Datatilsynet (Norway) - 20/02199: Difference between revisions

From GDPRhub
mNo edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 7: Line 7:
|DPA_With_Country=Datatilsynet (Norway)
|DPA_With_Country=Datatilsynet (Norway)


|Case_Number_Name=Datatilsynet - 20/02199-1
|Case_Number_Name=Datatilsynet - 20/02199  
|ECLI=
|ECLI=


Line 23: Line 23:
|Currency=NOK
|Currency=NOK


|GDPR_Article_1=Article 5(1)(b) GDPR
|GDPR_Article_1=
|GDPR_Article_Link_1=Article 5 GDPR#1b
|GDPR_Article_Link_1=
|GDPR_Article_2=Article 5(1)(b) GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=Article 5 GDPR#1b
|GDPR_Article_Link_2=
|GDPR_Article_3=Article 5(1)(e) GDPR
|GDPR_Article_3=
|GDPR_Article_Link_3=Article 5 GDPR#1e
|GDPR_Article_Link_3=




|National_Law_Name_1=Personal Data Act § 11(1)(c)
|National_Law_Name_1=Personal Data Act § 11(1)(c)
|National_Law_Link_1=https://app.uio.no/ub/ujur/oversatte-lover/data/lov-20000414-031-eng.pdf
|National_Law_Link_1=https://app.uio.no/ub/ujur/oversatte-lover/data/lov-20000414-031-eng.pdf
|National_Law_Name_2=Personal Data Act § 11(1)(c)
|National_Law_Name_2=
|National_Law_Link_2=https://app.uio.no/ub/ujur/oversatte-lover/data/lov-20000414-031-eng.pdf
|National_Law_Link_2=


|Party_Name_1=Norwegian Public Roads Administration  
|Party_Name_1=Norwegian Public Roads Administration  
Line 53: Line 53:


|Initial_Contributor=n/a
|Initial_Contributor=n/a
|
|}}
}}


The Norwegian DPA fined the Norwegian Public Roads Administration a fine of 400,000 kroner (approximately 38,000 Euros) for having  processed personal data for purposes that are incompatible with the original purpose (Article 5(1)(b)) and for not having deleted video surveillance recordings after 7 days (Article 5(1)(e)).
The Norwegian DPA fined the Public Roads Administration €38,000 for processing personal data beyond the original purpose and for not deleting video surveillance recordings after 7 days. The case was assessed according to the prior Personal Data Act of year 2000 in Norway, and not the GDPR.


==English Summary==
==English Summary==


===Facts===
===Facts===
The Norwegian Data Protection Authority received a report of a breach of personal data security (non-conformance report) from the Norwegian Public Roads Administration (SVV) on 31 August 2018. There has also been a report of breaches of regulations for processing personal data by the Norwegian Public Roads Administration , represented by Advokatfirmaet Schjødt AS of 29 June 2018 (case 18/01127). These cases belong together and are dealt with together.  
In June 2018, Veidrift AS, a company delivering operation and maintenance tasks to the Norwegian Public Roads Administration (NPRA) lodged a complaint with Datatilsynet (the DPA) for unlawful processing of personal data related to the use of camera surveillance and Global Positioning System (GPS) data. On 31 August, the NPRA notified the DPA themselves about the personal data breach.  


The Norwegian Public Roads Administration had also set up video surveillance cameras to monitor contractors, employees, subcontractors and employees of the subcontractors.  
The NPRA is an administrative body and a provider of national public services, subordinate to the Ministry of Transport and Communications. They are responsible for planning and building, operating and maintaining the Norwegian road network, including overseeing permanently installed road video surveillance cameras to monitor road safety.
===Dispute===
Was the Norwegian Public Roads Administration in breach of GDPR Article 5(1)(b) and 5(1)(e) for using video surveillance footage for purposes other than which they had initially intended, and for keeping it for longer than necessary?


The NPRA, the controller in this case, had used these surveillance cameras to obtain and use personal data to monitor contractors, employees, subcontractors and employees of the subcontractors. They claimed that this processing could be expected and was, as such, in line with the original purpose (monitoring road safety). Further, they had used GPS data to conduct speed measurements to check if snow plowing crews had upheld the prescribed speed limits, although such data is collected for purposes relating to health and safety, payroll or work conditions.
===Holding===
===Holding===
Pursuant to the GDPR Article 58 no. 2 letter i, and after an assessment of the criteria in the Personal Data Act 2000 § 46 first paragraph, the Norwegian Public Roads Administration is ordered to pay an infringement fee to the Treasury of 400,000 - four hundred thousand - kroner for to have processed personal data for purposes that are incompatible with the original purpose, cf. the Personal Data Act § 11 first paragraph letter c, and for not having deleted recordings after 7 days, cf. the Personal Data Regulations 2000 § 8-4.  
First, the DPA held that the controller's use of the surveillance cameras footage to document contract violations, several months after the fact, exceeded the original purpose of the processing. The DPA also found that the use of GPS data exceeded defined purposes. Altogether, the DPA reasoned that these processing activities were a significant disadvantage for the contractors and their employees, and substantially outside of what data subjects could reasonably expect.  


