Datatilsynet (Norway) - 20/03046: Difference between revisions
Older revision: (No edit summary)
Newer revision: (Updated with final decision)
Line 11:
|Original_Source_Name_1=Datatilsynet
− |Original_Source_Link_1=https://www.datatilsynet.no/contentassets/
+ |Original_Source_Link_1=https://www.datatilsynet.no/contentassets/918bdbdce8a740d2a5e9b65334d82c52/20_03046-17-vedtak-om-overtredelsesgebyr---trumf-as_sladdet.pdf
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Name_2=Datatilsynet
− |Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-
+ |Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/gebyr-til-trumf/
|Original_Source_Language_2=Norwegian
|Original_Source_Language__Code_2=NO
Line 56:
}}
− The Norwegian DPA
+ The Norwegian DPA fined the company Trumf €500,185 (NOK 5,000,000) for failing to report and document repeated data breaches where people could register other people's bank account numbers to get access to their detailed purchase history.
== English Summary ==
=== Facts ===
− "Trumf" is a customer loyalty program owned and run by the company with the same name. Users can register their Trumf card at various stores, gas stations, airlines and other Trumf partners to collect bonus points, which can then be used to purchase goods or be withdrawn as cash.
+ "Trumf" is a customer loyalty program owned and run by the company with the same name (the controller). Users can register their Trumf card at various stores, gas stations, airlines and other Trumf partners to collect bonus points, which can then be used to purchase goods or be withdrawn as cash.
− In 2016, it was discovered that people could register other people's bank account numbers to get access to their detailed purchase history. At the time, the Norwegian DPA (Datatilsynet) instructed
+ In 2016, it was discovered that people could register other people's bank account numbers to get access to their detailed purchase history. At the time, the Norwegian DPA (Datatilsynet) instructed the controller to mitigate this security risk. The controller confirmed that this would be dealt with promptly by implementing a verification mechanism which would solve the problem.
However, in 2020, the DPA, through various news stories, became aware that the security issue was still unresolved. The controller explained that it had been too challenging to resolve and, further, that they did not report these breaches because they thought they did not have to. Consequently, they did not adhere to [[Article 33 GDPR#5|Article 33(5) GDPR]], nor [[Article 33 GDPR#1|Article 33(1)]].
=== Holding ===
− The Norwegian DPA held that Trumf had breached [[Article 33 GDPR#1|Article 33(1)]] for failing to notify them of repeated personal data breaches, [[Article 33 GDPR#5|Article 33(5)]] for failing to document these breaches, and [[Article 32 GDPR|Article 32]] for failing to implement sufficient technical and organizational measures. For these violations, the DPA
+ The Norwegian DPA held that Trumf had breached [[Article 33 GDPR#1|Article 33(1)]] for failing to notify them of repeated personal data breaches, [[Article 33 GDPR#5|Article 33(5)]] for failing to document these breaches, and [[Article 32 GDPR|Article 32]] for failing to implement sufficient technical and organizational measures. For these violations, the DPA fined the controller €500,185 (NOK 5,000,000).
== Comment ==
Line 83:
PO Box 1513 Vika
0117 OSLO
Line 92:
− 105879-564 20 / 03046-
+ Their reference: 105879-564; Our reference: 20/03046-17; Date: 06/22 / 22.2022
+ Decision on infringement fine - Trumf AS
1 Introduction
− We refer to our
+ We refer to our notification of a decision on an infringement fine of 6 December 2021, as well as
+ the response to the notification from Trumf of 22 December 2021.
− 2.
+ 2. Decision on order and infringement fine
+ The Data Inspectorate has today made the following decision:
+ Pursuant to Article 58(2)(i) GDPR, TRUMF AS, org.nr. 976 912 047, is ordered to pay an infringement fine
+ to the Treasury of NOK 5,000,000 for:
+ having breached its obligations under Article 33(1) and Article 33(5) GDPR, and
+ having breached its obligation to implement appropriate measures in accordance with Article 32 GDPR.
3. Details of the facts of the case
+ Trumf AS ("Trumf") is a benefit program that lets private individuals save bonuses on purchases in
NorgesGruppen's grocery stores and at a number of external Trumf partners. Members of
the benefit program can register a bank account number so that a bonus is saved on
the transactions they perform with bank cards linked to the bank account. The Trumf member will
then get access to detailed information about purchases made in the stores associated with Trumf,[1]
with certain exceptions. Information about where you shopped, when you shopped, and what you bought
will be available to the Trumf member by logging in to Trumf's website.
[1] Apotek 1 anonymises some of the purchases made with them.
Postal address: PO Box 458 Sentrum, 0105 OSLO; Office address: Trelastgata 3, 0191 OSLO; Telephone: 22 39 69 00; Org.nr: 974 761 467; Website: www.datatilsynet.no
− The
+ On 1 March 2016, a meeting was held between Trumf and the Norwegian Data Protection Authority. The meeting was initiated by
− membership.
+ the Data Inspectorate on the basis of a tip to our guidance service in February 2016. The tip came from a
+ person who had tried to enter their own account number on their own Trumf membership. This was,
− Trumf.
+ however, not possible because an unknown person had already registered the account number.
+ The person in question had not received information that their account number was registered with Trumf.
Based on the content of the tip received, as well as the meeting of 1 March 2016, the Data Inspectorate chose to initiate
Line 158 (old) / Line 159 (new):
"Trumf registered" in the display on the payment terminal, in addition to the fact that the receipt states that Trumf
bonus is registered in connection with the purchase. Trumf also wrote that registering other people's
bank account information would constitute a breach of contract.
The Data Inspectorate chose on 17 July 2016 to notify a decision on an order against Trumf, which consisted of:
Order to establish routines for obtaining and checking the consent of all those they process
information about,
Order to immediately stop processing of account numbers and other personal data for which
Trumf has no legal basis,
Order to establish routines to secure information to the data subject when Trumf collects or
otherwise processes information from anyone other than the Trumf member,
Order to prepare and adequately document risk assessment, acceptance criteria and measures
as part of its information security work.
These orders were largely related to the fact that Trumf lacked a verification solution that
ensured that Trumf members only registered their own bank account, and not others'. Below we gave
the following remark in the notice of decision:
Line 184 (old) / Line 185 (new):
In the Data Inspectorate's opinion, Trumf must ensure that the connection between the
Trumf membership and the account holder is authenticated, so that it is not possible to process an
account number on trumf.no unless the account holder and the Trumf member are the same person.[2]
On 15 August 2016, Trumf responded to the notification of the decision. In this answer it appeared, among other things, that
Line 191 (old) / Line 192 (new):
the Trumf member is the same, and found a method to ensure such verification.
It appeared from the answer that it was somewhat uncertain when this solution would be
implemented, but according to the information given, this was to be done during the autumn of 2016. Trumf
[2] Letter from the Norwegian Data Protection Authority, 17 July 2016, «Notification of decision - processing of personal data when registering account number on trumf.no», page 7.
+ wrote that this solution would be faster than other alternatives, and that this was the best way to
+ perform the verification.
The Data Inspectorate decided, in light of Trumf's response to the notification of the decision, to close the case. The Data Inspectorate noted
in a letter dated 5 December 2016, among other things, that strong authentication (two-factor) was needed for
Trumf to be confident that the correct person agrees to register the account number with Trumf.
The Data Inspectorate noted that the use of BankID or a security code sent by SMS seemed to be the best
Line 208 (old) / Line 209 (new):
In 2020, the Norwegian Data Protection Authority, through the media and through contact with the data protection officer at Trumf, became aware
that it was still possible to enter other people's bank account numbers in Trumf's customer program and that
no verification mechanism had been implemented. On this basis, the Data Inspectorate sent Trumf
a request for a statement on 2 October 2020.
Line 215 (old) / Line 216 (new):
In Trumf's statement of 9 November 2020, they write that since 2016 they have worked purposefully to
address the situation, but that it has been challenging to realize a service for verification of
ownership of bank accounts.
Trumf is said to have continuously investigated other possibilities to get
access to a verification service.
Line 223 (old) / Line 224 (new):
an update on the work of finding a verification service, as well as further insight into why Trumf
had not sent any reports of breaches of personal data security in cases where Trumf had
received information about erroneous registrations.
On 20 April 2021, Trumf replied that they would have access to a verification service. The verification solution
Line 238 (old) / Line 239 (new):
the person is already familiar with. Furthermore, Trumf points out that there is often a close relationship between
the account holder and the Trumf member, including family members or other financial communities.
Trumf further mentions that they have not received inquiries where there is a suspicion of erroneous
registrations made with dishonest intentions. They also note that in June 2020 they contacted the Authority
in connection with the question of the duty to notify. Their data protection officer is said, in dialogue with the Authority, to have provided
Line 246 (old) / Line 247 (new):
necessary.
+ With the introduction of the GDPR in 2018, Trumf implemented a digital solution so that
members could request access and access their personal information on trumf.no. The solution was
launched to fulfill the right of access members have under the regulations.
+ The member could choose which information, which level of detail and which period they wanted
access to by selecting from a list of information categories. Detailed purchase history was one of
the options. There was only access to details about the member who was logged in, so that in a joint
membership, members will only see details about their own purchases.
Trumf states in an e-mail on 30 November 2021 that the user panel with the self-service solution for access
was considered best practice at the time it was introduced. Trumf points out that the functionality was shown
to the Norwegian Data Protection Authority in a meeting in the summer of 2018, and that the authority gave positive feedback. Before the digital
solution was launched, the right of access was handled by Trumf customer service.
In April 2020, a detailed purchase history was made available to members through a separate button for a
digital "receipt" from the purchase history on trumf.no. The solution was launched to make it
easier for members to verify the bonus calculation, as there may be different bonus rates for
different product groups/goods. On the digital receipt, the member can see the items per purchase and the associated
bonus calculation for the individual item. It is only possible to access the details for the member
who is logged in, so that in a joint membership, members will only see details about their own purchases.
+ In the comments to the notification, Trumf writes that the Data Inspectorate's assessment is taken into account. It appears
+ further that Trumf does not fully agree with the Data Inspectorate's assessment of the breach of
+ Article 32 GDPR, but that the notified fine is accepted.
Line 283 (old) / Line 292 (new):
the controller, or the specific criteria for its nomination, are determined in
Union law or in the national law of the Member States,
4.2. Internal control and information security
The basic principles for the processing of personal data follow from Article 5(1) GDPR.
In accordance with the principle of integrity and confidentiality, personal data shall
Line 296 (old) / Line 305 (new):
controllers must be able to demonstrate that the principles of privacy are complied with, cf. Article 5(2).
As the controller, you have a duty to implement appropriate technical and organisational measures
to ensure and demonstrate that the processing of personal data is in accordance with
the GDPR, cf. Article 24. It is also obligatory to have privacy by design and
privacy by default in all systems and services that process
personal data, cf. Article 25.
+ The requirements for personal data security are further regulated in Article 32, under which
controllers have a duty to implement appropriate technical and organisational measures
to achieve a level of security that is appropriate in terms of the risk. Depending on what is
Line 349 (old) / Line 357 (new):
as the "commentary") writes the following about this obligation:
+ Irrespective of whether there is a duty to notify the supervisory authorities or not, the
data controller is obliged to document any breach of information security, including the
actual circumstances, potential consequences and what damage mitigation measures may have been
+ implemented. It must also be documented which assessments form the basis for the business
having failed to report the breach of security to the supervisory authority.
+ 5. The Norwegian Data Protection Authority's assessment
5.1. Controller
+ It does not appear disputed that it is Trumf who is the controller, as they decide
"the purposes […] and the means" of the processing, cf. Article 4(7), in relation to
the processing activities performed in the context of the Trumf benefit program.
Line 368 (old) / Line 376 (new):
5.2. Today's solution for verifying customers
The Data Inspectorate assumes that Trumf's current solution, as described in letters of 20 April 2021 and 3
+ June 2021, ensures that Trumf members can only register bank accounts that belong to themselves. The
verification solution means that all new members must verify that they are the owner of
− the bank account they wish to register before a new membership is created. Existing members will
+ the bank account they wish to register before a new membership is created.
+ Existing members will need to verify that they are the holder of the bank account they have registered on
− access to functions such as access to purchase history and detailed receipts. The member will then be given
+ Trumf when the member logs in to their member account.
+ If such verification is not carried out, the person in question will immediately lose access to functions
+ such as access to purchase history and detailed receipts. The member will then be given a deadline before the account is
+ deleted. Trumf is working to get all customers verified. In that connection, a meeting was held between
+ the Data Inspectorate and Trumf on 20 June 2022.
+ On 15 December 2021, Trumf submitted a report of a breach of personal data security. The new
+ technical solution meant that access to historical transactions and receipts was reactivated, but
+ this then included any historical transactions from payment cards that had been rejected and not
+ verified by the customer. Trumf removed the possibility of access to historical transactions for members
+ with rejected account numbers, and further describes in the report that a solution will be developed so that
+ members with rejected bank accounts only gain access to transactions carried out with verified
+ bank cards, transactions completed after the bank account has been verified, as well as transactions completed
+ with Trumf Visa and Trumf cards. At the meeting on 20 June, we understood that this solution was in place.
5.3. Breach of personal data security - Article 4(12)
Line 382 (old) / Line 405 (new):
the controller shall, without undue delay and no later than 72 hours after becoming aware of it, report
the breach to the supervisory authority. However, this is not necessary if the breach is unlikely to
+ pose a risk to the rights and freedoms of natural persons.
− The duty to report may arise in cases where the security
+ The duty to report may arise in cases where the breach of security entails processing that is unlawful,
but also if it results in processing that is unintentional, regardless of whether the processing is
unlawful. The duty to report also includes incidents that constitute pure accidents.[3]
Line 395 (old) / Line 422 (new):
The first question is whether there is a «breach of personal data security», cf.
Article 33, cf. Article 4(12), when Trumf members register bank accounts that do not belong to
them and in this way gain access to personal information about purchases made by the account holder.
Trumf writes in their statement that they are of the opinion that this does not constitute a notifiable breach of
Line 402 (old) / Line 429 (new):
First, Trumf points out that the experience from customer service inquiries is that most of those affected
are aware of the registration. Secondly, that there is typically an economic community, usually a
family or housing association, between the Trumf member and the account holder. Third, no one is said to have
contacted customer service and stated that access to purchase history has been perceived as a problem.
Line 409 (old) / Line 436 (new):
The Data Inspectorate cannot see that these objections are relevant as to whether there is a «breach of
personal data security» pursuant to Article 4(12).
+ If a Trumf member registers another person's bank account, Trumf will process
personal information about the account holder in an unintentional manner. Trumf will make personal information about the account holder
available to a Trumf member, without this being Trumf's intention. Trumf itself has pointed out
that the registration of others' bank accounts constitutes a breach of contract and a violation of the guidelines for
membership in Trumf. Such registration, and consequently the processing of personal data associated
with it, will therefore be a «breach of security leading to unintentional […] access to
personal data […]», cf. Article 4(12).
Trumf's objections appear more relevant in the assessment of how great a risk the breach of
personal data security may entail for the data subject (account holder). Such a
risk assessment is, however, not part of the definition of what constitutes a breach of
personal data security, but is only relevant when assessing whether the matter is notifiable under
Article 33(1). See our assessment in section 5.5.
On this basis, we have concluded that the cases where one Trumf member registers another
person's bank account on their own membership will constitute a «breach of
personal data security», cf. Article 4(12).
[…]

[3] Commentary, in their comments on Article 33 (1).

The Norwegian Data Protection Authority understands that the 950 inquiries have been estimated on the basis of parts of 2021, and that there may be some uncertainty associated with these figures. However, Trumf itself writes that it considers these figures to be representative of previous years. Furthermore, these figures are estimated on the basis of experience gained after Trumf introduced its latest information measure, whereby the first three letters of the Trumf member's name appear on the receipt after a purchase (this measure was implemented at the end of 2020). Consequently, to a greater extent than before, it will be possible for account holders to directly contact Trumf members whose names they recognize in order to have the registration removed. This may reduce the number of account holders who must contact Trumf directly to have the registration removed, compared to previous years. Although it cannot be completely ruled out, there are at least no indications that more people will make contact in 2021 than in previous years.

If we take into account the experiences from 2021, Trumf will receive an average of around 79 inquiries
[…]

information on incorrect registrations in the time period from June 2018 (when the Personal Data Act came into force) to October 2021. If instead the starting point is the time period June 2018 to July 2020 (when the data protection officer contacted the Norwegian Data Protection Authority to announce, among other things, that they believe these events are not subject to notification, and we also received information about the situation through the media), Trumf received just under 2,000 inquiries about such incorrect registrations.

There is some uncertainty associated with the estimated figures, and possibly in how the information measure on the receipt has affected this. Based on what Trumf has explained, it can in any case be assumed that Trumf has received inquiries to a significant extent.

The main rule is that all breaches of personal data security must be reported to the Norwegian Data Protection Authority. The
[…]

rights and freedoms of natural persons», cf. Article 33 no. 1. We assess whether the events are exempt from the reporting obligation in section 5.5, but first we assess whether Trumf has complied with its obligation to document the breaches of personal data security in accordance with Article 33 (5).

5.4. Article 33 (5)

Trumf has informed us that categorization of completed inquiries has not been done until recently. Trumf has only presented to the Norwegian Data Protection Authority a rough categorization based on an analysis of inquiries processed in 2021.

If it is assumed that the number of inquiries from 2021 is also representative of previous years, as asserted by Trumf, this means that Trumf has received over 2,000 inquiries about incorrect registrations of bank accounts from June 2018 (when the Personal Data Act came into force) to the end of 2020 (around when they began to categorize their inquiries). This is only an estimate, but the figures show that there has been a significant number of such inquiries that are not categorized or otherwise documented.

Accordingly, Trumf does not have documentation showing «[…] the actual circumstances surrounding the said breach,
[…]

[4] Letter from Wikborg Rein on behalf of Trumf, «Reply to new request for statement - Processing of personal data by registration of account number via Trumf», 20 April 2021, page 2.

This documentation obligation exists regardless of whether the breach of personal data security entails a risk to the rights and freedoms of natural persons, and it is therefore no condition that the breach is notifiable under Article 33 (1).

On this basis, the Data Inspectorate concludes that Trumf has breached its obligation to document the breaches of personal data security that occurred from 18 June 2018 to the end of 2020, cf. Article 33 (5).

However, the Norwegian Data Protection Authority has chosen not to problematize the overall categorization of
[…]

The next question that the Data Inspectorate will consider is whether Trumf has breached its obligation under Article 33 no. 1 by not reporting the breaches of personal data security to the Norwegian Data Protection Authority.

5.5. Article 33, paragraph 1
[…]

If the breach of personal data security «is unlikely to pose a risk to natural persons' rights and freedoms», cf. Article 33 no. 1, it is not necessary to report it to the Norwegian Data Protection Authority. It is the controller who must be able to substantiate that there is no risk associated with the breach of personal data security. This emerges, among other things, from recital 85:

As soon as the controller becomes aware that a breach of personal data security has occurred, the controller should report the said breach to the supervisory authority without undue delay and if possible no later than 72 hours after becoming aware of it, unless the controller, in accordance with the principle of accountability, can demonstrate that the said breach of personal data security is unlikely to pose a risk to natural persons' rights and freedoms. (own emphasis)

Consequently, it is Trumf who must point to circumstances that indicate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The wording of Article 33 (1) also indicates this, since what is to be probable is that there is no risk.

The question is thus whether Trumf can substantiate that all the cases mentioned above, where Trumf members have registered other people's bank account on their own Trumf membership, «are unlikely to pose a risk to the rights and freedoms of natural persons», cf. Article 33 no. 1.

In the guidelines of the Article 29 Working Party on breaches of personal data security, last revised in February 2018, it is stated that, among other things, emphasis will be placed on «the nature of the personal data».[5] It must be taken into consideration whether the breach of personal data security may result in damage or other negative consequences. If the breach may have consequences for particularly vulnerable individuals, this must also be included in the assessment.[6]

[5] Guidelines on Personal data breach notification under Regulation 2016/679, page 25.
[…]

the member has a family or financial relationship. What you buy can reveal private matters. For example, the shopping pattern can reveal diets and eating habits, the purchase of pregnancy tests or the purchase of contraceptives. Nor can it be ruled out that a person's shopping history may reveal religious or similar conditions, for example that one deviates from religious or other norms established in the family or among friends, for example by buying alcohol or certain types of meat. When buying, among
[…]

That Trumf has not been directly notified by account holders who have been exposed to such abuse is not decisive. Trumf need not have concrete and indisputable knowledge that the risk has actually materialized. If Trumf fails to show that it «is unlikely to pose a risk […]», cf. Article 33 no. 1, the breach of personal data security shall be reported.

However, Trumf has referred to a number of general risk mitigation measures that it has implemented.[7] They seem to be of the opinion that these measures eliminate, or sufficiently reduce, the potential risk associated with the incorrect registration. When using a bank card associated with a registered bank account, information about the Trumf registration will appear on the bank terminal and the receipt. In November 2020, Trumf added further information to the receipt, whereby the first three letters of the first name of the Trumf member appear on the receipt.

[6] Ibid.
[7] Routines for risk assessment page 4, appendix 5 to a letter from Wikborg Rein on behalf of Trumf, «Reply to request for statement - processing of personal data when registering account numbers via Trumf», of 9 November 2020.

The Norwegian Data Protection Authority agrees that the information measures implemented by Trumf can reduce the time an account holder remains unaware of the registration. However, Trumf will already have processed personal data about this person to a greater extent than it would have done if the bank account had not been registered. This applies regardless of whether it is assumed that the account holder immediately receives the information about the registration on their first shopping trip after being registered by a Trumf member. The member who incorrectly registered someone else's bank account will soon be able to have received information about the data subject's shopping trip: as noted in the statement from Trumf, it may take as short a time as from when the bank card is used until information about the shopping trip becomes available to the member.

It is also not a given that the account holder will be made aware of the registration through
That customer service receives a number of inquiries after the account holder has become aware of incorrect registrations as a result of the information measures does not say anything about the number of customers / account holders who have not discovered the incorrect registration through these information measures. Trumf will never receive information about those customers who do not see that it says «Trumf registered» on the payment screen, or who otherwise do not try to register their own bank account on their own membership.

In continuation of this, as Trumf itself notes in its statement, it happens that account holders turn to customer service because they are trying to register their own bank account on their own membership, but are then informed that the bank account has already been registered (Trumf estimates such inquiries to be over 200 a year). Consequently, these persons have not received information about the registration via the information measures described by Trumf. This is suitable to illustrate how people may shop without noticing the information. At the same time, it cannot of course be ruled out that these persons had not yet shopped in a store connected to Trumf after the Trumf member registered their account. Incidentally, there is a presumption against this, since a large number each year make contact after trying to register their bank account and then discovering that
[…]

Trumf has further pointed out how registering someone else's account number represents a breach of the terms of the agreement that the Trumf member enters into with Trumf, and that it is specified to the member that they are only to register accounts that belong to themselves. From May 2018, registration of an account number also required a two-factor confirmation from the member, by sending an SMS code to the member's registered mobile phone number.

Such circumstances may reduce a possible erroneous assumption by Trumf members that it is acceptable to register other people's bank account if e.g. there is a familial connection between them. However, such measures have no real impact on the cases where the Trumf member deliberately registers someone else's bank account in violation of the terms of the agreement, since Trumf does not have a
[…]

The Data Inspectorate believes on this basis that there are aspects of one's shopping history (including what one buys, where one shops and when one shops) which indicate that there will be an associated risk in the cases where a third party has access to such personal data, this despite Trumf's measures. This applies regardless of whether this third party is a family member or similar.

As a clear starting point, the Data Inspectorate therefore believes that such matters should be reported in accordance with Article 33 no. 1, with the exception of those cases where reference can be made to specific circumstances of the breach that mean that the duty to notify nevertheless does not arise.

Trumf has, as noted above, concluded that none of the inquiries it has received, giving notice that there have been incorrect registrations, has indicated a sufficient degree of risk to trigger the duty to report in Article 33. Trumf has given only an overall description of the various inquiries it has received, and placed them in different groupings based on experiences from the beginning of 2021. They note in their statement that the assessment has some uncertainty due to the varying quality and scope of information from the dialogue with the person who directs the inquiry to customer service and the Trumf member who has the account registered. As commented above, Trumf has not presented any documentation related to the breaches of personal data security that occurred before 2021, and they write that the categorization of completed inquiries has not been done until recently.

The Norwegian Data Protection Authority will review these types of cases in the following and comment on any risks associated with them, before concluding on which breaches of personal data security Trumf can prove that there is no risk.

Conclusion on the risk assessment pursuant to Article 33 (1)

As noted above, the Norwegian Data Protection Authority has concluded that there is a potential for abuse in that Trumf members can register other people's account number. If Trumf becomes aware of such breaches of personal data security, these shall in principle be reported to the Norwegian Data Protection Authority in accordance with Article 33 (1).

If the breaches are not reported, Trumf must be able to show that the specific breaches of personal data security «are unlikely to pose a risk to natural persons' rights and freedoms», cf. Article 33 (1) and (4).

Trumf has on an overall and general basis referred to circumstances in the various inquiries which it believes mean that there is no risk to the rights and freedoms of natural persons. The descriptions of the different types of cases are, as mentioned, general and contain a number of ambiguities.

The Data Inspectorate is otherwise reluctant to review a specific risk assessment, as this will be a discretionary exercise. We therefore choose to deal with the cases where we believe it is clear that Trumf cannot prove that there is no risk to the rights of natural persons and
[…]

Trumf member, before the person received information about this via, for example, the receipt or because the person has tried to register their own bank account on their own membership.

In such cases, the account holder will not be able to do anything to cancel the registration, as the person - until the person receives such information - will not have any knowledge of the registration. The account holder will also not be able to adapt where he or she shops, to avoid the shopping history being made available to a third party. Trumf must be able to point to clear concrete evidence that means that there is still probably no risk in such cases. As reviewed above, we do not share Trumf's view that a family connection or a financial community between the Trumf member and the account holder in itself makes it probable that there is no risk to the account holder. The Norwegian Data Protection Authority cannot rule out that further investigations, in the particular case, may reveal that there is still no such risk, but Trumf has not implemented this in
Line 725: | Line 778: | ||
The Danish Data Protection Agency concludes that Trump has not substantiated that breach | The Danish Data Protection Agency concludes that Trump has not substantiated that breach | ||
personal data security, in the form of Trump members registering other people's bank account, | personal data security, in the form of Trump members registering other people's bank account, | ||
16, "is unlikely to pose a risk to the rights and freedoms of natural persons", cf. Article 33 | |||
No. 1, in those cases where the account holder is not familiar with the registration from the beginning. | No. 1, in those cases where the account holder is not familiar with the registration from the beginning. | ||
The question thus becomes how many breaches of personal data security have such a character. | The question thus becomes how many breaches of personal data security have such a character. | ||
The following is stated in Trump's letter of 9 November 2020: | The following is stated in Trump's letter of 9 November 2020: | ||
According to customer service, the majority of those who go there and ask | According to customer service, the majority of those who go there and ask | ||
assistance in deleting one's account number from another's membership, even being aware of that | assistance in deleting one's account number from another's membership, even being aware of that | ||
the account has been registered to another person, typically a close family member. The most common | the account has been registered to another person, typically a close family member. The most common | ||
the explanation received from the person contacting customer service is that he wants | the explanation received from the person contacting customer service is that he wants | ||
change related to marital breakdown or similar. Only a small minority of inquiries to | change related to marital breakdown or similar. Only a small minority of inquiries to | ||
customer service applies to people who say they themselves have not been aware of the registration. This | customer service applies to people who say they themselves have not been aware of the registration. This | ||
applies to less than 15 people per month - on an annual basis about 0.0001% of the membership. | applies to less than 15 people per month - on an annual basis about 0.0001% of the membership. | ||
These people state to customer service that they have become aware of the registration, when they have | These people state to customer service that they have become aware of the registration, when they have | ||
tried to register as a new member, or when they have seen the receipt that there is one | tried to register as a new member, or when they have seen the receipt that there is one | ||
Trump registration on the account that they do not know. This just shows that | Trump registration on the account that they do not know. This just shows that | ||
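Review bot: "The Danish Data Protection Agency concludes" at the top of this hunk names the wrong authority; the same body is "The Norwegian Data Protection Authority" in the preceding hunk and Datatilsynet is the Norwegian DPA. The one-sided line "16, "is unlikely to pose a risk to the rights and freedoms of natural persons", cf. Article 33" also carries the source PDF's page number into the body text; drop the leading "16," when the revision is merged, and join it with "No. 1" on the following line so the citation reads "cf. Article 33 No. 1".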
Line 754: | Line 809: | ||
The personal data security that Trump | |||
It is not necessary for the Norwegian Data Protection Authority to decide on the exact number of violations | |||
The personal data security that Trump cannot prove does not pose a risk to physical | |||
rights and freedoms of persons. It is sufficient to state that Trump has regularly, at least 15 times in | rights and freedoms of persons. It is sufficient to state that Trump has regularly, at least 15 times in | ||
an average month, received such inquiries. | an average month, received such inquiries. | ||
5.5.2. Knowledge of the breach of personal data security | 5.5.2. Knowledge of the breach of personal data security | ||
In the assessment, we have only taken as our starting point the inquiries about which Trump has received information | In the assessment, we have only taken as our starting point the inquiries about which Trump has received information | ||
through its customer service. Consequently, there is no doubt that Trump has repeatedly exceeded 72- | through its customer service. Consequently, there is no doubt that Trump has repeatedly exceeded 72- | ||
the time limit, as set out in Article 33 (1). | the time limit, as set out in Article 33 (1). | ||
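Review bot: of the two one-sided lines, "The personal data security that Trump" is a truncated duplicate of "The personal data security that Trump cannot prove does not pose a risk to physical rights and freedoms of persons"; keep only the complete sentence (and "physical rights and freedoms of persons" should read "the rights and freedoms of natural persons", the wording used elsewhere in the text). "exceeded 72-" on one line and "the time limit" on the next are one hyphenated term and should be merged as "the 72-hour time limit, as set out in Article 33 (1)".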
Line 771: | Line 834: | ||
The starting point is that the supervisory authorities must report breaches of personal data security in | |||
17, The starting point is that the supervisory authorities must report breaches of personal data security in | |||
pursuant to Article 33 no. 1. The Norwegian Data Protection Authority has concluded that Trump, in a number of cases, cannot | pursuant to Article 33 no. 1. The Norwegian Data Protection Authority has concluded that Trump, in a number of cases, cannot | ||
prove that there is no risk to the rights and freedoms of natural persons, cf. Article 33 | prove that there is no risk to the rights and freedoms of natural persons, cf. Article 33 | ||
The content of the notification must be drafted in accordance with Article 33 (3). | The content of the notification must be drafted in accordance with Article 33 (3). | ||
The Norwegian Data Protection Authority has not received any reports of breaches of personal data security from Trump. We | The Norwegian Data Protection Authority has not received any reports of breaches of personal data security from Trump. We | ||
therefore concludes that Trump has repeatedly breached its obligation under Article 33 (1) to | therefore concludes that Trump has repeatedly breached its obligation under Article 33 (1) to | ||
send Datatilsynet notifications of breaches of personal data security. | send Datatilsynet notifications of breaches of personal data security. | ||
Our conclusion does not imply that Trump may have sent one message for each event. Article | Our conclusion does not imply that Trump may have sent one message for each event. Article | ||
The 29-group describes the possibility of giving collective messages in cases where there are repeated ones | The 29-group describes the possibility of giving collective messages in cases where there are repeated ones | ||
breach of personal data security with similar content and procedure: | breach of personal data security with similar content and procedure: | ||
Strictly speaking, each individual breach is a reportable incident. However, to avoid being overly | Strictly speaking, each individual breach is a reportable incident. However, to avoid being overly | ||
burdensome, the controller may be able to submit a “bundled” notification representing all these | burdensome, the controller may be able to submit a “bundled” notification representing all these | ||
breaches, provided that they concern the same type of personal data breached in the same way, | breaches, provided that they concern the same type of personal data breached in the same way, | ||
over a relatively short space of time. If a series of breaches take place that concern different types | over a relatively short space of time. If a series of breaches take place that concern different types | ||
of personal data, breached in different ways, then notification should proceed in the normal way, | |||
with each breach being reported in accordance with Article 33. 8 | |||
5.6. Safety of treatment - Article 32 | |||
Article 32 establishes an obligation for Trump to implement appropriate technical and organizational measures for | Article 32 establishes an obligation for Trump to implement appropriate technical and organizational measures for | ||
to ensure a level of safety appropriate to the risk. What constitutes suitable technical and | to ensure a level of safety appropriate to the risk. What constitutes suitable technical and | ||
organizational measures depend on «[…] the technical development, the implementation costs and | |||
the nature, scope, purpose and context of the treatment in which it is performed, as well as the risks of varying | the nature, scope, purpose and context of the treatment in which it is performed, as well as the risks of varying | ||
probability and severity of natural persons' rights and freedoms […] ». | probability and severity of natural persons' rights and freedoms […] ». | ||
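Review bot: the two one-sided copies of "The starting point is that the supervisory authorities must report breaches of personal data security in" (the second prefixed with the page number "17,") state the duty the wrong way round: under Article 33(1) it is the controller that must notify the supervisory authority, which is also how this hunk's own conclusion puts it ("obligation under Article 33 (1) to send Datatilsynet notifications of breaches"). Keep one copy, drop the "17," prefix and reword it as "the controller must report breaches of personal data security to the supervisory authority". The heading "5.6. Safety of treatment - Article 32" should read "5.6. Security of processing - Article 32", the title of Article 32; "treatment" for "processing" recurs in the paragraph that follows ("nature, scope, purpose and context of the treatment") and should be corrected in the same pass.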
Line 810: | Line 873: | ||
The question that the Data Inspectorate must decide on is whether Trump has implemented «suitable technical and | The question that the Data Inspectorate must decide on is whether Trump has implemented «suitable technical and | ||
organizational measures to achieve a level of safety that is appropriate with regard to the risk […] », cf. | organizational measures to achieve a level of safety that is appropriate with regard to the risk […] », cf. | ||
article 32 no. 1. We will take as our starting point the level of security that existed before the verification solution | article 32 no. 1. We will take as our starting point the level of security that existed before the verification solution became | ||
implemented. | |||
Trump has for a long time regularly received inquiries that incorrect registrations occur, in the form that | Trump has for a long time regularly received inquiries that incorrect registrations occur, in the form that | ||
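Review bot: the right-hand side appends "became" to "before the verification solution" while "implemented." stays a one-sided line; check that the merged sentence reads "before the verification solution was implemented" and that "implemented." is not lost in the merge.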
Line 818: | Line 881: | ||
Trump receives clear information about constant cases of «unauthorized disclosure of or access to | Trump receives clear information about constant cases of «unauthorized disclosure of or access to | ||
personal data […] », cf. Article 32 (2) and breaches of« […] confidentiality […] in | personal data […] », cf. Article 32 (2) and breaches of« […] confidentiality […] in | ||
their treatment systems and services, cf. Article 32 (1) (b). | their treatment systems and services, cf. Article 32 (1) (b). | ||
As we discussed above, there may be a clear risk to the rights of natural persons and | As we discussed above, there may be a clear risk to the rights of natural persons and | ||
freedoms by giving a third party access to personal data on trading history (including place of trading, | freedoms by giving a third party access to personal data on trading history (including place of trading, | ||
what one has traded and when one has traded). This will be able to reveal in-depth private matters, and | what one has traded and when one has traded). This will be able to reveal in-depth private matters, and | ||
will in any case be experienced as uncomfortable. This risk is anyone who has not already registered | |||
8 Guidelines on Personal data breach notification under Regulation 2016/679, page 16. | |||
18, will in any case be experienced as uncomfortable. This risk is anyone who has not already registered | |||
his account number in Trump, exposed to. | his account number in Trump, exposed to. | ||
This risk assessment must take into account the probability of possible events that may have | |||
occurred without Trump having gained specific knowledge of them, as well as possible future consequences. | occurred without Trump having gained specific knowledge of them, as well as possible future consequences. | ||
Trump can not on this occasion cite a lack of concrete knowledge about, for example, that persons | Trump can not on this occasion cite a lack of concrete knowledge about, for example, that persons | ||
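Review bot: footnote 8 ("Guidelines on Personal data breach notification under Regulation 2016/679, page 16.") has landed in the middle of the paragraph, between two copies of "will in any case be experienced as uncomfortable. This risk is anyone who has not already registered", the second copy prefixed with the page number "18,". Keep one copy without the prefix and move the footnote text to where its marker "8" appears (after "in accordance with Article 33. 8" in the previous hunk) or to a footnotes list. "This risk is anyone who has not already registered his account number in Trump, exposed to" also reads better as "Anyone who has not already registered his account number in Trumf is exposed to this risk."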
Line 835: | Line 902: | ||
Trump has taken certain risk mitigation measures, including that it says "Trump registered" in | Trump has taken certain risk mitigation measures, including that it says "Trump registered" in | ||
the payment display and that information about the Trump membership appears on the receipt. In later | |||
time, Trump has supplemented with additional information on the receipt, in the form of the first three letters | time, Trump has supplemented with additional information on the receipt, in the form of the first three letters | ||
to the Trump member appears. It is also necessary to use your mobile phone to register one | to the Trump member appears. It is also necessary to use your mobile phone to register one | ||
Line 842: | Line 909: | ||
The Data Inspectorate believes that these measures are not sufficient to achieve a required level of security | The Data Inspectorate believes that these measures are not sufficient to achieve a required level of security | ||
pursuant to Article 32. | |||
As mentioned above, the repeated inquiries show which the account holder first receives information about | As mentioned above, the repeated inquiries show which the account holder first receives information about | ||
Line 853: | Line 920: | ||
Trump has given their members access to information about the place of trading and shopping history, despite | Trump has given their members access to information about the place of trading and shopping history, despite | ||
that Trump has lacked a verification solution. Furthermore, Trump has had concrete knowledge that it constantly | |||
incorrect registrations were made, in violation of their membership terms. This creates a clear call | incorrect registrations were made, in violation of their membership terms. This creates a clear call | ||
to respond. | to respond. | ||
This risk could have been significantly reduced through technical and organizational measures. | |||
If Trump had removed or significantly reduced the information about the place of trading, trading time and what | If Trump had removed or significantly reduced the information about the place of trading, trading time and what | ||
that were traded, the account holders would no longer be exposed to the relevant risk. | that were traded, the account holders would no longer be exposed to the relevant risk. | ||
The implementation costs associated with limiting the amount of information available to a | The implementation costs associated with limiting the amount of information available to a | ||
Trump membership is likely to be limited. | Trump membership is likely to be limited. | ||
The Data Inspectorate understands that such information may be popular among Trump members, and that å | The Data Inspectorate understands that such information may be popular among Trump members, and that å | ||
limiting such information (overview of the time of shopping, place of shopping and what was purchased) will reduce | limiting such information (overview of the time of shopping, place of shopping and what was purchased) will reduce | ||
insight into details about the basis for bonus earning. However, the Trump solution will still work in | insight into details about the basis for bonus earning. However, the Trump solution will still work in | ||
in line with its primary purpose. Trump himself noted in his letter of 21 April 2016, that Trump is a | in line with its primary purpose. Trump himself noted in his letter of 21 April 2016, that Trump is a | ||
loyalty program where members receive a calculated bonus based on purchase history, and the purpose of registering | loyalty program where members receive a calculated bonus based on purchase history, and the purpose of registering | ||
bank account number is to simplify the collection of bonus basis. This purpose will still be able to | bank account number is to simplify the collection of bonus basis. This purpose will still be able to | ||
persecuted, even by measures that significantly limit the amount of information available to the Trump | persecuted, even by measures that significantly limit the amount of information available to the Trump | ||
the member, as long as Trump can not verify that the member has registered his own account. | the member, as long as Trump can not verify that the member has registered his own account. | ||
Trump has previously stated that they believe that the information about the trading history is being made | Trump has previously stated that they believe that the information about the trading history is being made | ||
available to the Trump member ensures a privacy-friendly solution, in that the user has easy | 19, available to the Trump member ensures a privacy-friendly solution, in that the user has easy | ||
access to their own personal information. Trump therefore appears to be of the opinion that a measure, in | access to their own personal information. Trump therefore appears to be of the opinion that a measure, in | ||
form of reducing information on trade history, is not suitable to implement as a result of such | form of reducing information on trade history, is not suitable to implement as a result of such | ||
cons. | cons. | ||
The Norwegian Data Protection Authority does not agree that this is a privacy-friendly solution, in light of the circumstances of the case. The | The Norwegian Data Protection Authority does not agree that this is a privacy-friendly solution, in light of the circumstances of the case. The | ||
Article 12 (2) presupposes that the controller is not obliged to submit | Article 12 (2) presupposes that the controller is not obliged to submit | ||
to enable the data subject to exercise his rights under Articles 15 to 22 if | to enable the data subject to exercise his rights under Articles 15 to 22 if | ||
data controllers are not able to identify the data subject. The solution to Trump, given that they | data controllers are not able to identify the data subject. The solution to Trump, given that they | ||
has not been able to verify that the member registers his own account, is consequently not one | has not been able to verify that the member registers his own account, is consequently not one | ||
privacy-friendly solution, but poses a risk to the rights and freedoms of natural persons. | privacy-friendly solution, but poses a risk to the rights and freedoms of natural persons. | ||
In other respects, the "scope of the treatment" must be taken into account in the assessment of appropriate technical and | In other respects, the "scope of the treatment" must be taken into account in the assessment of appropriate technical and | ||
organizational measures. Trump's loyalty program has around 2.395 million members, of which | organizational measures. Trump's loyalty program has around 2.395 million members, of which | ||
has registered a bank account. The figures indicate that more than a dozen people have registered | has registered a bank account. The figures indicate that more than a dozen people have registered | ||
bank accounts in the solution, without Trump knowing if the account numbers belong to the Trump members they are | bank accounts in the solution, without Trump knowing if the account numbers belong to the Trump members they are | ||
registered on. | registered on. | ||
Trump also states how they have «continuously followed up other possibilities for access to one | |||
verification service ». 9 | |||
However, as we have pointed out above, experience shows | |||
Trump's customer service that this did not prevent misregistrations. | Trump's customer service that this did not prevent misregistrations. | ||
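Review bot: several translation defects in this hunk should be fixed before the revision is merged: "This purpose will still be able to persecuted" should read "pursued"; "and that å limiting such information" carries the untranslated Norwegian infinitive marker "å" (drop it); the right-hand copy of "available to the Trump member ensures a privacy-friendly solution" is prefixed with the page number "19,"; "The solution to Trump" should be "Trumf's solution"; and "around 2.395 million members, of which has registered a bank account" is missing the number of members with a registered account. That last point is a gap in the extracted source text, so it should be marked as such rather than guessed.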
Line 925: | Line 989: | ||
The Norwegian Data Protection Authority believes that there are clearly suitable measures that would significantly reduce precisely those risks | The Norwegian Data Protection Authority believes that there are clearly suitable measures that would significantly reduce precisely those risks | ||
as Trump himself identifies. Trump himself is aware of similar measures, as they were mentioned in 2016 | as Trump himself identifies. Trump himself is aware of similar measures, as they were mentioned in 2016 | ||
the ability to reduce the amount of information available to Trump members. | |||
Trump writes in the comments that they do not agree with the Data Inspectorate's assessments of breaches | |||
Article 32 of the Privacy Regulation as some of the measures were implemented when it was not | |||
available any verification solution in the market. The Data Inspectorate, on the other hand, is of the opinion that when it happened | |||
clear that Trump could not soon implement a verification solution should Trump have reduced the risk | |||
9 Letter from Wikborg Rein, on behalf of Trump, «Reply to request for statement - processing of personal data by | |||
registration of account number via Trump », 9 November 2020. | |||
20, so that Trump members could gain access to the personal information of others, for example by removing, | |||
or significantly reduce, the information about the place of trade, time and information about what was traded for | |||
the members, until they became clear that they did not disclose personal information about the account holder to | |||
second. | |||
In light of the above, we conclude that Trump has not implemented «suitable technical and | In light of the above, we conclude that Trump has not implemented «suitable technical and | ||
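Review bot: footnote 9 ("Letter from Wikborg Rein, on behalf of Trump, «Reply to request for statement - processing of personal data by registration of account number via Trump », 9 November 2020.") has been inserted mid-sentence, splitting "should Trump have reduced the risk" from "so that Trump members could gain access to the personal information of others", and the continuation line is prefixed with the page number "20,". Move the footnote to where its marker "9" appears (after "«continuously followed up other possibilities for access to one verification service ». 9" in the previous hunk) and drop the page number. The rejoined sentence should read "reduced the risk that Trumf members could gain access", not "so that"; and "assessments of breaches Article 32 of the Privacy Regulation" is missing "of" before "Article 32".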
Line 959: | Line 1,030: | ||
That Trump sought guidance, and consequently considered the possibility of a specific risk mitigation measure, gets | That Trump sought guidance, and consequently considered the possibility of a specific risk mitigation measure, gets | ||
a certain significance in the assessment of the severity of the breach. We address this further below | a certain significance in the assessment of the severity of the breach. We address this further below | ||
point 6.2. | |||
In other respects, the responsibility according to Article 32 is placed with the person responsible for processing, which also follows from | In other respects, the responsibility according to Article 32 is placed with the person responsible for processing, which also follows from | ||
the principle of liability, cf. Article 5 no. 2. This point is also emphasized in the commentary. | the principle of liability, cf. Article 5 no. 2. This point is also emphasized in the commentary. | ||
The fact that guidance was sought from the Norwegian Data Protection Authority therefore does not change the position that Trump has broken his | The fact that guidance was sought from the Norwegian Data Protection Authority therefore does not change the position that Trump has broken his | ||
obligation under Article 32. This is particularly the case in light of the fact that new regulations have been implemented in | obligation under Article 32. This is particularly the case in light of the fact that new regulations have been implemented in | ||
meanwhile, which must be considered to particularly actualize a new, independent, assessment on Trump's part. | meanwhile, which must be considered to particularly actualize a new, independent, assessment on Trump's part. | ||
Furthermore, it must be noted that Trump also had certain information measures implemented in 2016. The Data Inspectorate was | Furthermore, it must be noted that Trump also had certain information measures implemented in 2016. The Data Inspectorate was | ||
even then, which is clearly stated for Trump in the notification of the decision of 17 June 2016, of that opinion | even then, which is clearly stated for Trump in the notification of the decision of 17 June 2016, of that opinion | ||
that such information measures did not sufficiently reduce the risk of incorrect registrations and that one | that such information measures did not sufficiently reduce the risk of incorrect registrations and that one | ||
verification solution was necessary to ensure adequate information security. Then | verification solution was necessary to ensure adequate information security. Then | ||
the verification solution still did not become available, Trump had a clear call to investigate | the verification solution still did not become available, Trump had a clear call to investigate | ||
alternative risk reduction measures. Lack of guidance from the Data Inspectorate on this point must be seen in light | alternative risk reduction measures. Lack of guidance from the Data Inspectorate on this point must be seen in light | ||
that the audit was of the opinion that Trump would secure a verification solution soon. | that the audit was of the opinion that Trump would secure a verification solution soon. | ||
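Review bot: "the principle of liability, cf. Article 5 no. 2" should be "the principle of accountability"; Article 5(2) is the accountability principle, and "liability" changes the legal meaning. The one-sided line "point 6.2." completes "We address this further below" on the preceding line and must survive the merge as "below in point 6.2".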
Line 983: | Line 1,051: | ||
As mentioned above, we have concluded that Trump has violated Article 32, but we do not impose Trump | As mentioned above, we have concluded that Trump has violated Article 32, but we do not impose Trump | ||
order to implement such organizational and / or technical measures, as Trump now has | |||
10 Letter from Wikborg Rein on behalf of Trump, «Reply to notification of decision - Registration of account number on Trumf.no», 15. | |||
August 2016. | |||
21, an order to implement such organizational and / or technical measures, as Trump now has | |||
implemented a verification solution. | implemented a verification solution. | ||
Infringement fee | Infringement fee | ||
6.1. General information about infringement fines | 6.1. General information about infringement fines | ||
Violation fees are a tool to ensure effective compliance and enforcement of | Violation fees are a tool to ensure effective compliance and enforcement of | ||
the personal data regulations. We believe it is necessary to react to the violation, and warn with | the personal data regulations. We believe it is necessary to react to the violation, and warn with | ||
this imposition of infringement fines, cf. the Privacy Ordinance Article 83. In accordance with | this imposition of infringement fines, cf. the Privacy Ordinance Article 83. In accordance with | ||
The Supreme Court's case law (cf. Rt. 2012 page 1556) we assume that the infringement fee is to be regarded as | The Supreme Court's case law (cf. Rt. 2012 page 1556) we assume that the infringement fee is to be regarded as | ||
punishment under Article 6 of the European Convention on Human Rights | punishment under Article 6 of the European Convention on Human Rights | ||
overriding probability of an offense in order to impose a fee. | overriding probability of an offense in order to impose a fee. | ||
In this context, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. With a | In this context, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. With a | ||
administrative sanction means a negative reaction that can be imposed by an administrative body, which corrects | administrative sanction means a negative reaction that can be imposed by an administrative body, which corrects | ||
against a committed violation of law, regulation or individual decision, and which is considered a punishment | against a committed violation of law, regulation or individual decision, and which is considered a punishment | ||
according to the European Convention on Human Rights (ECHR). | according to the European Convention on Human Rights (ECHR). | ||
6.2. Assessment of whether an infringement fee is to be imposed | 6.2. Assessment of whether an infringement fee is to be imposed | ||
When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account | When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account | ||
the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Data Inspectorate may impose | the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Data Inspectorate may impose | ||
infringement fee after a discretionary overall assessment, but the listed factors add up | infringement fee after a discretionary overall assessment, but the listed factors add up | ||
guidelines on the exercise of discretion by highlighting factors that are to be given special weight. | guidelines on the exercise of discretion by highlighting factors that are to be given special weight. | ||
We will here assess the relevant factors on an ongoing basis. | We will here assess the relevant factors on an ongoing basis. | ||
a) the nature, severity and duration of the infringement, taking into account it | a) the nature, severity and duration of the infringement, taking into account it | ||
the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and | the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and | ||
the extent of the damage they have suffered | the extent of the damage they have suffered | ||
The Norwegian Data Protection Authority is of the opinion that the degree of seriousness justifies the imposition of an infringement fine. Trump | |||
currently has around 2.4 million members. All members have had the opportunity to register | |||
account numbers on their memberships, without Trump having verified that the account numbers belong to the members they | account numbers on their memberships, without Trump having verified that the account numbers belong to the members they | ||
is connected to. This weakness has been open in Trump's systems for many years. Trump has not only | is connected to. This weakness has been open in Trump's systems for many years. Trump has not only | ||
have been aware that there is a risk of incorrect registrations in their solution, but have also had concrete | have been aware that there is a risk of incorrect registrations in their solution, but have also had concrete | ||
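Review bot: footnote 10 ("Letter from Wikborg Rein on behalf of Trump, «Reply to notification of decision - Registration of account number on Trumf.no», 15. August 2016.") sits between two copies of "order to implement such organizational and / or technical measures, as Trump now has", the second prefixed with the page number "21,"; keep one copy, drop the prefix and move the footnote to its marker. "Infringement fee" is the heading that 6.1 and 6.2 hang under, so it should carry its number ("6. Infringement fee") like the other headings in this text. Between "punishment under Article 6 of the European Convention on Human Rights" and "overriding probability of an offense in order to impose a fee" a clause is missing (nothing connects the two parts of the sentence); flag it as a gap rather than filling it in. Note also that this hunk's footnote spells the controller "Trumf.no", confirming that "Trump" elsewhere is a translation error.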
Line 1,026: | Line 1,097: | ||
The background of the case sharpens the severity. In 2016, the Danish Data Protection Agency made it clear that we were looking seriously | The background of the case sharpens the severity. In 2016, the Danish Data Protection Agency made it clear that we were looking seriously | ||
the situation, and emphasized to Trump how important it was to ensure verification, as we were off | the situation, and emphasized to Trump how important it was to ensure verification, as we were off | ||
the perception that lack of verification opened up for misuse of the solution. This led to | the perception that lack of verification opened up for misuse of the solution. This led to | ||
The Norwegian Data Protection Authority announced a decision aimed at Trump, which among other things meant that they had to stop processing | The Norwegian Data Protection Authority announced a decision aimed at Trump, which among other things meant that they had to stop processing | ||
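Review bot: "the Danish Data Protection Agency made it clear that we were looking seriously the situation" names the wrong authority (the next sentence of the same hunk correctly says "The Norwegian Data Protection Authority") and is missing "at" before "the situation".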
Line 1,037: | Line 1,108: | ||
The Data Inspectorate nevertheless chose not to make a final decision in the case as Trump gave a supplement | The Data Inspectorate nevertheless chose not to make a final decision in the case as Trump gave a supplement | ||
information on how they, among other things, would soon implement a solution that would | information on how they, among other things, would soon implement a solution that would | ||
ensure that Trump members only had the opportunity to register their own bank account numbers. Trump was | |||
22, ensure that Trump members only had the opportunity to register their own bank account numbers. Trump was | |||
however, already in the winter of 2016/2017 aware that it was not possible to use. | however, already in the winter of 2016/2017 aware that it was not possible to use. | ||
That Trump violated his duty to report under such circumstances must be characterized as serious. | That Trump violated his duty to report under such circumstances must be characterized as serious. | ||
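Review bot: "ensure that Trump members only had the opportunity to register their own bank account numbers. Trump was" appears twice, the second copy prefixed with the page number "22,"; keep one copy without the prefix. "aware that it was not possible to use" reads more naturally as "aware that it could not be used".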
Line 1,048: | Line 1,120: | ||
there is some uncertainty about the numbers. We are particularly reluctant to emphasize the lack | there is some uncertainty about the numbers. We are particularly reluctant to emphasize the lack | ||
messages related to the breaches of personal data security that Trump received after June 2020. On | messages related to the breaches of personal data security that Trump received after June 2020. On | ||
at this time, Trump's privacy representative contacted the Data Inspectorate, and provided information that they did not | |||
assessed cases of incorrect registrations as notifiable violations. | assessed cases of incorrect registrations as notifiable violations. | ||
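Review bot: "We are particularly reluctant to emphasize the lack messages related to the breaches" is missing "of" ("the lack of notifications related to the breaches"), and "On at this time" should be "At this time".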
Line 1,055: | Line 1,127: | ||
has not been reported to the Data Inspectorate, despite the fact that Trump was aware of the Data Inspectorate's opinion on | has not been reported to the Data Inspectorate, despite the fact that Trump was aware of the Data Inspectorate's opinion on | ||
that failure to verify account numbers entails a risk to the account holders' rights and | that failure to verify account numbers entails a risk to the account holders' rights and | ||
freedoms. | |||
With regard to Article 33 (5), it is important that companies document their breaches | With regard to Article 33 (5), it is important that companies document their breaches | ||
Line 1,062: | Line 1,134: | ||
assess whether the data controller complies with its obligations in relation to Article 33, but will | assess whether the data controller complies with its obligations in relation to Article 33, but will | ||
also be useful for the data controller's work to ensure an adequate degree of security. 11 | also be useful for the data controller's work to ensure an adequate degree of security. 11 | ||
That Trump has not provided such documentation is in itself a breach, at the same time as it has done so | That Trump has not provided such documentation is in itself a breach, at the same time as it has done so | ||
more difficult for the Data Inspectorate to investigate Trump's compliance with Article 33 No. 1. | more difficult for the Data Inspectorate to investigate Trump's compliance with Article 33 No. 1. | ||
The Norwegian Data Protection Authority understands that the assessment made in accordance with Article 33, No. 1, concerns the risk to them | The Norwegian Data Protection Authority understands that the assessment made in accordance with Article 33, No. 1, concerns the risk to them | ||
the data subject's rights and freedoms, are discretionary and that this can be challenging in the specific | the data subject's rights and freedoms, are discretionary and that this can be challenging in the specific | ||
case. However, the obligation to document breaches under Article 33 (5) is clear and lacks | case. However, the obligation to document breaches under Article 33 (5) is clear and lacks | ||
discretionary assessments. | |||
Trump has put forward some arguments as to why they believe that cases of misregistration do not | |||
represents a "breach of personal data security", which we reviewed above. These were in | represents a "breach of personal data security", which we reviewed above. These were in | ||
reality only relevant in the risk assessment pursuant to Article 33 (1), and did not appear to be relevant | reality only relevant in the risk assessment pursuant to Article 33 (1), and did not appear to be relevant | ||
for the assessment of whether such erroneous registrations in themselves meet the definition in Article 4 (12) | for the assessment of whether such erroneous registrations in themselves meet the definition in Article 4 (12) | ||
Line 1,082: | Line 1,151: | ||
The breach of Article 33 no. 5 must also be seen in the light of the communication between Trump and the Norwegian Data Protection Authority in | The breach of Article 33 no. 5 must also be seen in the light of the communication between Trump and the Norwegian Data Protection Authority in | ||
2016, when it became clear to Trump that they would not be able to implement a verification solution, as first | 2016, when it became clear to Trump that they would not be able to implement a verification solution, as first | ||
described to the Norwegian Data Protection Authority. That documentation and grouping of the incorrect registrations first, apparently, | described to the Norwegian Data Protection Authority. That documentation and grouping of the incorrect registrations first, apparently, | ||
was implemented in 2021, we consider, in these circumstances, to be serious. The Danish Data Protection Agency has also chosen | was implemented in 2021, we consider, in these circumstances, to be serious. The Danish Data Protection Agency has also chosen | ||
not to problematize whether the overall descriptions and groupings given by the 2021 cases are | not to problematize whether the overall descriptions and groupings given by the 2021 cases are | ||
Line 1,090: | Line 1,159: | ||
As noted, the Data Inspectorate has also concluded that Trump violated its obligation under Article 32, | As noted, the Data Inspectorate has also concluded that Trump violated its obligation under Article 32, | ||
as a result of Trump not implementing appropriate measures when they became aware that one | as a result of Trump not implementing appropriate measures when they became aware that one | ||
verification solution could not be implemented in the short term. However, Trump described the possibility of | 11 Commentary in relation to Article 33 (5). | ||
23, verification solution could not be implemented in the short term. However, Trump described the possibility of | |||
limit some of the amount of information that became available to Trump members back in 2016. | limit some of the amount of information that became available to Trump members back in 2016. | ||
Trump asked the Data Inspectorate for guidance regarding the measure, but the Data Inspectorate did not answer this | Trump asked the Data Inspectorate for guidance regarding the measure, but the Data Inspectorate did not answer this | ||
the request. We take this into account in our assessment of the severity. At the same time, we must emphasize | the request. We take this into account in our assessment of the severity. At the same time, we must emphasize | ||
that the liability under Article 32 is placed with the controller, and Trump had any | that the liability under Article 32 is placed with the controller, and Trump had any | ||
reason to carry out a new independent assessment, especially in light of the new privacy regulations | reason to carry out a new independent assessment, especially in light of the new privacy regulations | ||
came into force after they sought guidance from the Norwegian Data Protection Authority. Furthermore, the Data Inspectorate did not have a strong | came into force after they sought guidance from the Norwegian Data Protection Authority. Furthermore, the Data Inspectorate did not have a strong | ||
encouragement to provide such guidance or comment on the subject as Trump provided information that they | encouragement to provide such guidance or comment on the subject as Trump provided information that they | ||
would implement a verification solution soon. | would implement a verification solution soon. | ||
In addition, it must be emphasized, as above, that the Data Inspectorate in 2016 announced that Trump had to prepare and | In addition, it must be emphasized, as above, that the Data Inspectorate in 2016 announced that Trump had to prepare and | ||
adequately document risk assessment, acceptance criteria and measures as part of its | adequately document risk assessment, acceptance criteria and measures as part of its | ||
information security work. The Danish Data Protection Agency wrote the following about this point, under the heading | information security work. The Danish Data Protection Agency wrote the following about this point, under the heading | ||
"Information security and internal control": | "Information security and internal control": | ||
As the situation is today, the solution on trumf.no means that it can easily happen unauthorized | As the situation is today, the solution on trumf.no means that it can easily happen unauthorized | ||
processing of account numbers, location data and shopping history for household members and | processing of account numbers, location data and shopping history for household members and | ||
persons who are not members of Trump. In the Data Inspectorate's opinion, Trump must provide one | persons who are not members of Trump. In the Data Inspectorate's opinion, Trump must provide one | ||
authentication of the link between Trump membership and account holder, so it is not | authentication of the link between Trump membership and account holder, so it is not | ||
possible to process account numbers on trumf.no, unless the account holder and Trumf- | possible to process account numbers on trumf.no, unless the account holder and Trumf- | ||
member is the same person. Knowledge of who is the account holder is also one | member is the same person. Knowledge of who is the account holder is also one | ||
prerequisite for obtaining and checking that there is valid consent from the data subject. | prerequisite for obtaining and checking that there is valid consent from the data subject. | ||
This statement made visible to Trump how the security level, as a result of lack | This statement made visible to Trump how the security level, as a result of lack | ||
verification solution, was not sufficient. Further measures were necessary, in addition to the Data Inspectorate | verification solution, was not sufficient. Further measures were necessary, in addition to the Data Inspectorate | ||
believed that the basis for treatment had to be secured. As previously noted, the reason why the Data Inspectorate was not | believed that the basis for treatment had to be secured. As previously noted, the reason why the Data Inspectorate was not | ||
followed up this warning, among other things, that Trump wrote that they would secure a verification solution. | followed up this warning, among other things, that Trump wrote that they would secure a verification solution. | ||
measures, as identified above, were not implemented when it became clear that Trump would still not be able to get | measures, as identified above, were not implemented when it became clear that Trump would still not be able to get | ||
implemented a verification solution must be considered reprehensible. | implemented a verification solution must be considered reprehensible. | ||
b) whether the infringement was committed intentionally or negligently, | |||
Line 1,134: | Line 1,205: | ||
about not implementing measures that reduced the risk of abuse that existed due to | about not implementing measures that reduced the risk of abuse that existed due to | ||
missing verification mechanism. We consider the infringements in relation to Article 33, paragraphs 1 and 32 | missing verification mechanism. We consider the infringements in relation to Article 33, paragraphs 1 and 32 | ||
consequently to be intentional, by the management of the business. This pulls in an aggravating direction. | consequently to be intentional, by the management of the business. This pulls in an aggravating direction. | ||
c) any measures taken by the data controller or data processor to limit | c) any measures taken by the data controller or data processor to limit | ||
Line 1,144: | Line 1,215: | ||
24, This provision acts as an assessment of the degree of responsibility of the controller after the | |||
infringement has occurred. It may cover cases where the controller / processor has clearly not | infringement has occurred. It may cover cases where the controller / processor has clearly not | ||
taken a reckless / negligent approach but where they have done all they can to correct their | taken a reckless / negligent approach but where they have done all they can to correct their | ||
actions when they became aware of the infringement. | 12 | ||
actions when they became aware of the infringement. | |||
The Article 29 Working Party gives an example of such a case: | The Article 29 Working Party gives an example of such a case: | ||
Line 1,154: | Line 1,227: | ||
[…] Timely action taken by the data controller / processor to stop the infringement from | […] Timely action taken by the data controller / processor to stop the infringement from | ||
continuing or expanding to a level or phase which would have had a far more serious impact | continuing or expanding to a level or phase which would have had a far more serious impact | ||
than it did. | than it did. | ||
Trump has implemented information measures that are intended to make account holders aware of their | Trump has implemented information measures that are intended to make account holders aware of their | ||
Line 1,161: | Line 1,234: | ||
Furthermore, in 2018 they introduced two-factor authentication via SMS to the member's registered | Furthermore, in 2018 they introduced two-factor authentication via SMS to the member's registered | ||
The fact that Trump has taken such measures is an argument against infringement fines. Trump | The fact that Trump has taken such measures is an argument against infringement fines. Trump | ||
did not, however, implement measures to reduce the information available to their members, i | did not, however, implement measures to reduce the information available to their members, i | ||
in case there should be incorrect registrations - as Trump knew occurred many times a year. Such | in case there should be incorrect registrations - as Trump knew occurred many times a year. Such | ||
information restriction could reduce the damage to the data subjects. Like what happened | information restriction could reduce the damage to the data subjects. Like what happened | ||
commented above, we take into account the fact that Trump sought guidance from the Norwegian Data Protection Authority on measures | commented above, we take into account the fact that Trump sought guidance from the Norwegian Data Protection Authority on measures | ||
to be implemented. | to be implemented. | ||
(d) the degree of responsibility of the controller or processor, taking into account those | (d) the degree of responsibility of the controller or processor, taking into account those | ||
technical and organizational measures they have implemented in accordance with Articles 25 and 32 | technical and organizational measures they have implemented in accordance with Articles 25 and 32 | ||
Trump has breached its obligation under Article 32 due to a lack of appropriate technical and | Trump has breached its obligation under Article 32 due to a lack of appropriate technical and | ||
Line 1,177: | Line 1,250: | ||
e) any relevant previous violations committed by the data controller or | |||
the data processor | the data processor | ||
We have not identified any previously relevant violations, and this relationship therefore does not speak for itself | We have not identified any previously relevant violations, and this relationship therefore does not speak for itself | ||
imposition of infringement fines. | imposition of infringement fines. | ||
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it | f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it | ||
possible negative effects of it | possible negative effects of it | ||
Trump has collaborated with the Norwegian Data Protection Authority, and answered the questions that were asked. This is, however | Trump has collaborated with the Norwegian Data Protection Authority, and answered the questions that were asked. This is, however | ||
Trump ordered to do.The Article 29 Working Party notes on this occasion the following: | Trump ordered to do.The Article 29 Working Party notes on this occasion the following: | ||
[…] It would not be appropriate to give additional regard to cooperation that is already | […] It would not be appropriate to give additional regard to cooperation that is already | ||
Line 1,199: | Line 1,269: | ||
12 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, | |||
pages 12 to 13. | |||
25, That Trump has given complementary answers to the Data Inspectorate's requirements for statements is not a mitigating | |||
circumstance in itself. | circumstance in itself. | ||
However, Trump's privacy ombudsman, in connection with the media reports, contacted | However, Trump's privacy ombudsman, in connection with the media reports, contacted | ||
The Data Inspectorate to inquire about the Authority's further process, as well as to inform the parent of the measures | The Data Inspectorate to inquire about the Authority's further process, as well as to inform the parent of the measures | ||
Trump had implemented. This pulls in a somewhat mitigating direction, in isolation. | Trump had implemented. This pulls in a somewhat mitigating direction, in isolation. | ||
By the way, it became clear | By the way, it already became clear in the winter of 2016/2017 that Trump would not be able to implement | ||
the verification solution that Trump envisioned the Data Inspectorate when we closed the case in 2016. Trump did not | the verification solution that Trump envisioned the Data Inspectorate when we closed the case in 2016. Trump did not | ||
the Authority some information on this. If the Data Inspectorate had received information that the challenge with | the Authority some information on this. If the Data Inspectorate had received information that the challenge with | ||
verification would not still be resolved we could have considered the possibility of, for example, imposing | verification would not still be resolved we could have considered the possibility of, for example, imposing | ||
Trump to limit the amount of personal information that became available to the Trump member. Trump was | Trump to limit the amount of personal information that became available to the Trump member. Trump was | ||
required to provide us with such information, in light of the fact that the lack of verification mechanism led to repeated | required to provide us with such information, in light of the fact that the lack of verification mechanism led to repeated | ||
cases of notifiable breaches of personal data security. The degree of cooperation with | cases of notifiable breaches of personal data security. The degree of cooperation with | ||
On this basis, the supervisory authorities have not been considered as a mitigating circumstance in particular | On this basis, the supervisory authorities have not been considered as a mitigating circumstance in particular | ||
importance. | importance. | ||
g) the categories of personal data affected by the infringement | g) the categories of personal data affected by the infringement | ||
Line 1,223: | Line 1,296: | ||
The Article 29 group's supervisor points out that the assessment under letter g is, among other things, related to whether | The Article 29 group's supervisor points out that the assessment under letter g is, among other things, related to whether | ||
dissemination of personal data may cause harm or inconvenience to the data subjects. We are showing | dissemination of personal data may cause harm or inconvenience to the data subjects. We are showing | ||
to previous comments about the potential for abuse that exists as a result of Trump members | to previous comments about the potential for abuse that exists as a result of Trump members | ||
can get information about purchase history etc. to other people. | can get information about purchase history etc. to other people. | ||
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in | (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in | ||
Line 1,232: | Line 1,305: | ||
In 2020, the Data Inspectorate was informed, via media coverage and contact with the Privacy Ombudsman, that | |||
the verification solution was not implemented in line with Trump's progress plan from 2016. On | the verification solution was not implemented in line with Trump's progress plan from 2016. On | ||
At the time when the privacy ombudsman contacted the Danish Data Protection Agency, it was obvious that the media would | At the time when the privacy ombudsman contacted the Danish Data Protection Agency, it was obvious that the media would | ||
further describe how Trump had not implemented a verification solution. Despite this | further describe how Trump had not implemented a verification solution. Despite this | ||
the contact from the privacy representative must be emphasized as a mitigating circumstance under letter h. | the contact from the privacy representative must be emphasized as a mitigating circumstance under letter h. | ||
(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned | (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned | ||
Line 1,246: | Line 1,316: | ||
measures are complied with | measures are complied with | ||
In 2016, the Data Inspectorate announced a decision on an order against Trump. However, this did not result in a final | |||
decisions, and related to old regulations. For this reason, we never used the expertise as | decisions, and related to old regulations. For this reason, we never used the expertise as | ||
is stated in Article 58 (2). This factor is therefore not relevant when assessing whether | is stated in Article 58 (2). This factor is therefore not relevant when assessing whether | ||
infringement fines must be imposed. | infringement fines must be imposed. | ||
(j) compliance with approved standards of conduct in accordance with Article 40 or approved | (j) compliance with approved standards of conduct in accordance with Article 40 or approved | ||
certification mechanisms in accordance with Article 42 | certification mechanisms in accordance with Article 42 | ||
We do not find this | |||
13 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, page 14. | |||
26, We do not find this moment relevant. | |||
k) any other aggravating or mitigating factor in the case, e.g. economic benefits such as | k) any other aggravating or mitigating factor in the case, e.g. economic benefits such as | ||
has been obtained, or losses that have been avoided, directly or indirectly, as a result of the infringement | has been obtained, or losses that have been avoided, directly or indirectly, as a result of the infringement | ||
Line 1,265: | Line 1,336: | ||
circumstance. In PVN-2021-03, the Privacy Board emphasizes that the facts of the case became essentially | circumstance. In PVN-2021-03, the Privacy Board emphasizes that the facts of the case became essentially | ||
clarified in May 2019, while it took over a year before the audit notified the order and infringement fee. In PVN- | clarified in May 2019, while it took over a year before the audit notified the order and infringement fee. In PVN- | ||
2021-09, the Privacy Board also emphasized the long case processing time at the audit. In that case | 2021-09, the Privacy Board also emphasized the long case processing time at the audit. In that case | ||
It had been six months since the audit received a report of a breach of personal data security | It had been six months since the audit received a report of a breach of personal data security | ||
a statement was requested. After receiving the report, it took approx. four months before notice | a statement was requested. After receiving the report, it took approx. four months before notice | ||
Line 1,272: | Line 1,343: | ||
the company complained, it took another three months before the case was received by the Privacy Board. | the company complained, it took another three months before the case was received by the Privacy Board. | ||
The Supreme Court has otherwise in its practice assumed that only in the case of total inactivity of around one year is considered | The Supreme Court has otherwise in its practice assumed that only in the case of total inactivity of around one year is considered | ||
processing time to violate the European Convention on Human Rights. | 14 | ||
processing time to violate the European Convention on Human Rights. | |||
This case was initiated by the Data Inspectorate sending Trump a request for a statement. This requirement | This case was initiated by the Data Inspectorate sending Trump a request for a statement. This requirement | ||
Line 1,279: | Line 1,350: | ||
answer the Data Inspectorate's questions. This request was granted. The Norwegian Data Protection Authority received the report | answer the Data Inspectorate's questions. This request was granted. The Norwegian Data Protection Authority received the report | ||
Trump November 9, 2020. A new request for a statement was sent to Trump on March 8, 2021. March 23 | Trump November 9, 2020. A new request for a statement was sent to Trump on March 8, 2021. March 23 | ||
In 2021, Trump was granted a postponed deadline to respond to the statement. On April 20, 2021 received | In 2021, Trump was granted a postponed deadline to respond to the statement. On April 20, 2021 received | ||
The Data Inspectorate Trump's new statement. On 3 June 2021, the Norwegian Data Protection Authority received further information from | The Data Inspectorate Trump's new statement. On 3 June 2021, the Norwegian Data Protection Authority received further information from | ||
Trump, of which Trump informed that the implementation of their verification solution went as | Trump, of which Trump informed that the implementation of their verification solution went as | ||
Line 1,287: | Line 1,358: | ||
The Norwegian Data Protection Authority believes that the progress of the case and the case processing time in general should not constitute one | |||
mitigating circumstance in this case. The longest inactivity has been around 5 months, from | mitigating circumstance in this case. The longest inactivity has been around 5 months, from | ||
the | the factual circumstances of the case were essentially clarified until notification of the decision. The significance of the case | ||
and scope means that 5 months is not an unacceptably long time. Furthermore, 6 months have passed | |||
Trump gave his comments until this decision is made. Nor can this be considered to be | |||
unacceptable. | |||
Line 1,301: | Line 1,371: | ||
6.3. Assessment of the size of the fee | 6.3. Assessment of the size of the fee | ||
When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in | When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in | ||
the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case | the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case | ||
above. The violation fee must be effective, be in a reasonable proportion to the violation and work | above. The violation fee must be effective, be in a reasonable proportion to the violation and work | ||
deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in | deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in | ||
each case. | each case. | ||
The fee should be set so high that it also has an effect beyond the specific case, at the same time as the fee | |||
14 HR-2016-225-S, section 32. | |||
27, The fee should be set so high that it also has an effect beyond the specific case, at the same time as the fee | |||
size must be in a reasonable proportion to the infringement and the activity, cf. Article 83 no. 1. | size must be in a reasonable proportion to the infringement and the activity, cf. Article 83 no. 1. | ||
The Privacy Ordinance facilitates a higher level of fines than that which applied thereafter | |||
the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that an infringement fee | the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that an infringement fee | ||
shall be determined concretely so that in each individual case it is effective, is in a reasonable relation to | shall be determined concretely so that in each individual case it is effective, is in a reasonable relation to | ||
Line 1,318: | Line 1,392: | ||
the regulations. | the regulations. | ||
The commentary, in relation to Article 83, states: | |||
Contraceptive considerations dictate that the fee for a violation must be set so high that it is in fact | Contraceptive considerations dictate that the fee for a violation must be set so high that it is in fact | ||
Line 1,325: | Line 1,399: | ||
have significance in the measurement, so that the fee becomes higher the stronger the carrying capacity of the offender | have significance in the measurement, so that the fee becomes higher the stronger the carrying capacity of the offender | ||
hair. […] When assessing the financial viability of an enterprise, it may be relevant to look at | hair. […] When assessing the financial viability of an enterprise, it may be relevant to look at | ||
the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5. | |||
And further: | And further: | ||
Line 1,332: | Line 1,406: | ||
The consideration of ensuring an individual assessment in each individual case dictates that the supervisory authorities | The consideration of ensuring an individual assessment in each individual case dictates that the supervisory authorities | ||
should avoid establishing standardized fee rates. This applies even if national law allows for it | should avoid establishing standardized fee rates. This applies even if national law allows for it | ||
standardized rates, cf. the Public Administration Act § 43. | |||
The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business. | The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business. | ||
Line 1,340: | Line 1,414: | ||
Article 33, paragraph 5. Trump did not send reports of violations to regulators | Article 33, paragraph 5. Trump did not send reports of violations to regulators | ||
personal data security and did not otherwise implement appropriate security measures, despite the fact that | personal data security and did not otherwise implement appropriate security measures, despite the fact that | ||
it was clear - based on the circumstances of the case - that the Data Inspectorate was very clear on the need | it was clear - based on the circumstances of the case - that the Data Inspectorate was very clear on the need | ||
to verify account holders. The Data Inspectorate was clear on this need, among other things, due to | |||
the abuse potential that lay in making account holder information available to Trump members. | the abuse potential that lay in making account holder information available to Trump members. | ||
Pursuant to Article 83 (4), an infringement fine of up to EUR 10 000 000 or, where | Pursuant to Article 83 (4), an infringement fine of up to EUR 10 000 000 or, where | ||
Line 1,353: | Line 1,424: | ||
note the following:

If an undertaking is charged an infringement fee, an undertaking for these purposes should be understood as an undertaking within the meaning of Articles 101 and 102 of the TFEU.

The European Court of Justice has, inter alia in Joined Cases C-231/11 P to C-233/11 P, made the following remarks on the understanding of "undertaking", albeit in a different legal context:

"The authors of the Treaties chose to use the concept of an undertaking to designate the perpetrator of an infringement of competition law, who is liable to be punished pursuant to Articles 81 EC and 82 EC, and not other concepts such as the concept of a company or firm or of a legal person, used, inter alia, in Article 48 EC (see, to that effect, Case C-501/11 P Schindler Holding and Others v Commission [2013] ECR, paragraph 102). The Court of Justice has consistently held that the concept of an undertaking covers any entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed. That concept must be understood as covering an economic unit, even if, from a legal perspective, that unit is made up of a number of natural or legal persons (see, inter alia, Joined Cases C-628/10 P and C-141/11 P Alliance One International and Standard Commercial Tobacco v Commission [2012] ECR, paragraph 42 and the case-law cited)."

In "The EU General Data Protection Regulation (GDPR), A Commentary", pages 1187-1188, the following comment is given on Article 83:

"Articles 101 and 102 TFEU do not themselves contain any definition of the concept of […] as a 'single economic entity'. Moreover, under this case law, each person forming part of a single economic entity may be held liable for an infringement of EU competition law committed by that economic entity."15

15 The EU General Data Protection Regulation (GDPR), A Commentary, edited by Kuner, Bygrave and Docksey, 2020.

According to Proff, NorgesGruppen Forbrukerservice AS is the only shareholder in Trumf. NorgesGruppen Forbrukerservice AS is owned by NorgesGruppen ASA. On this basis, we assume that Trumf AS and NorgesGruppen ASA are part of the same "undertaking", cf. Article 83(4), and the turnover of NorgesGruppen ASA must be taken into account when determining the infringement fee.

The annual accounts of NorgesGruppen ASA for 2020 show a turnover of NOK 101.56 billion, an increase from NOK 90.5 billion in 2019.16

16 https://www.dn.no/handel/norgesgruppen/kiwi/meny/rekordar-for-koronavinneren-norgesgruppen-over-100-milliarder-i-turnover/2-1-986439 and https://www.norgesgruppen.no/globalassets/finansiell-informasjon/rapporter/2020/ars-og-barekraftsrapport-2020.pdf

The fee must be set so high that it is effective and achieves a sufficient deterrent effect. Based on […]

7. Right of appeal and further proceedings

You can appeal the decision. Any appeal must be sent to us within three weeks after this letter is received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Appeals Board for handling of the appeal.

If you do not appeal the infringement fee, the deadline for payment is four weeks after the expiry of the appeal period, cf. the Personal Data Act § 27.

8. Publicity

We inform you that all the documents are in principle public, cf. the Freedom of Information Act § 3. If you believe there are grounds for exempting all or part of the document from public access, we ask you to justify this.

If you have questions about the case, you can contact Ida Småge Breidablikk on telephone 22 39 69 70.

With best regards

Jørgen Skorstad
department director, law

Ida Småge Breidablikk
senior legal adviser

The document is electronically approved and therefore has no handwritten signatures
</pre> | </pre> |
Latest revision as of 08:08, 24 June 2022
Datatilsynet (Norway) - 20/03046 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 32 GDPR Article 33(1) GDPR Article 33(5) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 06.12.2021 |
Published: | 09.12.2021 |
Fine: | 5000000 NOK |
Parties: | Trumf |
National Case Number/Name: | 20/03046 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian (both sources) |
Original Source: | Datatilsynet (in NO); Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined the company Trumf €500,185 (NOK 5,000,000) for failing to report and document repeated data breaches where people could register other people's bank account numbers to get access to their detailed purchase history.
English Summary
Facts
"Trumf" is a customer loyalty program owned and run by the company with the same name (the controller). Users can register their Trumf card at various stores, gas stations, airlines and other Trumf partners to collect bonus points, which can then be used to purchase goods or be withdrawn as cash.
In 2016, it was discovered that people could register other people's bank account numbers to get access to their detailed purchase history. At the time, the Norwegian DPA (Datatilsynet) instructed the controller to mitigate this security risk. The controller confirmed that this would be dealt with promptly by implementing a verification mechanism which would solve the problem.
However, in 2020, the DPA, through various news stories, became aware that the security issue was still unresolved. The controller explained that it had been too challenging to resolve it and, further, that they did not report these breaches because they thought they did not have to. Consequently, they did not adhere to Article 33(5) GDPR, nor Article 33(1).
Holding
The Norwegian DPA held that Trumf had breached Article 33(1) for failing to notify them of repeated personal data breaches, Article 33(5) for failing to document these breaches, and Article 32 for failing to implement sufficient technical and organizational measures. For these violations, the DPA fined the controller €500,185 (NOK 5,000,000).
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
WIKBORG REIN ADVOKATFIRMA AS, PO Box 1513 Vika, 0117 OSLO. Attn: Gry Hvidsten.
Your reference: 105879-564. Our reference: 20/03046-17. Date: 22.06.2022.

Decision on infringement fine - Trumf AS

1. Introduction

We refer to our notification of a decision on an infringement fine of 6 December 2021, and to Trumf's response to the notification of 22 December 2021.

2. Decision on order and infringement fine

The Norwegian Data Protection Authority has today made the following decision:

Pursuant to Article 58(2)(i) GDPR, TRUMF AS, org. no. 976 912 047, is ordered to pay an infringement fine to the Treasury of NOK 5,000,000 for:
- having breached its obligations under Article 33(1) and Article 33(5) GDPR;
- having breached its obligation to implement appropriate measures in accordance with Article 32 GDPR.

3. Details of the facts of the case

Trumf AS ("Trumf") is a loyalty programme that offers private individuals the opportunity to earn bonus on purchases in NorgesGruppen's grocery stores and at a number of external Trumf partners. Members of the programme can register a bank account number so that bonus is earned on the transactions they perform with bank cards linked to that bank account. The Trumf member then gets access to detailed information about purchases made in the stores associated with Trumf,1 with certain exceptions. Information about where you shopped, when you shopped and what you bought is available to the Trumf member by logging in to Trumf's website.

1 Apotek 1 anonymises some of the purchases made with them.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org. no.: 974 761 467. Website: www.datatilsynet.no

On 1 March 2016, a meeting was held between Trumf and the Norwegian Data Protection Authority. The meeting was initiated by the Authority on the basis of a tip to our guidance service in February 2016. The tip came from a person who had tried to enter their own account number on their own Trumf membership. This was not possible, because an unknown person had already registered that account number. The person in question had not been informed that their account number was registered with Trumf.

Based on the content of the tip and the meeting of 1 March 2016, the Authority chose to initiate a written inspection of Trumf to investigate whether its processing of personal data was in line with the requirements of the Personal Data Act and regulations. On 21 April 2016, Trumf wrote, among other things, that it was aware that members could, by mistake or otherwise, enter the account number of a third party. Trumf pointed out, however, that it had implemented measures intended to prevent such behaviour: if a payment card linked to a registered bank account is used, "Trumf registered" is shown on the display of the payment terminal, and the receipt states that Trumf bonus has been registered in connection with the purchase. Trumf also wrote that registering another person's bank account details would constitute a breach of contract.

On 17 July 2016, the Authority notified a decision on orders against Trumf, consisting of:
- an order to establish routines for obtaining and checking the consent of all persons whose data it processes;
- an order to immediately stop the processing of account numbers and other personal data for which Trumf has no legal basis;
- an order to establish routines for informing the data subject when Trumf collects or otherwise processes information from anyone other than the Trumf member;
- an order to prepare and adequately document risk assessments, acceptance criteria and measures as part of its information security work.

These orders were largely related to the fact that Trumf lacked a verification solution ensuring that Trumf members could only register their own bank account and not others'. In the notice of decision we made the following remark:

"In the Data Protection Authority's opinion, Trumf must ensure that the connection between the Trumf membership and the account holder is authenticated, so that it is not possible to process account numbers on trumf.no unless the account holder and the Trumf member are the same person."2

2 Letter from the Norwegian Data Protection Authority, 17 July 2016, "Notification of decision - processing of personal data when registering account numbers on trumf.no", page 7.

On 15 August 2016, Trumf responded to the notification of the decision. The response stated, among other things, that Trumf had considered various alternative ways of verifying that the holder of the bank account and the Trumf member are the same person, and had found a method to ensure such verification. It was somewhat uncertain when this solution would be implemented, but according to the information provided it was to be done during the autumn of 2016. Trumf wrote that this solution would be faster than the other alternatives and that it was the best way to perform the verification. In light of Trumf's response, the Authority decided to close the case. In a letter of 5 December 2016 the Authority noted, among other things, that strong (two-factor) authentication was needed for Trumf to be confident that the correct person consents to the registration of the account number in Trumf. The Authority noted that the use of BankID or a security code sent by SMS seemed to be the best of the suggestions for strong authentication, partly because the mobile number and national identity number could be verified against the data uploaded to this database.

In 2020, the Authority became aware, through the media and through contact with Trumf's data protection officer, that it was still possible to enter other people's bank account numbers in Trumf's customer programme and that no verification mechanism had been implemented. On this basis, the Authority sent Trumf a request for a statement on 2 October 2020. In its statement of 9 November 2020, Trumf wrote that since 2016 it had worked purposefully to address the situation, but that it had been challenging to realise a service for verifying ownership of bank accounts. Trumf stated that it had continuously investigated other possibilities for gaining access to a verification service.

On 8 March 2021, the Authority asked a number of follow-up questions, including a request for an update on the work of finding a verification service, and for further insight into why Trumf had not submitted any notifications of personal data breaches in the cases where Trumf had received information about incorrect registrations. On 20 April 2021, Trumf replied that it would get access to a verification service. The verification solution means that the member must identify themselves with BankID. When asked why incidents of incorrect registration had not been reported to the Authority, Trumf replied, among other things, that the typical situation is that the account holder wants to change a registration that the person is already aware of. Trumf further pointed out that there is often a close relationship between the account holder and the Trumf member, such as family members or other financial communities. Trumf also mentioned that it had not received inquiries where there was a suspicion of incorrect registrations with dishonest intentions. Trumf also noted that in June 2020 it had contacted the Authority regarding the question of the notification obligation. Its data protection officer had, in dialogue with the Authority, expressed that Trumf was not of the opinion that this was a notifiable personal data breach, and said she was available if further dialogue on the subject was necessary.

With the entry into force of the GDPR in 2018, Trumf implemented a digital solution so that members could request access and access their personal data on trumf.no. The solution was launched to fulfil the right of access members have under the regulations. The member could choose which information, which level of detail and which period they wanted access to by selecting from a list of information categories. Detailed purchase history was one of these options. Access was only given to details about the member who was logged in, so that in a joint membership, members will only see details about their own purchases. Trumf states in an e-mail of 30 November 2021 that the user panel with the self-service solution for access was considered best practice at the time it was introduced. Trumf points out that the functionality was shown to the Authority in a meeting in the summer of 2018 and that the Authority gave positive feedback. Before the digital solution was launched, the right of access was handled by Trumf's customer service.

In April 2020, a detailed purchase history was made available to members through a separate button, a digital "receipt" from the purchase history on trumf.no. The solution was launched to make it easier for members to verify the bonus calculation, as there may be different bonus rates for different product groups/goods. On the digital receipt, the member can see the items per purchase and the associated bonus calculation for each item. It is only possible to access the details for the member who is logged in, so that in a joint membership, members will only see details about their own purchases.

In its comments on the notification, Trumf writes that the Authority's assessment is taken into account. It further appears that Trumf does not fully agree with the Authority's assessment of the breach of Article 32 GDPR, but that the notified fine is accepted.

4. The requirements of the regulations

4.1. Controller

Article 4(7) GDPR defines "controller" as:

"[…] the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;"

4.2. Internal control and information security

The basic principles for the processing of personal data follow from Article 5(1) GDPR. In accordance with the principle of integrity and confidentiality, personal data shall be processed in a manner that ensures appropriate security of the personal data, cf. Article 5(1)(f). This means, among other things, that appropriate technical or organisational measures must be implemented to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. The controller must be able to demonstrate that the principles are complied with, cf. Article 5(2).

As controller, you have a duty to implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is in accordance with the GDPR, cf. Article 24. There is also an obligation to ensure data protection by design and by default in all systems and services that process personal data, cf. Article 25.

The requirements for the security of personal data are further regulated in Article 32. Controllers have a duty to implement appropriate technical and organisational measures to achieve a level of security appropriate to the risk. Depending on what is appropriate, this includes, among other things:
a) pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational security measures.

In assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, cf. Article 32(2) GDPR.

4.3. Notification of a personal data breach

Article 33 GDPR stipulates that the controller is, as a main rule, obliged to notify "personal data breaches" to the Norwegian Data Protection Authority. "Personal data breach" is defined in Article 4(12) GDPR as:

"[…] a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;"

The breach must be notified without undue delay, and not later than 72 hours after the controller has become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Article 33(5) states that "the controller shall document any personal data breaches […]. That documentation shall enable the supervisory authority to verify compliance with this Article." Skullerud et al. (updated version of the commentary on the GDPR, hereinafter the "commentary") write the following about this obligation:

"Irrespective of whether there is a duty to notify the supervisory authority or not, the controller is obliged to document any breach of information security, including the actual circumstances, potential consequences and any damage-mitigating measures that may have been implemented. It must also be documented which assessments form the basis on which the business may have refrained from notifying the security breach to the supervisory authority."

5. The Norwegian Data Protection Authority's assessment

5.1. Controller

It does not appear to be disputed that Trumf is the controller, as it determines "the purposes and means of the processing", cf. Article 4(7), in relation to the processing activities performed in the context of the Trumf loyalty programme.

5.2. Today's solution for verifying customers

The Authority assumes that Trumf's current solution, as described in letters of 20 April 2021 and 3 June 2021, ensures that Trumf members can only register bank accounts that belong to themselves. The verification solution means that all new members must verify that they are the holder of the bank account they wish to register before a new membership is created. Existing members must verify that they are the holder of the bank account they have registered with Trumf when the member logs in to their member account. If such verification is not carried out, the person in question immediately loses access to functions such as access to purchase history and detailed receipts. The member is then given a deadline before the account is deleted.
Trump is working to get all customers verified. On that occasion, a meeting was held between The Data Inspectorate and Trump 20 June 2022. On 15 December 2021, Trump submitted a report of a breach of personal data security. The new the technical solution meant that access to historical transactions and receipts was reactivated, but this then included any historical transactions from payment cards that had been rejected and not verified by the customer. Trump removed the possibility of access to historical transactions for members with rejected account number, and further describes in the message that a solution will be developed so that members with rejected bank accounts only gain access to transactions carried out with verified bank cards, transactions completed after the bank account has been verified, as well as transactions completed with Trump Visa and Trump cards. At the meeting on 20 June, we understood that this solution was in place. 5.3. Violation of personal data security - Article 4, point 12 Article 33 (1) states that in the event of a "breach of personal data security", it shall: responsible for treatment, without undue delay and no later than 72 hours after becoming aware of it, report the breach to the supervisory authorities. However, this is not necessary if the breach is likely not will pose a risk to the rights and freedoms of natural persons. 6, The duty to report may arise in cases where the breach of security entails a treatment that is illegal, but also if it results in an treatment that is unintentional, regardless of whether the treatment is illegal. The duty to report also includes incidents that constitute pure accidents. 3 Trump writes in their statement that they have regularly received information about cases where Trump members register other people's bank account on their own Trump membership. The first question is whether there is a «breach of personal data security», cf. Article 33, cf. 
Article 4 (12), when Trump members register bank accounts that do not belong to them itself and in this way gain access to personal information about shopping trips performed by the account holder. Trump writes in their statement that they are of the opinion that this does not constitute a notifiable violation of personal data security, as defined in Article 4 (12) of the Privacy Regulation. First, Trump points out that the experience from customer service inquiries is that most people are affected is aware of the registration. Secondly, that there is typically an economic community, usually one family or housing association, between the Trump member and the account holder. Third, no one should have contacted customer service and stated that access to purchase history has been perceived as a problem. The Data Inspectorate cannot see that these objections are relevant as to whether there is a «violation of personal data security 'pursuant to Article 4 (12). If a Trump member registers another person's bank account, Trump will process personal information to the account holder, in an unintentional manner. Trump will make personal information about available to a Trump member, without this being Trump's intention. Trump himself has shown that the registration of others' bank accounts constitutes a breach of contract and in violation of the guidelines for membership in Trump. Such registration, and consequently the processing of personal data associated with this, there will therefore be a «breach of security leading to unintentional […] access to personal data […] », cf. Article 4 (12). Trump's objections appear more relevant in the assessment of how great a risk the breach is the personal data security may entail for the registered person (account holder). One such However, risk balancing is not included in the definition of what constitutes a breach personal data security, but is only relevant when assessing whether the matter is notifiable Article 33 (1). 
See our assessment in section 5.5. On this basis, we have concluded that the cases where one Trump member registers another person's bank account on their own membership then this will constitute a «breach of personal data security ", cf. Article 4 (12). Trump receives, according to his own estimates based on their experiences from 2021, information about such events around 950 times a year. 3 Commentary, in their comments on Article 33 (1). 7, the Norwegian Data Protection Authority understands that the 950 inquiries have been estimated on the basis of parts of 2021, and that there may be some uncertainty associated with these numbers. However, Trump himself writes that they consider these the figures to be representative of previous years. Furthermore, these figures are estimated on the basis of experience gained after Trump introduced his latest information measure, in the form of the first three the letters of the Trump member appear on the receipt after a purchase (this measure was implemented in end of 2020). Consequently, to a greater extent than before, it will be possible for account holders to take directly contact Trump members whose names they recognize to have the registration removed. This will be able to reduce the number of account holders who must contact Trump directly to get the registration repealed, compared to previous years. Although it can not be completely ruled out, at least it is not indications that more people will make contact in 2021 than in previous years. If we take into account the experiences from 2021, Trump will receive an average of around 79 inquiries incorrect registration in the month. To illustrate the scope, this will amount to over 3,000 inquiries information on incorrect registrations in the time period from June 2018 (when the Personal Data Act came into force) to October 2021. 
If instead the starting point is the time period June 2018 to July 2020 (then The privacy ombudsman contacted the Norwegian Data Protection Authority to announce, among other things, that they believe that these the events are not subject to notification, and we also received information about the situation through the media) Trump received just under 2,000 inquiries about such incorrect registrations. There is some uncertainty associated with the estimated figures, and possibly how the information measure works the receipt has affected this. Based on what Trump has explained, it can in any case be assumed that Trump has received inquiries to a significant extent. The main rule is that all breaches of personal data security must be reported to the Norwegian Data Protection Authority. The there is an exemption from the duty to notify if «the breach is unlikely to entail a risk of physical rights and freedoms of persons ", cf. Article 33 no. 1. We assess whether the events are exempt from the reporting obligation in section 5.5, but first we assess whether Trump has complied with its obligation to document the breaches of personal data security in accordance with Article 33 (5). 5.4. Article 33 (5) Trump has informed that categorization of final inquiries has not been done before recently. Trump has only presented to the Norwegian Data Protection Authority a rough categorization based on an analysis of inquiries processed in 2021. If it is assumed that the number of inquiries from 2021 is also representative for previous years, as added due to Trump, this means that Trump has received over 2,000 inquiries about incorrect registrations of bank accounts from June 2018 (when the Personal Data Act came into force) to the end of 2020 (around when they began to categorize their inquiries). This is only an estimate, but the numbers show that there has been one significant amount of such inquiries that are not categorized or otherwise documented. 
Accordingly, Trump does not have documentation showing «[…] the actual circumstances surrounding the said breach, the effects of it and what measures have been taken to remedy it ", cf. Article 33 (5), for a number of breach of personal data security. 4 Letter from Wikborg Rein on behalf of Trump, «Reply to new demand for statement - Processing of personal data by registration of account number via Trump », 20 April 2021, page 2. 8, This documentation obligation exists regardless of whether the breach the security of personal data entails a risk to the rights and freedoms of natural persons, and it is therefore no condition that the breach is notifiable under Article 33 (1). On this basis, the Data Inspectorate concludes that Trump has breached its obligation to document the breaches of personal data security that occurred from 18 June 2018 to the end of 2020, cf. Article 33 (5). However, the Norwegian Data Protection Authority has chosen not to problematize the overall categorization of events in 2021 meet the requirements of Article 33 (5). The next question that the Data Inspectorate will consider is whether Trump has breached its obligation under Article 33 no. 1 by not reporting the breaches of personal data security to the Norwegian Data Protection Authority. 5.5. Article 33, paragraph 1 5.5.1. Risk to the rights and freedoms of natural persons As concluded above, the cases where a Trump member registers another person will bank account on their own membership constitute a «breach of personal data security», cf. article 4 No. 12. If the breach of personal data security «is unlikely to pose a risk to physical persons' rights and freedoms ", cf. Article 33 no. 1, it is not necessary to report it to the Norwegian Data Protection Authority. It is the person responsible for treatment who must be able to substantiate that there is no risk associated with the fracture on personal data security. 
This follows, among other things, from recital 85:

«As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.» (our emphasis)

Consequently, it is Trumf who must point to circumstances indicating that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The wording of Article 33(1) also indicates this, since what is to be shown as probable is that there is no risk. The question is thus whether Trumf can substantiate that all the cases mentioned above, where Trumf members have registered other people's bank accounts on their own Trumf membership, are «unlikely to result in a risk to the rights and freedoms of natural persons», cf. Article 33(1).

The Article 29 Working Party's guidelines on personal data breach notification, last revised in February 2018, state that emphasis will be placed on, among other things, «the nature of the personal data».[5] It must be taken into consideration whether the personal data breach may result in damage or other negative consequences. If the breach may have consequences for particularly vulnerable individuals, this must also be included in the assessment.[6]

In general, the Norwegian Data Protection Authority is of the opinion that the personal data breach in itself constitutes an invasion of the privacy of the person whose account number has been registered with Trumf without their knowledge or consent.

[5] Guidelines on Personal data breach notification under Regulation 2016/679, page 25.
The purchase history is made available to unauthorised persons, and Trumf processes personal data about unsuspecting data subjects to a greater extent than intended. In addition, there is a potential for abuse. The security hole can, among other things, be used to identify people living at a secret address: if you have the account number of a person living at a secret address and register it on your Trumf membership, you receive information about where and when that person shops. This information can give clear indications of which areas the person frequents, or otherwise where the person lives. That it can take very little time from a person's purchase until a Trumf member receives information about when, where and what he or she bought contributes to increasing this risk. Failure to verify account holders can therefore have consequences for very vulnerable persons.

There may also be a significant potential for abuse in cases where the account holder and the Trumf member have a family or financial relationship. What one buys can reveal private matters. For example, the shopping pattern can reveal diets and eating habits, the purchase of pregnancy tests or the purchase of contraceptives. Nor can it be ruled out that a person's purchase history may reveal religious or similar matters, for example that one deviates from religious or other norms established in the family or among friends, for example by buying alcohol or certain types of meat. When buying, among other things, gluten-free products, the purchase history will also be able to reveal the account holder's allergies.

That Trumf has not been directly notified by account holders who have been exposed to such abuse is not decisive. Trumf need not have concrete and unquestionable knowledge that the risk has actually materialised. If Trumf cannot show that the breach «is unlikely to result in a risk […]», cf. Article 33(1), the personal data breach shall be reported.
Trumf has, however, referred to a number of general risk-mitigating measures it has implemented, and appears to be of the opinion that these measures eliminate, or sufficiently reduce, the potential risk associated with incorrect registrations. When a bank card linked to a registered bank account is used, information about the Trumf registration appears on the payment terminal and the receipt. In November 2020, Trumf added further information to the receipt, so that the first three letters of the Trumf member's first name appear on it.[7]

The Norwegian Data Protection Authority agrees that the information measures implemented by Trumf can reduce the time an account holder remains unaware of the registration. However, Trumf will already have processed personal data about this person to a greater extent than it would have if the bank account had not been registered. This applies regardless of whether it is assumed that the account holder immediately receives the information about the registration on their first shopping trip after being registered by a Trumf member. The member who incorrectly registered someone else's bank account will quickly have received information about the data subject's shopping trip: as noted in the statement to Trumf, it can take very little time from the bank card being used until information about the shopping trip becomes available to the member.

[6] Ibid.
[7] Routines for risk assessment, page 4, appendix 5 to the letter from Wikborg Rein on behalf of Trumf, «Reply to request for statement - processing of personal data when registering account numbers via Trumf», 9 November 2020.
It is also not a given that the account holder will be made aware of the registration through the information measures. The number of inquiries customer service receives after account holders have become aware of incorrect registrations as a result of the information measures says nothing about the number of customers or account holders who have not discovered the incorrect registration through these measures. Trumf will never receive information about customers who do not notice that «Trumf registered» is shown on the payment display, or who otherwise do not try to register their own bank account on their own membership.

In continuation of this, as Trumf itself notes in its statement, it happens that account holders contact customer service because they are trying to register their own bank account on their own membership, but are then informed that the bank account is already registered (Trumf estimates such inquiries at over 200 a year). Consequently, these persons have not received information about the registration via the information measures described by Trumf. This illustrates how people can shop without noticing the information. It cannot, of course, be excluded that these persons had not yet shopped in a store connected to Trumf after the Trumf member registered their account. However, the presumption is against this, since a large number of people each year make contact after trying to register their bank account and discovering that it is already registered. It seems unlikely that all of them tried to register with Trumf before their first shopping trip.

Trumf has further pointed out that registering someone else's account number represents a breach of the terms of the agreement the Trumf member enters into with Trumf, and that members are told to register only accounts that belong to themselves.
From May 2018, registration of an account number has also required two-factor confirmation from the member, by sending an SMS code to the member's registered mobile phone number. Such circumstances may reduce a possible erroneous assumption by Trumf members that it is acceptable to register other people's bank accounts if, for example, there is a family connection between them. However, such measures have no real effect in the cases where the Trumf member deliberately registers someone else's bank account in breach of the terms of the agreement, since Trumf has no verification mechanism. Nor are these measures suited to preventing unconscious incorrect registrations: if the member believes they are registering their own account number, such measures will not be effective. In any case, the constant inquiries to customer service (estimated at 950 each year) illustrate that these measures are not sufficient to eliminate the risk of incorrect registrations.

On this background, the Norwegian Data Protection Authority believes that there are aspects of a person's purchase history (including what one buys, where one shops and when) which indicate that there is a risk in the cases where a third party has access to such personal data, notwithstanding Trumf's measures. This applies regardless of whether this third party is a family member or similar. As a clear starting point, the Authority therefore believes that such matters should be reported in accordance with Article 33(1), except in those cases where specific circumstances of the breach can be pointed to which mean that the duty to notify nevertheless does not arise.

Trumf has, as noted above, concluded that none of the inquiries it has received indicating that incorrect registrations have occurred has involved a sufficient degree of risk to trigger the duty to report under Article 33.
Trumf has given only an overall description of the various inquiries it has received, and has placed them in different groups based on experience from the beginning of 2021. Trumf notes in its statement that the assessment has some uncertainty due to the varying quality and scope of information from the dialogue with the person making the inquiry to customer service and the Trumf member who has the account registered. As commented above, Trumf has not presented any documentation relating to the personal data breaches that occurred before 2021, and writes that the categorisation of completed inquiries has not been done until recently. The Norwegian Data Protection Authority will review these types of cases in the following and comment on the risks associated with them, before concluding on which personal data breaches Trumf can show to involve no risk.

Conclusion on the risk assessment pursuant to Article 33(1)

As noted above, the Norwegian Data Protection Authority has concluded that there is a potential for abuse in that Trumf members can register other people's account numbers. If Trumf becomes aware of such personal data breaches, they shall in principle be reported to the Authority in accordance with Article 33(1). If the breaches are not reported, Trumf must be able to show that the specific personal data breaches are «unlikely to result in a risk to the rights and freedoms of natural persons», cf. Article 33(1) and (4). Trumf has, on an overall and general basis, referred to circumstances in the various inquiries which it believes mean that there is no risk to the rights and freedoms of natural persons. The description of the different types of cases is, as mentioned, general and contains a number of ambiguities. The Authority is otherwise reluctant to review a specific risk assessment, as this is a discretionary exercise.
We therefore choose to deal with the cases where we believe it is clear that Trumf cannot show that there is no risk to the rights and freedoms of natural persons. This applies to the cases where the account holder was not aware that the account was registered on a Trumf member's membership before the person received information about this via, for example, the receipt, or because the person tried to register their own bank account on their own membership. In such cases, the account holder cannot do anything to cancel the registration, since the person, until receiving such information, has no knowledge of the registration. Nor can the account holder adapt where he or she shops to avoid the purchase history being made available to a third party. Trumf must be able to point to clear, concrete circumstances which mean that there is nevertheless probably no risk in such cases. As reviewed above, we do not share Trumf's view that a family connection or a financial community between the Trumf member and the account holder in itself makes it probable that there is no risk to the account holder. The Norwegian Data Protection Authority cannot rule out that further investigation in the individual case could reveal that there is nevertheless no such risk, but Trumf has not carried this out in relation to each individual personal data breach.

The Norwegian Data Protection Authority concludes that Trumf has not substantiated that personal data breaches, in the form of Trumf members registering other people's bank accounts, are «unlikely to result in a risk to the rights and freedoms of natural persons», cf. Article 33(1), in those cases where the account holder was not aware of the registration from the beginning. The question is thus how many personal data breaches are of this character.
The following is stated in Trumf's letter of 9 November 2020:

«According to customer service, the majority of those who contact us and ask for assistance in deleting their account number from another person's membership are themselves aware that the account has been registered to another person, typically a close family member. The most common explanation received from the person contacting customer service is that he or she wants a change in connection with a marital breakdown or similar. Only a small minority of inquiries to customer service concern people who say they themselves have not been aware of the registration. This applies to less than 15 people per month, on an annual basis about 0.0001% of the membership. These people tell customer service that they became aware of the registration when they tried to register as a new member, or when they saw on the receipt that there is a Trumf registration on the account which they do not know of. This just shows that the information measures work.» [our emphasis]

It is not necessary for the Norwegian Data Protection Authority to decide on the exact number of personal data breaches that Trumf cannot show to involve no risk to the rights and freedoms of natural persons. It is sufficient to state that Trumf has regularly, at least 15 times in an average month, received such inquiries.

5.5.2. Knowledge of the personal data breach

In the assessment, we have only taken as our starting point the inquiries about which Trumf has received information through its customer service. Consequently, there is no doubt that Trumf has repeatedly exceeded the 72-hour time limit set out in Article 33(1).

5.5.3. Conclusion on personal data breaches

The Norwegian Data Protection Authority has demonstrated how cases where a Trumf member registers others' account numbers constitute a «personal data breach», cf. Article 4(12).
The starting point is that controllers must report personal data breaches to the supervisory authority pursuant to Article 33(1). The Norwegian Data Protection Authority has concluded that Trumf, in a number of cases, cannot show that there is no risk to the rights and freedoms of natural persons, cf. Article 33. The content of the notification must be drafted in accordance with Article 33(3). The Authority has not received any notifications of personal data breaches from Trumf. We therefore conclude that Trumf has repeatedly breached its obligation under Article 33(1) to notify Datatilsynet of personal data breaches.

Our conclusion does not imply that Trumf had to send one notification for each event. The Article 29 Working Party describes the possibility of giving bundled notifications in cases of repeated personal data breaches with similar content and procedure:

«Strictly speaking, each individual breach is a reportable incident. However, to avoid being overly burdensome, the controller may be able to submit a “bundled” notification representing all these breaches, provided that they concern the same type of personal data breached in the same way, over a relatively short space of time. If a series of breaches take place that concern different types of personal data, breached in different ways, then notification should proceed in the normal way, with each breach being reported in accordance with Article 33.»[8]

5.6. Security of processing - Article 32

Article 32 establishes an obligation for Trumf to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
What constitutes appropriate technical and organisational measures depends on «[…] the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons […]». Trumf does not dispute its obligations under Article 32, but writes that the residual risk to the rights and freedoms of individuals is at an acceptable level in light of the measures already implemented. The question the Norwegian Data Protection Authority must decide is whether Trumf has implemented «appropriate technical and organisational measures to ensure a level of security appropriate to the risk […]», cf. Article 32(1). We take as our starting point the level of security that existed before the verification solution was implemented.

Trumf has for a long time regularly received inquiries showing that incorrect registrations occur, in the form of Trumf members registering other people's bank accounts on their own membership. This means that Trumf receives clear information about constant cases of «unauthorised disclosure of, or access to, personal data […]», cf. Article 32(2), and breaches of the «[…] confidentiality […]» of its processing systems and services, cf. Article 32(1)(b). As discussed above, there may be a clear risk to the rights and freedoms of natural persons in giving a third party access to personal data on purchase history (including place of purchase, what was purchased and when). This can reveal deeply private matters, and will in any case be experienced as uncomfortable. Everyone who has not already registered their own account number with Trumf is exposed to this risk.

[8] Guidelines on Personal data breach notification under Regulation 2016/679, page 16.
This risk assessment must take into account the probability of possible events that may have occurred without Trumf having gained specific knowledge of them, as well as possible future consequences. Trumf cannot in this connection cite a lack of concrete knowledge that, for example, persons at a secret address have been exposed, or that third parties have used the information available to them to find out whether account holders are at home or on holiday. Trumf has taken certain risk-mitigating measures, including that «Trumf registered» is shown on the payment display and that information about the Trumf membership appears on the receipt. More recently, Trumf has supplemented this with additional information on the receipt, in the form of the first three letters of the Trumf member's name. It is also necessary to use one's mobile phone to register a bank account.

The Norwegian Data Protection Authority believes that these measures are not sufficient to achieve the level of security required under Article 32. As mentioned above, the repeated inquiries in which the account holder first learns of the registration when trying to register the account on their own membership show that the information measures are not sufficiently effective. Furthermore, even if the account holder gets information about the registration after a while via such information measures, potential harm could already have occurred. Trumf has given its members access to information about place of purchase and purchase history despite lacking a verification solution. Furthermore, Trumf has had concrete knowledge that incorrect registrations were constantly being made, in breach of its membership terms. This created a clear call to respond. This risk could have been significantly reduced through technical and organisational measures.
If Trumf had removed or significantly reduced the information about place of purchase, time of purchase and what was purchased, the account holders would no longer be exposed to the relevant risk. The implementation costs of limiting the amount of information available to a Trumf membership are likely to be limited. The Norwegian Data Protection Authority understands that such information may be popular among Trumf members, and that limiting it (overview of time of purchase, place of purchase and what was purchased) will reduce insight into the details underlying bonus earning. However, the Trumf solution would still work in line with its primary purpose. Trumf itself noted in its letter of 21 April 2016 that Trumf is a loyalty programme where members receive a calculated bonus based on purchase history, and that the purpose of registering a bank account number is to simplify the collection of the bonus basis. This purpose can still be pursued, even with measures that significantly limit the amount of information available to the Trumf member, as long as Trumf cannot verify that the member has registered their own account.

Trumf has previously stated that it believes that making the purchase history available to the Trumf member ensures a privacy-friendly solution, in that the user has easy access to their own personal data. Trumf therefore appears to be of the opinion that a measure in the form of reducing information on purchase history is not suitable for implementation because of this drawback. The Norwegian Data Protection Authority does not agree that this is a privacy-friendly solution in the circumstances of the case. Article 12(2) presupposes that the controller is not obliged to facilitate the exercise of the data subject's rights under Articles 15 to 22 if the controller is not able to identify the data subject.
Trumf's solution, given that it has not been able to verify that the member registers their own account, is consequently not a privacy-friendly solution, but poses a risk to the rights and freedoms of natural persons.

In other respects, the «scope of processing» must be taken into account in the assessment of appropriate technical and organisational measures. Trumf's loyalty programme has around 2.395 million members, of which […] have registered a bank account. The figures indicate that more than a dozen people have registered bank accounts in the solution without Trumf knowing whether the account numbers belong to the Trumf members they are registered on. Trumf also states that it has «continuously followed up other possibilities for access to a verification service».[9] However, as we have pointed out above, the experience of Trumf's customer service shows that this did not prevent incorrect registrations. The Norwegian Data Protection Authority believes that there are clearly suitable measures that would significantly reduce precisely the risks Trumf itself identifies. Trumf is itself aware of such measures, as it mentioned in 2016 the possibility of reducing the amount of information available to Trumf members.

Trumf writes in its comments that it does not agree with the Authority's assessment of the breach of Article 32 of the GDPR, as some of the measures were implemented when no verification solution was available on the market. The Authority, on the other hand, is of the opinion that when it became clear that Trumf could not soon implement a verification solution, Trumf should have reduced the risk that Trumf members could gain access to the personal data of others, for example by removing or significantly reducing the information about place of purchase, time and what was purchased for the members, until it was clear that it did not disclose personal data about the account holder to others.

In light of the above, we conclude that Trumf has not implemented «appropriate technical and organisational measures to ensure a level of security appropriate to the risk […]», cf. Article 32(1). The Norwegian Data Protection Authority concludes that Trumf has breached its obligation under Article 32.

In 2016, as mentioned, Trumf noted the possibility of implementing a risk-reducing measure while waiting to be able to ensure an adequate degree of verification. Trumf asked for guidance on this point:

«[T]o alleviate the risk that purchase history can be used to find out where third parties have actually been, Trumf can, until the relationship between account owner and account number is verified, hide the place name of the store in the purchase history, as described in point 3 below. This solution is complete and can be implemented immediately. The solution will, however, mean reduced transparency for the vast majority of members, who then lose a built-in privacy measure on trumf.no. Trumf asks for the Data Protection Authority's guidance on whether the measure should be implemented.»[10]

However, the Norwegian Data Protection Authority did not respond to this request for guidance in 2016. That Trumf sought guidance, and consequently considered the possibility of a specific risk-mitigating measure, is given a certain weight in the assessment of the severity of the breach. We address this further below in point 6.2. In other respects, the responsibility under Article 32 rests with the controller, which also follows from the principle of accountability, cf. Article 5(2).

[9] Letter from Wikborg Rein on behalf of Trumf, «Reply to request for statement - processing of personal data by registration of account number via Trumf», 9 November 2020.
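As an added illustration (not Trumf's own code, nor anything the Authority reviewed), the Article 32 measure discussed above, withholding place, time and item detail from the purchase history until Trumf can verify that the member owns the registered account, modelled in Python next to the weak behaviour and the 2016 proposal to hide only the store's place name; the Policy, Purchase and AccountLink types and the sample purchases are constructed for the example:

```python
"""Added example, not Trumf's own code: a purchase-history view that limits
what a member can see for a linked bank account until Trumf has verified
that the member owns the account. It models the Article 32 measure the
decision describes (removing store, time and item detail) next to the
weak behaviour that exposed the account holder's movements and purchases.
All names, purchases and account numbers are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Policy(Enum):
    FULL_DETAIL = "full"          # weak: every detail shown to whoever registered the account
    HIDE_STORE_NAME = "no_store"  # the 2016 proposal: hide only the store's place name
    BONUS_BASIS_ONLY = "bonus"    # only what the bonus calculation needs, per month


@dataclass(frozen=True)
class Purchase:
    store: str               # store and place name, e.g. "Meny Majorstuen" (constructed)
    when: datetime
    items: tuple             # item descriptions on the receipt
    amount_nok: float
    bonus_nok: float


@dataclass(frozen=True)
class AccountLink:
    member_id: str
    account_number: str      # constructed, not a real account
    verified: bool           # True only once ownership of the account has been confirmed


# Constructed sample history for one bank account.
SAMPLE_PURCHASES = (
    Purchase("Meny Majorstuen", datetime(2021, 3, 2, 17, 40), ("gluten-free bread", "milk"), 120.0, 1.2),
    Purchase("Kiwi Grunerlokka", datetime(2021, 3, 9, 8, 15), ("pregnancy test",), 89.0, 0.89),
    Purchase("Circle K Lysaker", datetime(2021, 4, 1, 19, 5), ("petrol",), 650.0, 6.5),
)


def history_view(link: AccountLink, purchases, policy: Policy) -> list:
    """Return the rows a member may see for the account linked to their membership.

    A verified link always gets full detail; an unverified link gets only what the
    chosen policy allows. FULL_DETAIL is the weak setting: it ignores verification."""
    if link.verified or policy is Policy.FULL_DETAIL:
        return [
            {"store": p.store, "when": p.when.isoformat(timespec="minutes"),
             "items": list(p.items), "amount_nok": p.amount_nok, "bonus_nok": p.bonus_nok}
            for p in purchases
        ]
    if policy is Policy.HIDE_STORE_NAME:
        # Still reveals when and what was bought, so only part of the risk is removed.
        return [
            {"store": None, "when": p.when.isoformat(timespec="minutes"),
             "items": list(p.items), "amount_nok": p.amount_nok, "bonus_nok": p.bonus_nok}
            for p in purchases
        ]
    # BONUS_BASIS_ONLY: aggregate to monthly totals so neither individual trips,
    # places nor items can be reconstructed, while the bonus basis is preserved.
    totals = defaultdict(lambda: {"purchases": 0, "amount_nok": 0.0, "bonus_nok": 0.0})
    for p in purchases:
        row = totals[p.when.strftime("%Y-%m")]
        row["purchases"] += 1
        row["amount_nok"] += p.amount_nok
        row["bonus_nok"] += p.bonus_nok
    return [{"period": period, "store": None, "when": None, "items": None, **row}
            for period, row in sorted(totals.items())]


def total_bonus(rows) -> float:
    """The loyalty programme's purpose: the bonus earned, computable from any view."""
    return round(sum(r["bonus_nok"] for r in rows), 2)


def disclosed_fields(rows) -> set:
    """Which sensitive fields (store, time, items) a view actually reveals."""
    return {k for r in rows for k in ("store", "when", "items") if r.get(k) is not None}


if __name__ == "__main__":
    unverified = AccountLink("member-1", "1234 56 78903", verified=False)
    for policy in Policy:
        rows = history_view(unverified, SAMPLE_PURCHASES, policy)
        print(policy.name, "discloses", sorted(disclosed_fields(rows)), "bonus", total_bonus(rows))
```

The bonus total is identical under every policy, which is the point the Authority makes: the programme's purpose survives even when an unverified member sees no store, time or item detail.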
This point is also emphasised in the commentary. The fact that guidance was sought from the Norwegian Data Protection Authority therefore does not change the position that Trumf has breached its obligation under Article 32. This is particularly so given that new regulations were implemented in the meantime, which must be considered to particularly call for a new, independent assessment on Trumf's part. Furthermore, it must be noted that Trumf also had certain information measures in place in 2016. Even then, as was clearly stated to Trumf in the notification of the decision of 17 June 2016, the Authority was of the opinion that such information measures did not sufficiently reduce the risk of incorrect registrations and that a verification solution was necessary to ensure adequate information security. When the verification solution still did not become available, Trumf had a clear call to investigate alternative risk-reducing measures. The lack of guidance from the Authority on this point must be seen in light of the Authority's understanding that Trumf would soon secure a verification solution.

As mentioned above, we have concluded that Trumf has breached Article 32, but we do not impose on Trumf an order to implement such organisational and/or technical measures, as Trumf has now implemented a verification solution.

[10] Letter from Wikborg Rein on behalf of Trumf, «Reply to notification of decision - Registration of account number on Trumf.no», 15 August 2016.

6. Infringement fine

6.1. General information about infringement fines

Infringement fines are a tool to ensure effective compliance with and enforcement of the personal data rules. We believe it is necessary to react to the infringement, and hereby give notice of the imposition of an infringement fine, cf. Article 83 of the GDPR. In accordance with the Supreme Court's case law (cf. Rt. 2012 page 1556), we assume that an infringement fine is to be regarded as punishment under Article 6 of the European Convention on Human Rights, so that a preponderance of probability that an infringement has occurred is required in order to impose a fine. In this context, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, directed against a committed breach of a law, regulation or individual decision, and which is regarded as punishment under the European Convention on Human Rights (ECHR).

6.2. Assessment of whether an infringement fine is to be imposed

When assessing whether a fine should be imposed, and when determining its amount, the Norwegian Data Protection Authority shall take into account the elements in Article 83(2)(a) to (k) of the GDPR. The Authority may impose an infringement fine after a discretionary overall assessment, but the listed factors provide guidelines for the exercise of discretion by highlighting factors that are to be given special weight. We assess the relevant factors below.

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

The Norwegian Data Protection Authority is of the opinion that the degree of seriousness justifies the imposition of an infringement fine. Trumf currently has around 2.4 million members. All members have had the opportunity to register account numbers on their memberships without Trumf having verified that the account numbers belong to the members they are connected to. This weakness has been open in Trumf's systems for many years. Trumf has not only been aware that there is a risk of incorrect registrations in its solution, but has also had concrete knowledge that this risk was constantly materialising.
The background of the case aggravates the seriousness. In 2016, the Norwegian Data Protection Authority made it clear that we viewed the situation seriously, and emphasised to Trumf how important it was to ensure verification, as we were of the view that lack of verification opened the way for misuse of the solution. This led to the Authority giving notice of a decision aimed at Trumf, which among other things meant that Trumf had to stop processing account numbers and other personal data for which it had no legal basis (the Authority believed that Trumf lacked a legal basis in cases where a Trumf member registered someone else's account number, in light of the missing verification mechanism). The Authority nevertheless chose not to make a final decision in the case, as Trumf provided supplementary information on how it would, among other things, soon implement a solution that would ensure that Trumf members could only register their own bank account numbers. Trumf was, however, already in the winter of 2016/2017 aware that this could not be used. That Trumf breached its duty to report under such circumstances must be characterised as serious.

The extent of the breaches of Article 33(1) is challenging for the Authority to determine. Based on Trumf's estimates, it has received a significant number of inquiries about incorrect registrations which the Authority believes Trumf should have reported under Article 33(1). At the same time, the Authority is cautious about placing too much weight on the large number of personal data breaches, as there is some uncertainty about the figures. We are particularly reluctant to emphasise the lack of notifications for the personal data breaches that Trumf received after June 2020.
On at this time, Trump's privacy representative contacted the Data Inspectorate, and provided information that they did not assessed cases of incorrect registrations as notifiable violations. The key for the Data Inspectorate is that Trump has had repeated breaches of personal data security such as has not been reported to the Data Inspectorate, despite the fact that Trump was aware of the Data Inspectorate's opinion on that failure to verify account numbers entails a risk to the account holders' rights and freedoms. With regard to Article 33 (5), it is important that companies document their breaches personal data security. Such documentation is not only intended to ensure that the Data Inspectorate can assess whether the data controller complies with its obligations in relation to Article 33, but will also be useful for the data controller's work to ensure an adequate degree of security. 11 That Trump has not provided such documentation is in itself a breach, at the same time as it has done so more difficult for the Data Inspectorate to investigate Trump's compliance with Article 33 No. 1. The Norwegian Data Protection Authority understands that the assessment made in accordance with Article 33, No. 1, concerns the risk to them the data subject's rights and freedoms, are discretionary and that this can be challenging in the specific case. However, the obligation to document breaches under Article 33 (5) is clear and lacks discretionary assessments. Trump has put forward some arguments as to why they believe that cases of misregistration do not represents a "breach of personal data security", which we reviewed above. These were in reality only relevant in the risk assessment pursuant to Article 33 (1), and did not appear to be relevant for the assessment of whether such erroneous registrations in themselves meet the definition in Article 4 (12) it is clear to the Norwegian Data Protection Authority that such incidents are «breaches of personal data security». 
The breach of Article 33 no. 5 must also be seen in the light of the communication between Trump and the Norwegian Data Protection Authority in 2016, when it became clear to Trump that they would not be able to implement a verification solution, as first described to the Norwegian Data Protection Authority. That documentation and grouping of the incorrect registrations first, apparently, was implemented in 2021, we consider, in these circumstances, to be serious. The Danish Data Protection Agency has also chosen not to problematize whether the overall descriptions and groupings given by the 2021 cases are sufficient to comply with Article 33 (5). As noted, the Data Inspectorate has also concluded that Trump violated its obligation under Article 32, as a result of Trump not implementing appropriate measures when they became aware that one 11 Commentary in relation to Article 33 (5). 23, verification solution could not be implemented in the short term. However, Trump described the possibility of limit some of the amount of information that became available to Trump members back in 2016. Trump asked the Data Inspectorate for guidance regarding the measure, but the Data Inspectorate did not answer this the request. We take this into account in our assessment of the severity. At the same time, we must emphasize that the liability under Article 32 is placed with the controller, and Trump had any reason to carry out a new independent assessment, especially in light of the new privacy regulations came into force after they sought guidance from the Norwegian Data Protection Authority. Furthermore, the Data Inspectorate did not have a strong encouragement to provide such guidance or comment on the subject as Trump provided information that they would implement a verification solution soon. 
In addition, it must be emphasized, as above, that the Data Inspectorate in 2016 announced that Trump had to prepare and adequately document risk assessment, acceptance criteria and measures as part of its information security work. The Danish Data Protection Agency wrote the following about this point, under the heading "Information security and internal control": As the situation is today, the solution on trumf.no means that it can easily happen unauthorized processing of account numbers, location data and shopping history for household members and persons who are not members of Trump. In the Data Inspectorate's opinion, Trump must provide one authentication of the link between Trump membership and account holder, so it is not possible to process account numbers on trumf.no, unless the account holder and Trumf- member is the same person. Knowledge of who is the account holder is also one prerequisite for obtaining and checking that there is valid consent from the data subject. This statement made visible to Trump how the security level, as a result of lack verification solution, was not sufficient. Further measures were necessary, in addition to the Data Inspectorate believed that the basis for treatment had to be secured. As previously noted, the reason why the Data Inspectorate was not followed up this warning, among other things, that Trump wrote that they would secure a verification solution. measures, as identified above, were not implemented when it became clear that Trump would still not be able to get implemented a verification solution must be considered reprehensible. b) whether the infringement was committed intentionally or negligently, The fact that Trump members register others' account numbers on their membership is not intentional by Trump, on the contrary, such registration is contrary to Trump's contract terms. However, it is clear that it has been intention of Trump not to report these incidents to the Data Inspectorate. 
Trump also made a conscious choice about not implementing measures that reduced the risk of abuse that existed due to missing verification mechanism. We consider the infringements in relation to Article 33, paragraphs 1 and 32 consequently to be intentional, by the management of the business. This pulls in an aggravating direction. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects. The Article 29 Working Party's Guidelines on Infringement Fees state, inter alia, the following the point: 24, This provision acts as an assessment of the degree of responsibility of the controller after the infringement has occurred. It may cover cases where the controller / processor has clearly not taken a reckless / negligent approach but where they have done all they can to correct their 12 actions when they became aware of the infringement. The Article 29 Working Party gives an example of such a case: […] Timely action taken by the data controller / processor to stop the infringement from continuing or expanding to a level or phase which would have had a far more serious impact than it did. Trump has implemented information measures that are intended to make account holders aware of their bank account is registered on a Trump membership, and consequently increase the chance of detecting incorrect registration. Furthermore, in 2018 they introduced two-factor authentication via SMS to the member's registered The fact that Trump has taken such measures is an argument against infringement fines. Trump did not, however, implement measures to reduce the information available to their members, i in case there should be incorrect registrations - as Trump knew occurred many times a year. Such information restriction could reduce the damage to the data subjects. Like what happened commented above, we take into account the fact that Trump sought guidance from the Norwegian Data Protection Authority on measures to be implemented. 
(d) the degree of responsibility of the controller or processor, taking into account those technical and organizational measures they have implemented in accordance with Articles 25 and 32 Trump has breached its obligation under Article 32 due to a lack of appropriate technical and organizational measures to achieve a level of security that is appropriate in light of the risk. This therefore speaks for itself imposition of infringement fines. e) any relevant previous violations committed by the data controller or the data processor We have not identified any previously relevant violations, and this relationship therefore does not speak for itself imposition of infringement fines. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it Trump has collaborated with the Norwegian Data Protection Authority, and answered the questions that were asked. This is, however Trump ordered to do.The Article 29 Working Party notes on this occasion the following: […] It would not be appropriate to give additional regard to cooperation that is already required by law for example, the entity is in any case required to allow the supervisory authority access to premises for audits / inspections. 12 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, pages 12 to 13. 25, That Trump has given complementary answers to the Data Inspectorate's requirements for statements is not a mitigating circumstance in itself. However, Trump's privacy ombudsman, in connection with the media reports, contacted The Data Inspectorate to inquire about the Authority's further process, as well as to inform the parent of the measures Trump had implemented. This pulls in a somewhat mitigating direction, in isolation. 
By the way, it already became clear in the winter of 2016/2017 that Trump would not be able to implement the verification solution that Trump envisioned the Data Inspectorate when we closed the case in 2016. Trump did not the Authority some information on this. If the Data Inspectorate had received information that the challenge with verification would not still be resolved we could have considered the possibility of, for example, imposing Trump to limit the amount of personal information that became available to the Trump member. Trump was required to provide us with such information, in light of the fact that the lack of verification mechanism led to repeated cases of notifiable breaches of personal data security. The degree of cooperation with On this basis, the supervisory authorities have not been considered as a mitigating circumstance in particular importance. g) the categories of personal data affected by the infringement The Article 29 group's supervisor points out that the assessment under letter g is, among other things, related to whether dissemination of personal data may cause harm or inconvenience to the data subjects. We are showing to previous comments about the potential for abuse that exists as a result of Trump members can get information about purchase history etc. to other people. (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in the extent to which the data controller or data processor has notified the infringement In 2020, the Data Inspectorate was informed, via media coverage and contact with the Privacy Ombudsman, that the verification solution was not implemented in line with Trump's progress plan from 2016. On At the time when the privacy ombudsman contacted the Danish Data Protection Agency, it was obvious that the media would further describe how Trump had not implemented a verification solution. 
Despite this the contact from the privacy representative must be emphasized as a mitigating circumstance under letter h. (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter that that mentioned measures are complied with In 2016, the Data Inspectorate announced a decision on an order against Trump. However, this did not result in a final decisions, and related to old regulations. For this reason, we never used the expertise as is stated in Article 58 (2). This factor is therefore not relevant when assessing whether infringement fines must be imposed. (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 13 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, page 14. 26, We do not find this moment relevant. k) any other aggravating or mitigating factor in the case, e.g. economic benefits such as has been obtained, or losses that have been avoided, directly or indirectly, as a result of the infringement In its practice, the Privacy Board has stated that long case processing time shall constitute a mitigating factor circumstance. In PVN-2021-03, the Privacy Board emphasizes that the facts of the case became essentially clarified in May 2019, while it took over a year before the audit notified the order and infringement fee. In PVN- 2021-09, the Privacy Board also emphasized the long case processing time at the audit. In that case It had been six months since the audit received a report of a breach of personal data security a statement was requested. After receiving the report, it took approx. four months before notice decision was sent, and then ten months from the notice was sent until the decision was made. 
After the company complained, it took another three months before the case was received by the Privacy Board. The Supreme Court has otherwise in its practice assumed that only in the case of total inactivity of around one year is considered 14 processing time to violate the European Convention on Human Rights. This case was initiated by the Data Inspectorate sending Trump a request for a statement. This requirement statement was sent on October 2, 2020. Trump, through their representative, asked for an extended deadline to answer the Data Inspectorate's questions. This request was granted. The Norwegian Data Protection Authority received the report Trump November 9, 2020. A new request for a statement was sent to Trump on March 8, 2021. March 23 In 2021, Trump was granted a postponed deadline to respond to the statement. On April 20, 2021 received The Data Inspectorate Trump's new statement. On 3 June 2021, the Norwegian Data Protection Authority received further information from Trump, of which Trump informed that the implementation of their verification solution went as planned. The factual circumstances of the case were consequently only, in essence, clarified in June 2021, cf. PVN-2021-03. The Norwegian Data Protection Authority believes that the progress of the case and the case processing time in general should not constitute one mitigating circumstance in this case. The longest inactivity has been around 5 months, from the factual circumstances of the case were essentially clarified until notification of the decision. The significance of the case and scope means that 5 months is not an unacceptably long time. Furthermore, 6 months have passed Trump gave his comments until this decision is made. Nor can this be considered to be unacceptable. Based on the assessment above, the Danish Data Protection Agency concludes that an infringement fee should be imposed. The next the question is the size of the fee. 6.3. 
Assessment of the size of the fee When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case above. The violation fee must be effective, be in a reasonable proportion to the violation and work deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in each case. 14 HR-2016-225-S, section 32. 27, The fee should be set so high that it also has an effect beyond the specific case, at the same time as the fee size must be in a reasonable proportion to the infringement and the activity, cf. Article 83 no. 1. The Privacy Ordinance facilitates a higher level of fines than that which applied thereafter the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that an infringement fee shall be determined concretely so that in each individual case it is effective, is in a reasonable relation to the violation and acts as a deterrent. The main purpose of the infringement fee is contraception, ie that the risk of being charged a fee shall have a deterrent effect and thereby contribute to increased compliance with the regulations. The commentary, in relation to Article 83, states: Contraceptive considerations dictate that the fee for a violation must be set so high that it is in fact perceived as an evil by the offender. This means that the offender's financial capacity should have significance in the measurement, so that the fee becomes higher the stronger the carrying capacity of the offender hair. […] When assessing the financial viability of an enterprise, it may be relevant to look at the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5. 
And further: The consideration of ensuring an individual assessment in each individual case dictates that the supervisory authorities should avoid establishing standardized fee rates. This applies even if national law allows for it standardized rates, cf. the Public Administration Act § 43. The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business. It has been concluded that Trump has breached its obligations under Article 32, Article 33 (1) and Article 33, paragraph 5. Trump did not send reports of violations to regulators personal data security and did not otherwise implement appropriate security measures, despite the fact that it was clear - based on the circumstances of the case - that the Data Inspectorate was very clear on the need to verify account holders. The Data Inspectorate was clear on this need, among other things, due to the abuse potential that lay in making account holder information available to Trump members. Pursuant to Article 83 (4), an infringement fine of up to EUR 10 000 000 or, where is an "undertaking" ("undertaking" in English) of up to 2% of the total global annual turnover in the previous financial year, where the highest amount is used. In Advocate 150 note the following: If an undertaking is charged an infringement fee, an undertaking for these purposes should be understood as one undertakings within the meaning of Articles 101 and 102 of the TEU. 
The European Court of Justice has, inter alia in C-231/11 P - C-233/11, given the following remarks related to the understanding of "enterprise", but then in a different legal context: The authors of the Treaties chose to use the concept of an undertaking to designate the perpetrator of an infringement of competition law, who is liable to be punished pursuant to 28, Articles 81 EC and 82 EC, and not other concepts such as the concept of a company or firm or of a legal person, used, inter alia, in Article 48 EC (see, to that effect, Case C-501/11 P Schindler Holding and Others v Commission [2013] ECR, paragraph 102). The Court of Justice has consistently held that the concept of an undertaking covers any entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed. That concept must be understood as covering an economic unit, even if, from a legal perspective, that unit is made up of a number of natural or legal persons (see, inter alia, Joined Cases C-628/10 P and C-141/11 P Alliance One International and Standard Commercial Tobacco v Commission [2012] ECR, paragraph 42 and the case-law cited). In «The EU General Data Protection Regulation, GDPR, ACommentary», pages 1187-1188, it is given the following comment to Article 83: Articles 101 and 102 TFEU do not themselves contain any definition of the concept of 'undertaking'. Consequently, the reference in recital 150 should be understood as a reference to the whole body of jurisprudence concerning the definition of an 'undertaking' under the TFEU. In this respect, the case law of the EU courts in the area of competition law has defined an undertaking as an economic unit, which may comprise several natural or legal persons or 'which may be formed by the parent company and all involved subsidiaries', together referred to as a 'single economic entity'. 
Moreover, under this case law, each person forming part of a single economic entity may be held liable for an infringement of EU competition law committed by that economic entity.15 According to Proff, NorgesGruppen ForbrukerserviceAS is the only shareholder in Trump. NorgesGruppen ForbrukerserviceAS is owned by NorgesGruppenASA. On this basis, we assume that Trump AS and NorgesGruppenASA are part of the same «enterprise», cf. Article 83 no. 4, and the turnover of NorgesGruppenASA must be taken into account when determining the infringement fee. The annual result for NorgesGruppenASA, for 2020, shows a turnover of NOK 101.56 billion, a increase from NOK 90.5 billion in 2019. 16 The fee must be set so high that it is effective and achieves a sufficient deterrent effect. Out from the company's high turnover, as well as the serious violations of the Privacy Ordinance in the case, we have concluded that an infringement fee of NOK 5,000,000 is considered correct. The amount is approx. 0.005 percent of the company's turnover in the previous financial year. The infringement fee is consequently at the very bottom of what the Privacy Ordinance Article 83 no. 3 gives the Norwegian Data Protection Authority competence to impose. 7. Right of appeal and further proceedings 15 THE EU GENERAL DATAPROTECTION REGULATION (GDPR), ACommentary, edited by Kuner, Bygrave and Docksey, 2020. 16 https://www.dn.no/handel/norgesgruppen/kiwi/meny/rekordar-for-koronavinneren-norgesgruppen-over-100-milliarder-i- turnover / 2-1-986439 and https://www.norgesgruppen.no/globalassets/finansiell-informasjon/rapporter/2020/ars-og- barekraftsrapport-2020.pdf. 29, You can appeal the decision. Any complaint must be sent to us within three weeks after this letter is received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will send the case on to the Privacy Board for complaint handling. 
If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after the expiry of the appeal period, cf. the Personal Data Act § 27. 8. Publicity We will inform you that all the documents are in principle public, cf. the Public Access to Information Act § 3. If you believe there are grounds for exempting all or part of the document from public access, please we you to justify this. If you have questions about the case, you can contact Ida Småge Breidablikk on telephone 22 39 69 70. With best regards Jørgen Skorstad department director, law Ida Småge Breidablikk senior legal adviser The document is electronically approved and therefore has no handwritten signatures