Datatilsynet (Norway) - 20/02375: Difference between revisions

From GDPRhub
Revision as of 12:34, 18 October 2021

Datatilsynet (Norway) - DT-20/02375
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 24 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 21.09.2021
Published: 06.10.2021
Fine: 125000 NOK
Parties: Ultra-Technology AS
National Case Number/Name: DT-20/02375
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined Ultra-Technology AS €12,785 (NOK 125,000) for conducting an unlawful credit rating, breaching Article 6(1) GDPR, and requires the company to implement a policy for conducting credit ratings, cf. Article 24 GDPR.

English Summary

Facts

A person lodged a complaint to the Norwegian DPA (Datatilsynet) for having been subject to what they felt was an unlawful credit rating by the company Ultra-Technology AS. The company claimed legal grounds for this in Article 6(1)(f) GDPR, pursuing a third party's legitimate interest.

After receiving the DPA's notification of a fine, the company claimed they had other internal policies and procedures in place which would be sufficient for credit ratings. They also claimed that the intended fine was too high.

Holding

The Norwegian DPA (Datatilsynet) held that Ultra-Technology AS had no legal basis as per Article 6(1) GDPR to conduct the credit rating, because the legitimate interest must be based on the company's requirement and interest.

Consequently, the DPA fined the company €12,785 (NOK 125,000), reduced from NOK 175,000. The reduction was due only to the long case processing time (in line with the Norwegian Privacy Appeal Board's latest decisions), not to the company's request for a reduced fine.

The DPA also held that the company must create a company policy and implement internal controls of their credit rating process, in line with Article 24.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 ADVOKATFIRMA ØGLÆND & CO AS
 Luramyrveien 25A
 4313 SANDNES

 Håkon Pinderød Eliassen

 Excluded from the public: Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.

 Their reference:
 Our reference: 20/02375-9
 Date: 21.09.2021



Decision on order and infringement fee - Credit assessment without legal
basis - Ultra-Technology AS



1. Introduction

We refer to our notice of decision on order and infringement fee of 21 December 2020.


We received Ultra-Technology AS's ("Ultra-Technology") comments on the notice via lawyer
Håkon Pinderød Eliassen in a letter dated 11 January 2021. Our remarks on the comments
follow below.


Initially, we would like to apologize for the long case processing time.



2. Decision on order and infringement fine

The Data Inspectorate makes the following decisions:


    1. Pursuant to Article 58 (2) (2) of the Privacy Regulation, we impose on Ultra-Technology AS,
        corporate identity number 925 887 498, an infringement fee to the Treasury of NOK 125,000
        for having obtained credit information without a legal basis, cf.
        Article 6 (1) of the Privacy Regulation.

    2. Pursuant to the Privacy Ordinance art. 58 No. 2 letter d, Ultra-Technology AS is ordered
        to prepare written routines for credit assessment, cf.
        Article 24 of the Privacy Regulation, as the company did not have this at
        the time of the control.


Our legal basis for issuing orders is Article 58 (2) of the Privacy Ordinance.




The deadline for implementing the orders is stated in section 7 of the decision.

Postal address: PO Box 458 Sentrum, 0105 OSLO
Office address: Tollbugt 3
Telephone: 22 39 69 00
Fax: 22 42 23 50
Org.nr: 974 761 467
Website: www.datatilsynet.no


3. Details of the facts of the case

In your reply of 11 January 2021, you confirm that general manager Stig Seglem rated credit
                            ("Complaints") through Ultra-Technology's access to
credit rating tool, but denies that this has happened in violation of
the Privacy Regulation.


You confirm that the credit assessment was carried out in connection with, however
states that Ultra-Technology had a legal basis for the credit rating that was
carried out in that context.

In the alternative, you state that the notified fee is too high.



4. Legal basis for obtaining credit information

4.1. Responsible for processing

The Privacy Ordinance defines "data controller" as:

        […] A natural or legal person, a public authority, an institution or any other
        another body which alone or together with others determines the purpose of

        the processing of personal data and the means to be used; when the purpose
        and the means of treatment are laid down in Union law or in the Member States
        national law, the person responsible for processing, or the special criteria for appointment
        by the person concerned, shall be determined by Union law or by the national law of the Member States

4.2. Legal basis for obtaining credit information

Obtaining credit information on individuals and sole proprietorships ("the registered")
constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and

the Personal Data Act § 1.