WIth regards to the breach of the Purpose Limitation principle, although the Norwegian Public Roads Administration had tried to claim that the further processing of the data was 'predictable', in general, further processing cannot be considered predictable if it is not sufficiently related to the original purpose and does not meet the reasonable expectations of the data subjects at the time of collection, based on the context of the collection
Finally, the DPA held that the surveillance cameras footage should be deleted within 7 days, according to national regulations. As the controller had used footage dating back several months, they had also breached this obligation.


With regards to the video surveillance recordings, the DPA held that it was very serious when the Norwegian Public Roads Administration used information from VTS to monitor contractors, employees, subcontractors and employees of the subcontractors in the follow-up of a contract. The same severity applied to the processing of personal data from the data capture in the GPS unit that is not justified in HSE or pay and working conditions. It is stated, among other things, that the GPS system had been used for subsequent speed measurements to check whether the plow crews had maintained the prescribed speed at all times. Such control cannot be said to be part of the HSE measures. The Data Inspectorate is of the opinion that this has not been a one-off case, but that there has been a deliberate use of film and recordings from these cameras.  
For these violations, the DPA fined the controller €38,000. The fine was not larger as the assessment was done according to the prior Personal Data Act of 2000.


==Comment==
==Comment==
''Share your comments here!''
The case was determined after the prior Personal Data Act of year 2000 in Norway, and not the GDPR. The DPA does, however, refer to corresponding Articles in the GDPR: Articles 5(1)(b) and (c), as well as Article 17.


==Further Resources==
==Further Resources==

Latest revision as of 09:09, 21 August 2022

Datatilsynet - Datatilsynet - 20/02199
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law:
Personal Data Act § 11(1)(c)
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 25.08.2020
Fine: 400000 NOK
Parties: Norwegian Public Roads Administration
National Case Number/Name: Datatilsynet - 20/02199
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA fined the Public Roads Administration €38,000 for processing personal data beyond the original purpose and for not deleting video surveillance recordings after 7 days. The case was assessed according to the prior Personal Data Act of year 2000 in Norway, and not the GDPR.

English Summary

Facts

In June 2018, Veidrift AS, a company delivering operation and maintenance tasks to the Norwegian Public Roads Administration (NPRA) lodged a complaint with Datatilsynet (the DPA) for unlawful processing of personal data related to the use of camera surveillance and Global Positioning System (GPS) data. On 31 August, the NPRA notified the DPA themselves about the personal data breach.

The NPRA is an administrative body and a provider of national public services, subordinate to the Ministry of Transport and Communications. They are responsible for planning and building, operating and maintaining the Norwegian road network, including overseeing permanently installed road video surveillance cameras to monitor road safety.

The NPRA, the controller in this case, had used these surveillance cameras to obtain and use personal data to monitor contractors, employees, subcontractors and employees of the subcontractors. They claimed that this processing could be expected and was, as such, in line with the original purpose (monitoring road safety). Further, they had used GPS data to conduct speed measurements to check if snow plowing crews had upheld the prescribed speed limits, although such data is collected for purposes relating to health and safety, payroll or work conditions.

Holding

First, the DPA held that the controller's use of the surveillance cameras footage to document contract violations, several months after the fact, exceeded the original purpose of the processing. The DPA also found that the use of GPS data exceeded defined purposes. Altogether, the DPA reasoned that these processing activities were a significant disadvantage for the contractors and their employees, and substantially outside of what data subjects could reasonably expect.

Finally, the DPA held that the surveillance cameras footage should be deleted within 7 days, according to national regulations. As the controller had used footage dating back several months, they had also breached this obligation.

For these violations, the DPA fined the controller €38,000. The fine was not larger as the assessment was done according to the prior Personal Data Act of 2000.

Comment

The case was determined after the prior Personal Data Act of year 2000 in Norway, and not the GDPR. The DPA does, however, refer to corresponding Articles in the GDPR: Articles 5(1)(b) and (c), as well as Article 17.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision on infringement fee - Norwegian Public Roads Administration 

