Dutch regulator fines Experian Netherlands €2.7M for unlawful data use
Experian Netherlands has been fined EUR 2.7 million by the Dutch Data Protection Authority (AP) for multiple breaches of the General Data Protection Regulation (GDPR). The AP found that Experian collected and processed personal data from various public and private sources without properly informing the individuals involved or obtaining lawful grounds for such processing. The data included negative payment behavior, outstanding debts, and bankruptcy information used to generate credit assessments supplied to service providers and sellers.
Complaints from consumers who faced higher deposits or were denied services prompted the AP investigation. Many affected individuals were unaware that a credit check had occurred and therefore could not verify or correct the information before it influenced commercial decisions. The AP determined that Experian’s practices prevented timely access to and rectification of data, undermining key GDPR rights such as transparency and accuracy.
Experian sourced data from the Chamber of Commerce register, telecom and energy companies, and other providers to build an extensive database covering a large number of people in the Netherlands. The AP concluded that the firm failed to justify its data collection and did not meet GDPR requirements for lawful processing, information provision, and purpose limitation. Experian acknowledged the unlawful processing and indicated it would not appeal the sanction.
Following the decision, Experian Netherlands stopped operations in the country and committed to deleting its entire personal data database before year-end. The AP’s sanction underscores the obligation of data brokers and credit agencies to maintain GDPR-compliant practices, including transparency, lawful basis for processing, and allowing data subjects to exercise their rights.
