
- Legal bases: The credit reporting companies must have a legal basis for handing out the credit assessment under the Credit Information Act, and the business ordering the credit assessment must have a legal basis for receiving it and using it. The NDPA provides detailed and specialised guidelines to both credit reporting companies (only available in Norwegian) and businesses ordering credit assessments through such companies (only available in Norwegian) with respect to the requirements of a valid legal basis.
- Types of information that can be registered: Special categories of personal data and information about criminal convictions and offences, with the exception of information about accounting offences, shall not be processed in credit reporting activities. Debt collection information relating to a disputed claim must also not be processed in credit reporting activities. All disclosure of credit information must be in writing. It is therefore no longer possible to hand out information orally.
- Period for use and deletion of information: In principle, information must not be processed in credit reporting activities for longer than four years from when the information was first legally registered. Specific rules on periods for use and deletion are regulated in Chapter 5 of the Credit Information Act.
- Historical archive: The new laws clarify that the information in the historical archive must be deleted or anonymised when storing it in an identifiable form is no longer necessary for the purpose. The absolute deadline of 10 years for deletion or anonymisation of information in historical archives still applies.
Summary – concluding remarks
The new Credit Information Act brings significant changes to the legal framework surrounding credit assessments as well as continuing some of the key requirements from the previous laws. Businesses which provide credit reporting services and businesses which order credit assessments for their customers or employees must familiarise themselves with the new framework and make sure that their services and operations are in line with the laws in effect.
Wikborg Rein has extensive experience and expertise in data protection and privacy compliance as well as competence to assist companies in relation to rules around processing of personal data as part of credit assessments. Please contact our partner Gry Hvidsten or our senior associate Wegard Kyo Bergli for assistance on the rules relating to credit assessments and processing of personal data and for other privacy related questions.