1 Introduction 

The Norwegian Data Protection Authority received a report of a breach of personal data security (non-conformance report) from the Norwegian Public Roads Administration (SVV) on 31 August 2018. There has also been a report of breaches of regulations for processing personal data by the Norwegian Public Roads Administration , represented by Advokatfirmaet Schjødt AS of 29 June 2018 (case 18/01127). These cases belong together and are dealt with together. We also refer to the feedback on notification of infringement fines from the Norwegian Public Roads Administration of 11 March 2020. In the feedback, the Norwegian Public Roads Administration announces that in this case they have not been good enough to comply with the requirement for purpose limitation, and warns that they will charge a final infringement fee. intelligence. However, they ask the Data Inspectorate to assess the size of the infringement fee in light of the measures mentioned in the feedback. An infringement fee shall reflect the seriousness of the offense in question. It follows from Norwegian law that the Norwegian Public Roads Administration must implement necessary measures to prevent future offenses - SVV has a legal obligation to ensure that the regulatory requirements are complied with at all times (cf. the Privacy Ordinance art. 5 no. 2). Measures implemented to limit the negative effects for those affected by a breach of personal data security that have already occurred may be emphasized in a mitigating direction, see WP 253 pages 12 and 13, but there is no basis for assessing future regulatory compliance as a mitigating circumstance. The Data Inspectorate has therefore come to the conclusion that the subsequent measures to rectify the incidents do not affect the size of the infringement fee. 

2 Decision on infringement fines 

1. Pursuant to the Privacy Ordinance Article 58 no. 2 letter i, and after an assessment of the criteria in the Personal Data Act 2000 § 46 first paragraph, the Norwegian Public Roads Administration is ordered to pay an infringement fee to the Treasury of 400,000 - four hundred thousand - kroner for to have processed personal data for purposes that are incompatible with the original purpose, cf. the Personal Data Act § 11 first paragraph letter c, and for not having deleted recordings after 7 days, cf. the Personal Data Regulations 2000 § 8-4. 

3 Choice of law 

On 20 July 2018, a new Personal Data Act, which implements the EU Privacy Regulation in Norwegian law, entered into force. The relevant violation of the rules occurred before the new law came into force. It follows from the Personal Data Act 2018 § 33 that the rules on the processing of personal data that applied at the time of action, shall be used as a basis when a decision is made on an infringement fee. The legislation at the time of the decision shall nevertheless be applied when this leads to a more favorable result for the person responsible, cf. the Personal Data Act 2018 § 33 first paragraph second sentence. An assessment of the circumstances that occurred under the Personal Data Act 2018 would probably have resulted in an infringement fee higher than NOK 400,000. We refer to the Privacy Ordinance art. 83 no. 5, which stipulates that an infringement fine of up to 20 million euros may be imposed, if the offense violates the basic principles for the processing of personal data in art. 5, 6, 7 and 9, cf. also the Personal Data Act 2018 § 26 second paragraph. In this case, the violation applies to the Personal Data Act (2000) § 11 first paragraph letter c) and the Personal Data Regulations (2000) § 8-4. Section 11, first paragraph, letter c) is continued in the Privacy Ordinance, Article 5, paragraph 1, letter c. There is nothing to indicate that the application of the rules in the Privacy Ordinance would have resulted in a more favorable result. With regard to § 8-4, this has not been continued in the Privacy Ordinance. It is thus the general rules in the Privacy Ordinance that must be assessed in relation to whether its application could lead to a more favorable result. According to § 8-4, the deletion deadline for camera recordings is set at 7 days. The Privacy Ordinance has no such provision, but the Data Inspectorate considers that there are good reasons for continuing the same application of law in the assessment of Article 17, cf. Article 5 no. 1 letter b) and c). The Norwegian Data Protection Authority has therefore come to the conclusion that the application of the rules of the Privacy Ordinance will not give a more favorable result for SVV. The condition in the Personal Data Act 2018 § 33 first paragraph second sentence is thus not fulfilled. Reference is also made to the assessment made by the Privacy Board in case PVN-2019-09 on the publication of an image from a surveillance camera on Facebook. The case has therefore been processed in accordance with the Personal Data Act of 14 April 2000 no. 31, with associated regulations of 15 December 2000 no. 1265.

4 The actual circumstances 

There is a report of a breach of personal data security («deviation report») of 31 August 2018 (18 / 02466-1) and the Norwegian Public Roads Administration's report of 27 August 2019 (18 / 02466-3) which forms the basis for our understanding of the actual pages of the case. However, we also refer to the notification of a breach of the regulations from the law firm Schjødt AS of 29 June 2018 (18 / 01127-1). 3 The Norwegian Public Roads Administration and the law firm Schjødt agree, as it appears from the documents, on the facts of the case. Therefore, reference is made to their perception of the case. See the Internal Audit Office's (IR) report and the Norwegian Public Roads Administration's response to this (18 / 02466-3). With effect from 1 September 2015 to 31 August 2020, the Norwegian Public Roads Administration, Region East, entered into a contract with Veidrift AS (Veidrift) for operation and maintenance tasks of roads in the Follo region. During the contract period, investigations were initiated in connection with the fulfillment of the contract. The contract was terminated in July 2018. On 29 June 2018, Veidrift sent a notification to the Norwegian Public Roads Administration claiming that there were serious weaknesses in the Norwegian Public Roads Administration's collection and use of personal data in the ongoing follow-up of the contract. The Director of Public Works instructed the Internal Audit to carry out a fact-finding with a view to clarifying: • Whether the investigation of the Follo contract was carried out in violation of current privacy rules. • Whether the report is based on a reassuring methodology. IR conducted the investigation with the assistance of the Privacy Ombudsman and the law firm PwC.