Article 6 (1) of the Privacy Regulation requires that the data controller has a legal
basis for processing personal data.

When a business must obtain credit information about the data subject without consent
being available, or without the credit rating being strictly necessary to carry out an
agreement with the data subject, Article 6 (1) (f) is the most relevant legal basis.

Article 6 (1) (f) requires that the collection of credit information is "necessary" to
safeguard a "legitimate interest" which, after a balance of interests, outweighs consideration
for the individual's privacy.





The legitimate interest must be legal, clearly defined in advance, real and objectively justified
in business. Which interests meet this depends on an assessment there, among other things
what benefits the company achieves with the treatment, how important the interest is for

the business, or whether the treatment has a public interest or safeguards non-profit interests
which benefit more are relevant moments.

Furthermore, the treatment in question must be "necessary" for purposes related to the beneficiary
interests. That is, the business must consider whether it can achieve the purpose in a way that

better safeguards privacy. One must therefore choose the treatment that is least invasive.
Then the business must make a balance of interests to decide whether the individual
Privacy outweighs the business' legitimate interest.

What type of information is relevant to process, for example about obtaining the relevant information

the information may be perceived as offensive, and what expectations the individual has of
the processing of personal data are relevant factors in the balancing of interests.

The now repealed Personal Data Regulations § 4-3 contained an additional condition that
credit information could only be obtained if the business had a "factual need" for the
credit information.

Section 4-3 of the regulations is continued in accordance with the regulations on transitional rules on the processing of
personal data § 4. 2


However, the Privacy Ordinance does not provide national room for maneuver for special regulation of
obtaining credit information. We therefore believe that the requirement for "objective need" does not constitute one
additional terms to Article 6 (1) (f).

However, the assessment of whether the business has an "objective need" pursuant to section 4-3 of the regulations is close

connection with the assessment pursuant to Article 6, paragraph 1, letter f. We therefore believe that earlier
administrative practice regarding the requirement of objective need is still relevant when assessing an article
6 No. 1 letter f.

4.3. About the duty to written routines (internal control)

According to Article 24 of the Privacy Ordinance, all companies are obliged to be able to prove that they
process personal data in accordance with the law. If it stands in a reasonable relation to

the treatment activities, the company shall implement appropriate guidelines for the protection of
personal information.

Credit rating is an intrusive processing of personal data and constitutes a large
encroachment on individuals' right to privacy. Businesses must therefore be able to document

their internal routines or processes, so-called internal control, which meet the requirement of objectivity
by credit rating.


1 Personal Information Regulations of 15 December 2000 no. 1265.
2 Transitional rules on the processing of personal data of 15 June 2018 no. 877.



The routines must describe when and how credit information is to be obtained and how access to it
shall be provided, and shall ensure that credit assessments are not obtained without the requirement of objective need being
fulfilled. Furthermore, the company must have routines for handling deviations.



5. The Data Inspectorate's assessment

5.1. Responsible for processing


On 21 December 2020, the Data Inspectorate notified Ultra-Technology AS of the order and infringement fee
(org. no. 987 204 265).

This limited company, on the other hand, was deleted from the Register of Business Enterprises on 12 June 2021. 3


The announcement in the business register shows that the company Ultra-Technology AS (corp. No. 987
204 265) has been merged with the new company Ultra-Technology AS (corp. No. 925 887 498).
The merger notification was registered in the Register of Business Enterprises on 12 June 2021.


The purpose of the articles of association and the activity / industry stated for the new company are
identical to the first company:

«Processing of metal and plastic materials as well as what is connected with this, including participating in

other companies with similar business »

Stig Nordby Seglem is listed as general manager and chairman of the board. We also assume that
the workshop business the first company ran has been continued in the new company after
the merger. 5

In our notice of decision, we assumed that Ultra-Technology AS (corporate identity no. 987 204 265) was
responsible for processing the contested credit assessment performed by the general manager.

