Datatilsynet (Norway) - 20/02225: Difference between revisions

From GDPRhub
(Updated with DPA decision)
 
(4 intermediate revisions by the same user not shown)
Line 48: Line 48:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=n/a
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]
|
|
|GDPR_Article_4=Article 5(1)(a) GDPR}}
|GDPR_Article_4=Article 5(1)(a) GDPR}}
Line 73: Line 73:


In addition to a breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was weighted when concluding on the size of the fine.  
In addition to a breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was weighted when concluding on the size of the fine.  
It's also worth noting that the lawyer representing Aquateknikk argued that Article 6(1)(e), "processing is necessary for the performance of a task carried out in the public interest", could be a valid legal basis for processing personal data in credit ratings, however this was firmly rejected by the DPA, stating that the company doesn't have a "public interest", nor an additional legal basis as required by this legal grounds (letter e). 


While it was not done in this particular case, Norwegian implementation of the GDPR also allows for fining controllers based on breaches of Article 24, unlike the GDPR cf. personopplysningsloven § 26. Personopplysningsloven § 26 refers to Article 83(4).  
While it was not done in this particular case, Norwegian implementation of the GDPR also allows for fining controllers based on breaches of Article 24, unlike the GDPR cf. personopplysningsloven § 26. Personopplysningsloven § 26 refers to Article 83(4).  
Line 85: Line 87:


<pre>
<pre>
https://www.datatilsynet.no/contentassets/c5f433a97050467497810b9e891d5b83/vedtak-om-palegg-og-overtredelsesgebyr---aquateknikk-as.pdf
Page 1
AQUATEKNIKK AS
Tjemslandshagen 26
4360 VARHAUG
Offl. § 13 cf. Popplyl. § 24 (1) 2.
pkt.
Their reference
Our reference
Date
20 / 02225-6
Decision on order and infringement fee - Credit assessment without legal action
basis - Aquateknikk AS
1 Introduction
We refer to our notice of decision of 3 June 2020. We received Aquateknikk AS ("Aquateknikk") his comments on the notice on 1 September 2020 from lawyer in main organization Virke. Our comments on the comments follow below.
2. Decision on order
The Data Inspectorate adopts the following order:
Pursuant to Article 58 (2) (i) of the Privacy Ordinance, the following is imposed
Aquateknikk AS, org. No. 919 766 751, to pay an infringement fee to the Treasury
NOK 100,000 for having obtained credit information without a legal basis, cf.
Article 6 (1) (f) of the Privacy Regulation.
2. Pursuant to the Privacy Ordinance art. 58 no. 2 letter d is imposed on Aquateknikk
AS to improve its internal control over credit assessment, cf. the Privacy Ordinance
Article 24, as this is deficient.
Our legal basis for issuing orders is Article 58 (2) of the Privacy Ordinance.
The background and reasons for the decision follow below.
The deadline for implementing the orders is stated in section 8 of the decision.
Postal address:
Office address:
Telephone:
Fax:
Company No:
Website:
PO Box 458 Sentrum Tollbugt 3
22 39 69 00
22 42 23 50
974 761 467
www.datatilsynet.no
0105 OSLO
01/04/21
Page 2
3. Details of the facts of the case
In your reply of 1 September, you admit to having credit-rated complaints illegal, and explain that this was
«An inconsiderate mistake that was made in connection with a completely ordinary
and legitimate credit check of the company where the person in question is both owner, chairman of the board and
CEO.". Furthermore, you explain the credit rating with the following:
«It probably quickly made me think that the financial conditions of such a key person for
the business is relevant in a business assessment of another player in the same industry ».
Furthermore, you have several comments on both the assessment of the imposition and the size of the notification
the violation fee of 300,000 kroner. You state, among other things, that the business has reduced
turnover as a result of the corona pandemic, and that an infringement charge of this magnitude will have
very negative consequences for companies and involves the risk of bankruptcy. You have attached a preliminary
annual accounts for 2019, and also points out that a fee of NOK 300,000 will amount to more than 2.5% of
the company's expected turnover in 2020. In addition, you have referred to practice from the Swedish and the
the Danish Data Protection Authority, as well as previous practice from the Privacy Board.
You have also made current remarks related to the Data Inspectorate's right to impose an infringement fee
for violations of the Privacy Regulation Articles 5 and 6.
Finally, you write:
«Aquateknikk AS takes this matter very seriously, and has implemented measures to avoid similar
violations should be able to happen again. The notified fee in combination with the COVID-19 pandemic
nevertheless involves great uncertainty regarding the company's opportunities to survive in it
immediate future. The individual preventive considerations that can normally justify a punitive response
is thus absent in this case. As mentioned above, in our opinion it exists rather
no general preventive considerations that indicate such a severe reaction ».
4. Legal basis for obtaining credit information
Obtaining credit information on individuals and sole proprietorships ("the registered")
constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and
the Personal Data Act § 1.
Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a
legal basis.
When a company must obtain credit information about the registered person without it being available
consent, or the credit rating is strictly necessary to carry out an agreement with it
registered, Article 6 (1) (f) is the most relevant legal basis.
Article 6 (1) (f) requires that the collection of credit information is "necessary" to:
safeguard a "legitimate interest" which, after a balance of interests, outweighs consideration
2
Page 3
individual privacy.
The legitimate interest must be legal, clearly defined in advance, real and objectively justified
in business. Which interests meet this depends on an assessment there, among other things
what benefits the company achieves with the treatment, how important the interest is for the company,
or whether the treatment has a public interest or safeguards non-profit interests
which benefit more are relevant moments.
Furthermore, the treatment in question must be "necessary" for purposes related to the beneficiary
interests. That is, the business must consider whether it can achieve the purpose in a way that
better safeguards privacy. One must therefore choose the treatment that is least invasive.
Then the business must make a balance of interests to decide whether the individual
Privacy outweighs the business' legitimate interest. What type of information
it is relevant to process, for example whether obtaining the relevant information can
perceived as offensive, and what expectations the individual has for the treatment of
the personal data, are relevant factors in the balancing of interests.
The now repealed Personal Data Regulations § 4-31 contained an additional condition that
Credit information could only be obtained unless the business had a "factual need" for it
credit information.
Section 4-3 of the regulations is continued in accordance with the regulations on transitional rules on the processing of
personal data § 42.
However, the Privacy Ordinance does not provide national room for maneuver for special regulation of the collection of
credit information. We therefore believe that the requirement for "factual need" does not constitute an additional condition to the article
6 No. 1 letter f.
However, the assessment of whether the business has a "factual need" pursuant to section 4-3 of the regulations is close
connection with the assessment pursuant to Article 6, paragraph 1, letter f. We therefore believe that earlier
administrative practice regarding the requirement of objective need is still relevant when assessing Article 6 (1)
letter f.
5. On the duty of internal control
According to Article 24 of the Privacy Ordinance, all companies are obliged to be able to demonstrate that they process
personal data in accordance with the law. If it stands in a reasonable relation to
the treatment activities, the company shall implement appropriate guidelines for the protection of
personal information.
Credit assessment is an intrusive processing of personal data and constitutes a significant violation
of individual privacy. Companies must therefore be able to document their internal routines or
processes (internal control), which meets the requirement for a legal basis for credit assessment.
1 Personal Data Regulations of 15 December 2000 no. 1265.
2 Transitional rules on the processing of personal data of 15 June 2018 no. 877.
3
Page 4
The routines must describe when and how credit information is to be obtained and how access is to be provided.
and shall ensure that credit assessments are not obtained without the requirement of a legal basis being met. Further
the company must have routines for non-conformance handling.
6. The Data Inspectorate's assessment
6.1. The duty to have written routines for the processing of personal data ("internal control")
Aquateknikk did not have internal control when the credit assessment took place, but has prepared a routine 18.
October 2019 and sent this to the Danish Data Protection Agency. In our notice, we assessed that the submitted routine was
deficient. The routine does not contain a description of the requirement for a legal basis
Article 6 of the Privacy Regulation. It also does not specify who can obtain it
credit information on, in addition to the fact that only "new customers and existing customers" are to be credit assessed and
that this should never be private individuals.
You have not submitted new routines in your comments for notification of decisions.
A written routine, or internal control, pursuant to Article 24 (2) of the Privacy Regulation shall be a
work tools for management and employees in a company to ensure and document compliance with
the Privacy Regulation.
In order for the routine for obtaining credit assessments to fulfill this, the company must make it visible
the requirements of the Privacy Ordinance for the processing of personal data, including the relevant information
legal basis for credit assessments of sole proprietorships and natural persons. Internal control
should also provide examples of when credit rating will be legal in the business to ensure and demonstrate that
their processing of credit information takes place in accordance with the Privacy Ordinance, cf. Article 24 no.
1 and 2.
Improvement of the routines may have a preventive effect against unlawful implementation
credit ratings.
The Norwegian Data Protection Authority has the competence to order the data controller to ensure that
the processing activities take place in accordance with the provisions of the Privacy Ordinance, cf.
Article 58 (2) (d) of the Privacy Regulation.
This is the background for the order to prepare routines for credit assessment. Aquateknikk must prepare
a written routine that ensures that credit assessments of sole proprietorships and natural persons only take place
when the requirements of the Privacy Ordinance are met.
We also refer to our assessment of the submitted routine in section 5.1 of the notification of decision.
You will find information and guidance on the legal bases on our websites
https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/behandlingsgrunnlag/.
4
Page 5
6.2. Legal basis for obtaining credit information
6.2.1. Choice of legal basis
In your comments on the notification of decisions, you argue that Article 6 (1) of the Privacy Regulation
letter e "necessary to perform a task in the public interest" may be a relevant legal
basis for obtaining credit information. Furthermore, you write that «The Data Inspectorate has not opened for
this in the notice, but instead stated that the balancing of interests pursuant to Article 6 f) is the only relevant one
legal basis, without further justification. ».
In order for a data controller to be able to use letter e as a basis for processing, it is required
the Privacy Ordinance that there is a supplementary national legal basis that regulates the task
the data controller performs in the public interest.
In the preparatory work for a new Credit Information Act3 , the Ministry assumes that
credit information companies perform a task in the public interest, and that
The Credit Information Act will constitute a supplementary national legal basis, cf. the Privacy Ordinance
Article 6 (1) (e) and Article 6 (3).4
Our assessment is that Aquateknikk neither performs a task in the public interest, nor has one
supplementary national legal basis that can authorize the contested credit assessment in the case.
In our case, Aquateknikk has not obtained consent from complainants, nor was the credit rating
necessary for the implementation of an agreement on complaints, cf. Article 6 (1) (b). Article 6 (1)
letter f «balancing of interests» is therefore the relevant legal basis for the credit assessment in the case.
6.2.2. Assessment of the Privacy Regulation, Article 6, paragraph 1, letter f - «balancing of interests»
The question is whether Aquateknikk had a legal basis in the Privacy Ordinance Article 6 No. 1
letter f for obtaining the complainant's credit information.
The first condition that must be met for the processing of the complainant's credit information to be
it is legal that Aquateknikk had a "legitimate interest" in obtaining the information.
The requirement of "legitimate interest" is to a large extent a continuation of the same requirement in the previous one
the Personal Data Act of 2000 § 8 first paragraph, letter f.
Proposition 47 of the Privacy Ordinance states that in assessing whether an interest is justified,
among other things, the data subject's expectations based on the relationship between it shall be taken into account
data controller and the data subject. Emphasis should also be placed on whether it is on
the time of collection was foreseeable for the data subjects that the information would be processed for it
current purpose.
3 LOV-2019-12-20-109.
4 Prop.139 L (2018-2019) point 3.3.1.
5
Page 6
In the statement and comments to the notice, you acknowledge that you have personally assessed credit complaints at a
error, and that the intention was to credit rating his corporation.
Aquateknikk has obtained credit information about an individual without any kind of customer relationship,
supplier relationship or other connection to their business. Complaints drive a competitor
business, and had no expectation that Aquateknikk would treat his personal
credit information, nor was it foreseeable for him that the company would collect this.
In our opinion, Aquateknikk did not have a legitimate interest in obtaining complaints
credit information.
We do not consider it appropriate to assess the requirement of "necessity", as our assessment is that
the business did not have a legitimate interest in carrying out the credit assessment.