4.1 Processing responsibility The report from the Norwegian Public Roads Administration (18 / 02466-3) states about the processing responsibility: «The Norwegian Public Roads Administration is responsible for processing personal data from the traffic monitoring carried out by VTS. Recording of vehicles that perform assignments on a contract with the Norwegian Public Roads Administration must normally be regarded as personal data because the GPS units and crew lists reported in Elrapp make it relatively easy to link the vehicle from filming to an individual. Registration of crew lists and other personal information in Elrapp can be used to check the supplier's compliance with the contract's requirements for HSE and in pay and working conditions for the employees who perform work on the contract. This is authorized in the client regulations and regulations on wages and working conditions in public contracts. The Norwegian Public Roads Administration is responsible for processing the individual employee for processing such information. The Norwegian Public Roads Administration is also responsible for processing personal data in Elrapp through the data capture from the GPS units as well as for personal data collected as a result of manual control, such as by filming or photographing contract deviations 

4.2 Use of recordings from the surveillance cameras from Vegtrafikksentralen Early winter 2017/2018 the builder revealed that it was broken into towards the middle parts. This is not in line with the terms of the contract. The client therefore wanted to document the practice, as 4 breaches towards the middle parts in addition to being a breach of contract were considered to be dangerous in traffic. The client is here the Norwegian Public Roads Administration. IR has assumed that the fixed road cameras referred to in the warning are those administered by the Road Traffic Centers (VTS). Relevant central in this case is VTS East, which is located in Oslo and administers traffic monitoring throughout the East Region. The requirement under the Personal Data Act (2000) was that all processing of personal data should be reported to the Norwegian Data Protection Authority. As the Norwegian Public Roads Administration had a privacy ombudsman, it was sufficient that the notification had been sent to the Privacy Ombudsman. There is a report on the processing of personal data signed by the Regional Road Director on 31 October 2016. From this it appears that the purpose of the camera surveillance is traffic management and traffic safety (18 / 02466-5). Regarding VTS, the IR report states that it: «shall be the hub of traffic preparedness for national and county roads and other road owners' road networks. The road traffic control centers perform these tasks through continuous monitoring using cameras and other installations that provide support for traffic control through remote control of technical facilities and installations, notification and dissemination of information on status and incidents on the road network, in road traffic and in the immediate vicinity of the road. It has been revealed that information has been extensively obtained and used from fixed road cameras to monitor contractors, employees, subcontractors and employees of the subcontractors in the follow-up of the contract. In a letter from Advokatfirmaet Schjødt (18 / 01127-1) point 2, it is stated: Appendix 32 to the letter. In other words, there is extensive use of information from road cameras for purposes other than those that will result from a possible license basis. Veidrift cannot see that SVV has a legal basis, contractual legal basis or other legal basis for extracting such images, nor to the extent that the purpose is to prove any reprehensible or criminal offenses with a previous subcontractor. However, it appears that SVV has in any case not limited the acquisition and use of such images for this purpose. If it is the case that SVV uses the information from the road cameras for purposes that are not covered by the license basis, this will constitute a serious violation of the Personal Data Act. "

4.3 Processing of personal data in ELRAPP related to HSE This is stated in the inquiry from Advokatfirmaet Schjødt (as a representative of Veidrift AS) (18/01127): «Thirdly, significant deviations from the regulations have been identified for the collection and use of GPS data. . Specifically, it is a matter of collecting and using GPS data through the 5 web-based system ELRAPP. There is reason to question whether the use of ELRAPP is illegal according to current regulations. There is also the question of whether the system satisfies the requirements that will be set when the new Personal Data Act enters into force later this year. The relevant conditions are described in a letter of 8 May 2018 with attachments from SVV to Veidrift, where SVV notifies termination of the contract in accordance with NS 8406 section 29.1 second paragraph. It is disputed by Veidrift that there are grounds for termination of the contract. " Elrapp is a system for electronic reporting and follow-up of tasks related to operation and maintenance contracts with functional responsibility for the Norwegian Public Roads Administration. Elrapp is used for reporting between contractor and client. The system is also a tool for planning, reporting and follow-up of client control. In the inquiry from Advokatfirmaet Schjødt, see section 4 (18 / 01127-1), it is pointed out that there is: «reason to address the issue of collection and use of GPS data through the web-based system ELRAPP, cf. the contract art 8.4 .2, where the contractor is required to have a computer system to monitor winter operations in real time. It is further stipulated that SVV shall have access to this system for corresponding follow-up on its own PC / IT equipment. It can be added that ELRAPP seems to have been used to store other sensitive personal information, for example that the driving license has been suspended with one of the employees of a former subcontractor of Veidrift. It appears from appendix 12 that the GPS system has, among other things, been used for subsequent speed measurements to check whether the plow crews have maintained the prescribed speed at all times. " In order to fulfill the client's regulations' requirements for HSE, the Follo contract had stipulated that Veidrift would daily report crew lists of who performed work via Elrapp. The Norwegian Public Roads Administration then carried out checks of this to ensure that the lists were updated. The client's responsibility for HSE is both secured directly in the contract and is based on the client's regulations. The contract C2, section 27.2 states: «The HSE coordinator shall at all times have an overview of everyone who performs work at the workplace. In order for the client to be able to handle this task in a satisfactory manner, the contractor must, through ELRAPP, keep a daily overview list with the names and organization numbers of all employers who carry out contract work. For each of these, the name, date of birth and nationality of all employees performing contract work are specified. " 

