Datatilsynet (Norway) - 20/01772: Difference between revisions
No edit summary |
(→Facts) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 89: | Line 89: | ||
}} | }} | ||
The Norwegian DPA reprimanded the Church of Norway for unlawfully collecting information on members' newborns after their legal basis for such processing had expired, and for failing to provide sufficient information as per [[Article 14 GDPR#1d| | The Norwegian DPA reprimanded the Church of Norway for unlawfully collecting information on members' newborns after their legal basis for such processing had expired, and for failing to provide sufficient information as per [[Article 14 GDPR#1d|Articles 14(1)(d)]], [[Article 14 GDPR#2f|14(2)(f)]] and [[Article 12 GDPR#1|12(1) GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Church of Norway (the controller) used information about new births from the National Population Register disclosed on the basis of national law, including sensitive data. If at least one parent was an existing member of the Church, the controller was allowed to register newborns (as 'affiliated persons') in their member register and, on the same condition, they also had permission as per the national population regulations to receive automatic notifications on newborns. This permission expired on 1 October 2018, and on 1 January 2021 the other relevant regulations were replaced. | |||
The controller, however, still continued to receive the automatic notifications until 14 November 2018. At this point, they still considered that the minors registered during the period 1 October to 14 November were correctly registered as per the (now expired) [https://lovdata.no/dokument/NLO/lov/1996-06-07-31 Norwegian Church law], and did not delete the data. | |||
On 28 February 2020 the Norwegian Humanist Association and lawfirm Bull & Co lodged a complaint with the Norwegian DPA on behalf of eight data subjects, claiming that the controller had unlawfully collected information on the data subjects' newborns and failed to inform them about this processing. Consequently, the DPA launched an investigation. | |||
Only when the controller realised that the correct end date was 1 October, it initiated an erasure process, but due to a claimed technical error, this was not carried out until 18 August 2020. The controller informed the DPA that the personal data on affiliated persons would be deleted when the legal basis for this processing expired on 1 January 2021. On 22 January 2021, it informed that the personal data of 108.880 data subjects were deleted. With regard to the alleged lack of information issue, the controller claimed that it could rely on the exemption set forth in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] and noted that it still provided some information through the main privacy notice for the Church, as well as on local websites. | |||
=== Holding === | === Holding === | ||
The DPA held that the controller | The DPA held that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]] by processing personal data on members' newborns between 1 October and 14 November 2018, and continued to store the personal data without a valid legal basis. The DPA noted that, in line with [[Article 17 GDPR|Article 17(1)(d) GDPR]], the controller was obliged to delete data processed unlawfully, unless the exception of [[Article 17 GDPR|Article 17(3) GDPR]] (fulfillment of a task in public interest) applied. The DPA held that the controller did not full the requirements of performing a task in the public interest as the special regulations ceased to apply to the controller after 1 October 2018. Therefore, the controller had stored the data illegally before deletion in 2021. The DPA also held that the controller violated [[Article 14 GDPR#1d|Articles 14(1)(d)]], [[Article 14 GDPR#2f|14(2)(f)]] and [[Article 12 GDPR#1|12(1) GDPR]] by not providing the data subjects easily available information about the collection of automatic birth notifications from the National Population Register. | ||
In addition, the DPA noted that | In addition, the DPA noted that the controller could not rely on the exemption in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]], because the collection of automatic birth notifications was not expressly provided by the relevant national law (the former Norwegian Church law). | ||
== Comment == | == Comment == | ||
Interestingly, the DPA does not impose a fine in this case, despite the processing of special category personal data as per [[Article 9 GDPR|Article 9 GDPR]]. They comment in the press release that the reason for not opting for a stricter reaction is that the case has "some mitigating factors", without specifying these further. | ''By initial contributor:'' Interestingly, the DPA does not impose a fine in this case, despite the processing of special category personal data as per [[Article 9 GDPR|Article 9 GDPR]]. They comment in the press release that the reason for not opting for a stricter reaction is that the case has "some mitigating factors", without specifying these further. The DPA also does not address or make any comments regarding the complainants claims that the Church violated [[Article 24 GDPR|Articles 24]], [[Article 33 GDPR|33]] and [[Article 35 GDPR|35 GDPR]], nor finds a violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], which is a bit surprising considering the violations they did find. | ||
The DPA also does not address or make any comments regarding the complainants claims that the Church violated [[Article 24 GDPR| | |||
== Further Resources == | == Further Resources == |
Latest revision as of 10:46, 24 January 2023
Datatilsynet - 20/01772 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1)(c) GDPR Article 6(1)(e) GDPR Article 6(1) GDPR Article 6(3) GDPR Article 9(2)(d) GDPR Article 9(2)(g) GDPR Article 12(1) GDPR Article 14(1)(d) GDPR Article 14(2)(f) GDPR Article 14(5)(c) GDPR Article 17(1)(d) GDPR Article 58(2)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 28.02.2020 |
Decided: | 09.01.2023 |
Published: | 16.01.2023 |
Fine: | n/a |
Parties: | Church of Norway - Den norske kirke |
National Case Number/Name: | 20/01772 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian Norwegian |
Original Source: | Norwegian DPA Datatilsynet (in NO) Norwegian DPA Datatilsynet (press release) (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA reprimanded the Church of Norway for unlawfully collecting information on members' newborns after their legal basis for such processing had expired, and for failing to provide sufficient information as per Articles 14(1)(d), 14(2)(f) and 12(1) GDPR.
