Experian Netherlands has been fined EUR 2.7 million ($3.2 million) for multiple violations of the General Data Protection Regulation (GDPR).
The Dutch Data Protection Authority (AP) says that the credit and analytics services company improperly used personal data collected from multiple sources, both public and private, and did not inform customers.
Experian is one of the world’s largest credit reporting and data analytics companies, operating in more than 40 countries, helping banks and lenders evaluate the risk of doing business with certain individuals and organizations.
The firm also sells data protection and credit monitoring services, and is often contracted by companies that suffer a data breach to help protect their clients and mitigate potential financial risks that could result from the exposure.
In the Netherlands, the AP launched an investigation into the way Experian used the collected personal data after receiving complaints from people who could no longer pay their installments or had to pay high deposits when changing energy providers.
The data protection agency discovered that the problems originated from credit scores Experian delivered to service providers and sellers, which influenced the interest rates and upfront deposits.
“Because people weren’t aware of the credit check, they couldn’t check in time whether the information they used was accurate” – Aleid Wolfsen, chair of the AP
The AP found that Experian collected data from multiple public and private sources, including the Chamber of Commerce trade register and telecom and energy companies that sold customer information. It used this data to build a large database containing key information about “a vast number of people in the Netherlands.”
The agency concludes that Experian failed to inform people about collecting their personal information, obtain their consent, and justify why it needed to gather the data.
“Until January 1, 2025, Experian provided credit assessments about individuals to its clients,” says the Dutch Data Protection Authority.
“To do this, the company collected data such as negative payment behavior, outstanding debts, or bankruptcies. The AP found that Experian violated the law by unlawfully using personal data.”
As a result, the AP imposed a EUR 2.7 million fine on the organization, which has acknowledged the unlawful nature of its activities and declared it will not be appealing the AP’s decision.
Experian Netherlands has ceased all operations in the central European country and promised to delete its entire database of personal data before the end of the year.