Datatilsynet (Norway) - 20/02172
| Datatilsynet - DT-20/02172 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 6(1)(f) GDPR; Article 24 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 04.01.2021 |
| Published: | 06.01.2021 |
| Fine: | 100,000 NOK |
| Parties: | Lindstrand Trading AS |
| National Case Number/Name: | DT-20/02172 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA (Datatilsynet) fined Lindstrand Trading AS NOK 100,000 (€9,700) for subjecting the complainant to multiple credit ratings without a legal basis under Article 6(1)(f) GDPR. The DPA also ordered the company to establish internal controls for its credit rating process, as required by Article 24 GDPR.
English Summary
Facts
The general manager of Lindstrand Trading AS conducted multiple credit ratings of the complainant and her sole proprietorship, although the complainant had no customer relationship or any other affiliation with the company. The DPA noted that the general manager used the credit rating tool for personal purposes, completely outside the company's area of business. Consequently, Lindstrand Trading had no legal basis for this processing under Article 6(1)(f) GDPR.
Dispute
Did Lindstrand Trading AS have a legal basis under Article 6(1)(f) GDPR for processing the complainant's personal data for credit scoring? And did the company have sufficient internal controls for the use of credit scoring in its business?
Holding
No, Lindstrand Trading AS did not have a legal basis under Article 6(1)(f) GDPR for processing the complainant's personal data for credit scoring. For this infringement, the company was fined NOK 100,000.
The company also did not have sufficient internal controls for the use of credit scoring in its business, as required by Article 24 GDPR. For this infringement, the company is ordered to establish corresponding internal controls and, within four weeks after the expiry of the appeal period, to submit to the DPA a written confirmation together with documentation of the internal controls.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
ADVOKATFIRMAET ECKHOFF FOSMARK & CO DA
PO Box 2624 Solli
0203 OSLO
Attn: Marius Vernan

Excluded from public access: Offl. § 13 cf. fvl. § 13 (1) no. 1

Their reference: | Our reference: 20/02172-4 | Date: 03.12.2020

Decision on orders and infringement fine - Credit assessments without legal basis - Lindstrand Trading AS (formerly DSD Pharma AS)

1 Introduction

We refer to our notice of decision of 11 August 2020. We received Lindstrand Trading AS's ("Lindstrand Trading") comments on the notice via associate attorney Marius Vernan on 10 September 2020. Our remarks on the comments follow below.

2 Decision on orders

The Data Protection Authority (Datatilsynet) adopts the following decision:

1. Pursuant to Article 58(2)(i) GDPR, LINDSTRAND TRADING AS (formerly DSD PHARMA NORGE AS), org. no. 913 169 581, is ordered to pay an infringement fine to the Treasury of NOK 100,000 for having obtained credit assessments four times without a legal basis, cf. Article 6(1)(f) GDPR.

2. Pursuant to Article 58(2)(d) GDPR, LINDSTRAND TRADING AS is ordered to establish internal control over credit assessments, cf. Article 24 GDPR, as this was lacking at the time of the inspection.

Our legal basis for issuing orders is Article 58(2) GDPR. The deadline for implementing the orders is stated in section 7 of the decision.

3 The facts of the case

In your reply of 10 September 2020, you confirm that Ketil Lindstrand, the owner of Lindstrand Trading, carried out the four credit assessments of [name redacted] ("the complainant"), her sole proprietorship and [redacted], but deny that this occurred in violation of the GDPR. You confirm that the credit assessments were carried out in connection with [redacted], but state that Lindstrand Trading had a legal basis for the four credit assessments made in that context. In the event that you did not have a legal basis for the credit assessments, you state that the infringement fine is disproportionately high in relation to the company's financial situation. We also refer to our account of the facts in section 2 of the notice of decision.