English Summary
Facts
The Church of Norway (the controller) used information about new births from the National Population Register disclosed on the basis of national law, including sensitive data. If at least one parent was an existing member of the Church, the controller was allowed to register newborns (as 'affiliated persons') in their member register and, on the same condition, they also had permission as per the national population regulations to receive automatic notifications on newborns. This permission expired on 1 October 2018, and on 1 January 2021 the other relevant regulations were replaced.
The controller, however, still continued to receive the automatic notifications until 14 November 2018. At this point, they still considered that the minors registered during the period 1 October to 14 November were correctly registered as per the (now expired) Norwegian Church law, and did not delete the data.
On 28 February 2020 the Norwegian Humanist Association and lawfirm Bull & Co lodged a complaint with the Norwegian DPA on behalf of eight data subjects, claiming that the controller had unlawfully collected information on the data subjects' newborns and failed to inform them about this processing. Consequently, the DPA launched an investigation.
Only when the controller realised that the correct end date was 1 October, it initiated an erasure process, but due to a claimed technical error, this was not carried out until 18 August 2020. The controller informed the DPA that the personal data on affiliated persons would be deleted when the legal basis for this processing expired on 1 January 2021. On 22 January 2021, it informed that the personal data of 108.880 data subjects were deleted. With regard to the alleged lack of information issue, the controller claimed that it could rely on the exemption set forth in Article 14(5)(c) GDPR and noted that it still provided some information through the main privacy notice for the Church, as well as on local websites.
Holding
The DPA held that the controller violated Article 6(1) GDPR by processing personal data on members' newborns between 1 October and 14 November 2018, and continued to store the personal data without a valid legal basis. The DPA noted that, in line with Article 17(1)(d) GDPR, the controller was obliged to delete data processed unlawfully, unless the exception of Article 17(3) GDPR (fulfillment of a task in public interest) applied. The DPA held that the controller did not full the requirements of performing a task in the public interest as the special regulations ceased to apply to the controller after 1 October 2018. Therefore, the controller had stored the data illegally before deletion in 2021. The DPA also held that the controller violated Articles 14(1)(d), 14(2)(f) and 12(1) GDPR by not providing the data subjects easily available information about the collection of automatic birth notifications from the National Population Register.
In addition, the DPA noted that the controller could not rely on the exemption in Article 14(5)(c) GDPR, because the collection of automatic birth notifications was not expressly provided by the relevant national law (the former Norwegian Church law).
Comment
By initial contributor: Interestingly, the DPA does not impose a fine in this case, despite the processing of special category personal data as per Article 9 GDPR. They comment in the press release that the reason for not opting for a stricter reaction is that the case has "some mitigating factors", without specifying these further. The DPA also does not address or make any comments regarding the complainants claims that the Church violated Articles 24, 33 and 35 GDPR, nor finds a violation of Article 5(1)(a) GDPR, which is a bit surprising considering the violations they did find.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
THE NORWEGIAN CHURCH Postbox 799 Centrum Excluded from the public: 0106 OSLO Official § 13, cf. Personal Data Act § 24 first paragraph 2nd period Your reference Our reference Date 20/01772-19 09.01.2023 Decision on reprimand - Processing of minors' information in Den Norwegian Church 1 Introduction We refer to our notice of a decision to reprimand the Church of Norway by the Council of Churches (hereinafter "DNK") dated 23 June 2021, and DNK's comments to the notice of 1 July 2021. In the comments, DNK apologized for the breaches of the data protection regulation and the Data Protection Authority's notified decision on reprimand for information. In the notes, DNK further writes that the organization will ensure compliance with the privacy requirements that were explained in The Norwegian Data Protection Authority's letter pointing out the duty of 1 July 2021. The Norwegian Data Protection Authority received comments from the Human-Ethical Association (hereinafter "HEF") on behalf of the complainants on 7 September 2021. 2. Notice of decision on reprimand The Norwegian Data Protection Authority hereby adopts a decision to reprimand the Church of Norway by the Council of Churches, 818 066 872, for: • Violation of the personal protection regulation article 6 no. 1, by obtaining birth notifications for members' children from the Population Register from 1 October to 14 November 2018, and by continue to store the personal data that was collected through the birth certificates, without a valid legal basis. • Breach of the Personal Data Protection Regulation article 14 no. 1 letter d and no. 2 letter f, cf. article 12 no. 1, by not providing easily accessible information to the registered about the collection of birth notices for members' children from the National Register of Citizens. Our authority for issuing a reprimand is the Personal Protection Regulation article 58 no. 2 letter b. 3. Background of the case Postal address: Office address: Telephone: Org. no: Homepage: 1 PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 0105 OSLO 0191 OSLO The complaint from the Human-Ethical Association dated 28 February 2020 On 28 February 2020, the Norwegian Data Protection Authority received a complaint about the treatment of minors personal data in The Norwegian Church at the Church Council (hereafter DNK) from Human-Ethical Forbund (hereafter HEF) and Bull & Co Advokatfirma on behalf of eight registered persons. It appeared from the complaint that the complainants reacted to the fact that they or their children were still listed as belonging to the Church of Norway, despite the fact that the state church system was abolished and new the National Register Act had entered into force. This also applied to a child born after 1 October 2018, when the authority for access to confidential information from the National Register had ceased. The complainants wrote that the registration had taken place