We will nevertheless say something brief about the third condition in Article 6, paragraph 1, letter f. This is the specific one
the balance of interests between the company's interest in processing personal data and it
data subjects' privacy interests.
Credit information is a type of personal information that is particularly worthy of protection. One
Credit rating is the result of compiling personal information from many different sources, and shows
a number that indicates the probability that a person will pay a claim. A credit rating will too
show details about individuals' personal finances, including any payment remarks, volunteers
mortgages and debt ratio. This is private information that individuals have an expectation of
not obtained by companies unless it is objectively justified in their relationship with them.
Private individuals should therefore enjoy special protection against obtaining credit information.
Consideration of the complainant's right to privacy weighs heavily in the processing of this type of personal data,
and significantly heavier than the company's need to obtain credit information about an individual
without any connection to their business.
The conclusion is after this that Aquateknikk had no legal basis under Article 6, paragraph 1, letter f
to obtain the complainant's credit information.
7. Infringement fee
7.1. General information about infringement fines
Infringement fees are a tool to ensure effective compliance and enforcement of
the personal data regulations. We believe it is necessary to react to the violation, cf.
Article 83 of the Privacy Regulation.
In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that the infringement fee is
to be regarded as a punishment under Article 6 of the European Convention on Human Rights
clear overriding probability of offenses in order to impose a fee. The case and the question of to
impose infringement fines is assessed on the basis of this evidentiary requirement.
6
Page 7
In this connection, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. With a
administrative sanction means a negative reaction that can be imposed by an administrative body, which corrects
against a committed violation of law, regulation or individual decision, and which is considered a punishment
under the European Convention on Human Rights (ECHR).
For companies, the guilt assessment is unique. Section 46, first paragraph, of the Public Administration Act states:
When it is stipulated in law that an administrative sanction may be imposed on an enterprise,
the sanction is imposed even if no individual has shown guilt.
In Prop. 62 L (2015-2016) page 199 it is stated about § 46:
The wording that 'no individual has shown guilt' is taken from the section on
corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore
as a starting point objectively.
Aquateknikk has made a number of comments on the Data Inspectorate's right to impose
infringement fine for breach of the Privacy Regulation Article 5 (2) and (6) (f). In addition
have you submitted comments on the assessment of whether an infringement fee should be imposed, as well
the assessment of the size of the fee.
Their comments do not change our assessment that an infringement fee should be imposed, but are significant
for the measurement of the fee size. We will comment on the comments below.
7.2. The Data Inspectorate's right to impose infringement fines for breaches of the Privacy Ordinance
Articles 5 and 6
In the notes to the notified infringement fee, write the following:
«On the basis of Article 6 of the ECHR, in our opinion, it will hardly be permissible to use
the provisions alone as a basis for imposing penalties, as the Data Inspectorate proposes in the notification.
As far as we can see, the Data Inspectorate has not formulated a clear rule of action for imposing a fee
our case, neither as regards a breach of the principle of liability in Article 5 nor
the principle of legality in Article 6. Nor is there a distinction between these two acts in themselves
sentencing. "
The Personal Data Act of 2018 is intended to continue the Data Inspectorate's competence to impose
infringement fee for violation of the Personal Data Act of 2000. After the old
According to the Personal Data Act, data controllers could be fined for violating section 2 of the Act.
8 letter f, see section 46 of the Act. Section 8 letter f largely corresponds to Article 6 no. 1 of the Privacy Ordinance
letter f, which also regulates "balancing of interests" as a legal basis for processing
personal information.
7
Page 8
In the preparatory work for the Personal Data Act of 2018, the Ministry has clearly stated that
it shall be possible to impose infringement fines on infringers of Articles 5 and 6, as well as those
other articles listed in Article 83.5
The Privacy Board has also in recent practice confirmed that the person responsible for processing can be assigned
infringement fine for violation of the Privacy Regulation Article 6 No. 1 letter f.6
On the basis of this, we find it clear that Aquateknikk can be fined for violating
Article 5 (2) and Article 6 of the Privacy Regulation.
7.3. Assessment of whether an infringement fee is to be imposed
When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account
the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Norwegian Data Protection Authority may impose
infringement fee after a discretionary overall assessment, but the listed factors add up
guidelines on the exercise of discretion by highlighting aspects that are to be given special weight.
(a) the nature, gravity and duration of the infringement, taking into account it;
the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and
the extent of the damage they have suffered
The principle of legality in the Privacy Ordinance Article 5 No. 1 and the requirement for a basis for processing in
Article 6 is one of the basic requirements that must be met when an enterprise processes
personal information.
Credit information is a type of personal information that is particularly worthy of protection, and which
Private individuals have an expectation that is not obtained by companies unless it is factual
justified in their relationship to them. The violation is therefore serious, and indicates that it is imposed
infringement fine.
Complainants have never had cooperation or other forms of agreements with Aquateknikk, but operate on the other hand
a competing business. The collection of credit information is characterized by curiosity,
as the company has obtained credit information first about the complainant's company, and then to
Conduct a credit rating of him personally at five minute intervals.
b) whether the infringement was committed intentionally or negligently
Aquateknikk acknowledges in its statement on 30 September 2019 that it was
, responsible for
, which performed the credit assessment of complaints. Furthermore, Aquateknikk writes that
had received instructions from the general manager that the complainant's company
was a company they were considering ordering
goods from and that it should therefore be credit assessed as a potential supplier.
It is unclear whether the instruction was to credit assess complaints in person or whether the instruction was to
credit rating company, but that complaints were checked personally by a misunderstanding. Regardless of whether
5 Prop. 56.L (2017-2018) point 20.3.1.
6 PVN-2019-09.
8
Page 9
the instruction went on the complainant's business or him person we emphasize that
is the business
primarily responsible for
. He should therefore check if the business had legal
basis for credit assessment of the owner of a limited liability company personally, since it was the limited liability company
Aquateknikk considered buying goods from. Instead, Bisnode's consumption log shows that
first rated
the corporation and then complain in person. This indicates that the action has been deliberate.
Regardless of whether the instruction from the general manager was based on a credit assessment of complaints in person or whether
this happened in the event of a misunderstanding, we assume that the company has shown negligence in obtaining
of credit information about complaints in person. This pulls in an aggravating direction.
c) any measures taken by the data controller or data processor to limit the damage
which the data subjects have suffered
It appears from the complainants' correspondence with Aquateknikk that, when asked by the complainants, they stated that
they had accidentally credit-rated him instead of his company and claim to have "interrupted" the search for
his credit information when they became aware of this error. Furthermore, the company informs by e-mail to
complains that they have deleted the credit information they obtained about him.
We do not trust the company's explanation that they "interrupted the search" as stated in Bisnodes
log that Aquateknikk has first credit-assessed the complainant's business and then the complainant personally.
(d) the degree of responsibility of the controller or processor, taking into account those
technical and organizational measures they have implemented in accordance with Articles 25 and 32
We emphasize that the violations were committed by
in the business,
as the Privacy Ordinance presupposes that compliance with the regulations is particularly anchored in
the management of an enterprise, cf. Article 5 (2).
We also emphasize that the credit assessment according to Aquateknikk's report was carried out in
compliance with the company's practice of credit rating all potential customers and suppliers. Further
we emphasize that Aquateknikk had a lack of awareness of the regulations, as well as neither technical
or organizational measures in the form of routines to ensure that the company's employees know the regulations for
obtaining credit information.
e) any previous violations committed by the data controller or data processor
The Norwegian Data Protection Authority does not know whether there have been previous violations.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible
negative effects of it,
The company apologizes for the incident and has shown a willingness to contribute to the information of the case and to learn from it
the event by creating routines for credit ratings. These are moments that pull in mitigating
direction.
9
Page 10
On the other hand, through the documentation from Bisnode, we have become aware that the company does not
has stated that a credit assessment was first made of the complainant's company, and then the complainant personally.
This pulls in an aggravating direction.
g) the categories of personal data affected by the infringement
Special categories of personal data (sensitive personal data) are not affected by
the infringement in our case. However, information on salary, debt and creditworthiness is information such as
have a special need for protection due to their private nature.
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in which
the degree to which the controller or data processor has notified the infringement
We were notified of the breach of complaints. The company did not even report the infringement, and
did not disclose the collection of credit information about the complainant's company.
(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
data controller or data processor with respect to the same subject matter, that said measures
complied with
We do not know that measures have previously been taken against the company with regard to the same
case subject.
(j) compliance with approved standards of conduct in accordance with Article 40 or approved
certification mechanisms in accordance with Article 42
We do not find this aspect relevant.
k) and any other aggravating or mitigating factor in the case, e.g. economic benefits that are
achieved, or losses that have been avoided, directly or indirectly, as a result of the violation
Access to competing companies' finances can constitute such an advantage or aggravating factor as
letter k mentions. However, the Data Inspectorate does not find it documented in the case that Aquateknikk has achieved this
such an advantage in obtaining credit information about complaints.
Aquateknikk's remarks
Aquateknikk has made several comments on our assessment of whether an infringement fee should be imposed,
as well as the amount of the notified fee.
In our assessment of whether an infringement fine should be imposed, you state that the breach should
sanctioned with a milder form of reaction than a fee on the basis of the company's financial
situation. You justify this further with a reference to a number of cases from the Danish
the Data Protection Authority, which is sanctioned with "serious criticism", as well as a number of cases from the Swedish
the Data Protection Authority, which is sanctioned with lower infringement fees than in our case and with others
affected.
10
Page 11
Our assessment of the comments
The Data Inspectorate and the Privacy Board's practice is that obtaining credit information without legal action
basis is sanctioned with infringement fines.7
Credit information is a type of personal information that is particularly worthy of protection, and which
Private individuals have an expectation that is not obtained by companies unless it is factual
justified in their relationship to them. The violation is therefore serious, and indicates that it is imposed
infringement fine.
Complainants have never had cooperation or other forms of agreements with Aquateknikk, but operate on the other hand
