Credit rating agency Experian fined €2.7M for GDPR violations
The Dutch data protection authority (DPA) has imposed a €2.7 million fine on Experian for violating the General Data Protection Regulation (GDPR).

- The Dutch DPA penalized Experian for multiple GDPR breaches related to its credit reporting practices.
- Experian failed to properly inform people that their personal data was being collected and used.
- The agency found Experian didn't adequately consider the consequences of using sensitive information.
- The company has stopped its consumer credit services in the country and will delete its database by year's end.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Experian produces credit reports on individuals for clients such as telecom companies, online stores, and landlords. Its clients use these reports to assess whether their customers are eligible for deferred payments or contracts, such as a phone subscription. The score in these credit reports indicates whether customers are likely to be able to pay their bills or whether there’s a risk they can't.
A credit score can have significant consequences for the people concerned. For example, higher credit scores could mean that Experian’s customers could obtain better terms, such as a more favorable interest rate. Lower scores could result in people being refused as customers or having to pay a higher deposit.
To produce these credit reports, Experian collects and analyzes a huge amount of personal and sensitive information from various sources, including the Chamber of Commerce, telecom providers, and energy firms that sell their clients’ information. That’s how Experian managed to build a comprehensive database containing personal and sensitive information on a large number of people in the Netherlands.
Back in 2023, the Dutch DPA launched an investigation after receiving numerous complaints about the credit rating agency. Researchers concluded that Experian had failed to explain why certain personal information was collected.
In addition, the company neglected to provide individuals with sufficient information about what their personal data was used for. Specifically, the company didn’t always inform individuals that it was using information about them.
Lastly, the company didn’t adequately consider the consequences of using sensitive data, and also used this information inappropriately.
For these GDPR violations, the Dutch DPA imposed a fine of €2.7 million in 2023. Until now, the amount of the fine was unknown. However, last week, the Dutch privacy regulator decided to make the penalty public.
Experian acknowledges that it has violated European privacy laws and will not appeal the fine. The company ceased its consumer credit rating services in the Netherlands in January 2025 and has promised to delete the database containing all this personal data before the end of this year.