without their knowledge, and despite the fact that they or their guardians never did anything active in terms of registration, baptism or church confirmation. In the complaint, it was also pointed out that certain registered users had tried to opt out several times, without success. Common for the complainants is that they experienced not being informed about what that happened to their and their children's personal data. In the complaint, it was stated that the Church of Norway violates the principle of openness i the personal protection regulation article 5 no. 1 letter a and the information requirements in article 14. Furthermore, it was stated that DNK violates the data minimization principle in Article 5 no. 1 letter c by storing personal data about the dependents until they are 18 years old. Based on the complaint, the Norwegian Data Protection Authority sent a demand for an explanation to DNK on 12 August 2020, and new requirements for further explanations on 16 December 2020 and 21 April 2021. Explanations from DNK in letters dated 2 September 2020, 22 January 2021 and 11 May 2021 DNK responded to the Data Protection Authority's request for explanations on 2 September 2020, 22 January 2021 and 11 May 2021. In the reply of 2 September 2020, it was stated that DNK processed personal data about minors belonging to the purpose of fulfilling their duties in the now repealed Church Act § 3. In addition, relatives counted together with DNK's members in the calculation basis for the state's grants to faith and belief communities in accordance with the Church Act and the Act on Faith Communities and ymist another. Both the Church Act and the Act on Faithful Communities and a lot of other things became 1 January 2021 replaced with the new Religious Communities Act. DNK pointed out that their membership registration had a legal basis in the Personal Data Protection Regulation article 6 no. 1 letters c and e, and that the supplementary legal basis according to article 6 no. 3 was Church Act § 3 no. 10 and provisions in the related regulations on the Church of Norway member register. DNK stated that the obligation to register only ceased at the age of 18, and that personal data could therefore not be deleted earlier. For processing special categories of personal data, it was stated that the Personal Protection Regulation article 9. no. 2 letter d and g was fulfilled. 1FOR-2016-04-12-1205 2DNK further stated that DNK was exempt from the obligation to provide information in the Personal Protection Ordinance i subject to the exception in Article 14 no. 5 letter c. It is nevertheless granted to varying degrees information at national and regional level through privacy statements at kirken.no or local websites, as well as through baptism invitations that are sent out. In the report dated 11 May In 2021, DNK presented documentation of the information that was available to them registered in the period from 20 July to 1 October 2018. According to DNK, the reason why not all statements from the complainants have been implemented may be wrong from the local congregation. DNK further informed that the delivery of birth notifications from the National Register of Citizens did not stop up 1 October 2018, when the authority for access to confidential information from The population register ceased. DNK had an ongoing appeal pending at the Tax Agency regarding rights to national register information, and was informed by EVRY Information services that it was recommended not to make changes before this appeal was settled. The Church Council was eventually brought to the fore that this was an incorrect assessment, and delivery of birth notifications stopped on 14 November 2018. DNK then assessed that the children who were registered through birth notifications in the period 1. October to 14 November 2018 was correctly registered in accordance with § 3 of the Norwegian Church Act, and therefore let these entries remain. The date 1 October 2018 gradually became a known date for the changes in access to population register information. Therefore DNK wanted the automatic registration of those belonging to the membership register should correspond to this date. DNK therefore ordered a deletion of the personal details of the children who were registered through birth notifications in the period 1. October–14. November 2018 in September 2019. Procedure for the deletion job was carried out and approved in the member register's test environment, but due to an error it was not carried out accurately same procedure in the member register's production environment. Something smaller was therefore deleted data in the production environment. Thus, the relatives were born in the period 1 October–14. November 2018 still in the membership register. This information was later deleted on 18 August 2020. In the statement of 2 September, DNK informed that personal information about relatives would be deleted upon the termination of the Church Act's automatic affiliation scheme for children in Den norske church on 1 January 2021, unless the parents registered the child in DNK and DNK thus got a other legal basis for the processing of your personal data. In the statement of 22. January 2021, it was informed that of the 109,663 members who were registered in member register before the turn of the year, the personal information of 108,880 was deleted by DNK. New complaints in HEF's letter to the Norwegian Data Protection Authority dated 30 September 2020 and 22 February 2021. HEF has made comments to the reports the Norwegian Data Protection Authority has received from DNK, and has in in this connection extended the complaint on behalf of the registered. 3HEF states that the transfer of confidential population register information after 1 October 2018, as well as the continued processing of this personal data, was illegal. Furthermore, it is stated that DNK has not implemented sufficient technical or organizational measures according to the personal data protection regulation article 24, and that the transfer of confidentiality population register information after 1 October 2018 was not documented and reported to The Danish Data Protection Authority's personal protection regulation article 33. It was further stated that DNK did not have carried out a DPIA in accordance with Article 35 of the Personal Data Protection Regulation. The Norwegian Data Protection Authority's notice, comments from NDK and comments from HEF The Norwegian Data Protection Authority announced a decision to reprimand DNK on 23 June 2021 for breach of the personal protection regulation article 6 no. 1 letter a and article 14 no. 1 letter d and no. 2 letter f, cf. article 12 no. 1. In its comments to the notice of 1 July 2021, DNK took note of the Danish Data Protection Authority's assessments and apologized for the violations. In its comments on the notice of 7 September 2021, HEF asked the Norwegian Data Protection Authority to reconsider its notify concussion regarding the issue of data minimization, process all complaints together and in all cases reconsider their notified sanction of reprimand. 