a competing business.
In cases not covered by the cooperation mechanism in Article 56 of the Privacy Regulation, it states
the national supervisory authority is free to discretion on the imposition and measurement of
infringement fines within the framework of Article 58 (1) (f), cf. Article 83.
The decisions you refer to from the Swedish and Danish data protection authorities do not deal with
obtaining credit ratings, and has no relevant fact for the present case. We consider
therefore the cases to have limited relevance and transfer value for the Data Inspectorate's assessment of
infringement fine.
On the basis of this, we maintain our assessment that an infringement fee should be imposed.
We also refer to our justification for why an infringement fee should be imposed in section 6.1 of the notice, and
Clause 7.3 of the decision.
7.4. Assessment of the size of the fee
When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account
the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Norwegian Data Protection Authority may impose
infringement fee after a discretionary overall assessment, but the listed factors add up
guidelines on the exercise of discretion by highlighting aspects that are to be given special weight.
When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in
the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case in
section 6.1 of the notice, and the assessment of whether a fee should be imposed in section 7.3 of this decision.
Aquateknikk's remarks
You have written a list of the remarks you have to our assessment of whether the infringement fee should
imposed, and the measurement of the size of the fee:
- The violation applies to a single credit check of only one natural person.
- It was not of a lasting nature.
7 See bla. PVN-2019-15 and PVN-2017-02.
11
Page 12
- It happened in connection with a general and completely legitimate credit check of the company where it
the person in question is the owner, chairman of the board and general manager.
- It has not caused any financial loss to the person in question.
- It has not provided access to sensitive personal information.
- The violation has the character of being a personal, reckless miss in a system that does it
quick and easy for the user to credit check both businesses and individuals.
- Our client has not violated the privacy rules before.
- Our client has not obtained any financial benefits as a result of the violation.
- Our client is in danger of going bankrupt as a result of the COVID-19 pandemic and the announced
fee.
Our assessment of the comments
The violation fee must be effective, be in a reasonable proportion to the violation and work
deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in
each case. The fee should be set so high that it also has an effect beyond the specific case,
at the same time as the size of the fee must be in a reasonable proportion to the infringement and the business, cf.
Article 83 (1).
It follows from Article 83 (5) (a) that infringements of the fundamental principles of
treatment in the Privacy Regulation, including Articles 5, 6, 7 and 9, shall be sanctioned by higher
violation fee than other violations of the Privacy Ordinance.
Obtaining credit information about an individual or sole proprietorship without
basis for processing constitutes a violation of the basic principle of legality in
Article 5 (1) (a) of the Privacy Ordinance. This is personal data of a very private person
character, which the data subject has a high expectation of not obtaining unless it is factual
based on their relationship with a data controller. These are weighty moments that speak for one
fee of a certain size.
We place aggravating emphasis on the fact that the violation in our case was committed by a person responsible for
in the business, as the principle of liability in the Privacy Regulation Article 5 No. 2
presupposes a strong anchoring of the regulations in the treatment manager's management.
As we have explained in section 7.2 of the decision, the guilt claim for enterprises is objective, and it is therefore required
not that individuals in the business have acted intentionally or negligently for the Data Inspectorate to
be able to impose infringement fines.
Pursuant to Article 83 (2) (b) of the Privacy Regulation, the supervisory authority may nevertheless emphasize
whether the infringement was committed intentionally or negligently.
Aquateknikk acknowledges in its statement on 30 September 2019 that it was
, responsible for
, which performed the credit assessment of complaints. Furthermore, Aquateknikk writes that
had received instructions from the general manager that the complainant's company
was a company they were considering ordering
goods from and that it should therefore be credit assessed as a potential supplier.
12
Page 13
You write in your comments to the notice that the credit assessment of complaints personally took place as a result
of a misunderstanding between daily and responsible for
, and that it was all
«… An inconsiderate mistake that was made in connection with a completely ordinary
and legitimate credit check of the company where the person in question is both owner, chairman of the board and
CEO. In a hectic everyday life, it is probably easy to think that the financial
The relationship of such a key person to the business is relevant in a business
assessment of another player in the same industry. "
It is unclear whether the instruction from the general manager was to credit assess complaints in person or about the instruction
was to credit the company so that complaints were checked personally in case of a misunderstanding. Independent
whether the instruction went to the complainant's business or him as an individual, we emphasize that
is
the company's main responsible for
. He should therefore check on the business
had a legal basis for credit rating the owner of a corporation personally, as it were
the limited company Aquateknikk considered buying goods from. Instead, Bisnode's consumption log shows that
first assessed the corporation and then complain personally.
In accordance with the requirement of diligence, companies must familiarize themselves with which legislation applies
area, and organize the business in accordance with the framework that follows from the relevant regulations.
The principle of accountability in the Privacy Ordinance presupposes a strong anchoring of the regulations in
the company's management, and the same must apply to key people for procurement that relate to
purchases on credit. In view of this, the offense in our case must be described as negligent, and we emphasize
this in an aggravating direction in the calculation of the fee.
If the company's management had familiarized itself with the regulations and prepared better routines for
the business is our assessment that the risk of illegal collection of credit information could have been
reduced. We emphasize in an aggravating direction that the company's management has not been involved
place satisfactory organizational measures in the form of routines to comply with the regulations, cf.
Article 83 (2) (d) of the Privacy Regulation.
You write in your comments that the Data Inspectorate confuses credit checks of physical and legal
persons, and that we thereby emphasize matters that are outside our area of ​​authority in the assessment
of the gravity of the infringement. You justify this with the fact that we have emphasized that the business «regularly
credit checks companies in the form of 'customers', 'potential customers' and suppliers. ", and that we have emphasized
this in an aggravating direction. You further state that:
"Contrary to what one may get the impression of in the Data Inspectorate's notice, a credit check is a hero
legitimate and necessary tool to ensure an efficient and well-functioning business community. That our
client has not had written routines for credit checks of companies, and that such credit checks
may have been done to some extent, is not relevant in a case involving a credit check by one
natural person. "
According to Aquateknikk's consumption log at Bisnode, the company has credit-rated several natural persons
than limited companies in the period from December 2018 to January 2020. Our assessment is that this shows that
the business regularly processes credit information about natural persons and therefore should have established
routines that ensure that the credit assessments take place within the framework of the Privacy Ordinance.
13
Page 14
This is the background for our order to improve their internal control, as well as for us to emphasize
aggravating direction on the lack of written routines pursuant to Article 24 in the assessment of whether it should be imposed
infringement fee, and in the assessment of the amount of the fee, cf. the Privacy Ordinance Article 83 No. 2
letter d.
Furthermore, you refer to the Privacy Board's decision PVN-2019-15 as an argument that the fee in the
the present case should be dismissed. The case concerned an infringement fee of NOK 75,000
illegal collection of credit information and was processed in accordance with the Personal Data Act of 2000.
The Privacy Ordinance facilitates a higher level of fines than that which applied thereafter
the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that an infringement fee
shall be determined concretely so that in each individual case it is effective, is in a reasonable relation to
the violation and acts as a deterrent. The main purpose of the infringement fee is contraception, ie that
the risk of being charged a fee shall have a deterrent effect and thereby contribute to increased compliance with
the regulations.8
By Skullerud et al. (2019), page 347, it appears:
Contraceptive considerations dictate that the fee for a violation must be set so high that this is in fact
perceived as an evil by the offender. This means that the offender's financial capacity should
have significance in the measurement, so that the fee becomes higher the stronger the carrying capacity of the offender
hair. […] When assessing the financial viability of an enterprise, it may be relevant to look at
the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5.
And further:
The consideration of ensuring an individual assessment in each individual case dictates that the supervisory authorities
should avoid establishing standardized fee rates. This applies even if national law allows for it
standardized rates, cf. the Public Administration Act § 43.
The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business.
This case is a violation of the basic principles of treatment in
the Privacy Ordinance, which basically calls for a fee of a certain size. It warned
the amount of 300,000 kroner is measured to act as a deterrent and preventive for the illegal
the processing of credit information, looking at the latest available accounting figures about the business
from 2018.
The company's finances are relevant in the assessment of what will constitute a preventive and deterrent
infringement fine.
Aquateknikk has made several comments about the company's finances, especially related to it
ongoing social situation as a result of the corona pandemic. You write in the comments
their that the business has experienced a very negative economic growth, and has attached preliminary
8 «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019).
14
Page 15
accounting figures from 2020. The accounting figures show an estimated turnover for 2020 of approx. 12 million
NOK, and that the preliminary turnover as of 31.07.20 is approx. 8.4 million kroner.
Due to the challenging financial situation the business is in due to
The corona pandemic is our assessment that a lower fee could have the preventive and deterrent effect
the effect Article 83 presupposes.
After an overall assessment of the seriousness of the case and their comments about the company
financial situation, we have come to the conclusion that the final fee will be set at NOK 100,000. This constitutes
about. 1% of the company's estimated turnover in 2020, and is in our opinion sufficient
deterrent, effective, and proportionate to the unlawful treatment of
personal information that has occurred in the case.
For the other assessment of the size of the fee, we refer to the notification of decisions, sections 6.1 and 6.2, as well as
Clause 7.3 of the decision.
8. Right of appeal and further proceedings
You can appeal the decision. Any complaint must be sent to us within three weeks after this letter is
received (cf. the Public Administration Act §§ 28 and 29). If we uphold our decision, we will send the case
on to the Privacy Board for complaint handling.
If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after
the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act.
The deadline for implementing section 2 of the internal control order is 4 weeks after the expiry of the appeal deadline.
If you do not appeal the order point 2, you must send us one within this deadline
written confirmation, as well as documentation, that the order for internal control has been implemented.
9. Transparency and publicity
You have the right to access the case documents (cf. the Public Administration Act § 18). We will also inform you about
that all the documents are in principle public (cf. the Public Access to Information Act § 3.) If you think so
is a basis for exempting all or part of the document from public access, we ask you to justify
this.
The document is electronically approved and therefore has no handwritten signatures
</pre>
</pre>