4.4 Use of personal data from the GPS unit / other observation The complaint from Advokatfirmaet Schjødt (18 / 01127-1) states: «It further appears from the letter that SVV has on several occasions used covert observation and filming in the ongoing follow-up of the contract, and in this way 6 monitored both own employees, Veidrift's employees and subcontractors. This is stated, among other things, in appendix 4, where a reconnaissance team from SVV has followed plowing crews to document that plowing is being carried out towards the middle parts of parts of the E6. We perceive that SVV has given this activity its own code name, which helps to indicate that the reconnaissance is systematic and of a certain scope. " The statement from IR section 2.8 states: «With Region East suspected breach of contract, they increased the control of the fulfillment of the contract. They were often out on the road to monitor and document any discrepancies. Pictures and film were used as evidence. As with the collection of information through the data capture, random checks are also authorized in the contract. If the region reveals breaches of contract during such inspections, it must therefore implicitly follow that such breaches are documented e.g. when filming plowing towards the middle parts. Control and documentation of breach of contract also follows from general contract law principles ». 

4.5 Demonstrated use of driver without a valid driver's license This is stated in IR's report (18 / 02466-3): «As deviations were discovered in the execution of the contract, a check of the workers' competence was carried out. Checks on drivers' driving licenses were therefore carried out. The notice of termination, section 2.1.4 states the following: «In connection with control of pay and working conditions by UE AHG AS, it was revealed that one of the employees had his driving license suspended forever on 16.12.2015. The person in question was reported for driving on the Elrappen date in December 2017 and in three cases in January 2018. This is not stated in time sheets submitted for control of pay and working conditions. On review of quantity lists, on the other hand, it appears that the person in question has performed work as a driver with a bulldozer on a number of occasions.

5 Requirements of the Personal Data Act 

It follows from the Personal Data Act 2000 § 11 first paragraph letter c that personal data shall be collected for explicitly stated and objective purposes, and not later processed for purposes that are "incompatible" with the original purpose of the collection, without the data subject's consent. 7 In the preparatory work for the Personal Data Act, Ot.prp. No. 92 (1998-1999), the Ministry writes on page 113: How much it takes before the new processing purpose is incompatible with the original purpose for the collection of the information, can not be regulated exhaustively in the law. The question must be considered concretely and individually. Central elements in the assessment will be whether the use of the information entails disadvantages for the data subject, whether the use differs greatly from the one on which the collection was based, or whether the use sets stricter requirements for data quality than the original collection purpose. An example of a purpose that will often be incompatible with the collection purpose is the use of the information for control purposes, especially when the control is not a natural part of the activity the data controller conducts, or when the inconvenience to the data subject is not in reasonable proportion to the benefits the inspector obtains. . Reference is also made to the Supreme Court ruling in the Waste Service case (HR-2012-00234-A) where the Supreme Court emphasizes the basic principle that an employment relationship is based on a necessary and mutual trust between the parties. This becomes clear in the discussion when the court highlights the consideration of trust in the employment relationship as a key element in the assessment of whether an employer can use personal data for control purposes, when the employee has not been explicitly made aware of it in advance. The same can be applied between contract partners. It follows from the Personal Data Act's regulations § 8-4 that recordings shall be deleted when there is no longer a reason for storage, and no later than 7 days after the recordings have been made. However, this does not apply if it is probable that the recording will be handed over to the police in connection with the investigation of criminal acts or accidents. 