The placement of the processing responsibility with the company for illegal credit assessments performed by
general manager has support in the Privacy Board's decisions PVN-2017-02 Bertram Bil and PVN-
2020-21 Flisleggingssenter AS.


The decisions have several similarities with our case, and concerned both general managers' use of
the business's credit rating tool for private credit ratings.

In our case, the company that is responsible for processing the credit assessment of complaints has merged

with another company.





3 https://w2.brreg.no/enhet/sok/detalj.jsp?Orgnr=987204265 (last visited 21.09.21).
4 https://w2.brreg.no/kunngjoring/hent_en.jsp?Kid=20210000291533&sokeverdi=925887498&spraak=nb (last visited 21.09.21)
5 https://www.ultratech.biz/about-us (last visited 21.09.21).




The question of processing responsibility when the legal person responsible for processing becomes
merged with another is not regulated in the Privacy Ordinance. The answer must therefore depend
on an interpretation of the rules for mergers of companies in the Companies Act.

Section 13-2 of the Norwegian Companies Act reads as follows:

        (1) Mergers of companies are subject to the rules on mergers in this chapter

                company (the acquiring company) shall take over another company (the
                transferring the company) assets, rights and obligations as a whole towards
                that the shareholders of this company receive as consideration

        Shares in the acquiring company, or
        2. such shares with a supplement that must not exceed 20 percent of the total
                the consideration


        (Our highlight)

In our case, this means that the acquiring company (Ultra-Technology AS, corporate identity number 925
887 498), has taken over the transferring company (Ultra-Technology AS, corporate identity number 987 204 265)
their assets, rights and obligations.


In our opinion, the acquiring company has taken over the transferring company
processing responsibility for the processing of personal data in the company.

Our conclusion is after this that the acquiring company Ultra-Technology AS (corp. No. 925
887 498) is responsible for processing the transferring company's credit rating of complaints.


Our decision on orders and infringement fees can thus be directed at Ultra-Technology AS
(org. no. 925 887 498).

5.2. Written routines (internal control)

Ultra-Technology confirms in the comments to the notice that the company has no written
routines for credit ratings. You further write that you will not oppose an order to
establish routines, but state the following:

        The fact that the company has not designed its own routines has its explanation. It is noted that

        the company already has an internal company routine, which involves following agreements
        contracts. The company is bound by contract law to comply
        the Personal Data Act by searching the register, through the objectivity criterion in contract one
        with Experian AS.

        This is the reason why the company has not seen a need for additional, internal
        guidelines. However, separate guidelines may be appropriate, such as

        refers to these, to avoid use that does not pursue legitimate interest. This is how it is
        not in this case.




We have noted the input, but cannot see that it has any significance for our assessments in
this case.

We also refer to our account of the content of the Privacy Ordinance, Article 24, No. 1
and 2 above, in section 4.2.



The person responsible for processing is obliged to implement technical and organizational measures taking
into account «the nature, scope, purpose and context of the processing, as well as the risks
of varying probability and severity for the rights and freedoms of natural
persons». If it is in a reasonable relation to the processing activities, the measures shall
include appropriate guidelines for the protection of personal data, cf. Article 24 (2).


Credit ratings of individuals are an intrusive form of processing of
personal information. Access to credit rating tools therefore presupposes that
the person in charge of processing takes appropriate measures to prevent illegal credit assessments
from being carried out. In our opinion, written routines would have had a preventive effect against the illegal
credit assessment carried out in our case, and such routines will ensure that future
credit ratings are only conducted by Ultra-Technology when the terms of
the Privacy Ordinance are complied with.


On the basis of this, we maintain our conclusion that it is necessary to order
Ultra-Technology to establish written routines for credit ratings.

We also refer to our assessment in section 5.1 of the notice.


5.3. Legal basis for obtaining credit information
The relevant legal basis for Ultra-Technology's collection of complaints

credit information is the Privacy Regulation Article 6 No. 1 letter f.

The question is whether the company had a legal basis in Article 6 (1) (f) when the general
manager obtained credit information on complaints.

Ultra-Technology's remarks


Ultra-Technology states that the company pursued a "third party's" "legitimate interest"
when the general manager credit-rated complaints, and that the company thus fulfilled the condition of
"legitimate interest" in Article 6 (1) (f).