4 The requirements of the Personal Data Act

4.1 Legal basis for obtaining credit information

Obtaining credit information about individuals and sole proprietorships ("the data subject") constitutes processing of personal data, cf. Article 4(2) GDPR and section 1 of the Personal Data Act. Article 6(1) GDPR requires that all processing of personal data has a legal basis. Where a company obtains credit information about the data subject without consent being available, and the credit assessment is not strictly necessary for performing an agreement with the data subject, Article 6(1)(f) is the most relevant legal basis.

Article 6(1)(f) requires that obtaining the credit information is "necessary" to safeguard a "legitimate interest" which, after a balancing of interests, outweighs the individual's privacy. The legitimate interest must be lawful, clearly defined in advance, real and objectively justified in the business. Which interests meet this depends on an assessment in which, among other things, the benefit the company obtains from the processing, how important the interest is for the business, and whether the processing serves a public interest or safeguards non-profit interests that benefit a wider group are relevant factors. Furthermore, the processing in question must be "necessary" for the purposes related to the legitimate interests. That is, the business must consider whether it can achieve the purpose in a way that better safeguards privacy, and must therefore choose the least invasive processing. The business must then carry out a balancing of interests to decide whether the individual's privacy outweighs the business's legitimate interest. What type of information is to be processed, for example whether collecting the information in question may be perceived as offensive, and what expectations the individual has regarding the processing of the personal data, are relevant factors in the balancing of interests.

The now repealed Personal Data Regulations § 4-3[1] contained an additional condition that credit information could only be obtained if the business had a "factual need" for it. Section 4-3 of the Regulations is continued by § 4 of the regulations on transitional rules on the processing of personal data.[2] However, the GDPR does not provide national room for manoeuvre for special regulation of obtaining credit information. We therefore believe that the requirement of "factual need" does not constitute an additional condition to Article 6(1)(f). The assessment of whether the business has a "factual need" under section 4-3 of the Regulations is, however, closely connected with the assessment under Article 6(1)(f). We therefore believe that earlier administrative practice regarding the requirement of factual need is still relevant when assessing Article 6(1)(f).

4.2 The duty of internal control

Under Article 24 GDPR, all companies are obliged to be able to demonstrate that they process personal data in accordance with the law. Where proportionate in relation to the processing activities, the company shall implement appropriate data protection policies. Credit assessment is an intrusive processing of personal data and constitutes a major encroachment on the individual's right to privacy. Businesses must therefore be able to document their internal routines or processes, so-called internal control, which meet the requirement of factual need for credit assessments. The routines must describe when and how credit information is to be obtained and how access to it is to be granted, and must ensure that credit assessments are not obtained unless the requirement of factual need is fulfilled. Furthermore, the company must have routines for handling deviations.

5 The Data Protection Authority's assessment

5.1 Internal control

Lindstrand Trading has not commented on our notice of an order to establish internal control. We therefore maintain our conclusion to order the company to establish internal control for credit assessments, and refer to our assessment in section 5.1 of the notice.

5.2 Legal basis for obtaining credit information

The relevant legal basis for Lindstrand Trading's obtaining of credit information about the complainant and [redacted] is Article 6(1)(f) GDPR. The question is whether the company had a legal basis in Article 6(1)(f) when the general manager obtained credit information about the complainant [redacted].

Lindstrand Trading's comments

In its comments on the notice of decision, Lindstrand Trading stated that the company had a legitimate interest in credit-assessing the complainant. You justify this with [redacted]. In support of Lindstrand Trading having had a legitimate interest in the credit assessments, you refer to the Privacy Appeals Board's decision PVN-2010-04. In that decision, the Board considered whether a lawyer, on behalf of his client, fulfilled the requirement of "factual need" in section 4-3 of the Personal Data Regulations. The defendant's lawyer had credit-assessed his client's counterparty in a dispute, and it was disputed whether there was a factual need for the credit assessments. The Board pointed in its assessment to the party constellation in the case, and to the fact that the lawyer's client had a claim that was approaching limitation. On this basis, the Board assessed the case such that it did not appear unnatural for the defendant's lawyer's client to consider civil action. The Board then concluded that the requirement of factual need was met. The decision was made under the Personal Data Act of 2000 and section 4-3 of the Personal Data Regulations.