6 The Data Inspectorate's assessment 

6.1 Use of recordings from the surveillance cameras from Vegtrafikksentralen

The deviation report has revealed circumstances that constitute a breach of the Personal Data Act (2000) §11 first paragraph letter c and the Personal Data Regulations 2000 § 8-4. The surveillance cameras from Veitrafikksentralen are based on immediate safety measures. Recordings from these cameras have later been used by SVV for documentation of breach of contract, by monitoring contract parties, employees, subcontractors and employees of the subcontractors in the follow-up of the contract. In assessing whether the new use of the recordings is compatible / incompatible with the original purpose, the Data Inspectorate has placed great emphasis on the new use being a significant disadvantage for the contractor and his employees, and is significantly outside what the contractor can expect personal data to be used for . That emphasis should be placed on these factors is stated in the Article 29 Working Party's statement on the purpose limitation principle, where the Article 29 Working Party has stated the following (WP203 page 13): 8 «If a purpose is sufficiently specific and clear, individuals will know what to expect : the way data are processed will be predictable. This brings legal certainty to the data subjects, and also to those processing personal data on behalf of the data controller. Predictability is also relevant when assessing the compatibility of further processing activities. In general, further processing cannot be considered predictable if it is not sufficiently related to the original purpose and does not meet the reasonable expectations of the data subjects at the time of collection, based on the context of the collection. " The Article 29 Working Party further states on page 24: “The second factor focuses on the specific context in which the data were collected and the reasonable expectations of the data subjects as to their further use base don the context. In other words, the issue here is what a reasonable person in the data subject’s situation would expect his or her data to be used for based on the context of the collection ». In the Privacy Regulation (EU) 2016/679 advocacy point 50, several of the elements we find in WP 203 are codified, and thus express secure rights. However, we use the statements in WP 203 as a basis in this case. Paragraph 50 states: The processing of personal data for purposes other than those for which the personal data were originally collected should only be permitted if the processing is compatible with the purposes for which the personal data were originally collected. In such a case, no other legal basis is required than that on which the collection of personal data is based. If the processing is necessary to carry out a task in the public interest or to exercise public authority imposed on the controller, it may in Union law or the national law of the Member States determines and specifies the tasks and purposes for which further processing should be considered compatible and lawful. Further processing for archival purposes in the public interest, for purposes related to scientific or historical research or for statistical purposes should be regarded as compatible and lawful processing activities. The legal basis for the processing of personal data laid down in Union or national law of the Member States may also constitute a legal basis for further processing. In order to determine whether the purpose of the further processing is compatible with the purpose for which the personal data were originally collected, the data controller should, after fulfilling all requirements to ensure that the original processing is lawful, take into account any connection between these purposes and the purposes of the intended further processing, the context in which the personal data has been collected, in particular the data subjects' reasonable expectations on the basis of their relationship with the controller with regard to further use of the data, the nature of the personal data, the consequences of the intended further processing for the data subjects; whether both the original processing activities and the intended further processing activities are covered by the necessary guarantees.

In the Waste Service case (HR-2012-00234-A), the Supreme Court stated in section 61: “On this basis, the use of the information for general control of the employees would clearly have been outside what [A] had reasonable expectations that the information should be used for. . It is somewhat more doubtful whether he had similar expectations that the information should not be used to investigate specific suspicions, as in this case. However, the consideration of trust in working conditions indicates that an employee can, as a starting point, only expect personal data to be used for control purposes if it has been made explicitly known in advance. " The Data Inspectorate is of the opinion that the same applies between contractors. Reference is made here to what has been said under point 3. 

Conclusion: It is therefore not possible to use this information for contract follow-up. Recordings made in connection with the VTS cameras must be deleted no later than seven days after the recordings have been made. However, the deletion obligation does not apply if it is probable that the recording will be handed over to the police in connection with the investigation of criminal acts or accidents. It is not probable that such film footage would have been handed over to the police. It is obvious to state that the law's requirement for deletion here has been violated, as the recordings have been stored beyond the law's deletion deadline of seven days. 

6.2 Processing of personal data in Elrapp related to HSE

The Norwegian Data Protection Authority agrees with IR when they conclude in the report that processing of personal data in ELRAPP for HSE purposes is not contrary to the Personal Data Act (2000) as a result of a lack of processing basis. 

6.3 Use of personal data from the GPS unit / other observation

 The non-conformance report has revealed circumstances that constitute a breach of the Personal Data Act (2000) §11 first paragraph letter c. Processing of personal data from the GPS unit can only be justified in HSE or pay and working conditions. Other uses are not compatible with the original purpose, and thus can not be used for control purposes. Reference is made to what has been said above about the use of surveillance films from Veitrafikksentralen, see section 6.1. The use of the GPS system for subsequent speed measurements to check whether the plow crews have maintained the prescribed speed at all times is, as the Data Inspectorate does not see it in line with the original purpose associated with HSE, and will be contrary to § 11 first paragraph letter c. 

6.4 Demonstrated use of a driver without a valid driver's license

 The Data Inspectorate agrees with IR, and does not find any breach of the Personal Data Act. 