4. Legal background The Personal Data Protection Regulation and processing responsibility The Personal Data Act implements the Personal Data Protection Regulation in Norwegian law, and entered into force 20 July 2018. It follows from the personal protection regulation article 4 no. 7 that the data controller is the which determines the purpose of the processing of personal data and the means to be used used. Principles for processing personal data and legal basis The basic principles for processing personal data follow the personal protection regulation article 5 no. 1. Here it follows, among other things, that: • Personal data must be processed in a legal, fair and transparent manner, cf. letter a. • The personal data processed must be adequate, relevant and limited to that which is necessary for the purposes for which they are processed, cf. letter c. • The personal information must not be stored for longer periods than is necessary the purposes for which they are processed, cf. letter e. The data controller must be able to demonstrate that the privacy price norms are complied with, cf. Article 5 No. 2. 4 All processing of personal data must have a legal basis according to the Personal Protection Ordinance Article 6 No. 1 to be legal. Legal grounds for the processing can be: • The registered person has consented to the processing of personal data for one or more specific purposes, cf. letter a. • The processing is necessary to fulfill a legal obligation incumbent upon it data controller, cf. letter c. • The processing is necessary to carry out a task in the public interest or exercise public authority to which the data controller is required, cf. letter e. • The processing is necessary for purposes related to the legitimate interests which is pursued by the controller or a third party, unless it is registered interests or fundamental rights and freedoms take precedence and require protection of personal data, especially if the registered person is a child, cf. letter f. The grounds for processing under Article 6 no. 1 letter c and e shall follow Norwegian law, cf. article 6 no. 3. For special categories of personal data, such as personal data about religion, health or sexual orientation, the starting point is that such treatment is prohibited, unless some of the exceptions in the regulation's article 9 no. 2 apply. Information about family relationships can for example infer information about sexual orientation. This requirement is in addition to the requirement for processing grounds according to Article 6. Children have the right to special protection of their personal data and privacy, cf. point no. 38 of the Personal Protection Ordinance. Information requirements Anyone who has their personal data processed has the right to information about several matters. When the personal information has been obtained from someone other than the registered person, it follows Article 14 of the Personal Data Protection Regulation states that, among other things, one must be informed about the identity and the contact details of the data controller and their possible privacy representative, the purposes for which the information is processed, the processing basis, the affected categories of personal data, the period for storing the data, the source of the data from and the right to request deletion of personal data, cf. article 14 nos. 1 and 2. If the processing is based on Article 6 no. 1 letter f, the entitled persons must also be informed the interests pursued by the controller or a third party, cf. article 14 no. 2. The controller must take appropriate measures to provide the information that is required according to Article 14 in a concise, open, understandable and easily accessible way, and in a clear and single language, cf. Article 12 no. 1. The information must be provided within a reasonable time after the personal information has been collected, but at the latest within one month, cf. article 14 no. 3, letter a. 5 According to article 14 no. 5, this article does not apply if: • The registered person already has the information, cf. letter a. • It turns out to be impossible to provide said information or it will involve a disproportionate effort, cf. letter b. • The collection is expressly stipulated in Union law or the national law of the member states to which the data controller is subject, and which contains suitable measures to protect the data subject's legitimate interests. Deletion of personal data Article 17 gives the data subject in many cases a right to have their personal data deleted, and the data controller also has a duty to delete the personal data on its own initiative if certain conditions are met. According to Article 17 no. 1 letter d, this applies among otherwise if the personal data has been processed illegally. Article 17 nos. 1 and 2 do not apply if the processing is necessary to fulfill a legal obligation or to perform a task in the public interest or practice public authority to which the controller is responsible, cf. Article 17 no. 3 letter b. The affiliation scheme for children in the Church of Norway The Church Act's automatic affiliation scheme for children in the Church of Norway was repealed by the entry into force of the new Religious Communities Act on 1 January 2021. The new Religious Communities Act replaced both the Church Act and the Act on Faithful Communities and many other things. In the draft law, Prop 130 L (2018-2019) p. 141, it follows: "Since the law no longer provides rules that children automatically belong to the Church of Norway, then unless one or both parents are members, there will not be a statutory requirement that relatives must be included in the register, cf. also the notes to the individual provisions in § 17 of the bill." Before the new Religious Communities Act came into force on 1 January 2021, it followed from the Church Act section 3 no. 2 that children are considered to belong to the Church of Norway if one of the parents is a member. Children who were considered to belong to the Church of Norway became members of this when they were baptized. If the child turned 18 without being baptised, the person was no longer considered to belong under the Church of Norway, cf. § 3 no. 5. Persons who were considered to belong to or were members of the Church of Norway were registered in The Norwegian Church's central membership register, cf. § 3 no. 10. Rules on the keeping