Datatilsynet (Norway) - 21/02873: Difference between revisions
Revision as of 13:48, 17 November 2022
| Datatilsynet - 21/02873-22 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 3(1) GDPR; Article 4(16) GDPR; Article 4(23) GDPR; Article 12(2) GDPR; Article 12(3) GDPR; Article 12(5) GDPR; Article 15 GDPR; Article 15(4) GDPR; Article 56(1) GDPR; Article 60 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 26.08.2022 |
| Decided: | 22.05.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | Zalaris ASA |
| National Case Number/Name: | 21/02873-22 |
| European Case Law Identifier: | EDPBI:NO:OSS:D:2022:365 |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Norwegian DPA ordered an HR-services provider, pursuant to Article 58(2)(d) GDPR, to provide the data subject with the information he had requested in an access request (Article 15 GDPR).
English Summary
Facts
The data subject was a former employee of a German subsidiary of the controller, a company offering human resources and payroll administration. The controller had offices in various European countries, with its headquarters in Norway. The data subject filed an access request twice. The first request was sent on 14 July to the CEO of the controller, who did not respond. The data subject filed a complaint with the Norwegian DPA (DPA) on 26 August 2021. The DPA recommended that the data subject send the request to the e-mail address the controller provided for inquiries regarding its privacy policy. The data subject did this on 28 September 2021. However, the controller initially did not reply to this second request either.
The DPA sent the controller questions regarding the access request. The controller replied, after an additional reminder by the DPA, that its response had remained in the e-mail outbox folder and had therefore never actually been sent to the DPA.
On 22 December 2021, the controller replied to the access request and stated that the second request had been marked as spam and had therefore not been processed in due time. It provided a copy of its privacy policy in this reply by e-mail. The controller provided a copy of the personal data on a password-protected USB drive, at first without the password needed to open the files; the password was provided after another remark by the data subject. Later, the data subject stated that upon further inspection he discovered that the USB drive was not password-protected after all.
Holding
The DPA stated that the GDPR was applicable, since the controller had multiple establishments in the EU and the EEA (European Economic Area). It also processed personal data of its employees in the context of the activities of these establishments (Article 3(1) GDPR).
The DPA determined that the controller had its main establishment (Article 4(16) GDPR) in the EEA (Norway) and that its processing of the data subject’s personal data was cross-border processing (Article 4(23) GDPR). Therefore, the cooperation mechanism was applicable (Articles 56(1) and 60 GDPR), with the Norwegian DPA being the lead supervisory authority (Article 56(1) GDPR).
Regarding the first request sent to the CEO, the DPA stated that it was legitimate for the controller to expect that data subjects would submit requests through a communication channel specifically meant for that purpose. The CEO of a company could not be expected to be directly involved with these requests. Therefore, the controller (the company, not the CEO) did not violate Articles 12(2) and 15 GDPR by failing to respond to the first request. However, the DPA stated that the controller violated Article 12(2) GDPR by failing to facilitate the right of access under Article 15 GDPR. It treated the second request as a spam e-mail, which meant that this e-mail remained unanswered for almost three months. This was only a minor infringement because only one data subject was affected. The controller also stopped using the specific e-mail address that caused the infringement, and started using a new communication channel with a CAPTCHA solution for data protection inquiries, which should be better at accurately detecting spam. Lastly, although the controller did not respond to the access request submitted on 28 September 2021 within the standard statutory one-month period (Article 12(3) GDPR), it did respond on 22 December 2021, within the maximum three-month period in Article 12(3) GDPR. Based on these mitigating factors, the DPA did not issue any corrective measures.
The DPA also held that the controller did not provide all of the personal data and information. Specifically, the controller did not provide sufficient information on the purposes of processing, the categories of data concerned and the storage periods, as it only referred to its privacy policy in its reply. However, the DPA determined that the privacy policy provided sufficient information on recipients, data subject’s rights, the right to lodge a complaint with the supervisory authority, the source of the personal data, automated decision-making and international transfers. The DPA also determined that the controller did not provide a copy of all the personal data being processed. The controller had to provide a copy of all of the data subject's personal data being processed by the controller, unless the controller was able to demonstrate that one of the exceptions in Article 12(5) GDPR, Article 15(4) GDPR or Article 16 of the Norwegian Personal Data Act applied. However, the controller did not have to provide a copy of entire documents that contained personal data.
The DPA ordered the controller (Article 58(2)(d) GDPR) to provide all of the information the data subject had requested pursuant to Article 15 GDPR. This information also had to be understandable and clear (Article 12(1) GDPR). This meant the controller might need to supply additional information explaining the data provided, if such data are not immediately intelligible. However, the information did not need to be provided in a machine-readable format.
Comment
The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”) Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint Committee Decision”).
The Norwegian Personal Data Act incorporated the GDPR into Norwegian law. The Personal Data Act and the GDPR entered into force in Norway on 20 July 2018.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
FOR DATA PRIVACY AND FREEDOM OF INFORMATION

