Regulation 1060/2009 of the European Parliament and of the Council of 16 September 2009 on credit rating agencies is the sort of legal provision that you could confidently predict would have a data protection angle of some sort — and you’d not be wrong.
Right: King Midas had no credit rating problems, yet his personal data remains public knowledge over two millennia after his death
The recitals in the Regulation contain the following:
“(36) This Regulation is without prejudice to the duty of credit rating agencies to protect the right to privacy of natural persons with respect to the processing of personal data in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”.
From this we can assume that data protection principles will trump the credit rating regulations if the two should come into conflict.