The Dutch Data Protection Authority (“AP”) has imposed a fine of €2.7 million on Experian Nederland B.V. (“Experian”) for breaches of the General Data Protection Regulation (“GDPR”).

This fine comes after Experian filed an objection against the AP’s initial decision and imposition of a fine in December 2023 (the value of the fine was not disclosed), for breaches of the GDPR, as well as two penalty orders requiring Experian to remedy the violations. In this latest decision, the AP has reconsidered the contested decision, taking into account the arguments raised by Experian in its objection.

Background

At the request of customers (such as telecom providers, online retailers, and landlords), Experian prepared creditworthiness reports on individuals who wanted to make purchases on credit or enter into contracts, e.g. for a mobile subscription. Each report included a credit score, which reflected an individual’s ability to pay bills and the likelihood of default. Clients then used these scores to decide whether to approve a purchase and under what conditions. A higher credit score could lead to better terms, such as lower interest rates, while a lower score could result in the individual being declined as a customer or being required to pay a larger deposit.

In order to produce these credit reports, Experian collected a large amount of data, such as negative payment behaviour, outstanding debts, or bankruptcies, from a variety of public and non-public sources, including the Trade Register of the Chamber of Commerce and telecom and energy companies that sell data about their customers. This enabled Experian to create an extensive database containing personal data, including special category personal data, on a significant number of individuals within the Netherlands.

The AP initiated its investigation following complaints from consumers who reported being asked to pay large deposits or being denied credit by service providers, without being informed that this was linked to credit scores issued by Experian or that credit checks had been conducted.

AP Decision

Following its investigation, the AP found that Experian was in breach of Articles 5(1)(a), 6(1), 9(1)(a), 12(1), and 14(2) of the GDPR. In particular, the AP found that Experian:

  • was in breach of the transparency principle by collecting data about consumers from a variety of both public and private sources without adequately informing individuals. The AP concluded that Experian could not rely on the exemption from the right to be informed that applies when personal data are obtained from a third party under Article 14(5) GDPR; and
  • did not have an adequate legal basis for processing personal data. In particular, the AP held that Experian did not clearly show why processing certain personal data was strictly necessary—rather than just “nice to have”—for creditworthiness assessments and therefore could not rely on legitimate interest as a legal basis. In addition, the AP concluded that Experian failed to adequately balance the interests of the individuals concerned, finding that individuals’ rights outweighed Experian’s claimed legitimate interest. The AP suggested that a key safeguard could have been a very short retention period tailored to this processing, but concluded that Experian largely followed outdated industry guidelines with long retention periods that could not be considered adequate in light of current law and technological developments.

The AP reviewed its initial decision and concluded that a fine of €2.7 million is justified. It is not clear whether this fine is a significant step down from the fine originally imposed on Experian by the AP, but Experian has confirmed that it will not appeal the fine. Experian also confirmed that it stopped its consumer credit rating services in the Netherlands in January 2025 and that it will delete the relevant database containing personal data this year.

This latest penalty against Experian underscores the ongoing scrutiny of major credit agencies across Europe, particularly regarding breaches of the lawfulness, fairness and transparency principle (Article 5(1)(a) GDPR). The AP’s decision reinforces the critical need for transparent data processing and illustrates the complex balancing act controllers face when processing personal data.