Experian Netherlands fined €2.7 million for unlawful use of personal data under GDPR

The Dutch Data Protection Authority has fined Experian Netherlands €2.7 million ($3.2 million) for multiple violations of the General Data Protection Regulation (GDPR), ruling that the credit reporting firm unlawfully collected and used personal data from public and private sources without properly informing individuals.

The Autoriteit Persoonsgegevens (AP), the Netherlands’ data protection authority, announced that Experian’s Dutch branch built extensive consumer profiles using data obtained from various organizations, including telecom and energy companies, as well as public databases such as the Chamber of Commerce trade register. The agency concluded that Experian failed to obtain consent, adequately inform data subjects, or justify its legal grounds for processing the information.

Experian, one of the world’s largest credit reporting and data analytics companies, operates in more than 40 countries. It provides credit scoring and risk analysis services to financial institutions, helping them assess the reliability of individuals and businesses. The firm also sells data protection and credit monitoring services and is often contracted by companies that experience data breaches to help mitigate financial and reputational risks.

According to the AP, the investigation into Experian’s Dutch operations began after complaints from consumers who reported being denied payment plans or charged high deposits when changing energy providers. The regulator traced these issues back to Experian’s credit assessments, which had influenced how service providers determined customer risk levels.

“Because people weren’t aware of the credit check, they couldn’t check in time whether the information used was accurate,” said Aleid Wolfsen, chair of the Dutch Data Protection Authority.

The agency found that Experian had aggregated and analyzed data related to negative payment behavior, outstanding debts, and bankruptcies to produce credit reports for its clients. However, the company never notified the individuals whose data it processed nor provided them with an opportunity to verify or correct the information.

“Until January 1, 2025, Experian provided credit assessments about individuals to its clients,” the AP stated. “The company violated the law by unlawfully using personal data.”

In response to the ruling, Experian Netherlands acknowledged the violations and confirmed it will not appeal the decision. The company announced that it has ceased all operations in the country and will delete its entire database of personal data before the end of 2025.