The Data Inspectorate's assessment

The relevant basis for processing the collection of credit information about complaints is

Article 6 (1) (f) of the Privacy Regulation.





The first condition that must be met is that Ultra-Technology AS had a «legitimate
interest» in obtaining the information.

Recital 47 of the Privacy Ordinance states that in the assessment of whether an interest is
legitimate, among other things, the data subject's expectations based on the relationship
between the data controller and the data subject shall be taken into account. Emphasis should also be placed on whether, at
the time of collection, it was foreseeable for the data subjects that the information would be processed
for the current purpose.


The credit assessment was carried out on the basis of





However, the legitimate interest must be justified on the basis of the company's objective needs
and interest. As the credit assessment was carried out via the access to Ultra-
Technology AS, we believe the company was responsible for processing the credit assessment.


According to the Brønnøysund Register Center, Ultra-Technology AS operates with «Processing of metal and
plastic materials and what is connected with this, including participating in other companies with
similar business ». In our view, therefore, the complainants had no expectation that Ultra-Technology AS
was to process her credit information in connection with

The Privacy Board has recently handed down the decision PVN-2020-21, which supports our understanding of

the law. In the decision, the tribunal upheld the Data Inspectorate's order and infringement fee
NOK 150,000 to "Flisleggingsfirma AS" for an illegal credit assessment.

The fact of the matter was that the general manager of the tiling company had rated his neighbor in credit
connection with construction work on the neighbor's property to investigate whether the person had
ability to pay for themselves if something should go wrong.


In the decision, the tribunal states the following about the requirement for a legitimate interest in
Article 6 (1) (f) of the Privacy Regulation:

        The law's requirement that the processing (collection of credit information) must be
        necessary for purposes related to the legitimate interest of the controller,
        implies that the interest safeguarded by the data controller must be legal and

        actually justified.

        It is Flisleggingsfirma AS that buys services from Bisnode and that is why
        Flisleggingsfirma AS which must have a legitimate interest in checking the credit information
        about A. There is no customer relationship between A and Flisleggingsfirma AS and
        Flisleggingsfirma AS obviously has no legitimate interest in making one
        credit rating of A. In this case, the general manager of Flisleggingsfirma AS, B,

        who has used the company's online access to Bisnode for private purposes, namely to
        credit-rate a neighbor to investigate her financial situation because he was
        worried about whether the initiated construction work on the neighboring plot would inflict his
        property financial damage for which he would claim compensation. (Our emphasis).

        B's use of the service from Bisnode for private purposes is clearly in violation of the law.
        The tribunal agrees with the Norwegian Data Protection Authority that the credit assessment entails a basic
        violation of A's privacy rights. The tribunal agrees with the Authority's assessment and

        concludes in the same way as the audit that there was no legal basis for
        credit rating A.

        When Flisleggingsfirma AS does not have a legitimate interest in the treatment, it is not
        necessary for the tribunal to consider the other conditions in Article 6 No. 1 letter f, then
        all the conditions must be met in order to satisfy the law's requirements for treatment basis.


The decision has several similarities with the case against Ultra-Technology, in that both cases apply
the general manager's use of the company's credit rating tool for private purposes outside
the business' business area.

On the basis of this, we maintain our assessment that the requirement of "legitimate interest" in
Article 6 (1) (f) of the Privacy Regulation is not complied with.


It is therefore not necessary for the Norwegian Data Protection Authority to assess whether the credit rating was
"Necessary" for the purpose and whether the legitimate interest of the company exceeded the considerations
complainant's privacy.


The conclusion is that Ultra-Technology AS had no legal basis under Article 6 no. 1
letter f to process the credit information on complaints obtained on 27 August 2019.

We also refer to our assessment of the legal basis in the notice, section 5.2.


6. Infringement fee


6.1. General information about infringement fines

Violation fees are a tool to ensure effective compliance and enforcement of

the personal data regulations.

In accordance with the Supreme Court's practice, cf. Rt. 2012 page 1556, we assume that
infringement fines are to be regarded as penalties under the European Convention on Human Rights

(ECHR) Article 6. A clear preponderance of probabilities for offenses is therefore required in order to be able to
charge fee.

