Icelandic SA fines eCommerce 2020 ApS EUR 50 204 for processing credit information without a legal basis

27 June 2023

Background information

  • Date of decision: 27 June 2023
  • Cross-border case or national case: National case
  • Controller: eCommerce 2020 ApS
  • Legal references: Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing)
  • Decision: Administrative fine
  • Key words: Administrative fine, Lawfulness of processing, Transparency, Credit information agency


Summary of the Decision


Origin of the case

In June 2020 the Icelandic DPA received a complaint from the Consumers’ Association of Iceland regarding the processing of personal data by the credit information agency Creditinfo Lánstraust hf. According to Article 15 of the Icelandic Data Protection Act the operation of credit reference agencies and the processing of information concerning financial matters and the credit ratings of individuals in order to disclose it to others requires a licence from the Icelandic DPA. According to Creditinfo Lánstraust hf.’s licence it is permitted to register defaults when the loan or debt document from which the debt is derived clearly stipulates the authorization to register defaults that have lasted for a minimum of 40 days. Following the investigation of that case, the DPA started an own volition investigation against the loan company eCommerce 2020 ApS, and found that the company had sent information regarding defaults and personal data to the credit information agency, from June 2018 to May 2019, without the necessary provisions on the effect of default having been included in the company’s loan terms and conditions.


Key Findings

  • Failure to demonstrate a lawful ground for all processing operations (Article 6 (1) GDPR)
  • Failure to comply with the obligation to process personal data lawfully, fairly and in a transparent manner (Article 5(1)(a) GDPR)



No provision that clearly stipulates the authorization to register defaults that have lasted for 40 days was to be found in eCommerce 2020 ApS’s loan terms and conditions. The Icelandic DPA considered that the registration of defaults on the loans in question could only have been justified by a provision like that. Therefore, the Icelandic SA concluded that eCommerce 2020 ApS had processed data unlawfully and against Articles 5(1)(a) and 6(1) GDPR, as the company could not rely on any legal basis. Furthermore, the Icelandic SA imposed a fine of app. EUR 50 204 (ISK 7,500,000) on eCommerce 2020 ApS.


For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.