Datatilsynet (Norway): Difference between revisions

From GDPRhub
No edit summary
(merged appeals sections, removed the second one)
 
(6 intermediate revisions by 2 users not shown)
Line 41: Line 41:
|}
|}


''Datatilsynet'' is the national Data Protection Authority for Norway, headquartered in Oslo. Datatilsynet is an independent body established in 1980, through the [https://app.uio.no/ub/ujur/oversatte-lover/data/lov-19780609-048-eng.pdf Act No. 48 of 9 June 1978 relating to personal data filing systems, etc.] § 2. Through information, dialogue, complaints handling and inspection, Datatilsynet oversees the GDPR in Norway and supervises that authorities, companies, organisations and individuals follow data protection legislation.  
''Datatilsynet'' is the national Data Protection Authority (DPA) for Norway, headquartered in Oslo. The DPA is an independent body established in 1980, through the [https://app.uio.no/ub/ujur/oversatte-lover/data/lov-19780609-048-eng.pdf Act No. 48 of 9 June 1978 relating to personal data filing systems, etc.] § 2. Through information, dialogue, complaints handling and inspection, Datatilsynet oversees the GDPR in Norway and supervises that authorities, companies, organisations and individuals follow data protection legislation.  


==Structure==
==Structure==
Datatilsynet is financed by the Norwegian government and administratively subordinate to the [https://www.regjeringen.no/en/dep/kdd/min/id509/ Ministry of Local Government and Regional Development].  
The DPA is financed by the Norwegian government and administratively subordinate to the [https://www.regjeringen.no/en/dep/kdd/min/id509/ Ministry of Local Government and Regional Development].  


Datatilsynet is organized in a legal department, a department for technology, analysis and security, a communications department and an administrative department. The legal department is further organized in different sections.
The DPA is organized in a legal department, a department for technology, analysis and security, a communications department and an administrative department. The legal department is further organized in different sections.


====Legal Department====
====Legal Department====


=====Department for the enforcement of rules, international cooperation and sanctions=====
=====Department for the enforcement of rules, international cooperation and sanctions=====
The department for the enforcement of rules, international cooperation and sanctions have the overarching responsibility for the legal development at Datatilsynet, as well as the international work, for instance with the EDPB.  
The department for the enforcement of rules, international cooperation and sanctions have the overarching responsibility for the legal development at the DPA, as well as the international work, for instance with the EDPB.  


The department have three different sections:
The department have three different sections:
Line 73: Line 73:


===Applicable Procedural Law===
===Applicable Procedural Law===
Datatilsynet is, like all other public bodies in Norway, bound by the [https://lovdata.no/dokument/NLE/lov/1967-02-10 Public Administration Act of 1967] (''Forvaltningsloven'') and the [https://lovdata.no/dokument/NLE/lov/2006-05-19-16?q=Freedom%20of%20Information%20Act Freedom of Information Act of 2009] (''Offentleglova'').  
The DPA is, like all other public bodies in Norway, bound by the [https://lovdata.no/dokument/NLE/lov/1967-02-10 Public Administration Act of 1967] (''Forvaltningsloven'') and the [https://lovdata.no/dokument/NLE/lov/2006-05-19-16?q=Freedom%20of%20Information%20Act Freedom of Information Act of 2009] (''Offentleglova''). As a main rule, all case documents are subject to public access in accordance with Section 3 of this Act.  


===Complaints Procedure under Art 77 GDPR===
===Complaints Procedure under Art 77 GDPR===
There are no formal requirements by law.   
There are no formal requirements by law.   


Datatilsynet informs on their website that complaints must be sent in written form to their postal address and that they're working to get a secure electronic complaint form in place (this is not yet in place as per August 2022). However, they will process complaints sent to their general email address (postkasse@datatilsynet.no).   
The DPA informs on their website that complaints must be sent in written form to their postal address and that they're working to get a secure electronic complaint form in place (this is not yet in place as per August 2022). However, they will process complaints sent to their general email address (postkasse@datatilsynet.no).   


To ensure "effective case processing", Datatilsynet encourages that the data subject first contacts the controller to try to resolve the case, as well as attaching any such correspondance and other documentation to the complaint. However, this is not a requirement.  
To ensure "effective case processing", the DPA encourages that the data subject first contacts the controller to try to resolve the case, as well as attaching any such correspondance and other documentation to the complaint. However, this is not a requirement.  


'''When submitting a complaint, the complainant should include:'''  
'''When submitting a complaint, the complainant should include:'''  
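Review bot: In the sentence added to Applicable Procedural Law, "Section 3 of this Act" has an unclear referent, because two Acts are named immediately before it. Name the Act explicitly, for example "Section 3 of the Freedom of Information Act".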
Line 91: Line 91:
The former practice of requiring complainants to fulfil certain obligations to file a complaint was ended, as there are no basis under GDPR to impose such additional requirements.  
The former practice of requiring complainants to fulfil certain obligations to file a complaint was ended, as there are no basis under GDPR to impose such additional requirements.  


Datatilsynet also has an electronic form for anonymous tips on their website.  
The DPA also has an electronic form for anonymous tips on their website.  


Read more on [https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/hvordan-kan-jeg-klage-til-datatilsynet/ datatilsynet.no]
Read more on [https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/hvordan-kan-jeg-klage-til-datatilsynet/ datatilsynet.no]


===''Ex Officio'' Procedures under Art 57 GDPR===
===''Ex Officio'' Procedures under Art 57 GDPR===
Datatilsynet can carry out their own investigations based on own findings, like cases they've been aware of through the media. They have done this on several occasions already.  
The DPA can carry out their own investigations based on own findings, like cases they've been aware of through the media. They have done this on several occasions already.  


===Appeals===
===Appeals===


======Administrative======
======Administrative======
The term “''Varsel om vedtak''” refers to the notice of a pending decision. The defendant has the opportunity to comment on and appeal the decision. If they appeal, and Datatilsynet upholds their decision, it is then submitted to the ''Personvernnemda'' (the Privacy Appeal Board), an independent body tasked to manage appeals.   
When the DPA has made a decision they will first send the recipient an '''advance notification''' (“''varsel om vedtak''”) as per the Norwegian Public Administration Act Section 16. The recipient gets three weeks to respond with their comments or remarks ("written representations"). If they raise any objections, the DPA will reassess the case and can, consequently, change parts of or their whole decision.   


Personvernnemda has the authority to overturn decisions issued by Datatilsynet. Personvernnemda's decisions are final under the administrative procedure, but can be appealed to the courts.
The DPA will then send the recipient the '''final decision''', who may now appeal the decision if they still object to the outcome. In that case, they have another three weeks to respond with a written complaint.   
 
Norwegian administrative law ([https://www.sdir.no/en/shipping/legislation/laws/procedure-in-cases-concerning-the-public-administration/ Section 28 Public Administration Act]) allows for what resembles an internal appeals procedure with the DPA itself. This provision most likely can be considered as one of the 'other administrative or non-judicial' remedies, which [[Article 78 GDPR|Article 78(2) GDPR]] refers to.   
 
If the DPA decides to uphold their decision, they will transfer the case to ''Personvernnemnda'' (the Privacy Appeals Board)'','' an independent body tasked to manage appeals established under the Norwegian Personal Data Act Section 22. Personvernnemda has the authority to overturn decisions issued by the DPA, in part or in full. Their decisions are final under the administrative procedure, but can be appealed to the courts.  
 
Decisions can, however, be appealed to the national courts, starting in the first instance, ''tingretten''. 


======Court======
======Court======
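Review bot: The new Administrative text states the court route twice. The paragraph on the Privacy Appeals Board already ends with "but can be appealed to the courts", and the added sentence after it ("Decisions can, however, be appealed to the national courts ...") repeats the point just before the Court subsection. Suggest dropping the standalone sentence or moving the mention of ''tingretten'' into the Court subsection. The board's name is also spelled both "Personvernnemnda" and "Personvernnemda" within the same paragraph; use one spelling throughout.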
Line 110: Line 116:
==Practical Information==
==Practical Information==
===Known problems===
===Known problems===
Case processing can extend over months and even years due to too few resources. Datatilsynet has been reprimanded several times because of this by the Privacy Appeals Board.
Case processing can extend over months and even years due to too few resources. The DPA has been criticized several times because of this by the Privacy Appeals Board.


===Filing an appeal===
==Statistics==
Decision can be appealed, in which case Datatilsynet will review the case. If they uphold their decision, it is then submitted to Personvernnemda (the Privacy Appeal Board). They have the authority to overturn decisions and these are final under the administrative procedure.  
===Funding===
The DPA is financed by the Norwegian government and gets their budget allocation every December from the Ministry of Local Government and Regional Development. The funding for 2022 is NOK 69 830 000, approx. €7,234,039.


Decisions can, however, be appealed to the national courts, starting in the first instance, ''tingretten''.
Historical numbers ([https://www.datatilsynet.no/om-datatilsynet/arsmeldinger/arsrapport-for-2021/ Datatilsynet's annual report 2021]):


==Statistics==
* 2021: NOK 67 845 000
===Funding===
* 2020: NOK 66 703 000
Datatilsynet is financed by the Norwegian government and their budget for 2020 is NOK 66 478 000 (approx. EUR 6 200 000).
* 2019: NOK 57 672 000
* 2018: NOK 54 411 000
 
===Personell===
The DPA had 72 employees as per 31 December 2021, with 56 full-time, 6 temporary project positions related to the regulatory sandbox and 10 students on 25% engagement working on the DPA's guidance service over the phone. About 58% are women and 42% men.
 
Historical numbers ([https://www.datatilsynet.no/om-datatilsynet/arsmeldinger/arsrapport-for-2021/ Datatilsynet's annual report 2021]):


===Personal===
* 2021: 72 (64 FTEs)
Datatilsynet has about 55 staff members in 2020 with approx. 60% women and 40% men.
* 2020: 65 (60 FTEs)
* 2019: 45
* 2018: 41


===Caseload===
===Caseload===
From Datatilsynet's annual report 2019; number of:
The caseload has increased significantly since the GDPR came into effect. The DPA informs that cases take at least 3-6 months, often significantly longer. The Privacy Appeals Board has criticized the DPA for this several times and they have even [[Personvernnemnda (Norway) - 2021-09 & PVN-2021-15 (20/01790)|reduced administrative fines]] as a result.


* Complaints: 1,916
Historical numbers ([https://www.datatilsynet.no/om-datatilsynet/arsmeldinger/arsrapport-for-2021/ Datatilsynet's annual report 2021]):
* Complaints where children were involved: 11%
{| class="wikitable"
* Decisions: 285
|+
* Complaints on decisions: 23
!
* Administrative fines: 10
!2018
* Cases sent to the Privacy Appeal Board: 16
!2019
* New cases: 3,118
!2020
* Recorded documents: 5,096 incoming and 3,531 outgoing
!2021
* Requests for access (to Datatilsynet's cases/documents): 3,437
|-
* Documents given access to where content has been redacted: 409
|Caseload
* Documents denied access to: 256
|2654
* Inquiries to the helpline (phone): 7,186, of which 3% are from DPO's, 49% from businesses and 48% from private individuals
|3118
* Media coverage: 4,233 news pieces
|3271
|3474
|-
|Reported data breaches
|1 275
|1 893
|2 008
|2 255
|-
|Decisions
|246
|285
|252
|306
|-
|Complaints on decisions
|28
|23
|38
|43
|-
|Reversed decisions
|
|
|
|6
|-
|Cases sent to the Privacy Appeal Board
|17
|16
|22
|26
|-
|Sanctions
|14
|10
|13
|26
|}


===Decisions and fines===
===Decisions and fines===
Central decisions from 2015 [https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/ are available on this page]. Decisions from the past couple of years [[:Category:Datatilsynet (Norway)|are summarized on the GDPRhub here]].
Central decisions from 2015 (ongoing) [https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/ are available on this page]. Decisions made as per the GDPR [[:Category:Datatilsynet (Norway)|are summarized on the GDPRhub here]].


===Annual Reports===
===Annual Reports===
Datatilsynet's annual reports from 2009 [https://www.datatilsynet.no/om-datatilsynet/arsmeldinger/ are available on this page].
The DPA's annual reports from 2009 (ongoing) [https://www.datatilsynet.no/om-datatilsynet/arsmeldinger/ are available on this page].


==References==
==References==
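Review bot: The new heading "Personell" is misspelled and should read "Personnel". In the same hunk, the table row "Cases sent to the Privacy Appeal Board" names the body differently from "Privacy Appeals Board" in the Known problems and Caseload text, and the table mixes number formats ("2654" next to "1 275"); align both with the rest of the page.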

Latest revision as of 06:40, 26 March 2023

Datatilsynet
Name: Datatilsynet
Abbreviation: Datatilsynet
Jurisdiction: Norway
Head: Line Coll
Deputy: n/a
Address: Tollbugata 3, 0152 Oslo, NORWAY

Webpage: datatilsynet.no
Email: postkasse@datatilsynet.no
Phone: +47 22 39 69 00
Twitter: @datatilsynet
Procedural Law: Public Administration Act (Forvaltningsloven) (in EN), Freedom of Information Act (Offentleglova) (in EN)
Decision Database: Important decisions (in NO)
Translated Decisions: Category:Datatilsynet (Norway)
Head Count: Approx. 72
Budget: NOK 66 845 000 (€6,924,808) (2021)[1]

Datatilsynet is the national Data Protection Authority (DPA) for Norway, headquartered in Oslo. The DPA is an independent body established in 1980, through the Act No. 48 of 9 June 1978 relating to personal data filing systems, etc. § 2. Through information, dialogue, complaints handling and inspection, Datatilsynet oversees the GDPR in Norway and supervises that authorities, companies, organisations and individuals follow data protection legislation.

Structure

The DPA is financed by the Norwegian government and administratively subordinate to the Ministry of Local Government and Regional Development.

The DPA is organized in a legal department, a department for technology, analysis and security, a communications department and an administrative department. The legal department is further organized in different sections.

Legal Department

Department for the enforcement of rules, international cooperation and sanctions

The department for the enforcement of rules, international cooperation and sanctions has the overarching responsibility for the legal development at the DPA, as well as the international work, for instance with the EDPB.

The department has three different sections:

Section for public services

The section for public services has the main responsibility for the police and justice sector, immigration administration, the health sector, public administration and the school and kindergarten sector.

Section for private services

The section for private services has the main responsibility for the banking and financing sector, privacy in the workplace, violations on the internet, camera surveillance, audio recordings and the like.

International Section

The international section has the main responsibility for the transfer of personal data to third countries and international cooperation.

Department for technology, analysis and security

The department for technology, analysis and security has the overarching responsibility for digitalisation, carrying out supervisory tasks and the methodology in relation to this, security of processing, technical analysis, as well as strategic work. The department consists of a staff of security and technical experts, as well as a section for analysis, research and politics.

Applicable Material Law in Norway

When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the Personal Data Act. The Personal Data Act is divided into nine chapters with 34 paragraphs, followed by the GDPR full text.

Procedural Information

Applicable Procedural Law

The DPA is, like all other public bodies in Norway, bound by the Public Administration Act of 1967 (Forvaltningsloven) and the Freedom of Information Act of 2009 (Offentleglova). As a main rule, all case documents are subject to public access in accordance with Section 3 of the Freedom of Information Act.

Complaints Procedure under Art 77 GDPR

There are no formal requirements by law.

The DPA states on its website that complaints must be sent in written form to its postal address and that it is working to get a secure electronic complaint form in place (this is not yet in place as of August 2022). However, it will process complaints sent to its general email address (postkasse@datatilsynet.no).

To ensure "effective case processing", the DPA encourages the data subject to first contact the controller to try to resolve the case, and to attach any such correspondence and other documentation to the complaint. However, this is not a requirement.

When submitting a complaint, the complainant should include:

  • The name of the controller
  • A description of what the complaint is about
  • Their contact information (name, phone number and postal address only)
  • Copies of any correspondence with the controller

The former practice of requiring complainants to fulfil certain obligations to file a complaint was ended, as there is no basis under GDPR to impose such additional requirements.

The DPA also has an electronic form for anonymous tips on their website.

Read more on datatilsynet.no

Ex Officio Procedures under Art 57 GDPR

The DPA can carry out its own investigations based on its own findings, such as cases it has become aware of through the media. It has done this on several occasions already.

Appeals

Administrative

When the DPA has made a decision, it will first send the recipient an advance notification (“varsel om vedtak”) as per the Norwegian Public Administration Act Section 16. The recipient gets three weeks to respond with their comments or remarks ("written representations"). If they raise any objections, the DPA will reassess the case and can, consequently, change the decision in part or in full.

The DPA will then send the final decision to the recipient, who may now appeal it if they still object to the outcome. In that case, they have another three weeks to respond with a written complaint.

Norwegian administrative law (Section 28 Public Administration Act) allows for what resembles an internal appeals procedure with the DPA itself. This provision most likely can be considered as one of the 'other administrative or non-judicial' remedies, which Article 78(2) GDPR refers to.

If the DPA decides to uphold its decision, it will transfer the case to Personvernnemnda (the Privacy Appeals Board), an independent body tasked to manage appeals, established under the Norwegian Personal Data Act Section 22. Personvernnemnda has the authority to overturn decisions issued by the DPA, in part or in full. Its decisions are final under the administrative procedure, but can be appealed to the courts.

Decisions can, however, be appealed to the national courts, starting in the first instance, tingretten.

Court

Decisions can also be appealed to the courts, starting in the first instance, tingretten.

Practical Information

Known problems

Case processing can extend over months and even years due to too few resources. The DPA has been criticized several times because of this by the Privacy Appeals Board.

Statistics

Funding

The DPA is financed by the Norwegian government and receives its budget allocation every December from the Ministry of Local Government and Regional Development. The funding for 2022 is NOK 69 830 000, approx. €7,234,039.

Historical numbers (Datatilsynet's annual report 2021):

  • 2021: NOK 67 845 000
  • 2020: NOK 66 703 000
  • 2019: NOK 57 672 000
  • 2018: NOK 54 411 000

Personnel

The DPA had 72 employees as of 31 December 2021: 56 full-time, 6 in temporary project positions related to the regulatory sandbox and 10 students on 25% engagement working on the DPA's guidance service over the phone. About 58% are women and 42% men.

Historical numbers (Datatilsynet's annual report 2021):

  • 2021: 72 (64 FTEs)
  • 2020: 65 (60 FTEs)
  • 2019: 45
  • 2018: 41

Caseload

The caseload has increased significantly since the GDPR came into effect. The DPA states that cases take at least 3-6 months, often significantly longer. The Privacy Appeals Board has criticized the DPA for this several times and has even reduced administrative fines as a result.

Historical numbers (Datatilsynet's annual report 2021):

                                          2018     2019     2020     2021
Caseload                                  2654     3118     3271     3474
Reported data breaches                    1 275    1 893    2 008    2 255
Decisions                                 246      285      252      306
Complaints on decisions                   28       23       38       43
Reversed decisions                                                   6
Cases sent to the Privacy Appeal Board    17       16       22       26
Sanctions                                 14       10       13       26

Decisions and fines

Central decisions from 2015 (ongoing) are available on this page. Decisions made as per the GDPR are summarized on the GDPRhub here.

Annual Reports

The DPA's annual reports from 2009 (ongoing) are available on this page.

References