of the register were given by the Church Meeting, and the Church Council is responsible for processing the central membership register, cf. regulation on the Church of Norway's membership register § 4. Collection of information about members' children from the national register 6Previously, DNK has received digital birth notifications directly from the National Register of Citizens. Connected to the member information registered on parents, DNK could thus lead relatives into the church's membership register based on this information. In the National Register Act, which entered into force on 1 October 2017, information about kinship is subject obligation of confidentiality, cf. the National Register Act § 9-1, and can only be disclosed to public and private parties businesses that are authorized by law to obtain this information, cf. § 10-2. DNK was authorized to receive the birth notifications in the transition scheme in the National Register Act § 13-1 until 1 October 2018, but after this has no such legal authority. 5. The Norwegian Data Protection Authority's assessment 5.1. Limitation in the Norwegian Data Protection Authority's assessments The Personal Data Act implements the Personal Data Protection Regulation in Norwegian law, and entered into force 20 July 2018. The Norwegian Data Protection Authority has limited our investigations in this case to processing of personal data that has taken place after the Personal Data Protection Regulation entered into force. 5.2. Processing of birth notifications collected from the Population Register from 1 October to 14 November 2018 – Article 6 The collection of birth notifications from the National Register of Citizens from 1 October to 14 November 2018 DNK has informed in its reports that the deliveries of birth notices from the National Register of Citizens did not stop on 1 October 2018, but continued until 14 November 2018. Any processing of personal data requires a legal basis according to Article 6 No. 1 in order to be legal, including the collection of personal data. The Norwegian Data Protection Authority is thus assessing whether DNK had a legal basis for the collection of birth notices from the Population Register from 1 October to 14 November 2018. In our demand for an explanation of 16 December 2020, the Norwegian Data Protection Authority asked DNK to explain which legal basis in the personal protection regulation article 6 no. 1 DNK had to collect the personal information about members' children through birth notifications from the National Register of Citizens i the period 1 October to 14 November 2018. DNK replied in the statement of 22 January 2021 that it was not DNK's intention to collect the relevant confidential personal information in violation of the law. It was nevertheless considered that DNK had a legal basis to continue to store the personal data on the persons concerned through birth notifications from the National Register of Citizens from 1 October to 14 November 2018 in their membership register pursuant to Article 6 no. 1 letters c and e. For the processing of personal data with a legal basis in Article 6 no. 1 letters c and e, it is required that the basis for the processing is laid down in national law, cf. Article 6 no. 3 DNK 7 has shown that the supplementary legal basis for storing the personal information about them relatives received through birth notifications from the National Register of Citizens from 1 October to 14 November 2018 in DNK's membership register, was § 3 no. 10 of the Church Act cf. § 3 no. 5. The Norwegian Data Protection Authority first assesses whether the basis for collection of the data belongs to them birth notifications from 1 October to 14 November 2018 were stipulated in national law, cf. Article 6 No. 3. It follows from recital 45 that a special statutory provision is not required for each individual treatment. A law may be sufficient as a basis for several processing activities. The the legal basis can further specify the regulation's general conditions for legal processing of personal data. As mentioned in point 5.2, the church has been authorized to register members in their member register, cf. § 3 no. 10 cf. § 3 no. 5. It further followed from § 10 of the regulation on Den church's membership register that DNK obliged to keep the membership register up to date on the basis of information from the National Map Agency's cadastral register, the central population register and the Unit Register. The collection and use of population register information is, however, specially regulated in the National Register Act which entered into force on 1 October 2017. According to section 1-2, the purpose of the act is to contribute so that the information in the National Register can be used for official and public tasks administration, research, statistics and to look after basic societal needs. After this one the Act, information about kinship is subject to a duty of confidentiality, cf. the National Register Act § 9-1, and can therefore only be disclosed to public and private enterprises that are authorized by law to obtain this information, cf. § 10-2. Section 3 of the Church Act said nothing about the disclosure of confidential information about kinship from Folkeregisteret, and did not give authority as mentioned in the Folkeregister Act § 10-2 first paragraph. DNA also had no other legal authority for the disclosure of confidential information from The National Register. However, DNK had permission to release the birth notices through a decision dated 18 June 2001 according to the old National Register Act, and was thus entitled to receive the birth notices through the transition scheme in the National Register Act § 13-1 first sentence until it lapsed a year after the law came into force. The People's Register Act entered into force on 1 October 2017, and the right to receive birth notifications therefore ceased on 1 October 2018. If the party had applied within this year for "equivalent disclosure of information", it applied access until the register authority has made a decision in the matter, cf. the National Register Act § 13-1 second sentence. Based on the correspondence between DNK, the Ministry of Finance and The Norwegian Tax Administration, in the view of the Norwegian Data Protection Authority, it was clarified no later than 19 September 2018 that DNK did not have an application for processing for "equivalent disclosure" of information to processing, as DNK's current case did not include access to those subject to confidentiality the information about kinship. DNK's permission to receive confidential information about kinship therefore did not apply from 1 October 2018. 