Latest revision as of 18:55, 5 March 2022

Datatilsynet - 20/02291
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 100000 NOK
Parties: n/a
National Case Number/Name: 20/02291
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (~€9,700) for subjecting the complainant to a credit rating without a legal basis under Article 6(1)(f) and 5(1)(a) GDPR. The DPA also requires that the company implement internal controls of their credit rating process as per Article 24.

English Summary

Facts

The company Aquateknikk AS credit rated an individual and his business, despite having no customer relationship or any other affiliation with either. According to the complainant, the credit rating was conducted because he operates a competing business.

Aquateknikk stated that the credit rating of the complainant personally was a mistake, as the intended target of the credit rating was the complainant's business. However, the DPA found from their credit rating logs from Bisnode, the credit rating bureau, that Aquateknikk had credit rated the complainant's company first and then the complainant personally, "indicating that the action was intentional". The DPA commented that they don't believe Aquateknikk's explanation and noted that the credit rating seems to have been conducted due to "nosiness".

Dispute

Did Aquateknikk have legal grounds for processing the personal data of the complainant for a credit rating, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit ratings in their business?

Holding

No, Aquateknikk did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f). For this offense, the company was fined NOK 100,000.

They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and submit a written confirmation and actual documentation of the internal controls, to the DPA.

Comment

The company was initially notified of a NOK 300,000 fine. Due to the COVID-19 pandemic, however, the company argued that their financial situation had worsened and such a major fine would be very detrimental and, possibly, lead to bankruptcy. After reviewing the preliminary 2020 financial results of the company, the DPA reduced the fine to NOK 100,000, stating that this would be sufficiently "effective, proportionate and dissuasive" as per Article 83(1).

In addition to a breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was weighted when concluding on the size of the fine.

It's also worth noting that the lawyer representing Aquateknikk argued that Article 6(1)(e), "processing is necessary for the performance of a task carried out in the public interest", could be a valid legal basis for processing personal data in credit ratings, however this was firmly rejected by the DPA, stating that the company doesn't have a "public interest", nor an additional legal basis as required by this legal grounds (letter e).

While it was not done in this particular case, Norwegian implementation of the GDPR also allows for fining controllers based on breaches of Article 24, unlike the GDPR cf. personopplysningsloven § 26. Personopplysningsloven § 26 refers to Article 83(4).