The Data Protection Authority's assessment

Article 6(1)(f) GDPR reads as follows:

"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child"

Recital 47 GDPR states that in the assessment of "the legitimate interests of a controller", account must, among other things, be taken of the data subject's reasonable expectations based on the relationship between the controller and the data subject. Emphasis must also be placed on whether it was foreseeable for the data subject at the time of collection that the information would be processed for the purpose in question. The legitimate interest must be lawful, clearly defined in advance, real and objectively justified in the business.[3]

It follows from Article 5(1)(a) GDPR (the principle of lawfulness) and the requirement of a legal basis in Article 6 that it is the controller who is the subject of the obligations in the Regulation, and who must meet the requirements of the Regulation before the processing of personal data starts. It follows from the wording of Article 6(1)(f) and recital 47 that what constitutes a legitimate interest is to be assessed on the basis of the controller's business. This also follows from the Article 29 Working Party's guidance on "legitimate interest" as a legal basis for processing personal data.[4]

Lindstrand Trading AS is the controller for the collection of credit information about the complainant. According to Brønnøysundregistrene, Lindstrand Trading operates a business of "import and sale in e-commerce, with cosmetic goods, sporting goods and electronics". Lindstrand Trading has referred to PVN-2010-04 as support for the company having had a legitimate interest in carrying out the contested credit assessments in our case. The requirement in section 4-3 of the Personal Data Regulations of a "factual need" for obtaining credit assessments is no longer a direct additional condition for the individual business that collects credit information. We refer to our account of this in section 3.1 of the notice of decision. Assessments of whether a business has a "factual need" under section 4-3 of the Personal Data Regulations are, however, closely related to the assessment under Article 6(1)(f). Previous practice from the Privacy Appeals Board on "factual need" is therefore still relevant when assessing "legitimate interest" under Article 6(1)(f) GDPR.

PVN-2010-04 confirms that the assessment of whether the controller has a "legitimate interest" is to be based on the controller's business. In that case, the Board's assessment of "factual need" was tied to the controller's practice of law, to the fact that the credit assessment of a counterparty took place within this business, and to an assignment the controller had for a client. This was the background for the Board's conclusion that the lawyer fulfilled the requirement of "factual need". By contrast, the general manager in our case has used Lindstrand Trading's credit assessment tool for personal purposes completely outside the company's business area.

Neither the complainant personally, her sole proprietorship nor [redacted] have had any relationship with or contact with Lindstrand Trading, and they had no expectation that the business would obtain their credit information. It was not foreseeable for the complainant [redacted] at the time of collection that Lindstrand Trading would process their credit information. Lindstrand Trading has obtained credit information about two individuals without any kind of customer relationship, contact or other affiliation with its business. The legitimate interest must be objectively justified in the business, and in our case Ketil Lindstrand has obtained credit information for personal use for a purpose completely outside Lindstrand Trading's business area. On this basis, we maintain our assessment that the requirement of "legitimate interest" in Article 6(1)(f) GDPR is not met in the case. We therefore uphold our conclusion that Lindstrand Trading had no legal basis in Article 6(1)(f) GDPR for the four credit assessments in total of the complainant, her sole proprietorship and [redacted]. We also refer to our assessment of the legal basis in section 5.2 of the notice.

6 Infringement fine

6.1 General information about infringement fines

Infringement fines are a tool to ensure effective compliance with and enforcement of the data protection rules. We believe it is necessary to respond to the violations with an infringement fine, cf. Article 83 GDPR. In accordance with the Supreme Court's practice (cf. Rt. 2012 p. 1556), we assume that infringement fines are to be regarded as penalties under Article 6 of the European Convention on Human Rights. A clear preponderance of probability that the offence occurred is therefore required in order to impose a fine. The case and the question of imposing an infringement fine have been considered on the basis of this evidentiary requirement. Reference is made in this context to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction is a negative reaction that may be imposed by an administrative body in response to a committed violation of a law, regulation or individual decision, and which is considered a punishment under the European Convention on Human Rights (ECHR). For companies, the assessment of guilt is special. Section 46, first paragraph, of the Public Administration Act states:

"When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual has shown guilt."