8 That later misunderstandings arose through DNK's communication with EVRY, and that as a result of this, it was decided that the collection of birth notices from the National Register of Citizens would not should be stopped, does not change the conclusion that the collection of birth notifications was in contrary to the National Register Act. We further point out that it is DNK as the data controller was responsible for ensuring and demonstrating that the processing of personal data takes place in line with the rules in the personal protection regulation, cf. article 5 no. 2 and article 24 no. 1. We show for the sake of order also due to the fact that it followed from point 3.1 of the current agreement between DNK and EVRY: "Access to the Services is dependent on permission from SKD (competent population registration authority). The customer is himself responsible for managing such an application. The customer is responsible for processing Data in accordance with applicable laws and regulations.” As DNK's collection of the relatives' birth notifications from 1 October to 14 November 2018 was contrary to the National Register Act, was not the basis for the collection of the relatives birth notices from the National Register of Citizens stipulated in national law, cf. article 6 no. 3. It is thus clear that this collection was not "necessary to fulfill a legal obligation incumbent on the controller, or "necessary to carry out a task in the public interest', cf. article 6 no. 1 letters c and e. The Norwegian Data Protection Authority clarifies for the record that unlawful collection of personal data does not will not be able to constitute a "legitimate interest" for the data controller, cf. Article 6 No. letter f. DNK thus had no legal basis in Article 6 for the collection of birth notices from the National Register of Citizens from 1 October to 14 November 2018, and the relevant processing of personal data was illegal. Continued storage of personal data collected through birth notifications from The population register from 1 October to 14 November 2018 Although it was eventually clarified from DNK's side that the transfer of birth notifications from The population register from 1 October to 14 November 2018 was not in line with the Population Register Act, DNK considered that the children who were registered through birth notifications in the period from 1 October to 14 November 2018 was correctly registered in accordance with § 3 of the Church Act, and let these the entries remain. All processing of personal data, including storage, requires a legal basis in the article 6 No. 1 to be legal. Furthermore, the starting point is that the controller is obliged to delete personal data without unjustified stay if they have been processed illegally, cf. Article 17 no. 1 letter d. The Danish Data Protection Authority has concluded above the collection of birth notifications from The population register from 1 October to 14 November 2018 was in breach of the Population Register Act, and that 9 it did not have a legal basis in the personal protection regulation article 6. The relevant the processing of personal data was thus illegal. However, it follows from Article 17 no. 3 letter b that Article 17 no. 1 does not apply if the processing is necessary to fulfill a legal obligation or to perform a task i public interest or exercising public authority as the data controller imposed. This provision refers to the processing of personal data that has a legal basis basis in Article 6 no. 1 letters c and e. The Danish Data Protection Authority is therefore assessing whether DNK had a legal basis in the Personal Data Protection Regulation article 6 no. 1 for further storage of the personal data collected through birth notices from the Population Register from 1 October to 14 November 2018. DNK has shown that you had a legal basis in Article 6 no. 1 letters c and e to store the personal information about the relatives received through birth notifications from the National Register of Citizens from 1 October to 14 November 2018 in their membership register. For the processing of personal data with a legal basis in Article 6 no. 1 letters c and e, it is required that the basis for the processing is laid down in national law, cf. Article 6 No. 3 DNK has, as mentioned, stated that the supplementary legal basis for storing the personal data about the relatives received through birth notifications from the National Register of Citizens from 1 October to 14 November 2018 in their membership register, the Church Act was § 3 no. 10 cf. § 3 no. 5. The Danish Data Protection Authority first assesses whether the basis for the storage of personal data about them relatives collected from birth notifications from the Population Register 1 October to 14 November 2018 was laid down in national law, cf. Article 6 no. 3. It follows from recital 45, as mentioned, that no special statutory provision is required for each simple treatment. A law may be sufficient as a basis for several processing activities. The legal basis can further specify the regulation's general conditions for legality processing of personal data. It follows from Section 3 of the Norwegian Church Act that DNK must register members in their membership register. However, the collection of the relevant birth notifications was in breach of the National Register Act § 10-2. It also follows from the National Register Regulations Section 10-2-1 that confidential information must not be used for purposes other than those for which permission has been granted. DNK did not have permission from The tax authorities to use the confidential information, and continued storage of the information was thus also in breach of the National Register Regulations § 10-2-1. The People's Register Act and associated regulations are a special regulation for population register information, and will follow The Norwegian Data Protection Authority's assessment here takes precedence over the older church law in the event of a conflict. We points out, however, for the record, that neither the Church Act nor related regulations required DNK to obtain the relevant birth notifications from the National Register of Citizens. 2FOR-2017-07-14-1201 10 Due to continued storage of the confidential national register information collected through birth notices were in breach of the national register regulations, was not the basis for continuation storage of the personal data from the illegally obtained birth certificates from The population register laid down in national law, cf. article 6 no. 3. DNK thus had no legal basis for the continued storage of personal data from birth notices collected from the Population Register from 1 October to 14 November 2018, and the the current processing of personal data was illegal. 