In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.

By an administrative sanction is meant a negative reaction that can be imposed by an
administrative body, which is directed against a committed violation of law, regulation or individual
decision, and which is considered a punishment under the European Convention on Human Rights
(ECHR).

Section 46, first paragraph, of the Public Administration Act states:

        When it is stipulated in law that an administrative sanction may be imposed on an enterprise,
        the sanction can be imposed even if no individual has shown guilt.


In Prop. 62 L (2015-2016) page 199 it is stated about § 46:

        The wording that ‘no individual has shown guilt’ is taken from the section on
        corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. Responsibility
        is therefore basically objective.

In judgment HR-2021-797-A, the Supreme Court has assumed that the objective responsibility for
corporate punishment that follows from the Penal Code § 27 is not compatible with the concept of punishment in the ECHR as
it is interpreted by the European Court of Human Rights. The Supreme Court states in the judgment that whoever has acted on behalf of
the company must have shown guilt, and that general negligence is sufficient to fulfill this.

As infringement fines are considered a penalty under the ECHR, we assume that we can only

impose an infringement fine on an enterprise if the person who has acted on behalf of the enterprise has
shown guilt, and that general negligence is sufficient, cf. HR-2021-797-A.

6.2. The guilt claim when imposing an infringement fee

In order for the Data Inspectorate to be able to impose an infringement fee on Ultra-Technology AS, it is therefore required
that the person who has acted on behalf of the company has shown guilt. In this case, our assessment
is that intent is the relevant form of guilt.

The intent requirement follows from general basic legal principles, and these principles are
codified in the Penal Code § 22. It follows from the provision:

        "Intention exists when someone commits an act that covers the description of the act in a
        penalty:


        a) with intent,
        b) with awareness that the action certainly or most likely covers
        the description of the act, or
        c) considers it possible that the action covers the description of the act, and chooses to act
        even if that were the case."


It follows from the second paragraph of the provision, however, that «[i]ntent exists even if the offender
is not aware that the act is illegal, cf. § 26». There is thus no requirement that one
knew that the act was against the law.





It follows from the Penal Code § 26 that «[t]he one who at the time of the action, due to ignorance
of legal rules, is unaware that the act is illegal, is punished when the ignorance is negligent». In
accordance with the requirement of diligence, companies must familiarize themselves with which legislation
applies to the area, and organize the business in accordance with the framework that follows from the
current regulations.


In this case, Ultra-Technology AS has acknowledged in its statement that the company's general manager
deliberately credit-rated complaints in connection with


We assume that the general manager acted on behalf of the company when he credit-rated complaints,
cf. section 5.3 of the decision, and that the credit assessment was a deliberate and willful act.

Our conclusion is therefore that the infringement was committed intentionally by Ultra-Technology AS.


The guilt requirement for imposing an infringement fee is thus fulfilled.

6.3. Our assessment of whether an infringement fee should be imposed

When assessing whether a fee should be imposed and when setting its amount, the Data Inspectorate shall take into account
the factors in the Privacy Regulation Article 83 No. 2 letters a) to k). The Data Inspectorate can
impose infringement fines after a discretionary overall assessment, but the listed
factors lay down guidelines for the exercise of discretion by highlighting factors that should
be given special weight.

Here we will assess the relevant factors in turn.


(a) the nature, gravity and duration of the infringement, taking into account
the nature, extent or purpose of the processing concerned, the number of data subjects affected and
the extent of the damage they have suffered


The principle of legality in the Privacy Ordinance Article 5 No. 1 letter a and the requirement for a legal
basis in Article 6 (1) are among the basic requirements to be met when a
business processes personal data. In this case, we have come to the conclusion that
Ultra-Technology violated the provision of Article 6 (1), as the relevant personal data was
obtained without a legal basis. This suggests that the infringement was serious.