Prop. 62 L (2015-2016), page 199, states about § 46:

"The wording that 'no individual has shown guilt' is taken from the provision on corporate punishment in section 27, first paragraph, of the Penal Code and is to be understood in the same way. Liability is therefore in principle objective."

6.2 Assessment of whether an infringement fine is to be imposed

Lindstrand Trading has commented on the size of the notified fine. Our assessment is that these remarks do not change our assessment that a fine should be imposed for the violation, and we refer to our assessment of this in section 6.2 of the notice.

6.3 Assessment of the size of the fine

Lindstrand Trading's comments

Lindstrand Trading has stated that the notified fine of NOK 100,000 has been set too high, and has in this connection referred to several decisions from the Privacy Appeals Board, as well as to the factors for determining infringement fines under section 46 of the Personal Data Act of 2000 and its preparatory works. In conclusion, you state that the fine will affect the company's finances disproportionately hard, and write that there are no funds in the company to cover a possible infringement fine. You have also attached a printout from proff.no with accounting figures for the company. In the comments you refer to several decisions from the Privacy Appeals Board, and note that the fines in those cases were set lower than in our case and that the controllers in those cases had better finances than Lindstrand Trading. The cases you refer to were processed under the Personal Data Act of 2000. Our assessment is that these cases do not govern our assessment of the amount of the fine in this case under Article 83 GDPR.

The Data Protection Authority's assessment

The GDPR provides for a higher level of fines than that which applied under the Personal Data Act of 2000, and it follows from Article 83(1) that infringement fines shall be determined specifically so that in each individual case they are effective, proportionate to the violation and dissuasive. The main purpose of infringement fines is prevention, i.e. the risk of being fined must act as a deterrent and thereby contribute to increased compliance with the rules. Skullerud et al. (2019), page 347, states:[5]

"Preventive considerations dictate that the fine for a violation must be set so high that it is actually perceived as an evil by the offender. This means that the offender's financial ability should be important in the assessment, so that the fine is higher the stronger the financial capacity of the offender. [...] When assessing the financial capacity of a company, it may be relevant to look at the company's total worldwide annual turnover in the preceding financial year, cf. Article 83(4) and (5)."

And further:

"The consideration of ensuring an individual assessment in each individual case indicates that the supervisory authorities should avoid establishing standardised fine rates. This applies even if national law allows for standardised rates, cf. section 43 of the Public Administration Act."

The fine must therefore be assessed specifically in each case, and have a deterrent effect on the individual business. When assessing whether a fine should be imposed and when determining its size, the Data Protection Authority shall take into account the elements in Article 83(2)(a) to (k) GDPR. The Authority may impose an infringement fine after a discretionary overall assessment, but the listed factors lay down guidelines for the exercise of discretion by highlighting aspects that are to be given special weight.

Obtaining credit information about an individual or sole proprietorship without a legal basis constitutes a violation of the basic principle of lawfulness in Article 5(1)(a) GDPR. Credit information is of a very private nature, which the data subject has a high expectation will not be obtained unless it is objectively justified in their relationship with a controller. These are weighty factors that argue for a fine of a certain size. In our case, Lindstrand Trading has unlawfully obtained credit assessments a total of four times. We emphasise this in an aggravating direction. The violations in our case were also committed by the general manager, who in the case shows little knowledge of the requirements of the GDPR that must be met in order to obtain credit information. We emphasise this in an aggravating direction, as the GDPR presupposes strong anchoring with the controller's management, cf. the principle of accountability in Article 5(2). We also place aggravating emphasis on the fact that the business, according to the information provided, had no technical or organisational measures in place in the form of written routines to ensure compliance with the rules, cf. Article 24 GDPR. We also refer to our assessment of the seriousness of the infringement in section 6.2 of the notice, and maintain that assessment.