Further Resources

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-gebyr-aquateknikk/

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/aquateknikk-as-far-gebyr/

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Page 1
AQUATEKNIKK AS
Tjemslandshagen 26
4360 VARHAUG
Offl. § 13 cf. Popplyl. § 24 (1) 2.
pkt.
Their reference
Our reference
Date
20 / 02225-6
Decision on order and infringement fee - Credit assessment without legal action
basis - Aquateknikk AS
1 Introduction
We refer to our notice of decision of 3 June 2020. We received Aquateknikk AS ("Aquateknikk") his comments on the notice on 1 September 2020 from lawyer in main organization Virke. Our comments on the comments follow below.
2. Decision on order
The Data Inspectorate adopts the following order:
Pursuant to Article 58 (2) (i) of the Privacy Ordinance, the following is imposed
Aquateknikk AS, org. No. 919 766 751, to pay an infringement fee to the Treasury
NOK 100,000 for having obtained credit information without a legal basis, cf.
Article 6 (1) (f) of the Privacy Regulation.
2. Pursuant to the Privacy Ordinance art. 58 no. 2 letter d is imposed on Aquateknikk
AS to improve its internal control over credit assessment, cf. the Privacy Ordinance
Article 24, as this is deficient.
Our legal basis for issuing orders is Article 58 (2) of the Privacy Ordinance.
The background and reasons for the decision follow below.
The deadline for implementing the orders is stated in section 8 of the decision.
Postal address:
Office address:
Telephone:
Fax:
Company No:
Website:
PO Box 458 Sentrum Tollbugt 3
22 39 69 00
22 42 23 50
974 761 467
www.datatilsynet.no
0105 OSLO
01/04/21
Page 2
3. Details of the facts of the case
In your reply of 1 September, you admit to having credit-rated complaints illegal, and explain that this was
«An inconsiderate mistake that was made in connection with a completely ordinary
and legitimate credit check of the company where the person in question is both owner, chairman of the board and
CEO.". Furthermore, you explain the credit rating with the following:
«It probably quickly made me think that the financial conditions of such a key person for
the business is relevant in a business assessment of another player in the same industry ».
Furthermore, you have several comments on both the assessment of the imposition and the size of the notification
the violation fee of 300,000 kroner. You state, among other things, that the business has reduced
turnover as a result of the corona pandemic, and that an infringement charge of this magnitude will have
very negative consequences for companies and involves the risk of bankruptcy. You have attached a preliminary
annual accounts for 2019, and also points out that a fee of NOK 300,000 will amount to more than 2.5% of
the company's expected turnover in 2020. In addition, you have referred to practice from the Swedish and the
the Danish Data Protection Authority, as well as previous practice from the Privacy Board.
You have also made current remarks related to the Data Inspectorate's right to impose an infringement fee
for violations of the Privacy Regulation Articles 5 and 6.
Finally, you write:
«Aquateknikk AS takes this matter very seriously, and has implemented measures to avoid similar
violations should be able to happen again. The notified fee in combination with the COVID-19 pandemic
nevertheless involves great uncertainty regarding the company's opportunities to survive in it
immediate future. The individual preventive considerations that can normally justify a punitive response
is thus absent in this case. As mentioned above, in our opinion it exists rather
no general preventive considerations that indicate such a severe reaction ».
4. Legal basis for obtaining credit information
Obtaining credit information on individuals and sole proprietorships ("the registered")
constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and
the Personal Data Act § 1.
Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a
legal basis.
When a company must obtain credit information about the registered person without it being available
consent, or the credit rating is strictly necessary to carry out an agreement with it
registered, Article 6 (1) (f) is the most relevant legal basis.
Article 6 (1) (f) requires that the collection of credit information is "necessary" to:
safeguard a "legitimate interest" which, after a balance of interests, outweighs consideration
2
Page 3
individual privacy.
The legitimate interest must be legal, clearly defined in advance, real and objectively justified
in business. Which interests meet this depends on an assessment there, among other things
what benefits the company achieves with the treatment, how important the interest is for the company,
or whether the treatment has a public interest or safeguards non-profit interests
which benefit more are relevant moments.
Furthermore, the treatment in question must be "necessary" for purposes related to the beneficiary
interests. That is, the business must consider whether it can achieve the purpose in a way that
better safeguards privacy. One must therefore choose the treatment that is least invasive.
Then the business must make a balance of interests to decide whether the individual
Privacy outweighs the business' legitimate interest. What type of information
it is relevant to process, for example whether obtaining the relevant information can
perceived as offensive, and what expectations the individual has for the treatment of
the personal data, are relevant factors in the balancing of interests.
The now repealed Personal Data Regulations § 4-31 contained an additional condition that
Credit information could only be obtained unless the business had a "factual need" for it
credit information.
Section 4-3 of the regulations is continued in accordance with the regulations on transitional rules on the processing of
personal data § 42.
However, the Privacy Ordinance does not provide national room for maneuver for special regulation of the collection of
credit information. We therefore believe that the requirement for "factual need" does not constitute an additional condition to the article
6 No. 1 letter f.
However, the assessment of whether the business has a "factual need" pursuant to section 4-3 of the regulations is close
connection with the assessment pursuant to Article 6, paragraph 1, letter f. We therefore believe that earlier
administrative practice regarding the requirement of objective need is still relevant when assessing Article 6 (1)
letter f.
5. On the duty of internal control
According to Article 24 of the Privacy Ordinance, all companies are obliged to be able to demonstrate that they process
personal data in accordance with the law. If it stands in a reasonable relation to
the treatment activities, the company shall implement appropriate guidelines for the protection of
personal information.
Credit assessment is an intrusive processing of personal data and constitutes a significant violation
of individual privacy. Companies must therefore be able to document their internal routines or
processes (internal control), which meets the requirement for a legal basis for credit assessment.
1 Personal Data Regulations of 15 December 2000 no. 1265.
2 Transitional rules on the processing of personal data of 15 June 2018 no. 877.
3
Page 4
The routines must describe when and how credit information is to be obtained and how access is to be provided.
and shall ensure that credit assessments are not obtained without the requirement of a legal basis being met. Further
the company must have routines for non-conformance handling.
6. The Data Inspectorate's assessment
6.1. The duty to have written routines for the processing of personal data ("internal control")
Aquateknikk did not have internal control when the credit assessment took place, but has prepared a routine 18.
October 2019 and sent this to the Danish Data Protection Agency. In our notice, we assessed that the submitted routine was
deficient. The routine does not contain a description of the requirement for a legal basis
Article 6 of the Privacy Regulation. It also does not specify who can obtain it
credit information on, in addition to the fact that only "new customers and existing customers" are to be credit assessed and
that this should never be private individuals.
You have not submitted new routines in your comments for notification of decisions.
A written routine, or internal control, pursuant to Article 24 (2) of the Privacy Regulation shall be a
work tools for management and employees in a company to ensure and document compliance with
the Privacy Regulation.
In order for the routine for obtaining credit assessments to fulfill this, the company must make it visible
the requirements of the Privacy Ordinance for the processing of personal data, including the relevant information
legal basis for credit assessments of sole proprietorships and natural persons. Internal control
should also provide examples of when credit rating will be legal in the business to ensure and demonstrate that
their processing of credit information takes place in accordance with the Privacy Ordinance, cf. Article 24 no.
1 and 2.
Improvement of the routines may have a preventive effect against unlawful implementation
credit ratings.
The Norwegian Data Protection Authority has the competence to order the data controller to ensure that
the processing activities take place in accordance with the provisions of the Privacy Ordinance, cf.
Article 58 (2) (d) of the Privacy Regulation.
This is the background for the order to prepare routines for credit assessment. Aquateknikk must prepare
a written routine that ensures that credit assessments of sole proprietorships and natural persons only take place
when the requirements of the Privacy Ordinance are met.
We also refer to our assessment of the submitted routine in section 5.1 of the notification of decision.
You will find information and guidance on the legal bases on our websites
https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/behandlingsgrunnlag/.
4
Page 5
6.2. Legal basis for obtaining credit information
6.2.1. Choice of legal basis
In your comments on the notification of decisions, you argue that Article 6 (1) of the Privacy Regulation
letter e "necessary to perform a task in the public interest" may be a relevant legal
basis for obtaining credit information. Furthermore, you write that «The Data Inspectorate has not opened for
this in the notice, but instead stated that the balancing of interests pursuant to Article 6 f) is the only relevant one
legal basis, without further justification. ».
In order for a data controller to be able to use letter e as a basis for processing, it is required
the Privacy Ordinance that there is a supplementary national legal basis that regulates the task
the data controller performs in the public interest.
In the preparatory work for a new Credit Information Act3 , the Ministry assumes that
credit information companies perform a task in the public interest, and that
The Credit Information Act will constitute a supplementary national legal basis, cf. the Privacy Ordinance
Article 6 (1) (e) and Article 6 (3).4
Our assessment is that Aquateknikk neither performs a task in the public interest, nor has one
supplementary national legal basis that can authorize the contested credit assessment in the case.
In our case, Aquateknikk has not obtained consent from complainants, nor was the credit rating
necessary for the implementation of an agreement on complaints, cf. Article 6 (1) (b). Article 6 (1)
letter f «balancing of interests» is therefore the relevant legal basis for the credit assessment in the case.
6.2.2. Assessment of the Privacy Regulation, Article 6, paragraph 1, letter f - «balancing of interests»
The question is whether Aquateknikk had a legal basis in the Privacy Ordinance Article 6 No. 1
letter f for obtaining the complainant's credit information.
The first condition that must be met for the processing of the complainant's credit information to be
it is legal that Aquateknikk had a "legitimate interest" in obtaining the information.
The requirement of "legitimate interest" is to a large extent a continuation of the same requirement in the previous one
the Personal Data Act of 2000 § 8 first paragraph, letter f.
Proposition 47 of the Privacy Ordinance states that in assessing whether an interest is justified,
among other things, the data subject's expectations based on the relationship between it shall be taken into account
data controller and the data subject. Emphasis should also be placed on whether it is on
the time of collection was foreseeable for the data subjects that the information would be processed for it
current purpose.
3 LOV-2019-12-20-109.
4 Prop.139 L (2018-2019) point 3.3.1.
5
Page 6
In the statement and comments to the notice, you acknowledge that you have personally assessed credit complaints at a
error, and that the intention was to credit rating his corporation.
Aquateknikk has obtained credit information about an individual without any kind of customer relationship,
supplier relationship or other connection to their business. Complaints drive a competitor
business, and had no expectation that Aquateknikk would treat his personal
credit information, nor was it foreseeable for him that the company would collect this.
In our opinion, Aquateknikk did not have a legitimate interest in obtaining complaints
credit information.
We do not consider it appropriate to assess the requirement of "necessity", as our assessment is that
