Datatilsynet (Norway) - 20/02042: Difference between revisions

From GDPRhub
m (Added information about Innovation Norway and clarified that the process of conducting credit scorings is not the issue here, only the misuse of it by the one employee)
 
(5 intermediate revisions by 3 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=Datatilsynet (in NO)
|Original_Source_Name_1=Datatilsynet (in NO)
|Original_Source_Link_1=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/varsel-om-overtredelsesgebyr-til-innovasjon-norge/
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/ecc60fae5be740da81468d4eb23c43a3/vedtak-om-overtredelsesgebyr-til-innovasjon-norge.pdf
|Original_Source_Language_1=Norwegian
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Language__Code_1=NO
Line 25: Line 25:
|GDPR_Article_1=Article 6(1)(f) GDPR
|GDPR_Article_1=Article 6(1)(f) GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1f
|GDPR_Article_Link_1=Article 6 GDPR#1f
|GDPR_Article_2=Article 33 GDPR
|GDPR_Article_2=Article 33(1) GDPR
|GDPR_Article_Link_2=Article 33 GDPR
|GDPR_Article_Link_2=Article 33 GDPR


Line 46: Line 46:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Rie Aleksandra Walle
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]
|
|
}}
}}


The Norwegian DPA (Datatilsynet) notified Innovation Norway that they will be fined €95,000 for subjecting the complainant to multiple credit ratings without a legal basis under Article 6(1)(f) GDPR. Innovation Norway has until January 25 2021 to contest the fine.  
The Norwegian DPA (Datatilsynet) upheld its decision to fine Innovation Norway NOK 1,000,000 (~€98,000) for subjecting the complainant to multiple credit ratings without a legal basis under Article 6(1)(f) GDPR.  


==English Summary==
==English Summary==


===Facts===
===Facts===
The complaintant was subjected to multiple credit ratings by Innovation Norway*, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings.  
The complainant was subjected to multiple credit ratings by Innovation Norway*, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings.  


When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.
When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.
Line 62: Line 62:


===Dispute===
===Dispute===
Did Innovation Norway have a legal basis for conducting credit rating(s) of the complaintant?
 
#Did Innovation Norway have a legal basis for conducting credit rating(s) of the complainant?
#Did Innovation Norway have sufficient internal controls for conducting credit ratings?
#Should Innovation Norway have report the personal data breaches to the DPA, cf. Article 33(1)?


===Holding===
===Holding===
The DPA found that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question, that they hadn't followed up on their own internal policies and procedures and that they should have notified the DPA of the personal data breach cf. Article 33 GDPR.
 
#The DPA held that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question.
#They also held that Innovation Norway hadn't followed up on their own internal policies and procedures and these were insufficient.
#They also held that Innovation Norway breached their duty to notify the DPA three of the (first) personal data breaches (unlawful credit ratings), however they upheld it at the fourth.
 
For these breaches, the DPA fined Innovation Norway NOK 1,000,000.


==Comment==
==Comment==
The complaintant was subjected to a total of ten credit ratings; one on the complaintant personally, three on his sole proprietorship and four on his limited company. The latter ones were not considered as a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrates.
The complainant was subjected to a total of ten credit ratings; one on the complainant personally, three on his sole proprietorship and four on his limited company. The latter ones were not considered as a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrates.


The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.  
The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.  


==Further Resources==
==Further Resources==
''Share blogs or news articles here!''
 
* The Norwegian DPA's first press release (notification) (in Norwegian): https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/varsel-om-overtredelsesgebyr-til-innovasjon-norge/
* The Norwegian DPA's final press release about the decision to fine Innovation Norway (in Norwegian): https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/gebyr-til-innovasjon-norge/<br />


==English Machine Translation of the Decision==
==English Machine Translation of the Decision==
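Review bot: The Comment paragraph in this hunk does not add up: it gives a total of ten credit ratings but itemises one on the complainant personally, three on his sole proprietorship and four on his limited company, which is eight. The older machine-translated press release on this page says the limited company was credit-rated six times, which would make ten, so the "four" should be checked against the decision. Two wording points in the new numbered lists: Dispute item 3 reads "have report" where "have reported" is meant, and Holding item 3 reads "notify the DPA three of the (first) personal data breaches", which is missing "of" and leaves unclear whether "upheld it at the fourth" means the notification duty was met for the fourth breach. The trailing <br /> on the last Further Resources bullet can be dropped.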
Line 79: Line 89:


<pre>
<pre>
__________ PRESS RELEASE __________
Fee to Innovation Norway


Notification of infringement fee to Innovation Norway
The Norwegian Data Protection Authority has sent a decision on an infringement fee of NOK 1 million to Innovation Norway. The case concerns a credit assessment without a basis for processing.
Fee to Innovation Norway


The Norwegian Data Protection Authority has sent Innovation Norway a notice of infringement fines of NOK 1 million. The case concerns four credit of an individual and his sole proprietorship without any basis for assessments treatment .
- Innovation Norway has not been able to refer to a customer relationship, or a connection to the complainant and the company in question, which could justify these credit assessments, says senior adviser Ida Småge Breidablikk.
Notification of infringement fee to Innovation Norway


- Innovation Norway has not been able to point to a customer relationship, or a connection to complainants and his company, that could justify these credit assessments, says senior adviser Ida Småge Breidablikk.
The amount is unchanged after we first sent notice in the case.
Must have a valid treatment basis


Innovation Norway has agreed that they did not have a treatment basis for the four credit assessments. The credit assessments took place over a period of 3 months.
A credit rating is the result of compiling personal information from many different sources, and shows a number that indicates the probability that an individual or sole proprietorship will pay a claim. A credit assessment will also show details about the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.
Must have a valid treatment basis


A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person or sole proprietorship will pay a claim. A credit assessment will also show details about the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.
Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships.


Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships. It is part of the case that the complainant's limited company has also been credit-rated six times. However, this is not covered by the privacy regulations, and the Data Inspectorate cannot sanction this.
Read more about credit rating and privacy
Experienced offensive
Experienced offensive


- Credit information about sole proprietorships also says something about the owner's personal finances. It is private information that can not be collected by other companies unless it is objectively justified, says legal senior adviser Ida Småge Breidablikk. We understand that complaints react when he has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, she concludes.
- Credit information about sole proprietorships also says something about the owner's personal finances. It is private information that can not be collected by others unless it is objectively justified, says senior adviser Ida Småge Breidablikk.
 
- We understand that the complainant reacts when the person in question has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, Breidablikk concludes.


Innovation Norway has been given a deadline of 25 January to submit comments on the notification.
Innovation Norway has a three-week appeal period from the time they receive our decision.
</pre>
</pre>
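Review bot: Removing the "PRESS RELEASE" marker at the top of the pre block leaves the text under "English Machine Translation of the Decision" unlabelled, although it still reads as a press release ("says senior adviser Ida Småge Breidablikk") rather than the decision itself; keep a label or rename the section. The new text also carries "Fee to Innovation Norway" twice near the top and leaves the link text "Read more about credit rating and privacy" directly above the "Experienced offensive" subheading, both of which look like page residue from the source. The dropped sentence about the limited company being credit-rated six times is the only place the page stated that count, and the Comment section relies on that distinction.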

Latest revision as of 18:57, 5 March 2022

Datatilsynet - DT-20/02042
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.01.2021
Published: 04.01.2021
Fine: 1000000 NOK
Parties: Complainant (data subject - anonymized)
Innovation Norge
Innovation Norway
National Case Number/Name: DT-20/02042
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) upheld its decision to fine Innovation Norway NOK 1,000,000 (~€98,000) for subjecting the complainant to multiple credit ratings without a legal basis under Article 6(1)(f) GDPR.

English Summary

Facts

The complainant was subjected to multiple credit ratings by Innovation Norway*, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by a single employee, and it is unclear why the employee needed to conduct them. One credit rating was conducted by a different employee; however, this was due to a misunderstanding when investigating the other credit ratings.

When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings; however, these were found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.

* Innovation Norway is state-owned and the Norwegian government's instrument for innovation and development of Norwegian enterprises and industry. Their programs and services are aimed at stimulating entrepreneurship in Norway. Conducting credit scoring of individuals and companies is common practice and not an issue in itself. The issue here was the misuse of credit scoring by one employee.

Dispute

  1. Did Innovation Norway have a legal basis for conducting credit rating(s) of the complainant?
  2. Did Innovation Norway have sufficient internal controls for conducting credit ratings?
  3. Should Innovation Norway have reported the personal data breaches to the DPA, cf. Article 33(1)?

Holding

  1. The DPA held that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question.
  2. They also held that Innovation Norway hadn't followed up on their own internal policies and procedures, and that these were insufficient.
  3. They also held that Innovation Norway breached their duty to notify the DPA of three of the (first) personal data breaches (unlawful credit ratings); however, they upheld it at the fourth.

For these breaches, the DPA fined Innovation Norway NOK 1,000,000.

Comment

The complainant was subjected to a total of ten credit ratings: one on the complainant personally, three on his sole proprietorship and four on his limited company. The latter were not considered a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrate.

The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Fee to Innovation Norway

The Norwegian Data Protection Authority has sent a decision on an infringement fee of NOK 1 million to Innovation Norway. The case concerns a credit assessment without a basis for processing.

- Innovation Norway has not been able to refer to a customer relationship, or a connection to the complainant and the company in question, which could justify these credit assessments, says senior adviser Ida Småge Breidablikk.

The amount is unchanged after we first sent notice in the case.

Must have a valid treatment basis

A credit rating is the result of compiling personal information from many different sources, and shows a number that indicates the probability that an individual or sole proprietorship will pay a claim. A credit assessment will also show details about the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.

Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships.

Experienced offensive

- Credit information about sole proprietorships also says something about the owner's personal finances. It is private information that can not be collected by others unless it is objectively justified, says senior adviser Ida Småge Breidablikk.

- We understand that the complainant reacts when the person in question has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, Breidablikk concludes.

Innovation Norway has a three-week appeal period from the time they receive our decision.