7 General information on infringement fines 

The Norwegian Data Protection Authority believes that it is necessary to respond to the offenses described above. Pursuant to section 46 of the Personal Data Act 2000, the Data Inspectorate may impose an infringement fee: «The Data Inspectorate may order a person who has violated this Act or regulations pursuant thereto to pay an amount of money to the Treasury (infringement fee) of up to 10 times the basic amount in the National Insurance Scheme. Natural persons may only be fined for intentional or negligent violations. An enterprise may not be fined if the infringement is due to circumstances beyond the enterprise's control. When assessing whether an infringement fine should be imposed, and when determining, special emphasis shall be placed on a) how seriously the infringement has violated the interests protected by law, b) the degree of guilt, c) whether the infringer by guidelines, instruction, training, control or other measures could have prevented the violation, d) if the violation was committed to promote the violator's interests, e) if the violator has had or could have obtained an advantage from the violation, f) if there is repetition, g) if other reactions as a result of the violation are imposed the offender or anyone else who has acted on his behalf, including whether any individual is punished and h) the offender's financial capacity. " Section 46 of the Personal Data Act 2000 provides in principle that the imposition of an infringement fee is based on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting factors that shall have special emphasis, as it is considered that the imposition of an infringement fee in each individual case effective, proportionate and dissuasive. 

8 Grounds for decisions on infringement fines 

The right to impose infringement fines is provided as a tool to ensure effective compliance and enforcement of the Personal Data Act. Under international law, an infringement fine is not to be regarded as a punishment, but as an administrative sanction. It must be assumed, however, that the infringement fine is to be regarded as a punishment under Article 6 of the ECHR (European Convention on Human Rights), and in accordance with the case law of the Supreme Court, cf. 2012 page 1556 with further references. The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required for an offense in order to be able to impose a fee. The case and the question of imposing an infringement fine

«The Data Inspectorate may order anyone who has violated this Act or regulations pursuant to it, to pay an amount of money to the Treasury (infringement fee) of up to 10 times the basic amount in the National Insurance Scheme. Natural persons may only be fined for intentional or negligent violations. An enterprise may not be fined if the infringement is due to circumstances beyond the enterprise's control. When assessing whether an infringement fine should be imposed, and when determining, special emphasis shall be placed on a) how seriously the infringement has violated the interests protected by law, b) the degree of guilt, c) whether the infringer by guidelines, instruction, training, control or other measures could have prevented the violation, d) if the violation was committed to promote the violator's interests, e) if the violator has had or could have obtained an advantage from the violation, f) if there is repetition, g) if other reactions as a result of the violation are imposed the offender or anyone else who has acted on his behalf, including whether any individual is punished and h) the offender's financial capacity. " Section 46 of the Personal Data Act 2000 provides in principle that the imposition of an infringement fee is based on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting factors that shall have special emphasis, as it is considered that the imposition of an infringement fee in each individual case effective, proportionate and dissuasive.

