Experian Fined €2.7 Million by Dutch Regulator for Mass Collection of Personal Data

Experian Netherlands was fined €2.7 million for using aggregated public and private data to build large consumer profiles without informing individuals or obtaining appropriate consent under GDPR.

    Experian Netherlands has been fined €2.7 million (approximately US $3.2 million) by the Dutch Data Protection Authority (AP) for multiple violations of the General Data Protection Regulation (GDPR).

    The AP concluded that Experian collected personal data from a wide range of public and private sources—including trade-register information, telecom and energy-company customer lists—without properly informing individuals, obtaining their consent, or limiting the scope and purpose of data collection.

    “Because people weren’t aware of the credit check, they couldn’t check in time whether the information they used was accurate.” — Aleid Wolfsen, Chair of the AP

    AP Investigation Finds Unlawful Data Usage Across Services in Netherlands

    The AP began its investigation after receiving complaints from consumers who faced unexpectedly high deposits or loan denials based on credit scores generated by Experian. The regulator found that Experian in the Netherlands amassed a database of individuals using aggregated sources, then supplied credit assessments to energy and telecom firms without disclosing how the data was collected or used.

    Specifically, the AP found:

    • Experian pulled data from both public registers and proprietary lists from telecom and energy providers.
    • Individuals were not informed that their records were included in such databases and had no realistic opportunity to verify or contest the data.
    • From 1 January 2025, Experian used this aggregated data to provide “credit assessments” to clients without lawful basis under Dutch and EU data-protection law.

    Experian Netherlands acknowledged that its operations in the country would terminate and committed to deleting its entire database before the end of 2025.

    Fines Reflect Breach of Obligations Despite Limited Victim Quantification

    Although the €2.7 million fine is modest relative to Experian’s global revenues, the AP emphasised that the penalty is linked to the scale of unauthorised data collection and the impact on individuals’ rights. The regulator said the nature of the breached data—combined with lack of transparency and oversight—warranted enforcement.

    The fine arises from careful assessment of aggravating factors (large-scale profiling for commercial purposes) and mitigating factors (Experian’s acknowledgement, cessation of the relevant service in the Netherlands, and cooperation). The AP did not publish a detailed breakdown of how many individuals’ data were impacted.

    Wider Implications for Credit-Reporting Firms and Data Brokers

    Industry observers say the sanction against Experian signals increased scrutiny of credit-reporting agencies and data analytics firms that compile large consumer profiles from diverse sources. Key takeaways include:

    • Data brokers relying on aggregated streams must ensure individual rights to transparency, correction and objection under GDPR are respected.
    • Profiling for commercial decision-making (e.g., determining deposit requirements or service eligibility) requires explicit lawful basis and must consider data-protection impact.
    • Firms operating in regulated sectors across borders must assess local lawful basis, inform individuals and implement appropriate retention and deletion policies.

    As credit-reporting services expand their scope—especially into non-traditional sectors like energy and telecom—the risk of regulatory scrutiny is mounting. The AP’s decision may prompt other national regulators to review similar profiling models in their jurisdictions.

    What Consumers and Organisations Should Do

    For affected individuals:

    • Review any communications from service providers referencing credit or risk assessments.
    • Under GDPR, request access to any data held, ask for correction or deletion, and evaluate whether credit checks occurred without your knowledge.
    • Monitor offers or deposit demands from utilities or telecoms, and query whether credit scores played a role.

    For businesses that use consumer profiling services:

    • Verify your vendor’s lawful basis for data processing and ensure transparency requirements were met.
    • Audit vendor contracts to ensure individuals’ rights (access, rectification, objection) are enabled and documented.
    • Reduce reliance on opaque scoring processes where consumers have no visibility or recourse.
    • Maintain audit logs of vendor-supplied scores and how they influence business decisions.

    Experian’s case in the Netherlands stands as a reminder that large-scale data collection and automated profiling, even when legal under commercial logic, still trigger regulatory risk if individuals are deprived of visibility and control. As the data economy evolves, organisations will increasingly face expectations for greater transparency, governance and accountability in profiling and large-scale consumer analytics.