5.3. Information to the registered about the processing of personal data - article 14 HEF has stated that DNK breached the information requirements in Article 5 of the Personal Data Protection Regulation letter a and articles 12-14 related to the processing of personal data about relatives. In our demand for an explanation of 12 August 2020, we asked DNK to explain how DNK has fulfilled the information requirements in Article 14 where children's personal data have been registered based on population register information until this scheme ceased on 1 October 2018. In the statement of 2 September 2020, DNK stated that DNK was covered by the exception in the personal protection regulation article 14 no. 5 letter c. However, it is indicated that it is nevertheless carried out some information measures, including through privacy statements on kirken.no and articles on the website. It follows from the personal protection regulation article 14 no. 5 letter c that article 14 no. 1-4 may not application if "collection or disclosure is expressly provided for in Union law or the national law of the Member States to which the data controller is subject, and which contains suitable measures to protect the data subject's legitimate interests". The Norwegian Data Protection Authority first assesses whether DNK's collection of birth notifications from the National Register of Citizens was expressly provided for by the national law of the Member States in which the data controller is subject to, and which contain suitable measures to protect the data subject's legitimate interests, cf. article 14 no. 5 letter c. With the wording "expressly", it is clear that something more than just the foundation is required here for the processing is stipulated in the national law of the Member State in which the data controller is subject to, as follows from Article 6 No. 3. For Article 6 No. 3, a special statutory provision for each individual treatment, cf. paragraph 45. A law may be sufficient as a basis according to article 6 no. 3 for several processing activities that are based on a legal obligation incumbent on the controller, or if the processing is necessary to carry out a task in the public interest or exercise public authority. Article 29 Data Protection Working Party, the predecessor of the Personal Protection Council (EDPB), has i Guidelines on transparency under Regulation 2016/679 stated that the exceptions in Article 14 b 11 3 "should, as a general rule, be interpreted and applied narrowly." Furthermore, it is specifically stated about the exception in article 14 no. 5 letter c in point 66: "Such a law must directly address the data controller and the obtaining or disclosure in question should be mandatory upon the data controller. Accordingly, the data controller must be able to demonstrate how the law in question applies to them and requires them to either obtain or disclose the personal data in question.” Such an interpretation, where the relevant collection or disclosure of the personal data must follow directly from national law and be mandatory for the data controller, harmonizes also with the principle of transparency in Article 5 no. 1 letter a. The principle applies in particular "further information to ensure fair and open treatment for the affected individuals persons as well as their right to obtain confirmation of and be informed about the personal data which applies to those who are processed", cf. paragraph 39. If the data subject can foresee from national law that a collection of your personal data takes place, that is the starting point not necessary to ensure fair and open processing that the data controller informs the data subject about the processing. However, such predictability presupposes that the collection in question follows directly from national law and is mandated by it data controller. It is clear that DNK's general duty to register minor relatives was express laid down in national law in the Church Act § 3. The specific collection of birth notices for However, members' children from the National Register did not follow § 3 of the Church Act. The collection of birth notices for members' children from the National Register of Citizens was thus not express laid down in section 3 of the Church Act, and the exception in article 14 no. 5 letter c thus did not apply application based on this provision. The current collection of birth notifications for members' children from the National Register of Citizens nor did it expressly comply with the National Register of Citizens Act or associated regulations. Of the current regulation on the Church of Norway's membership register § 10 on up-to-date information, given in in accordance with § 3 of the Church Act, it followed, however, that on the basis of information from the person who is registered, the central and local data controller is obliged to keep the membership register up to date. The central data controller is also obliged to keep the membership register up to date on the basis of information from the National Map Agency's cadastral register, the central population register and the Unit Register. The Norwegian Data Protection Authority is therefore considering whether the collection of birth notifications for members' children from The folk register expressly followed the regulations on the Church of Norway's member register § 10. According to Store norske lexikon, À jour is a French expression that is most often used in the meaning "updated", and the Norwegian Data Protection Authority considers that this is also the natural understanding of the wording. That DNK should keep the membership register up-to-date based on information from the National Register of Citizens, dictates, according to the Danish Data Protection Authority's assessment, that existing members and related information must 3 Point 57 12 is kept up-to-date on the basis of population register information, for example related to changes in names, contact details or deaths. The provision did not expressly state that it birth notifications for members' children are collected from the National Register of Citizens, and the provision can nor is it understood that DNK had a duty to collect birth notifications from The National Register. The Norwegian Data Protection Authority thus considers that the collection of birth notifications for members' children from The population register did not expressly comply with regulations on the Church of Norway's membership register § 10. The exception in Article 14 no. 5 letter c therefore did not apply to DNK's collection of birth notifications for members' children from the National Register of Citizens. The Norwegian Data Protection Authority then assesses whether DNK met the information requirements in Article 14 regarding the collection of birth notices