Experian Netherlands, the credit reporting giant, has been fined €2.7 million (£2.34 million) by the Dutch Data Protection Authority (AP) for serious violations of GDPR. Regulators found that the company had collected and used personal data from both public and private sources without notifying the individuals concerned. Experian reportedly leveraged this data to support banks and lenders in assessing financial risk across its global operations in more than 40 countries. The news was reported by BleepingComputer.

Despite also offering data protection services, often to clients that have suffered a data breach, Experian did not follow the rules on obtaining consent to use individuals’ personal data for credit assessments, and there was no justification that the data was needed for such assessments.

As a result of the legal proceedings, the company has ceased trading in the Netherlands and has promised to delete its entire database.

Dr. Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), said the likely number of people affected ran into many millions, whilst the exact toll is unknown.

“In the UK alone, where Experian faced similar troubles with the UK ICO in previous years, it was reported that the credit score giant collected information about as many as 51 million British residents. Therefore, in this case, one may easily estimate the number of EU residents whose personal data was used without notice or consent”.

“Worse, practically speaking, the personal data in question is highly sensitive, even if not expressly labelled as such by the blank ink of GDPR, and its misuse or disclosure can cause long-lasting and material damage to affected persons”. 

“In view of the long duration of such processing and taking into consideration the substantial financial harm suffered by individuals by unlawful processing activities, the Dutch DPA’s fine seems to be surprisingly mild and lenient. Having said this, the story is unlikely to end here”.

He added that the European Court of Justice recently allowed individuals to sue for non-material damages if their GDPR rights were infringed, and that many private litigation cases have opened for plaintiffs whose damage is not quantifiable in simple numbers.

The recent fine imposed on Experian for mass-collecting personal data underscores the growing importance of accountability and transparency in identity systems. Identity Week Europe 2026 is THE place to be for insights into ethical data practices and stronger privacy protections. Identity Week Europe is Europe’s largest and most trusted identity event where attendees can hear from identity leaders about building trust, regulatory compliance, and responsible identity architecture across global digital ecosystems.