the business did not have a legitimate interest in carrying out the credit assessment.
We will nevertheless say something brief about the third condition in Article 6, paragraph 1, letter f. This is the specific one
the balance of interests between the company's interest in processing personal data and it
data subjects' privacy interests.
Credit information is a type of personal information that is particularly worthy of protection. One
Credit rating is the result of compiling personal information from many different sources, and shows
a number that indicates the probability that a person will pay a claim. A credit rating will too
show details about individuals' personal finances, including any payment remarks, volunteers
mortgages and debt ratio. This is private information that individuals have an expectation of
not obtained by companies unless it is objectively justified in their relationship with them.
Private individuals should therefore enjoy special protection against obtaining credit information.
Consideration of the complainant's right to privacy weighs heavily in the processing of this type of personal data,
and significantly heavier than the company's need to obtain credit information about an individual
without any connection to their business.
The conclusion is after this that Aquateknikk had no legal basis under Article 6, paragraph 1, letter f
to obtain the complainant's credit information.
7. Infringement fee
7.1. General information about infringement fines
Infringement fees are a tool to ensure effective compliance and enforcement of
the personal data regulations. We believe it is necessary to react to the violation, cf.
Article 83 of the Privacy Regulation.
In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that the infringement fee is
to be regarded as a punishment under Article 6 of the European Convention on Human Rights
clear overriding probability of offenses in order to impose a fee. The case and the question of to
impose infringement fines is assessed on the basis of this evidentiary requirement.
6
Page 7
In this connection, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. With a
administrative sanction means a negative reaction that can be imposed by an administrative body, which corrects
against a committed violation of law, regulation or individual decision, and which is considered a punishment
under the European Convention on Human Rights (ECHR).
For companies, the guilt assessment is unique. Section 46, first paragraph, of the Public Administration Act states:
When it is stipulated in law that an administrative sanction may be imposed on an enterprise,
the sanction is imposed even if no individual has shown guilt.
In Prop. 62 L (2015-2016) page 199 it is stated about § 46:
The wording that 'no individual has shown guilt' is taken from the section on
corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore
as a starting point objectively.
Aquateknikk has made a number of comments on the Data Inspectorate's right to impose
infringement fine for breach of the Privacy Regulation Article 5 (2) and (6) (f). In addition
have you submitted comments on the assessment of whether an infringement fee should be imposed, as well
the assessment of the size of the fee.
Their comments do not change our assessment that an infringement fee should be imposed, but are significant
for the measurement of the fee size. We will comment on the comments below.
7.2. The Data Inspectorate's right to impose infringement fines for breaches of the Privacy Ordinance
Articles 5 and 6
In the notes to the notified infringement fee, write the following:
«On the basis of Article 6 of the ECHR, in our opinion, it will hardly be permissible to use
the provisions alone as a basis for imposing penalties, as the Data Inspectorate proposes in the notification.
As far as we can see, the Data Inspectorate has not formulated a clear rule of action for imposing a fee
our case, neither as regards a breach of the principle of liability in Article 5 nor
the principle of legality in Article 6. Nor is there a distinction between these two acts in themselves
sentencing. "
The Personal Data Act of 2018 is intended to continue the Data Inspectorate's competence to impose
infringement fee for violation of the Personal Data Act of 2000. After the old
According to the Personal Data Act, data controllers could be fined for violating section 2 of the Act.
8 letter f, see section 46 of the Act. Section 8 letter f largely corresponds to Article 6 no. 1 of the Privacy Ordinance
letter f, which also regulates "balancing of interests" as a legal basis for processing
personal information.
7
Page 8
In the preparatory work for the Personal Data Act of 2018, the Ministry has clearly stated that
it shall be possible to impose infringement fines on infringers of Articles 5 and 6, as well as those
other articles listed in Article 83.5
The Privacy Board has also in recent practice confirmed that the person responsible for processing can be assigned
infringement fine for violation of the Privacy Regulation Article 6 No. 1 letter f.6
On the basis of this, we find it clear that Aquateknikk can be fined for violating
Article 5 (2) and Article 6 of the Privacy Regulation.
7.3. Assessment of whether an infringement fee is to be imposed
When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account
the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Norwegian Data Protection Authority may impose
infringement fee after a discretionary overall assessment, but the listed factors add up
guidelines on the exercise of discretion by highlighting aspects that are to be given special weight.
(a) the nature, gravity and duration of the infringement, taking into account it;
the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and
the extent of the damage they have suffered
The principle of legality in the Privacy Ordinance Article 5 No. 1 and the requirement for a basis for processing in
Article 6 is one of the basic requirements that must be met when an enterprise processes
personal information.
Credit information is a type of personal information that is particularly worthy of protection, and which
Private individuals have an expectation that is not obtained by companies unless it is factual
justified in their relationship to them. The violation is therefore serious, and indicates that it is imposed
infringement fine.
Complainants have never had cooperation or other forms of agreements with Aquateknikk, but operate on the other hand
a competing business. The collection of credit information is characterized by curiosity,
as the company has obtained credit information first about the complainant's company, and then to
Conduct a credit rating of him personally at five minute intervals.
b) whether the infringement was committed intentionally or negligently
Aquateknikk acknowledges in its statement on 30 September 2019 that it was
, responsible for
, which performed the credit assessment of complaints. Furthermore, Aquateknikk writes that
had received instructions from the general manager that the complainant's company
was a company they were considering ordering
goods from and that it should therefore be credit assessed as a potential supplier.
It is unclear whether the instruction was to credit assess complaints in person or whether the instruction was to
credit rating company, but that complaints were checked personally by a misunderstanding. Regardless of whether
5 Prop. 56.L (2017-2018) point 20.3.1.
6 PVN-2019-09.
8
Page 9
the instruction went on the complainant's business or him person we emphasize that
is the business
primarily responsible for
. He should therefore check if the business had legal
basis for credit assessment of the owner of a limited liability company personally, since it was the limited liability company
Aquateknikk considered buying goods from. Instead, Bisnode's consumption log shows that
first rated
the corporation and then complain in person. This indicates that the action has been deliberate.
Regardless of whether the instruction from the general manager was based on a credit assessment of complaints in person or whether
this happened in the event of a misunderstanding, we assume that the company has shown negligence in obtaining
of credit information about complaints in person. This pulls in an aggravating direction.
c) any measures taken by the data controller or data processor to limit the damage
which the data subjects have suffered
It appears from the complainants' correspondence with Aquateknikk that, when asked by the complainants, they stated that
they had accidentally credit-rated him instead of his company and claim to have "interrupted" the search for
his credit information when they became aware of this error. Furthermore, the company informs by e-mail to
complains that they have deleted the credit information they obtained about him.
We do not trust the company's explanation that they "interrupted the search" as stated in Bisnodes
log that Aquateknikk has first credit-assessed the complainant's business and then the complainant personally.
(d) the degree of responsibility of the controller or processor, taking into account those
technical and organizational measures they have implemented in accordance with Articles 25 and 32
We emphasize that the violations were committed by
in the business,
as the Privacy Ordinance presupposes that compliance with the regulations is particularly anchored in
the management of an enterprise, cf. Article 5 (2).
We also emphasize that the credit assessment according to Aquateknikk's report was carried out in
compliance with the company's practice of credit rating all potential customers and suppliers. Further
we emphasize that Aquateknikk had a lack of awareness of the regulations, as well as neither technical
or organizational measures in the form of routines to ensure that the company's employees know the regulations for
obtaining credit information.
e) any previous violations committed by the data controller or data processor
The Norwegian Data Protection Authority does not know whether there have been previous violations.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible
negative effects of it,
The company apologizes for the incident and has shown a willingness to contribute to the information of the case and to learn from it
the event by creating routines for credit ratings. These are moments that pull in mitigating
direction.
9
Page 10
On the other hand, through the documentation from Bisnode, we have become aware that the company does not
has stated that a credit assessment was first made of the complainant's company, and then the complainant personally.
This pulls in an aggravating direction.
g) the categories of personal data affected by the infringement
Special categories of personal data (sensitive personal data) are not affected by
the infringement in our case. However, information on salary, debt and creditworthiness is information such as
have a special need for protection due to their private nature.
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in which
the degree to which the controller or data processor has notified the infringement
We were notified of the breach of complaints. The company did not even report the infringement, and
did not disclose the collection of credit information about the complainant's company.
(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
data controller or data processor with respect to the same subject matter, that said measures
complied with
We do not know that measures have previously been taken against the company with regard to the same
case subject.
(j) compliance with approved standards of conduct in accordance with Article 40 or approved
certification mechanisms in accordance with Article 42
We do not find this aspect relevant.
k) and any other aggravating or mitigating factor in the case, e.g. economic benefits that are
achieved, or losses that have been avoided, directly or indirectly, as a result of the violation
Access to competing companies' finances can constitute such an advantage or aggravating factor as
letter k mentions. However, the Data Inspectorate does not find it documented in the case that Aquateknikk has achieved this
such an advantage in obtaining credit information about complaints.
Aquateknikk's remarks
Aquateknikk has made several comments on our assessment of whether an infringement fee should be imposed,
as well as the amount of the notified fee.
In our assessment of whether an infringement fine should be imposed, you state that the breach should
sanctioned with a milder form of reaction than a fee on the basis of the company's financial
situation. You justify this further with a reference to a number of cases from the Danish
the Data Protection Authority, which is sanctioned with "serious criticism", as well as a number of cases from the Swedish
the Data Protection Authority, which is sanctioned with lower infringement fees than in our case and with others
affected.
10
Page 11
Our assessment of the comments
The Data Inspectorate and the Privacy Board's practice is that obtaining credit information without legal action
basis is sanctioned with infringement fines.7
Credit information is a type of personal information that is particularly worthy of protection, and which
Private individuals have an expectation that is not obtained by companies unless it is factual
justified in their relationship to them. The violation is therefore serious, and indicates that it is imposed
infringement fine.
Complainants have never had cooperation or other forms of agreements with Aquateknikk, but operate on the other hand