The serious circumstances we have pointed out above and in our notice of decision justify a fine of a certain size. Preventive considerations dictate that the fine for a violation must be set so high that it is actually perceived as an evil by the offender.[6] This means that the offender's financial ability should be important in the assessment, so that the fine is higher the stronger the financial capacity of the offender. At the same time, the company's finances are only one of several factors that the supervisory authority may emphasise when determining infringement fines under Article 83 GDPR. The financial situation is not in itself sufficient to avoid an infringement fine, and must be seen in relation to the seriousness of the infringement. In the case, you have argued that there are no funds in the company to cover a fine, and you have attached accounting figures from proff.no which show that the company had no turnover in the financial years 2018 and 2019. In our calculation of the notified fine of NOK 100,000, we have already placed emphasis on the business's financial situation.

We remind you that violations of Article 6 GDPR may lead to sanctions in the form of infringement fines of up to EUR 20 million, see Article 83(5)(a) GDPR. This corresponds to NOK 214,000,000.[7] The fine imposed in this case is thus at the very bottom of what the Regulation prescribes for such breaches. The accounting figures show that Lindstrand Trading is registered with a share capital of NOK 800,000. Lindstrand Trading also runs the online store DSD de Luxe, which sells beauty and wellness products.[8] It appears from the online store's website that it is in operation, that it sells a large selection of goods, and that it currently has a stock sale. Our assessment is that the company's high share capital, and the fact that the company's online store is operating, suggests that Lindstrand Trading can bear an infringement fine. On the basis of the serious violations in the case, and after taking into account the business's financial situation, we maintain our assessment that the infringement fine is set at NOK 100,000. We also refer to our justification for the calculation of the fine in sections 6.2 and 6.3 of the notice.

7 Right of appeal and further proceedings

You can appeal the decision. Any appeal must be sent to us within three weeks after this letter has been received, cf. sections 28 and 29 of the Public Administration Act. If we uphold our decision, we will forward the case to the Privacy Appeals Board for processing of the appeal. If you do not appeal the order for an infringement fine, the deadline for payment is 4 weeks after the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act. The deadline for implementing order point 2 on internal control is 4 weeks after the expiry of the appeal deadline. If you do not appeal order point 2, you must within this deadline send us a written confirmation, as well as documentation, that the order for internal control has been implemented.

8 Transparency and publicity

You have the right to access the case documents, cf. section 18 of the Public Administration Act. We also inform you that all documents are in principle public, cf. section 3 of the Public Access to Information Act. If you believe that there are grounds for exempting all or part of the document from public access, we ask you to justify this. If you have questions about the case, you can contact Ole Martin Moe on telephone 22 39 69 59 or by e-mail at omm@datatilsynet.no.

With best regards

Jørgen Skorstad, department director, law
Ole Martin Moe, legal adviser

The document is electronically approved and therefore has no handwritten signatures.

Copy to:

Footnotes

[1] Personal Data Regulations of 15 December 2000 no. 1265.
[2] Transitional rules on the processing of personal data of 15 June 2018 no. 877.
[3] "The Personal Data Act and the GDPR - Commentary edition", Skullerud et al. (2019).
[4] Article 29 Working Party Opinion 06/2014 on the concept of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP217, p. 24.
[5] "The Personal Data Act and the GDPR - Commentary edition", Skullerud et al. (2019).
[6] "The Personal Data Act and the GDPR - Commentary edition", Skullerud et al. (2019).
[7] Calculated on 2 December according to information at norges-bank.no/tema/Statistikk/Valutakurser.
[8] https://www.dsddeluxe.no/ (last visited 20.11.20).