The Privacy Board has also stated this about the illegal credit assessment that was
implemented in PVN-2020-21:


        This is a serious violation of the Privacy Ordinance.
        The principle of legality in Article 5 (1) and the requirement for a basis for processing in Article 6
        represents basic requirements for the processing of personal data. These are
        broken. Private individuals have an expectation that companies do not collect

        credit information about them without this being justified in a legitimate interest with
        business as a result of a real customer relationship. Collection of credit information
        has in this case happened for a purpose completely outside the business' business area
        and for the general manager's personal use outside the business. He has no doubt acted
        intentionally. Any error regarding the legal rules is not excusable, cf. the principle in
        Penal Code § 26.


Furthermore, credit information is a type of personal information that is particularly worthy of protection,
and individuals have an expectation that it is not obtained by businesses unless
it is objectively justified in their relationship with them. The infringement is therefore serious and indicates that
an infringement fine should be imposed.

A single illegal credit rating will not be a long-term breach. On the
other hand, the damage has already occurred and it cannot be reversed after the personal data
has been obtained illegally.

Furthermore, one person is affected by the violation, and one credit assessment was made
of complaints.


b) whether the infringement was committed intentionally or negligently

Ultra-Technology AS acknowledges in its statement that the credit assessments were obtained deliberately

for use in. We therefore assume that the violation was committed
intentionally.

c) any measures taken by the data controller or data processor to limit
the damage suffered by the data subjects


We do not see that such measures have been taken by Ultra-Technology AS.

d) the degree of responsibility of the data controller or data processor, taking into account

the technical and organizational measures they have implemented in accordance with Articles 25 and 32

In an aggravating direction, we emphasize that the violations were committed by the general manager in
the business, as the Privacy Ordinance presupposes that compliance with the regulations is

particularly rooted in the management of an enterprise, cf. Article 5 No. 2.

e) any previous violations committed by the data controller or
the data processor


The Norwegian Data Protection Authority is not aware of any previous violations.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it

possible negative effects of it



Ultra-Technology AS has contributed to clarifying the case by responding to our request for a
statement. According to guidelines from the Article 29 Working Party, adopted by the European Data Protection Board
("EDPB"), it is not appropriate to place mitigating emphasis on cooperation that is anyway
required by the Privacy Ordinance. We do not otherwise see that there are
cooperation considerations in our case, and therefore do not find this aspect relevant.


g) the categories of personal data affected by the infringement

Special categories of personal data (sensitive personal data) are not affected by
the infringement in our case. However, information on salary, debt and creditworthiness is
information that has a special need for protection due to its private nature. This
is an aggravating factor, and speaks in favor of imposing an infringement fine.


The Privacy Board has assessed this correspondingly in its decision PVN-2020-21:

        Although the information affected by the infringement does not belong to the special
        categories of information in Article 9, credit information on
        individuals represents information of a private nature that the individual may have reason to
        wish to remain private. This, too, is therefore a factor in an aggravating direction.


h) in what way the supervisory authority became aware of the infringement, in particular whether, and if so
to what extent, the data controller or data processor has notified
the infringement


We do not find this aspect relevant.

(i) if the measures referred to in Article 58 (2) have previously been taken against the
data controller or data processor concerned with respect to the same subject matter, whether the mentioned
measures have been complied with

We are not aware that measures have previously been taken against the company with regard to the same
subject matter.

(j) compliance with approved standards of conduct in accordance with Article 40 or approved
certification mechanisms in accordance with Article 42


We do not find this aspect relevant.




6 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679,
WP 253, page 14.



k) and any other aggravating or mitigating factor in the case, e.g. economic benefits
which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement


We do not see that there are other aggravating or mitigating factors in the case.

Based on the assessment above, the Data Inspectorate concludes that an infringement fee should be imposed.

The next question is the size of the fee.

6.4. Assessment of the size of the fee

Ultra-Technology has stated that the notified fee is "significantly too high", and that this is
«reserved for elaboration». The company has not submitted documentation or presented other
arguments that justify why the company believes the notified fee is too high.


When measuring the size of the fee, emphasis shall be placed on the same assessment factors
as in the question of whether a fee should be charged, cf. Article 83 (2).

The points we have made in section 6.2 speak in favor of a fee of a certain size. As aggravating
factors, we place particular emphasis on the fact that the credit assessment took place by a deliberate act, that
the principle of legality is one of the most basic principles for the processing of
personal data, and the nature of the personal data affected by the infringement.

