Suppose a company ran a credit check on you despite the fact that you had no relationship to that company and had not requested nor consented to any credit check.
What do you think the government would do to the company, if anything?
Well, if you are in Norwary, the Norwegian DPA might fine that company 12,500 euros (about $14,500.00) and require them to prepare written routines to comply with Article 24 of the GDPR.
You can read more about the Ultra-Technology AS complaint and decision here.