8 Grounds for decisions on infringement fines 

The right to impose infringement fines is provided as a tool to ensure effective compliance and enforcement of the Personal Data Act. Under international law, an infringement fine is not to be regarded as a punishment, but as an administrative sanction. It must be assumed, however, that the infringement fine is to be regarded as a punishment under Article 6 of the ECHR (European Convention on Human Rights), and in accordance with the case law of the Supreme Court, cf. 2012 page 1556 with further references. The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required for an offense in order to be able to impose a fee. The case and the question of imposing an infringement fee have been assessed on the basis of this evidentiary requirement. The Norwegian Data Protection Authority finds it clear that the Norwegian Public Roads Administration has used film recordings / images from VTS, and data capture from the GPS units in violation of the Personal Data Act (2000) § 11 c) and the Personal Data Regulations (2000) § 8-4. 11 We have placed particular emphasis on the following aspects in our assessment of whether an infringement fee should be imposed: a) how seriously the infringement has violated the interests protected by law The discrepancy is a result of personal data being used for later purposes that is incompatible with the original purpose cf. the Personal Data Act § 11 first paragraph letter c. In particular, this applies to the use of film recordings / images taken from Veitrafikksentralen's fixed surveillance cameras. The notification of the processing of personal data to the privacy ombudsman in the Norwegian Public Roads Administration states under VTS 'purpose: "Monitoring, regulation and warning systems to ensure traffic safety and optimal traffic flow along roads, in tunnels. The monitoring is also linked to the management of tilting bridges for boat traffic in Østfold county. " The use of such images for documentation of breach of contract several months after the relationship has occurred is not compatible with the traffic safety purpose for which the VTS monitoring is justified, as this is intended to enable immediate safety measures. It is therefore not possible to use this information for, for example, contract follow-up. Such a purpose will not be compatible with the purpose for which the information was collected. The use of film footage from VTS in the relevant contract follow-up will be in conflict with § 11 first paragraph letter c). Downloading film footage / photos for later use for the follow-up of the contract will also be in violation of the Personal Data Regulations § 8-4, second paragraph. Recordings made in connection with the VTS cameras must be deleted no later than 7 days after the recordings have been made. However, the deletion obligation does not apply if it is probable that the recording will be handed over to the police in connection with the investigation of criminal acts or accidents. It is not documented that it is probable that such film footage would have been handed over to the police. It is very serious when the Norwegian Public Roads Administration uses information from VTS to monitor contractors, employees, subcontractors and employees of the subcontractors in the follow-up of the contract. The same severity applies to the processing of personal data from the data capture in the GPS unit that is not justified in HSE or pay and working conditions. It is stated, among other things, that the GPS system has been used for subsequent speed measurements to check whether the plow crews have maintained the prescribed speed at all times. Such control cannot be said to be part of the HSE measures. The report to IR clearly states that the Norwegian Public Roads Administration has not established and maintained planned and systematic measures that are necessary to meet the requirements in or pursuant to the Personal Data Act (2000), see sections 2.2 and 2.10 of the report. The Norwegian Public Roads Administration has not established any internal control in accordance with the Personal Data Act (2000) § 14, cf. the Personal Data Regulations (2000) § 3-1. b) the degree of guilt 12 According to Section 46 of the Public Administration Act, an administrative sanction may be imposed on an enterprise even if no individual has shown guilt. This means that the Norwegian Public Roads Administration has an objective fault responsibility. Enterprise means a company, cooperative, association or other association, sole proprietorship, foundation, estate or public enterprise. It appears in an undated note from the Norwegian Public Roads Administration at the Crime Section (18 / 1127-6, appendix 11) that they have on a number of occasions extracted film and images from the Road Traffic Control Center's surveillance cameras. The Data Inspectorate is of the opinion that this has not been a one-off case, but that there has been a deliberate use of film and recordings from these cameras. In the same note, the Norwegian Public Roads Administration has also stated that the GPS system has been used for subsequent speed measurements. The report from IR states that the Norwegian Public Roads Administration has not carried out an assessment of the Personal Data Act (2000) when processing personal data related to the conclusion of contracts. This has meant that no internal control has been carried out as the agency is required to do in accordance with personal data imposed pursuant to section 14 of the Personal Data Act. Such an internal control could have made visible the illegal use made by the Norwegian Public Roads Administration. Violation of section 11, first paragraph, letter c, is considered one of the most serious breaches of the personal data regulations. c) whether the infringer could have prevented the infringement through guidelines, instructions, training, control or other measures It is clear that the Norwegian Public Roads Administration could have prevented the deviation by implementing necessary routines when entering into contracts where personal data is processed, and by establishing routines which would have prevented the deviation. d) whether the infringement was committed to promote the infringer's interests It can be stated that the deviation occurred in order to promote the Norwegian Public Roads Administration's interests, in connection with the follow - up of the contract with Veidrift. e) whether the infringer has had or could have obtained an advantage in the infringement It cannot be established that the Norwegian Public Roads Administration has acquired any advantage in the infringement. f) whether there is repetition This has not been a one-off case, but a deliberate use of personal data of film and recordings from the cameras. g) whether other reactions as a result of the violation are imposed on the offender or anyone else who has acted on his behalf, including whether any individual is punished. No information is provided in the case about such matters. h) the offender's financial capacity The Data Inspectorate has not placed significant emphasis on the Norwegian Public Roads Administration's financial capacity. 13 In assessing whether an infringement fee should be imposed, the Data Inspectorate places particular emphasis on the fact that the Norwegian Public Roads Administration could and should have arranged itself so that the deviation could have been avoided. The Norwegian Data Protection Authority has also emphasized the general preventive considerations in the case. Following this, the Data Inspectorate has come to the conclusion that an infringement fee should be imposed. 

9 The size of the fee 

With regard to the size of the fee, special weight shall be given to the same factors as when assessing whether a fee is to be charged. The circumstances that the Data Inspectorate has pointed out above suggest a fee of a significant size. The fee should be set so high that it also has an effect beyond the specific case. The Norwegian Public Roads Administration has deliberately collected films / images through data capture from the GPS units for use for purposes other than those for which they were originally collected, and which are incompatible with the original purpose. In particular, it must be expected that a public agency is familiar with and relates to current privacy legislation, and is able to quickly rectify established discrepancies. As this has not happened, a reaction of a certain magnitude is necessary. The signal effect of this case, the general preventive considerations, we believe is clear. We want to make it clear that such incidents must not occur and that all public bodies that process personal data must be aware of their responsibility. Inadequate routines often have the consequence that the risk of errors increases. In this case, weak routines have actually had a real consequence. After an overall assessment of the case and especially with regard to the seriousness of the violation, we have come to the conclusion that a violation fee of 400,000 is considered correct. 10 Recovery of infringement fees The infringement fee is due for payment four weeks after the decision is final, cf. the Personal Data Act (2018) § 27. The decision is a compulsory basis for disbursement. Recovery of the claim will be carried out by the Central Government Collection Agency. 11 Right of appeal You can appeal the decision. Any complaint must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22. 12 Access and publicity You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform you that all documents are in principle public, cf. the Public Access to Information Act § 3, but also emphasize that security documentation is generally exempt from public access, cf. § 13 and the Public Administration Act § 13 first paragraph no. 2.