a competing business.
In cases not covered by the cooperation mechanism in Article 56 of the Privacy Regulation, it states
the national supervisory authority is free to discretion on the imposition and measurement of
infringement fines within the framework of Article 58 (1) (f), cf. Article 83.
The decisions you refer to from the Swedish and Danish data protection authorities do not deal with
obtaining credit ratings, and has no relevant fact for the present case. We consider
therefore the cases to have limited relevance and transfer value for the Data Inspectorate's assessment of
infringement fine.
On the basis of this, we maintain our assessment that an infringement fee should be imposed.
We also refer to our justification for why an infringement fee should be imposed in section 6.1 of the notice, and
Clause 7.3 of the decision.
7.4. Assessment of the size of the fee
When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account
the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Norwegian Data Protection Authority may impose
infringement fee after a discretionary overall assessment, but the listed factors add up
guidelines on the exercise of discretion by highlighting aspects that are to be given special weight.
When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in
the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case in
section 6.1 of the notice, and the assessment of whether a fee should be imposed in section 7.3 of this decision.
Aquateknikk's remarks
You have written a list of the remarks you have to our assessment of whether the infringement fee should
imposed, and the measurement of the size of the fee:
- The violation applies to a single credit check of only one natural person.
- It was not of a lasting nature.
7 See bla. PVN-2019-15 and PVN-2017-02.
11
Page 12
- It happened in connection with a general and completely legitimate credit check of the company where it
the person in question is the owner, chairman of the board and general manager.
- It has not caused any financial loss to the person in question.
- It has not provided access to sensitive personal information.
- The violation has the character of being a personal, reckless miss in a system that does it
quick and easy for the user to credit check both businesses and individuals.
- Our client has not violated the privacy rules before.
- Our client has not obtained any financial benefits as a result of the violation.
- Our client is in danger of going bankrupt as a result of the COVID-19 pandemic and the announced
fee.
Our assessment of the comments
The violation fee must be effective, be in a reasonable proportion to the violation and work
deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in
each case. The fee should be set so high that it also has an effect beyond the specific case,
at the same time as the size of the fee must be in a reasonable proportion to the infringement and the business, cf.
Article 83 (1).
It follows from Article 83 (5) (a) that infringements of the fundamental principles of
treatment in the Privacy Regulation, including Articles 5, 6, 7 and 9, shall be sanctioned by higher
violation fee than other violations of the Privacy Ordinance.
Obtaining credit information about an individual or sole proprietorship without
basis for processing constitutes a violation of the basic principle of legality in
Article 5 (1) (a) of the Privacy Ordinance. This is personal data of a very private person
character, which the data subject has a high expectation of not obtaining unless it is factual
based on their relationship with a data controller. These are weighty moments that speak for one
fee of a certain size.
We place aggravating emphasis on the fact that the violation in our case was committed by a person responsible for
in the business, as the principle of liability in the Privacy Regulation Article 5 No. 2
presupposes a strong anchoring of the regulations in the treatment manager's management.
As we have explained in section 7.2 of the decision, the guilt claim for enterprises is objective, and it is therefore required
not that individuals in the business have acted intentionally or negligently for the Data Inspectorate to
be able to impose infringement fines.
Pursuant to Article 83 (2) (b) of the Privacy Regulation, the supervisory authority may nevertheless emphasize
whether the infringement was committed intentionally or negligently.
Aquateknikk acknowledges in its statement on 30 September 2019 that it was
, responsible for
, which performed the credit assessment of complaints. Furthermore, Aquateknikk writes that
had received instructions from the general manager that the complainant's company
was a company they were considering ordering
goods from and that it should therefore be credit assessed as a potential supplier.
12
Page 13
You write in your comments to the notice that the credit assessment of complaints personally took place as a result
of a misunderstanding between daily and responsible for
, and that it was all
«… An inconsiderate mistake that was made in connection with a completely ordinary
and legitimate credit check of the company where the person in question is both owner, chairman of the board and
CEO. In a hectic everyday life, it is probably easy to think that the financial
The relationship of such a key person to the business is relevant in a business
assessment of another player in the same industry. "
It is unclear whether the instruction from the general manager was to credit assess complaints in person or about the instruction
was to credit the company so that complaints were checked personally in case of a misunderstanding. Independent
whether the instruction went to the complainant's business or him as an individual, we emphasize that
is
the company's main responsible for
. He should therefore check on the business
had a legal basis for credit rating the owner of a corporation personally, as it were
the limited company Aquateknikk considered buying goods from. Instead, Bisnode's consumption log shows that
first assessed the corporation and then complain personally.
In accordance with the requirement of diligence, companies must familiarize themselves with which legislation applies
area, and organize the business in accordance with the framework that follows from the relevant regulations.
The principle of accountability in the Privacy Ordinance presupposes a strong anchoring of the regulations in
the company's management, and the same must apply to key people for procurement that relate to
purchases on credit. In view of this, the offense in our case must be described as negligent, and we emphasize
this in an aggravating direction in the calculation of the fee.
If the company's management had familiarized itself with the regulations and prepared better routines for
the business is our assessment that the risk of illegal collection of credit information could have been
reduced. We emphasize in an aggravating direction that the company's management has not been involved
place satisfactory organizational measures in the form of routines to comply with the regulations, cf.
Article 83 (2) (d) of the Privacy Regulation.
You write in your comments that the Data Inspectorate confuses credit checks of physical and legal
persons, and that we thereby emphasize matters that are outside our area of ​​authority in the assessment
of the gravity of the infringement. You justify this with the fact that we have emphasized that the business «regularly
credit checks companies in the form of 'customers', 'potential customers' and suppliers. ", and that we have emphasized
this in an aggravating direction. You further state that:
"Contrary to what one may get the impression of in the Data Inspectorate's notice, a credit check is a hero
legitimate and necessary tool to ensure an efficient and well-functioning business community. That our
client has not had written routines for credit checks of companies, and that such credit checks
may have been done to some extent, is not relevant in a case involving a credit check by one
natural person. "
According to Aquateknikk's consumption log at Bisnode, the company has credit-rated several natural persons
than limited companies in the period from December 2018 to January 2020. Our assessment is that this shows that
the business regularly processes credit information about natural persons and therefore should have established
routines that ensure that the credit assessments take place within the framework of the Privacy Ordinance.
13
Page 14
This is the background for our order to improve their internal control, as well as for us to emphasize
aggravating direction on the lack of written routines pursuant to Article 24 in the assessment of whether it should be imposed
infringement fee, and in the assessment of the amount of the fee, cf. the Privacy Ordinance Article 83 No. 2
letter d.
Furthermore, you refer to the Privacy Board's decision PVN-2019-15 as an argument that the fee in the
the present case should be dismissed. The case concerned an infringement fee of NOK 75,000
illegal collection of credit information and was processed in accordance with the Personal Data Act of 2000.
The Privacy Ordinance facilitates a higher level of fines than that which applied thereafter
the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that an infringement fee
shall be determined concretely so that in each individual case it is effective, is in a reasonable relation to
the violation and acts as a deterrent. The main purpose of the infringement fee is contraception, ie that
the risk of being charged a fee shall have a deterrent effect and thereby contribute to increased compliance with
the regulations.8
By Skullerud et al. (2019), page 347, it appears:
Contraceptive considerations dictate that the fee for a violation must be set so high that this is in fact
perceived as an evil by the offender. This means that the offender's financial capacity should
have significance in the measurement, so that the fee becomes higher the stronger the carrying capacity of the offender
hair. […] When assessing the financial viability of an enterprise, it may be relevant to look at
the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5.
And further:
The consideration of ensuring an individual assessment in each individual case dictates that the supervisory authorities
should avoid establishing standardized fee rates. This applies even if national law allows for it
standardized rates, cf. the Public Administration Act § 43.
The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business.
This case is a violation of the basic principles of treatment in
the Privacy Ordinance, which basically calls for a fee of a certain size. It warned
the amount of 300,000 kroner is measured to act as a deterrent and preventive for the illegal
the processing of credit information, looking at the latest available accounting figures about the business
from 2018.
The company's finances are relevant in the assessment of what will constitute a preventive and deterrent
infringement fine.
Aquateknikk has made several comments about the company's finances, especially related to it
ongoing social situation as a result of the corona pandemic. You write in the comments
their that the business has experienced a very negative economic growth, and has attached preliminary
8 «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019).
14
Page 15
accounting figures from 2020. The accounting figures show an estimated turnover for 2020 of approx. 12 million
NOK, and that the preliminary turnover as of 31.07.20 is approx. 8.4 million kroner.
Due to the challenging financial situation the business is in due to
The corona pandemic is our assessment that a lower fee could have the preventive and deterrent effect
the effect Article 83 presupposes.
After an overall assessment of the seriousness of the case and their comments about the company
financial situation, we have come to the conclusion that the final fee will be set at NOK 100,000. This constitutes
about. 1% of the company's estimated turnover in 2020, and is in our opinion sufficient
deterrent, effective, and proportionate to the unlawful treatment of
personal information that has occurred in the case.
For the other assessment of the size of the fee, we refer to the notification of decisions, sections 6.1 and 6.2, as well as
Clause 7.3 of the decision.
8. Right of appeal and further proceedings
You can appeal the decision. Any complaint must be sent to us within three weeks after this letter is
received (cf. the Public Administration Act §§ 28 and 29). If we uphold our decision, we will send the case
on to the Privacy Board for complaint handling.
If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after
the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act.
The deadline for implementing section 2 of the internal control order is 4 weeks after the expiry of the appeal deadline.
If you do not appeal the order point 2, you must send us one within this deadline
written confirmation, as well as documentation, that the order for internal control has been implemented.
9. Transparency and publicity
You have the right to access the case documents (cf. the Public Administration Act § 18). We will also inform you about
that all the documents are in principle public (cf. the Public Access to Information Act § 3.) If you think so
is a basis for exempting all or part of the document from public access, we ask you to justify
this.
The document is electronically approved and therefore has no handwritten signatures