Netherlands: Dutch Data Protection Authority issued its decision maintaining EUR 2.7 million fine imposed on Experian for General Data Protection Regulation violations

On 16 October 2025, the Dutch Data Protection Authority (AP) issued its decision maintaining the EUR 2.7 million fine imposed on Experian imposed 6 December 2023. In addition to the fine, the original decision issued two orders on Experian for infringements of Article 5(1)(a) in conjunction with Article 6(1) and Article 12(1) in conjunction with Article 14(1) and (2) of the General Data Protection Regulation (GDPR). These infringements related to Experian's failure to adequately inform data subjects and its processing of personal data for its “Credit Check” service without a valid legal basis. Experian submitted its arguments in objection to the interim findings. After reviewing Experian’s arguments, the AP maintained its conclusion that Experian infringed the GDPR's transparency and lawfulness principles. The AP found that Experian did not take sufficient active steps to provide data subjects with crucial information regarding the processing, its purposes, legal bases, legitimate interests involved, and their rights concerning access, rectification, erasure, and restriction. Furthermore, Experian's reliance on “legitimate interests” as a legal basis for processing personal data for creditworthiness assessments was deemed unlawful. Experian failed to demonstrate the necessity of processing certain personal data for these assessments, and the AP determined that the interests or fundamental rights and freedoms of data subjects overrode Experian's legitimate interests. The processing of financial data, particularly from non-public sources, was considered a serious interference with fundamental rights, potentially harming data subjects by hindering access to basic needs due to negative credit scores. The safeguards implemented by Experian, primarily focused on data accuracy, were deemed insufficient to mitigate these consequences.