Your: 12.11.2021
Management board member
Our: 28.02.2022 nr 2.1.-1/21/3286

Notice of termination of the proceeding in regard to the protection of personal data

The proceeding of the Estonian Data Protection Inspectorate concerned the claim of a Lithuanian citizen (complainant) in regard to the fact that the violated the requirements of the GDPR. Given the above, we initiated a supervision proceeding on the basis of clause 56 (3) 8) of the Personal Data Protection Act. During the proceeding, stated the following:

Our position is that in the case that was detailed in the inquiry, which includes a breach in security regarding the processing of personal data, is not at fault. has not processed the personal data of in their system in relation to the described case because the services described in the case were not ordered in the systems of nor according to ’s guidelines. The application does not allow the commencement of ordering the services described in the inquiry and the application does not have the functionality to do such things. The is a tool for authentication and electronic signing which is meant for signing documents electronically and logging in to different environments. We stress that does not and has never taken payments from users. It is true that on 23 March 2021 we requested on the website that users update the Android system components of their phones in the Google Play Store. The reason for this was that Google had released a broken update for Google Chrome and Android System Webview which was causing errors in different applications, including the application. The problem was also confirmed by Google themselves. Google then released an update which fixed the issues that were caused by the previous update and the new update was required for not only the seamless operation of but also other applications. More information regarding Google’s problem can be found here.

Through the website, we directed the users of the service to apply the fixed update in order for the service to function properly once again. Please note that there were no links, QR codes, or telephone numbers in the message we published on the website. We simply requested our clients to update their Google Chrome and Android System Webview in the Google Play Store. The message reads as follows:

application started crashing? Please update Google Chrome and Android System Webview in Google Play Store. Google released a broken update that causes applications to crash and they have now also released a fix for it. If that does not help, please call our helpline or contact us through the e-mail form.

In the message, did not request clients to scan a single QR code, and furthermore, the short number 1394 is not used by us nor is it under our control. Therefore, does not know where the person could have received the QR code for scanning or what exactly could have happened. does not have any connections to the case besides requesting on our website that users update their Android components, as was described above. has no knowledge of the services provided by or the details connected to the order that was described in the inquiry. Furthermore, does not have a contractual or any other kind of relationship with .

Based on the above, the Estonian Data Protection Inspectorate did not identify any violation of the GDPR. For this reason, we are terminating the supervision proceedings.

This decision may be challenged within 30 days by submitting one of the two:
- A challenge to the Director General of the Estonian Data Protection Inspectorate pursuant to the Administrative Procedure Act, or
- An appeal to an administrative court under the Code of Administrative Court Procedure (in this case, the challenge in the same matter can no longer be reviewed).

Respectfully
Lawyer
Authorised by the Director General

1 https://www.riigiteataja.ee/en/eli/527032019002/consolide
2 https://www.riigiteataja.ee/en/eli/512122019007/consolide