Datatilsynet (Norway) - 19/02450: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet (Norway) |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=19/...")
 
m (Hyperlinks)
Line 79: Line 79:
}}
}}


A data subject lodged a complaint against the Norwegian DPA and the appointed representative held that the DPA violated Article 13 for failing to specify the legitimate interests for processing personal data on their website, and Article 77 for requiring data subjects to first contact the controller directly and holding them responsible for gathering necessary documentation relating to their case.
A data subject lodged a complaint against the Norwegian DPA and the appointed representative held that the DPA violated [[Article 13 GDPR|Article 13]] for failing to specify the legitimate interests for processing personal data on their website, and [[Article 77 GDPR|Article 77]] for requiring data subjects to first contact the controller directly and holding them responsible for gathering necessary documentation relating to their case.


== English Summary ==
== English Summary ==
Line 86: Line 86:
A data subject lodged a complaint against the Norwegian DPA for several GDPR violations related to their website (https://www.datatilsynet.no). Since the DPA is disqualified from managing complaints lodged against them, the Ministry of Local Government and Regional Development, administratively superior to the DPA, appointed an external party to assess the complaint and make a decision.
A data subject lodged a complaint against the Norwegian DPA for several GDPR violations related to their website (https://www.datatilsynet.no). Since the DPA is disqualified from managing complaints lodged against them, the Ministry of Local Government and Regional Development, administratively superior to the DPA, appointed an external party to assess the complaint and make a decision.


First, the data subject claimed that the DPA violates [[Article 6 GDPR|Article 6 GDPR]] because they base all processing activities relating to website visits on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], when the second paragraph of [[Article 6 GDPR#1|Article 6(1) GDPR]] states that this lawful basis does not apply to processing carried out by public authorities in the performance of their tasks. The data subject opined that since the DPA is a public authority and operating their website happens as part of their tasks, they could not rely on this lawful basis. In addition, the data subject claims that even if the DPA could base certain processing activities on this lawful basis, the interests claimed are not necessary for the processing in question, for example claiming that storing keyword searches are not necessary to operate the website.
First, the data subject claimed that the DPA violates [[Article 6 GDPR|Article 6 GDPR]] because they base all processing activities relating to website visits on [[Article 6 GDPR#1f|Article 6(1)(f)]], when the second paragraph of [[Article 6 GDPR#1|Article 6(1)]] states that this lawful basis does not apply to processing carried out by public authorities in the performance of their tasks. The data subject opined that since the DPA is a public authority and operating their website happens as part of their tasks, they could not rely on this lawful basis. In addition, the data subject claims that even if the DPA could base certain processing activities on this lawful basis, the interests claimed are not necessary for the processing in question, for example claiming that storing keyword searches are not necessary to operate the website.


The DPA responds that they have assessed several possible lawful bases for processing of personal data in relation to their website, for example [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] and [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. However, they felt that (e) was not appropriate and that (a) was only partly appropriate. Thus, they concluded that [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was the correct lawful basis. As for the complaint from the data subject, they refer to the legal preparatory works related to the GDPR, where the Ministry of Justice and Public Security assumes that the exception referred to in the second paragraph of [[Article 6 GDPR#1|Article 6(1) GDPR]] only refers to the processing of personal data related to the exercise of the public authorities' tasks. The DPA also refers to the French DPA's use of this lawful basis for several of their processing activities and purposes.
The DPA responds that they have assessed several possible lawful bases for processing of personal data in relation to their website, for example [[Article 6 GDPR#1e|Article 6(1)(e)]] and [[Article 6 GDPR#1a|Article 6(1)(a)]]. However, they felt that (e) was not appropriate and that (a) was only partly appropriate. Thus, they concluded that [[Article 6 GDPR#1f|Article 6(1)(f)]] was the correct lawful basis. As for the complaint from the data subject, they refer to the legal preparatory works related to the GDPR, where the Ministry of Justice and Public Security assumes that the exception referred to in the second paragraph of [[Article 6 GDPR#1|Article 6(1)]] only refers to the processing of personal data related to the exercise of the public authorities' tasks. The DPA also refers to the French DPA's use of this lawful basis for several of their processing activities and purposes.


Second, the data subject claimed that the DPA violates [[Article 13 GDPR#1d|Article 13(1)(d) GDPR]] because the website privacy notice fails to specify which legitimate interests as per [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] the DPA claims for the processing of the website feedback function and storing comments on their blog, contrary to the Article 29 Group's recommendations. The DPA admits that this information is missing, due to a mistake, but that it was corrected a long time ago.
Second, the data subject claimed that the DPA violates [[Article 13 GDPR#1d|Article 13(1)(d)]] because the website privacy notice fails to specify which legitimate interests as per [[Article 6 GDPR#1f|Article 6(1)(f)]] the DPA claims for the processing of the website feedback function and storing comments on their blog, contrary to the Article 29 Group's recommendations. The DPA admits that this information is missing, due to a mistake, but that it was corrected a long time ago.


Third, the data subject claimed that the DPA violates [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] for not stating specific enough purposes, and thus also violating [[Article 5 GDPR#2|Article 5(2) GDPR]]. The DPA disagreed and referred to their privacy notice, and to their internal controls system information security, privacy and data protection, as regards the accountability principle.
Third, the data subject claimed that the DPA violates [[Article 5 GDPR#1b|Article 5(1)(b)]] for not stating specific enough purposes, and thus also violating [[Article 5 GDPR#2|Article 5(2)]]. The DPA disagreed and referred to their privacy notice, and to their internal controls system information security, privacy and data protection, as regards the accountability principle.


Fourth, the data subject claimed that the DPA violates [[Article 57 GDPR#2|Article 57(2) GDPR]] for not allowing data subjects to lodge complaints electronically and for making it unnecessary difficult to find information about how to lodge a complaint. The DPA disagreed and referred to the various ways this information was made available on their website. They agreed, however, that the current setup of lodging complaints was too cumbersome and not user friendly. They had been working on an online solution and expected this to be done during the Spring of 2020.
Fourth, the data subject claimed that the DPA violates [[Article 57 GDPR#2|Article 57(2)]] for not allowing data subjects to lodge complaints electronically and for making it unnecessary difficult to find information about how to lodge a complaint. The DPA disagreed and referred to the various ways this information was made available on their website. They agreed, however, that the current setup of lodging complaints was too cumbersome and not user friendly. They had been working on an online solution and expected this to be done during the Spring of 2020.


Fifth, the data subject claimed that the DPA violates [[Article 77 GDPR|Article 77 GDPR]] when requiring data subjects to contact the controller for a complaint, before lodging one with the DPA. The DPA justified this with the dramatic increase in number of cases over the last years and their experience with seeing many cases being resolved when the data subject contacts the controller directly. They admitted, however, that there could be necessary to soften the language, and therefore changed the word "must" to "should".
Fifth, the data subject claimed that the DPA violates [[Article 77 GDPR|Article 77]] when requiring data subjects to contact the controller for a complaint, before lodging one with the DPA. The DPA justified this with the dramatic increase in number of cases over the last years and their experience with seeing many cases being resolved when the data subject contacts the controller directly. They admitted, however, that there could be necessary to soften the language, and therefore changed the word "must" to "should".


=== Holding ===
=== Holding ===
The General Director's replacement ("GDR") held the following:
The General Director's replacement ("GDR") held the following:
1) The DPA had not violated [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The GDR agreed with the DPA that there are no other lawful bases for the processing of personal data in relation to their website. The GDR referred to Recital 47 GDPR and that the DPA's tasks as per [[Article 57 GDPR#1b|Article 57(1)(b) GDPR]] falls outside of the exception referred to in the second paragraph of [[Article 6 GDPR#1|Article 6(1) GDPR]]. Finally, the GDR considers the necessity requirement to be fulfilled since the GDPR itself outlines the needs for information, cf. [[Article 57 GDPR#1b|Article 57(1)(b) GDPR]].


2) The DPA violated [[Article 13 GDPR#1d|Article 13(1)(d) GDPR]] because they failed to specify the legitimate interests claimed for the processing of the website feedback function and storing comments on their blog. As this was already recified by the DPA, the GDR only sufficed by stating his criticism in this regard.
1) The DPA had not violated [[Article 6 GDPR#1f|Article 6(1)(f)]]. The GDR agreed with the DPA that there are no other lawful bases for the processing of personal data in relation to their website. The GDR referred to Recital 47 GDPR and that the DPA's tasks as per [[Article 57 GDPR#1b|Article 57(1)(b)]] falls outside of the exception referred to in the second paragraph of [[Article 6 GDPR#1|Article 6(1)]]. Finally, the GDR considers the necessity requirement to be fulfilled since the GDPR itself outlines the needs for information, cf. [[Article 57 GDPR#1b|Article 57(1)(b)]].


3) The DPA had not violated [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] or [[Article 5 GDPR#2|Article 5(2) GDPR]], cf. [[Article 24 GDPR|Article 24 GDPR]]. The GDR notes that the DPA states 12 different purposes for processing personal data in their website privacy notice. To properly assess this allegation, the GDR would have to do a relatively comprehensive review of each purpose. Since the complaint does not specify exactly why the purposes are not explicit enough and does not specify any particular negative consequences for the data subject, the GDR does not find any violations in this regard.
2) The DPA violated [[Article 13 GDPR#1d|Article 13(1)(d)]] because they failed to specify the legitimate interests claimed for the processing of the website feedback function and storing comments on their blog. As this was already recified by the DPA, the GDR only sufficed by stating his criticism in this regard.


4) The DPA had not violated [[Article 57 GDPR#2|Article 57(2) GDPR]] as the GDR found the information about how to lodge a complaint to the DPA, as sufficient, and because he does not interpret the Article to require electronic submissions of complaints.
3) The DPA had not violated [[Article 5 GDPR#1b|Article 5(1)(b)]] or [[Article 5 GDPR#2|Article 5(2)]], cf. [[Article 24 GDPR|Article 24]]. The GDR notes that the DPA states 12 different purposes for processing personal data in their website privacy notice. To properly assess this allegation, the GDR would have to do a relatively comprehensive review of each purpose. Since the complaint does not specify exactly why the purposes are not explicit enough and does not specify any particular negative consequences for the data subject, the GDR does not find any violations in this regard.


5) The DPA violated [[Article 77 GDPR|Article 77 GDPR]] in requiring data subjects to first contact the controller directly and provide documentation relating to their complaint, to the DPA. The GDR assumes that the DPA will take necessary measures to correct these violations.
4) The DPA had not violated [[Article 57 GDPR#2|Article 57(2)]] as the GDR found the information about how to lodge a complaint to the DPA, as sufficient, and because he does not interpret the Article to require electronic submissions of complaints.
 
5) The DPA violated [[Article 77 GDPR|Article 77]] in requiring data subjects to first contact the controller directly and provide documentation relating to their complaint, to the DPA. The GDR assumes that the DPA will take necessary measures to correct these violations.


== Comment ==
== Comment ==
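Review bot: Holding item 2 in this hunk still reads "recified" in both the old and the new text, and the "Fourth" paragraph still reads "unnecessary difficult". Since the revision already rewrites both lines to shorten the link labels, correct them to "rectified" and "unnecessarily difficult" in the same edit. The "First" paragraph also keeps the label "Article 6 GDPR" while every other label in the hunk drops the "GDPR" suffix; state in the edit summary whether keeping the suffix on that first mention is intentional.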

Revision as of 09:41, 4 March 2022

Datatilsynet (Norway) - 19/02450
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(1) GDPR
Article 5(1)(b) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 6(1)(f) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(4) GDPR
Article 13(1)(d) GDPR
Article 24 GDPR
Article 57(1)(b) GDPR
Article 57(2) GDPR
Article 70(1) GDPR
Forvaltningsloven (Norwegian Public Administration Act) § 2(b), cf. (a)
Type: Investigation
Outcome: Violation Found
Started: 13.08.2019
Decided: 24.03.2020
Published:
Fine: None
Parties: The Norwegian DPA Datatilsynet
National Case Number/Name: 19/02450
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Exempt from public, shared by data subject on LinkedIn (in NO)
Initial Contributor: Rie Aleksandra Walle

A data subject lodged a complaint against the Norwegian DPA and the appointed representative held that the DPA violated Article 13 for failing to specify the legitimate interests for processing personal data on their website, and Article 77 for requiring data subjects to first contact the controller directly and holding them responsible for gathering necessary documentation relating to their case.

English Summary

Facts

A data subject lodged a complaint against the Norwegian DPA for several GDPR violations related to their website (https://www.datatilsynet.no). Since the DPA is disqualified from managing complaints lodged against them, the Ministry of Local Government and Regional Development, administratively superior to the DPA, appointed an external party to assess the complaint and make a decision.

First, the data subject claimed that the DPA violates Article 6 GDPR because they base all processing activities relating to website visits on Article 6(1)(f), when the second paragraph of Article 6(1) states that this lawful basis does not apply to processing carried out by public authorities in the performance of their tasks. The data subject opined that since the DPA is a public authority and operating their website happens as part of their tasks, they could not rely on this lawful basis. In addition, the data subject claims that even if the DPA could base certain processing activities on this lawful basis, the interests claimed are not necessary for the processing in question, for example claiming that storing keyword searches is not necessary to operate the website.

The DPA responds that they have assessed several possible lawful bases for processing of personal data in relation to their website, for example Article 6(1)(e) and Article 6(1)(a). However, they felt that (e) was not appropriate and that (a) was only partly appropriate. Thus, they concluded that Article 6(1)(f) was the correct lawful basis. As for the complaint from the data subject, they refer to the legal preparatory works related to the GDPR, where the Ministry of Justice and Public Security assumes that the exception referred to in the second paragraph of Article 6(1) only refers to the processing of personal data related to the exercise of the public authorities' tasks. The DPA also refers to the French DPA's use of this lawful basis for several of their processing activities and purposes.

Second, the data subject claimed that the DPA violates Article 13(1)(d) because the website privacy notice fails to specify which legitimate interests as per Article 6(1)(f) the DPA claims for the processing of the website feedback function and storing comments on their blog, contrary to the Article 29 Group's recommendations. The DPA admits that this information is missing, due to a mistake, but that it was corrected a long time ago.

Third, the data subject claimed that the DPA violates Article 5(1)(b) for not stating specific enough purposes, and thus also violating Article 5(2). The DPA disagreed and referred to their privacy notice, and to their internal control system for information security, privacy and data protection, as regards the accountability principle.

Fourth, the data subject claimed that the DPA violates Article 57(2) for not allowing data subjects to lodge complaints electronically and for making it unnecessarily difficult to find information about how to lodge a complaint. The DPA disagreed and referred to the various ways this information was made available on their website. They agreed, however, that the current setup for lodging complaints was too cumbersome and not user friendly. They had been working on an online solution and expected this to be done during the Spring of 2020.

Fifth, the data subject claimed that the DPA violates Article 77 when requiring data subjects to contact the controller for a complaint, before lodging one with the DPA. The DPA justified this with the dramatic increase in the number of cases over the last years and their experience with seeing many cases being resolved when the data subject contacts the controller directly. They admitted, however, that it could be necessary to soften the language, and therefore changed the word "must" to "should".

Holding

The General Director's replacement ("GDR") held the following:

1) The DPA had not violated Article 6(1)(f). The GDR agreed with the DPA that there are no other lawful bases for the processing of personal data in relation to their website. The GDR referred to Recital 47 GDPR and held that the DPA's tasks as per Article 57(1)(b) fall outside of the exception referred to in the second paragraph of Article 6(1). Finally, the GDR considers the necessity requirement to be fulfilled since the GDPR itself outlines the needs for information, cf. Article 57(1)(b).

2) The DPA violated Article 13(1)(d) because they failed to specify the legitimate interests claimed for the processing of the website feedback function and storing comments on their blog. As this was already rectified by the DPA, the GDR confined himself to stating his criticism in this regard.

3) The DPA had not violated Article 5(1)(b) or Article 5(2), cf. Article 24. The GDR notes that the DPA states 12 different purposes for processing personal data in their website privacy notice. To properly assess this allegation, the GDR would have to do a relatively comprehensive review of each purpose. Since the complaint does not specify exactly why the purposes are not explicit enough and does not specify any particular negative consequences for the data subject, the GDR does not find any violations in this regard.

4) The DPA had not violated Article 57(2), as the GDR found the information about how to lodge a complaint with the DPA sufficient, and because he does not interpret the Article to require electronic submissions of complaints.

5) The DPA violated Article 77 in requiring data subjects to first contact the controller directly and provide documentation relating to their complaint, to the DPA. The GDR assumes that the DPA will take necessary measures to correct these violations.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision in a case concerning the Data Inspectorate's processing of personal data, etc.

1. Introduction
On 13 August 2019, the Norwegian Data Protection Authority received an undated complaint from Miloš Novović (hereinafter
the complainant). The complaint concerned the Data Inspectorate's processing of personal data in connection with
the website www.datatilsynet.no. The Data Inspectorate was sued, and the Data Inspectorate's director was
thus disqualified from processing the case. The Ministry of Local Government and Modernization therefore
appointed Professor Dr. Juris Dag Wiese Schartum at the Center for Forensic Informatics, UiO as
substitute director with the task of making a decision in the case. To prepare the case, Schartum has been
assisted by two employees in the Norwegian Data Protection Authority who were not involved in the design of and
content in www.datatilsynet.no. These caseworkers have performed tasks at the request of
the substitute director.
In a letter dated 20 December 2019, the Norwegian Data Protection Authority was asked to provide answers to questions that
the substitute director had formulated on the basis of the complaint, with a response deadline of 20 January 2020. This
deadline was for practical reasons later set at 27 January 2020. The Norwegian Data Protection Authority gave its response in
a letter of 27 January 2020. The reply was accompanied by ten appendices with various types of documentation that
substantiated the Data Inspectorate's view of the case.
Notification of a decision was sent to the Norwegian Data Protection Authority on 24 February 2020, with a deadline of 20 March 2020. In
its feedback on the notification, dated 20 March 2020, the Norwegian Data Protection Authority provided information
on how it has reformulated the text regarding lodging a complaint with the Norwegian Data Protection Authority in line with
Article 77 of the Privacy Regulation, cf. point E in the notice of decision. The substitute director then found
reason to clarify the said point in the decision. Otherwise, the Data Inspectorate had no
comments on the notice.
The complaint was submitted in August 2019, and the case processing has taken more than half a year.
The long case processing time is largely due to extra time spent in connection with the appointment
of the substitute director.
Below, I will assess the various points of complaint in the case as they appear in the request for a
statement dated 20 December 2019. I also refer to the mentioned request for a statement as regards
the legal basis in the case and see no need to repeat this here.

2. On the right of appeal
Data subjects have the right to lodge a complaint with a supervisory authority, cf. the Privacy Regulation
Article 77 no. 1. In this case, the supervisory authority is the Norwegian Data Protection Authority. The right of appeal under the aforesaid
provision presupposes that the complaint concerns the processing of personal data about the complainant (the
data subject). The right to appeal in this case has not been disputed. It has nevertheless been
noted that the complainant has not indicated that any specific processing of
personal data about the complainant himself has taken place. Both the Data Inspectorate and the substitute director have, however,
assumed that the complainant has used the Data Inspectorate's website, with the consequence that personal data about
the complainant has been processed.
In the view of the substitute director, the complaint could not have been rejected as unfounded unless it had in any case
been established that no personal data about the complainant had been processed. The principle of
legality, fairness and justice, cf. Article 5 (1) (a) of the Privacy Regulation,
indicates that the supervisory authority should actually process complaints even if it is not clear which
personal data have been processed about the complainant. This assumes that
it is probable that personal data about the person in question has been processed.
3. Alleged violation of Article 6 of the Privacy Regulation
The complainant states that the Data Inspectorate bases all processing activities related to website visits
on the processing basis of balancing of interests in accordance with the Privacy Regulation, Article 6, paragraph 1, letter
f. He believes that the Data Inspectorate cannot legally process personal data on this
processing basis in this context because the Privacy Regulation Article 6 (1)
second paragraph stipulates that no. 1 letter f does not apply to processing performed by
public authorities as part of the performance of their tasks. As the Data Inspectorate is a
public authority and the operation of the website takes place as part of the performance of the Authority's tasks,
the complainant considers that the processing of personal data on this processing basis is illegal.
Even if the Data Inspectorate had been able to base the processing on the processing basis of
balancing of interests in some cases, the complainant claims that the interests mentioned in the Data Inspectorate's
privacy statement do not meet the requirements related to legitimate interests. This is because,
in the complainant's view, there is no logical way to justify that it is necessary to process
the relevant personal data for the relevant interests; for example, storage of
search keywords is not necessary for the website to work.
The Data Inspectorate's response states that several possible processing bases for personal data
in connection with the websites have been considered. This specifically applies to a possible basis in
Article 6, paragraph 1, letter e (task in the public interest or exercise of public
authority) and Article 6 (1) (a), under which the data subject's consent is the
basis for processing. The Data Inspectorate argues that the alternative in letter e is not
applicable and that the alternative in letter a only partially fits. The Norwegian Data Protection Authority has therefore taken the view that
Article 6, paragraph 1, letter f is the only option which is fully applicable to
the processing of personal data that takes place in connection with the use of www.datatilsynet.no.
To the objection that the alternative in Article 6 No. 1 letter f cannot be used by public
authorities, the Data Inspectorate responds by referring to a statement from the Ministry of Justice and Emergency Preparedness
in Prop. 56 LS (2017-2018) section 6.3.1. Here the ministry writes, among other things: As the exception from
Article 6, paragraph 1, letter f only addresses public authorities and their tasks,
the Ministry [...] assumes that the exception as a starting point only applies to the processing of
personal data in connection with the exercise of public authority. They further write that
the scope of the exemption from the application of Article 6 (1) (f) to public
authorities must be clarified through practice.
The Norwegian Data Protection Authority also states that the French Data Protection Agency, Commission Nationale de l'Informatique
et des Libertés (CNIL), states Article 6 (1) (f) as the legal basis for processing
personal data in connection with a number of their own processing activities and
purposes.
My assessment
I agree with the Data Inspectorate's justification that no other basis for processing in Article 6 no.
1 than the alternative in letter f can serve as a basis for the processing of
personal data in connection with the use of www.datatilsynet.no. The crucial question
is whether the exception in letter f second paragraph nevertheless means that this basis for processing is
inapplicable to a public authority such as the Norwegian Data Protection Authority.
The wording of the exception applies to public authorities "as part of the performance of their tasks"
(highlighted here). The question is whether "tasks" should be understood as tasks as an authority
or must also be understood as other tasks a public authority has. In Article 6, paragraph 1
letter e, "perform a task" and "exercise public authority" are used as alternatives.
This may be an argument that "tasks" in letter f must be understood as something more than what
concerns the exercise of authority.
However, it is important to note the premise / justification for the exception as it is
expressed in the preamble, recital 47:
As it is up to the legislature by law to determine the legal basis for
public authorities' processing of personal data, the said legal
basis should not apply to processing performed by public authorities in connection
with the performance of the tasks assigned to them.
In my opinion, this statement is only an implicit reference to the exercise of
authority in the strict sense.
In any case, I am of the opinion that a task that is performed independently of individual case processing or other
exercise of authority at the Norwegian Data Protection Authority, and whose purpose is to support one of
the central tasks of the supervisory authorities under Article 57 (1) of the Privacy Regulation
letter b, to promote the public's knowledge of risks, rules, guarantees and rights
(...), falls outside the exception mentioned in Article 6, paragraph 1, letter f, second paragraph. The premise must,
however, be that the information provided by the Norwegian Data Protection Authority is not arranged and formulated in such a way that it
gives a definite and authoritative expression of the duties and rights that the user of
www.datatilsynet.no has or can have. Thus, for example, a service on the websites that directly
offers support for the application of law and discretion in specific cases could come under the
mentioned exemption provision. However, I do not consider that www.datatilsynet.no has such a
facility or content, and I therefore believe the exception does not apply.
The application of Article 6 (1) (f) as a basis for processing requires that there is a
preponderance of interests in favor of the legitimate interests stated by the data controller,
cf. the wording at the beginning of the provision. The legitimate interests must also make it
necessary to achieve the purpose that justifies the processing.
In the Data Inspectorate's privacy statement, the Authority states: The legitimate interest [that
justifies the processing of personal data] is to improve and further develop the information on
our websites. This interest is in accordance with the legal obligation of the Data Inspectorate
pursuant to Article 57 (1) (b) to promote public awareness of risks, rules,
guarantees and rights (...). The rationale is all about promoting privacy using
information services on the Data Inspectorate's website. The processing of personal data
that takes place has only the user's IP address as an identifying element and will in practice be experienced
as anonymous information that is only available to a few people. I consider in this
case that the risk of violating the data subjects' fundamental rights and freedoms is so minimal
that the legitimate interest in spreading knowledge about rules and rights etc. about privacy
undoubtedly must weigh heaviest.
It is clear that the Data Inspectorate can promote the public's knowledge of risks, rules,
guarantees and rights (...) in other ways than by having a website. The website is then also
only one of the measures that the Data Inspectorate uses to inform about the privacy regulations.
However, the website is especially important because it is always available, allows for constant
updating of the information and has a usage capacity that is independent of available
human resources. Although the service is very important, it still cannot be seen as
necessary in the strictest sense of the word, i.e. in the sense of the only possible means.
The Data Inspectorate's website and the processing of personal data the service entails must,
however, be considered necessary in order to have an information service that is in proportion to
the need for information created by the privacy policy. I consider, in other words,
the requirement of necessity in Article 6 (1) (f) as satisfied.
Overall, I have therefore come to the conclusion that the Data Inspectorate has a valid basis for processing in
Article 6 (1) (f) of the Privacy Regulation for the processing of personal data
which takes place in connection with the website www.datatilsynet.no.
4. Alleged violation of Article 13 of the Privacy Regulation
Complainants allege that the Data Inspectorate has violated the requirement in the Privacy Ordinance, Article 13, No. 1
letter d about information to the data subject. The reason for this is that the Data Inspectorate on
the website has not provided specific information on which legitimate interest under Article 6 no.
1 letter f forms the basis for the processing of personal data in the following
contexts:
• the feedback function "Did you find what you were looking for?"
• when saving comments on the Privacy Blog
Where the Data Inspectorate states the legitimate interests on which a processing is based, information on
the result of the balance of interests is nevertheless not provided. Complainants state that this is in conflict
with the recommendation of the Article 29 Working Party.
The Norwegian Data Protection Authority admits that this information has not been explicitly provided in the event of an incursion. They
state that the privacy statement stated that the processing of information in connection
with the feedback function was based on a legitimate interest in accordance with Article 6 (1)
letter f. However, it was not stated what specific legitimate interest was involved.
Nor was information on the specific legitimate interest given in connection with the comment
function on the Privacy Blog.
The Data Inspectorate points out that the legitimate interest associated with the Privacy Blog is to
facilitate that readers can express their opinion on and discuss the blog posts and that this is common
practice for bloggers. They therefore assume that this has hardly created uncertainty among readers.
In summary, the Data Inspectorate states in its response that to the extent that this can be described
as a breach, the breach has not posed a real risk to the data subjects' rights and freedoms.
They also remind that the relationship has long since been rectified.
My assessment
If a data controller bases the processing of personal data on
Article 6 (1) (f) of the Privacy Regulation on legitimate interest, and the collection of
information takes place directly from the registered person, the data controller must always state which
legitimate interest is in question. It is not sufficient that it is stated that
the person in charge of treatment considers itself to have a legitimate interest; it must also be stated which or
what legitimate interests are at stake.
The reason for the obligation to provide specific information is that the basis for processing in Article 6, paragraph 1
letter f differs from the other treatment bases in that the provision is very
broadly worded: It is not only the interests of the person responsible for the treatment, but also those of a third party,
that can be included in the assessment of whether there is a legitimate interest.
The basis for processing in Article 6, paragraph 1, letter f is also special in that the provision refers to
a broad balance of interests between the legitimate interests on the one hand, and the
interests of data subjects and fundamental rights and freedoms on the other hand.
The various grounds for treatment in Article 6, paragraph 1, are in principle equal, i.e. there is
no prioritization between them. For a treatment manager, it can be easier to
argue for a legitimate interest, cf. Article 6 (1) letter f, than for example to
obtain an informed consent from the data subject, cf. Article 6 no. 1 letter a. Article 6 no.
1 gives the data controller full access to argue that his own, or possibly
third parties', interests are so significant and weighty that the treatment of
personal information can be carried out without obtaining consent or referring to other
specific treatment bases.
The wide right to process personal data as provided for in Article 6 (1) (f)
makes it especially important to provide adequate information to registered persons. Registered persons can then
have a basis for assessing whether the stated specific legitimate interests, as well as the balance
between them, are tenable or not.
I agree with the Norwegian Data Protection Authority that Article 6 no. 1 letter f on legitimate interest is the only
applicable treatment basis for the mentioned feedback and comment functions, cf.
also the discussion in point 3 above. In this case, the use of legitimate interest as
treatment basis is thus not only an easy solution, but the only possible solution.
A very special aspect of the relevant processing of personal data is that it takes place to
promote personal data protection. In other words, it is about legitimate interests that
primarily give positive effects for personal data protection, because the Data Inspectorate will be better able
to see to its tasks as specified in the Privacy Ordinance (see in particular
Article 57 (1) (b) of the Privacy Ordinance on the task of promoting knowledge about
personal data protection). At the same time, the treatment takes place in a way that to a very small degree
creates a risk of violations of the data subjects. Both the feedback and comment functions can
moreover be said to support freedom of expression - albeit in a simple way.
I find it clear that the Data Inspectorate should have provided information about the specific legitimate interests
that justified the feedback and comment functions, but find that this lack can hardly
be said to have had a significant negative impact on the protection of the users of the services
(registered persons). It is not claimed that the missing information has caused damage of
any kind. The relationship has been rectified and no longer has current interest. I therefore find that there is only
a basis for directing criticism at the Norwegian Data Protection Authority for the period when information about specific
legitimate interests was not given, and I note that Article 13 (1) (d)
was at the time broken.
5. Alleged violation of Article 5 of the Privacy Regulation
Complainants state at an overall level that the Data Inspectorate, through its online services, is in conflict
with some of the principles set out in the Privacy Ordinance Article 5 No. 1. Complainants
believe that the principle of purpose limitation is violated in that the purposes specified in
the privacy statement are not specific enough. Furthermore, complainants believe that the Norwegian Data Protection Authority, as a
consequence of the above, has also violated the principle of liability in Article 5 (2).
In its response, the Data Inspectorate disagrees that the terms of reference are not precise enough and refers to
the privacy statement. When it comes to compliance with the principle of accountability,
the Norwegian Data Protection Authority refers to its management system for information security and privacy, version 3.0.
My assessment
At this point, the complaint is of a very general nature. The Data Inspectorate's privacy statement
describes in detail twelve common types of processing of personal data that
the Data Inspectorate is responsible for. For each of these, information is given about purpose. In the vast
majority of cases this is done by using the term purpose, while in some cases a description is
instead given of what the information will be used for.
Purpose statements have significance for several other legal issues. For me, in the treatment of
this case, to be able to take a position on the question of whether the purpose statements are sufficiently
specific, it would require a relatively comprehensive discussion of each purpose. Complainants have only
given general statements about the lack of specific purposes, and as far as I can understand
is not complaining about any particular situation that has had negative consequences for him. I
therefore find no reason to go into more detail about whether each of the many purpose statements in
the privacy statement is sufficiently specific or not.
The requirement for a specific purpose statement will vary depending on the risk of
privacy breaches. Such risk in connection with www.datatilsynet.no is, as far as I can
understand, consistently very low. As far as I can tell, there are no grounds to
claim that the purpose statements in the Data Inspectorate's privacy statement are not very specific.
Overall, I do not find grounds to conclude that there is a breach of the principle
of purpose limitation in Article 5 (1) (b) of the Privacy Regulation or
the principle of liability in Article 5 (2), cf. Article 24.
6. Alleged violation of Articles 57 and 77 of the Privacy Regulation
My assessment - Article 57 (2) of the Privacy Regulation
Complainants claim that the Data Inspectorate makes it unnecessarily difficult for registered persons to submit
complaints to them. Information on how to proceed with a complaint is, in the complainant's view, not easily
available, either by primary or secondary navigation on the website. The Data Inspectorate disagrees
with this and refers to the different ways in which this information is made available.
The right to appeal arises from information that becomes available via the search function on
the site. Here the information appears if you search for "complaint" or "appeal to
the Data Inspectorate" (on the other hand, not by searching for "right of appeal", for example). Alternatively, the user can follow the path
Contact us > How to complain to the Norwegian Data Protection Authority. Information about the right of appeal appears
also directly if someone outside the Data Inspectorate's website searches Google for "Data Inspectorate
complaint" or the like. The information about the right of appeal states that users can submit a formal
complaint to the Norwegian Data Protection Authority if they have experienced something they believe is a breach of the privacy regulations.
It would obviously be possible for the Data Inspectorate to expose the information on the right of appeal better
than is the case today on www.datatilsynet.no. On the other hand, the information is readily
available via general search functions, both within the website and via general websites.
After this, I cannot find support for the complainants' claim of lack of availability.
Furthermore, the complainants maintain that the Norwegian Data Protection Authority does not make it possible for registered persons to
complain electronically, but requires them to send a complaint in physical format by post. This, the
complainants mean, is a violation of the Privacy Regulation Article 57 No. 2, which states that each
supervisory authority shall facilitate the submission of complaints as mentioned in no. 1 letter f
with the help of measures such as a complaint form that can also be filled in electronically, without excluding
other means of communication.
To this point in the complaint, the Data Inspectorate replies that complaints often have a content that requires that
the shipment is satisfactorily protected. The Authority has not yet developed its own secure digital
solution for filing a complaint, and they admit that the current procedure is cumbersome and not very
user-friendly. However, a new digital solution is under construction and is expected to be completed by 2020.
The Data Inspectorate reminds that complaints not infrequently contain information of a sensitive
character. Ordinary e-mail is therefore not a sufficiently secure procedure for filing
a complaint. Only in special cases where complainants can encrypt their communication can the Data Inspectorate
therefore receive a complaint by email. The main rule is that the complaint must be sent by letter to
the Data Inspectorate's mailbox address. If anyone has objections to the way the Data Inspectorate processes
personal information, they can also contact the Authority's privacy representative, who in turn
can provide advice and guidance on complaints. The Data Inspectorate's privacy statement contains more
information about this.
The provision in Article 57 (2) to which the complainants refer stipulates that the supervisory authorities shall
"facilitate the filing of complaints [...] by means of measures such as a complaint form that
can also be filled in electronically (...)". The key here is the duty to facilitate submission
of complaint. Facilitation using a form that can also be filled in electronically (digitally) is
here an example of how such an arrangement can take place.
The Privacy Ordinance only sets requirements for the use of electronic aids and
standardized routines etc. in the communication between the various authorities, see e.g.
Article 60 (12), (61), (6) and (6) and Article 64 (4) and (5)
responsible for processing and registered, become electronic routines etc. either maintained as permitted
or as an example of how communication can take place. The provision of Article 57 (2) on
The Data Inspectorate's arrangements for filing complaints must be seen in this wider context.
In my opinion, the provision can neither be seen as a duty to have digital routines for
filing a complaint nor as an obligation for such digital routines to contain forms.
The eGovernment Regulations (efvf.)¹ regulate the use of electronic means of communication
by public administrative bodies, including communication with citizens. According to these rules it is
up to the executive body itself to decide whether they want to facilitate electronic
communication and whether specific procedures should be used when such
communication is used, cf. § 3 first paragraph. The Norwegian Data Protection Authority can thus determine that
a specific form, a special address, etc. must be used. These Norwegian, national regulations
do not contravene the provision of Article 57 (2) of the Privacy Regulation and hence
supplement the Regulation.
After this, I come to the conclusion that the Data Inspectorate's requirement that an appeal should as a general rule be submitted as
letter mail does not contravene the Privacy Ordinance Article 57 No. 2. This understanding
harmonizes with the requirements of the eGovernment Regulations. Admittedly, the ongoing
digitalisation of society gives a clear expectation of the use of digital aids. Both
the Privacy Ordinance and the eGovernment Regulations facilitate such digitization.
In addition, Article 57 (2) of the Privacy Regulation must be understood to mean that non-electronic
means of communication shall in any case be retained, cf. the wording "without excluding
other means of communication". It must always be possible to lodge a complaint by letter, even after
electronic routines become available.
¹ Regulation 25 June 2004 No. 988.
My assessment - Article 77 (1) of the Privacy Regulation
Article 77 (1) of the Privacy Ordinance gives registered persons the right to appeal to
the supervisory authority if they believe that the processing of personal data about them is contrary to
the Regulation. Complainants believe it is contrary to the Privacy Ordinance Article 77 when
the Norwegian Data Protection Authority requires that the registered persons contact the company responsible for processing before
they complain to the supervisory authority.
In the information on the website www.datatilsynet.no about submitting a complaint to the Data Inspectorate
it says, among other things:
To ensure efficient case processing, you must contact the company before
you complain to us. Often the case will be able to be seen even then. We demand that you
attach relevant correspondence with the company and any other
documentation. We demand a concrete description of what the breach is about.
In the continuation of this information, it is determined which information and which
documentation The Data Inspectorate must have before they process the appeal.
In its response to the complaint, the Data Inspectorate justifies the scheme of referring complainants to a closer
contact with the person in charge of treatment with the dramatic increase in the number of cases in recent
years. The number of cases in 2017, the year before the Privacy Ordinance came into force, was approx. 1800. This
increased to approx. 3010 cases in 2019. The Data Inspectorate's experience is that many cases will be resolved if
registered persons make direct contact with the data controller. The Authority has also looked into
what the English and French data protection authorities require for their appeal proceedings and
believes that these supervisory authorities make similar demands as the Norwegian. In a concluding comment in
the Data Inspectorate's response to the complaint, the Authority admits that there may be a need to soften the requirements
for complaints. They state that it has been decided to change the text referred to above from "you must
contact the company" to "you should contact the company" (highlighted here).
The processing and decision of appeals is regarded as individual case processing and individual decisions, cf.
Public Administration Act § 2 letter b, cf. letter a. To the extent that it does not conflict with requirements for
the case processing in the ordinance, appeal proceedings according to the Privacy Ordinance
Article 77 must take place in accordance with the detailed provisions on individual decisions in
the Public Administration Act and be in line with administrative law principles. For assessment of
complaint procedures in cases concerning the data subjects' rights (Articles 15-22), it is also relevant
to draw on the provisions of Article 12, paragraphs 1, 2 and 4. In other cases where registered persons complain,
Article 12, paragraph 1 applies.
Article 12 (4) of the Privacy Ordinance imposes requirements on the person responsible for processing in
situations where the latter completely or partially refuses to comply with the data subject's request
to use rights. In such situations, the data controller must provide information that
explains why the request cannot be complied with. If the data subject chooses to
appeal such a refusal in accordance with Article 77 No. 1, it is this justification that Datatilsynet
must assess the tenability of.
The communication between the data controller and the data subject shall be open and
easily understood, cf. Article 12 (1). The same provision requires written communication or
communication in another way. To be understandable and easily accessible as the provision
requires, the communication must be documented so that the data subject can relate to a
concrete and clarified justification for refusing the use of the right. There must be a
documented communication between the data controller and the data subject. This
documentation will be the primary basis for the appeal proceedings. If such
documentation does not exist because the data controller has not complied with the requirement in
Article 12, No. 4, the Norwegian Data Protection Authority must require the data controller to send to the Authority a
written basis for refusing to comply with the data subject's request.
A duty of assessment and activity in complaints for the person responsible for processing, as mentioned above,
is a well-founded scheme: It is the person in charge of treatment who in most cases has the
best knowledge of current rules and practices. This is a consequence of the principle of responsibility in
Article 5 (2). The provision means that the person responsible for processing must familiarize himself with his
obligations under the Regulation. Participation from the person responsible for treatment in informing
appeals also means that the duty is imposed on a party to whom the Data Inspectorate can issue legally
binding orders, cf. Article 58 no. 1 letter a.
I have therefore come to the conclusion that the Data Inspectorate cannot demand that the data subject himself inform
appeals relating to Articles 15 to 22. In such cases, the Data Inspectorate can only demand from the complainant
that the person in question identifies the person responsible for processing and what the complaint concerns. The duty to
inform the case is mainly on the person responsible for processing. This division of responsibilities
must appear in the information about the appeal proceedings. The Norwegian Data Protection Authority may request that the complainant
provides relevant information in its case, but cannot request this in a way that
can give the impression that the further case processing is dependent on this happening.
In the case of complaints from registered persons in matters not relating to rights and Articles 15-22,
the starting point is probably the opposite of what is mentioned above. In such cases
the provisions of Article 12 (2) and (4) do not apply. The starting point is then that the Data Inspectorate
can organize the case investigation in ways that provide appropriate and sound information
of the case. It cannot be ruled out that in such cases it may be justifiable to impose on
registered persons who complain a duty to inform the case, in a similar way as the Data Inspectorate
today requires.
In light of the principle of justice, cf. the Privacy Ordinance, Article 5 no. 1 letter a, there is
reason to be careful about imposing on complainants the duty to contribute to the case investigation, at least
as a fixed, standardized requirement. The reason is primarily that the privacy regulations are so particularly
comprehensive and complex and therefore demanding to understand and apply. A treatment manager will
typically have better conditions for complying with these regulations, either by themselves or
with the help of lawyers or other advisers. Standard routines that, in particular, require complainants
to contribute to the enlightenment of the case will therefore easily run counter to the principle of justice. Placement of
duty on the presumed inferior party in a dispute may also mean that registered persons become more
skeptical of using their right of appeal.
In summary, I believe the current requirements for registered persons who complain to the Norwegian Data Protection Authority,
in the event of a complaint regarding rights and Articles 15 - 22, are not in accordance with
Article 77 (1) of the Privacy Regulation, cf. Article 5 (1) (a). Also in other cases
it is, in my opinion, doubtful whether the current complaints system fully satisfies the requirements that
follow from the said provisions.
7. Decision
Following this, the Data Inspectorate's Directorate sets the basis for making the following decisions:
A. Not a violation of Article 6 of the Privacy Regulation
The Norwegian Data Protection Authority has a valid basis for processing in accordance with Article 6 of the Privacy Ordinance
No. 1 letter f for the processing of personal data that takes place in connection with
www.datatilsynet.no.
B. Violation of Article 13 of the Privacy Regulation
The Data Inspectorate's failure to state the specific legitimate interests that
justified the feedback and comment functions on www.datatilsynet.no involves a
violation of the Privacy Regulation Article 13 No. 1 letter d. The relationship has been rectified,
no longer has a current interest and cannot be seen to have had a significant negative
impact on the freedoms and rights of data subjects. There is therefore no basis
for further follow-up.
C. Not a violation of Article 5 of the Privacy Regulation
There is no basis for concluding that there is a breach of the principle of
purpose limitation in Article 5 (1) (b) of the Privacy Regulation or
the principle of liability in Article 5 (2), cf. Article 24.
D. No violation of Article 57 of the Privacy Regulation
I) The Data Inspectorate's information on the right of appeal is considered satisfactory, cf.
Article 57 (2) of the Privacy Regulation.
II) The Data Inspectorate's requirement that a complaint as a general rule must be submitted by letter post is
not in breach of Article 57 (2) of the Privacy Regulation.
E. Violation of Article 77 of the Privacy Regulation
In appeals concerning the rights in Articles 15 - 22, the Data Inspectorate may not set as
a condition for processing the complaint that the registered person must first inform the case by contacting
the data controller. Such a condition would constitute a breach of
Article 77 of the Privacy Ordinance. The Norwegian Data Protection Authority may not provide information on
the right of appeal in a way that gives the impression that it is the data subject himself, and not the
data controller, who has the primary responsibility for informing cases concerning
Articles 15-22. In other types of appeals that registrants promote, the Data Inspectorate may
require that complainants inform the case to the extent required by the Public Administration Act § 17 and so
far as the requirement of participation does not conflict with the Privacy Ordinance
Article 5 (1) (a) on fair treatment.
I assume that the Data Inspectorate takes adequate measures to ensure compliance with point E in
the decision.
Right of appeal
The Data Inspectorate can appeal the decision. Any complaint must be sent to the undersigned within three
weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29.
If the decision is upheld, I will forward the case to the Privacy Board for processing complaints.
Sincerely,