for members' children from the National Register of Citizens. It follows from article 14 no. 1 letter d that the data controller must give the data subject information about "the affected categories of personal data" that are processed. It follows also of article 14 no. 2 letter f that the data controller must give the data subject information about "from which source the personal data originates", which is necessary to ensure fair and open treatment for the data subject. Furthermore, it follows from Article 12 No. 1 that the data controller must take appropriate measures for to present information to the data subject as mentioned in Article 14 in a "concise, open, comprehensible and easily accessible manner and in clear and simple language'. Article 29 Data Protection The Working Party has stated the following in its Guidelines on transparency under Regulation 2016/679 on the requirement that the information be provided in an "easily accessible manner": "The "easily accessible" element means that the data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc."4 The provisions must also be seen in connection with the transparency principle in Article 5 no. 1 letter a, as well as paragraph 39, where it follows: "The principle of transparency requires that all information and communication in connection with processing of said personal data is easily accessible and easy to understand, and that the language used is clear and simple. The principle applies in particular to information to them registered about the identity of the data controller and the purposes of the processing as well as additional information to ensure fair and open processing 4 Point 11 13 for the affected natural persons as well as their right to receive confirmation of and be informed about the personal data concerning them, which is processed" In its statement of 11 May 2021, DNK has explained and submitted documentation for what information was given to the registered about the collection of birth notifications for members' children from the National Register of Citizens in the period from 20 July to 1 October 2018. From the documentation, it appears that DNK did not inform those registered in the current one the privacy statement from 2017 that birth notifications from the National Register of Citizens are processed, or otherwise that information is obtained from other than the registered person that members have children. The population register was not mentioned in the privacy policy. From the other documentation DNK has presented, the Norwegian Data Protection Authority can only see that the collection of birth notifications for members' children from the National Register of Citizens is mentioned in two contexts. The first is the Church Council's circular no. 2 of 3 September 2018 and circular no. 3 of 28. September 2018 to the parish offices, the ecclesiastical joint council offices, the parish offices and the diocesan offices. These were available to the general public at https://kirken.no/rundskriv and https://kirken.no/nb-NO/om-kirken/for-medarbeidere/rundskriv-fra-kirkeradet/. The other is the article "Adoption and belonging" of 23 October 2017, which was available at https://kirken.no/nb-NO/om-kirken/medlemskap/om-medlemskapet/adopsjon-og-tilhorighet/, and was available with a link from the About membership and Affiliation and membership pages. The relevant circulars from the Church Council were aimed at the church's subordinate bodies, and the one in question the article on adoption and belonging only appears to be relevant to a very small group registered – those who have adopted a child. It was not intuitive or clear to the registrants that they had to seek out these parts of kirken.no to find information about the treatment of theirs personal data, and these sources of information did not ensure an open and fair treatment. The Norwegian Data Protection Authority finds it clear that neither the circulars nor the article on adoption and affiliation met the requirements that the information should be "easily accessible" to them registered. The Norwegian Data Protection Authority thus finds that DNK has not provided information about the collection of birth notices for members' children from the Folkeregisteret in line with the requirements in article 12 no. 1. DNK has thus not given the registered person "readily accessible" information about "those affected the categories of personal data" that are processed or "from which source the personal information originates from", cf. article 14 no. 1 letter d and no. 2 letter f, cf. Article 12 No. 1. 6. About reprimand, right of appeal and further proceedings A reprimand is an administrative reaction with the purpose of highlighting criticism of those mentioned the violations of the rules. The imposition of a reprimand may be emphasized at a later date assessment of the imposition of an infringement fee if a corresponding breach occurs the regulations cf. the personal data protection regulation art. 83 no. 2 letter i. 5https://kirken.no/globalassets/kirken.no/personvernerklaering_2017.pdf 14DNK can appeal against the decision on reprimand. Any complaint must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we If our decision is upheld, we will forward the case to the Personal Protection Board for complaint processing. 7. Publicity, transparency and confidentiality We would like to inform you that all documents are basically public, cf. Public Relations Act § 3. If you believe there are grounds for exempting all or part of the document from public inspection, we ask you to give reasons for this. The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us, and about the complainant's personal information relationship. The duty of confidentiality follows, among other things, from the Personal Information Act § 24 and Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such information from the Norwegian Data Protection Authority, cf. the Administration Act § 13 b first paragraph no. 1. You also have the right for inspection of the case's documents, cf. section 18 of the Public Administration Act. We draw your attention to the fact that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority the complainant's identity, personal circumstances and other identifying information, and that you only can use this information to the extent necessary to safeguard its interests theirs in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that breach of this duty of confidentiality can be punished according to Section 209 of the Criminal Code. With best regards Jørgen Skorstad department director Anders Sæve Obrestad senior legal advisor The document is electronically approved and therefore has no handwritten signatures Copy to: BULL & CO ADVOKATFIRMA AS 15