It follows from Article 83 (1) of the Privacy Regulation that infringement fines must be set
specifically so that in each case they are effective, stand in a reasonable relation to
the violation and act as a deterrent.

The main purpose of the infringement fee is prevention, i.e. the risk of being charged a fee
shall act as a deterrent and contribute to increased compliance with the regulations. 7

In Bergseng Skullerud et al., 2019, commentary on the Privacy Ordinance, page 347,
it is stated:

        Preventive considerations dictate that the fee for a violation must be set so high that it is
        actually perceived as an evil by the offender. This means that the offender's
        financial ability should be important in the measurement, so that the fee is higher the
        stronger the carrying capacity of the offender. […] When assessing the financial carrying capacity of a
        company, it may be relevant to look at the company's total global annual turnover in
        the previous financial year, cf. art. 83 Nos. 4 and 5.

And further:





7 See updated version of the commentary to the Privacy Ordinance by Bergseng Skullerud, Rønnevik,
Skorstad and Engh Pellerud (2019) p. 343.



        The consideration of ensuring an individual assessment in each individual case indicates that
        Regulators should avoid establishing standardized fee rates. This applies
        even if national law allows for standardized rates, cf. the Public Administration Act § 43.

The fee must therefore be measured specifically in each case, and have a deterrent effect on the individual
business. We therefore place emphasis on the company's finances.


According to publicly available documents, Ultra-Technology AS is registered with a
turnover of NOK 20,158,000 in 2019, and an annual profit of NOK 3,191,000. The business is furthermore
registered with very good solvency.

We also add that the Privacy Board in PVN-2020-21 stated that an infringement fee of
NOK 150,000 for an illegal credit assessment of a sole proprietorship «in any case is not too
high».


On the basis of this, the Data Inspectorate basically finds no reason to adjust down
the notified fee of 175,000 kroner.

However, the case processing time at the Authority is important for the measurement of
the infringement fee, cf. the Privacy Ordinance art. 83 No. 2 letter k, cf.
the Privacy Board's decision in case PVN-2021-03.


We asked Ultra-Technology to explain the case in our letter dated 29 April 2020. We then
gave notice of a decision on the infringement fee in our letter of 21 December 2020. As the Authority now imposes
the fee, approx. 10 months have passed since the notice, and approx. one and a half years since
the Authority contacted Ultra-Technology for the first time.


In line with the Privacy Board's practice, we therefore reduce the notified fee to DKK 125,000
on the basis of the long case processing time.

Our conclusion is after this that Ultra-Technology will be fined NOK 125,000.

We also refer to our assessment of the size of the fee in the notice, sections 6.2 and 6.3.



7. Right of appeal and further proceedings

You can appeal the decision. Any complaint must be sent to us within three weeks after this
letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will
forward the case to the Privacy Board for complaint processing.

If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after
the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act.


The deadline for implementing section 2 of the order on written routines (internal control) is 4 weeks after
expiry of the time limit for appeal. If you do not appeal point 2 of the order, you must within this deadline
send us a written confirmation, as well as documentation, that the ordered
internal control has been completed.


8. Publicity, transparency and duty of confidentiality

We inform you that all documents are in principle public, cf.
§ 3 of the Public Access to Information Act. If you believe there is a basis for exempting all or part of
the document from public access, we ask you to justify this.


The Norwegian Data Protection Authority has a duty of confidentiality about who has complained to us, and about the complainant's personal
circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and
Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such
information from the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1. You are also entitled
to access to the case documents, cf. the Public Administration Act § 18.


We point out that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority
about the complainant's identity, personal circumstances and other identifying information, and that you
may only use this information to the extent necessary to safeguard your
interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that
violation of this duty of confidentiality can be punished according to the Penal Code § 209.

If you have questions about the case, you can contact Ole Martin Moe by e-mail
omm@datatilsynet.no or telephone 22 39 69 59.



With best regards



Jørgen Skorstad
department director
                                                                   Ole Martin Moe
                                                                   legal adviser

The document is electronically approved and therefore has no handwritten signatures



Copy to:











