Datatilsynet (Norway) - 23/03206: Difference between revisions
Latest revision as of 13:58, 17 September 2024
Datatilsynet - 23/03206 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1)(f) GDPR; Article 14 GDPR; Offentleglova |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 30.08.2024 |
Published: | 11.09.2024 |
Fine: | n/a |
Parties: | Stavanger Arbeiderparti |
National Case Number/Name: | 23/03206 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | fb |
The DPA issued a reprimand to a political party after it sent political advertisements to data subjects via emails. Even though the email addresses were obtained lawfully through a freedom of information request, the DPA found that the processing had no legal basis.
English Summary
Facts
On 20 August 2023, several parents of children in kindergartens received an email from the majority parties of a municipality.
After receiving this email, several data subjects filed a complaint with the DPA.
The investigation opened by the DPA showed that the email addresses were disclosed to the controller by the municipality pursuant to the Norwegian Act relating to the right of access to documents in public administration (Offentleglova).
The controller firstly argued that it processed this data for political advertising purposes in accordance with Article 6(1)(e) GDPR. Since this legal basis was not accepted by the DPA, the controller then argued it could rely on Article 6(1)(f) GDPR.
Finally, the controller noted that it had used a processor to send the emails.
Holding
First of all, the DPA believed that the municipality rightfully disclosed the addresses, since the Freedom of Information Act provides for an appropriate legal basis for this processing.
Secondly, the DPA investigated who was the controller in the case at hand. Since the Stavanger Labour Party stated that it processed data also on behalf of the other majority parties, the DPA assumed that this entity was the controller.
Thirdly, the DPA analysed the legal basis. The DPA pointed out that the controller had failed to provide documentation showing whether a legitimate interest assessment had been carried out.
However, the DPA further noted that it is clear that this processing had some negative consequences on data subjects, since the DPA received several complaints. According to the DPA, this shows that this processing operation was not foreseeable for data subjects.
Furthermore, the DPA pointed out that, even though the data was lawfully disclosed by the municipality, it was then used for a purpose outside the scope of the Freedom of Information Act.
In any case, the DPA found that this processing lacked a legal basis, since the controller failed to demonstrate its assessment.
Fourthly, the DPA recalled that the controller used a processor to send the emails and shared the data subjects’ email addresses with it. The DPA noted that no specific data processing agreement was entered into with the processor. However, the controller argued that it had accepted the Terms of Service while creating the account. The DPA accepted this argument since Article 28(3) GDPR does not impose any formal requirements.
Fifthly, the DPA found a violation of Article 14 GDPR since the controller failed to provide data subjects with the information required by that article. The controller explicitly admitted this failure.
Sixthly, the DPA investigated the data retention period. The DPA found that the email addresses were deleted manually soon after the sending of the email and therefore found no violation on this point.
On these grounds, the DPA issued a reprimand to the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Sissel Beate Fuglestad
Your reference:
Our reference: 23/03206-24
Date: 30.08.2024
Decision on reprimand - sending of political advertising by e-mail
In August 2023, the Norwegian Data Protection Authority received several complaints from private individuals who had received an e-mail from the majority parties in Stavanger (Arbeiderpartiet, People's Party - FNB, Green Party De Green, Red, Center Party and SV). We decided to carry out investigations into the legality of the treatments that were the subject of the complaints.
We sent, on the basis of the Personal Data Protection Regulation article 58 no. 1, letter a, a demand for statement to the Stavanger Labor Party on 8 September 2023. We received a reply on 28 September 2023. The Norwegian Data Protection Authority sent a request for further explanation on 1 November 2023, which was answered on November 7, 2023.
In a letter of 22 July 2024, the Norwegian Data Protection Authority notified a decision on reprimand, cf. the personal protection regulation article 58 no. 2, letter b. In their reply of 23 August 2024, you have taken note of our notice, and we will make a final decision in line with the notice.
1. Background of the case
The e-mail in question was sent on 20 August 2023 in connection with the municipal elections and the recipients were parents of children in kindergartens and schools in Stavanger municipality. Parents' contact information had been handed over by Stavanger municipality to the Majority Parties in Stavanger in accordance with the Public Act. In the complaints the Norwegian Data Protection Authority has received, questions are asked by the legality of the municipality's and the Plural parties' processing of personal data. The case has also been discussed in the media.
Through the Norwegian Data Protection Authority's investigation into the matter, it has emerged that the Majority Parties sent a request for access to the joint post office for Education and training in the municipality, at on behalf of the cooperation parties (Arbeiderpartiet, Folkets Parti, SV, Rødt, MDC and Center Party). The request for access was worded as follows:
«Hello. Can we have access to the lists of children of kindergarten age and 1st and 2nd graders in Stavanger with contact information for all parents. Preferably also email. Such lists are given to both churches and private schools - and is (unfortunately) public information»
Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Organization number: 974 761 467. Website: www.datatilsynet.no
The majority parties have stated that the request for access was clearly limited to sensitive information, they did not want to be given their name, date of birth or telephone number. Through the access request, information on addresses and e-mail addresses was released. The email addresses were uploaded to the program Brevo, and the information was then deleted at The majority parties. It is also stated that the email addresses were to be deleted by Brevo by agreement after the sending of the e-mails in question had been completed.
2. The Norwegian Data Protection Authority's investigation
In what follows, the Norwegian Data Protection Authority reviews the various topics considered in the case.
2.1. Delivery from Stavanger municipality
Any processing of personal data requires a legal basis to be legal. The Personal Data Protection Regulation sets out various alternative legal bases. In addition to personal data protection regulation, special regulations may authorize the processing of personal data.
The municipality's disclosure of personal data was made following a request for access public law, and the requirement for a legal basis for this processing activity is considered fulfilled.
2.2. The majority party's processing of information
2.2.1. What personal data was received and processed by The majority parties
Through the reports to the Norwegian Data Protection Authority, Stavanger Labor Party has on behalf of The majority parties stated that through the access requirement they collected contact information for everyone parents with children of kindergarten age and the first two stages of primary school. The municipality was explicitly asked not to disclose names of guardians or children, date of birth, telephone etc.
The information that was handed over to the Majority Parties contained information about school/grade, street address and email address. The information that was forwarded to Brevo consisted exclusively of a list of email addresses. Email addresses are considered personal data, and in the following we assume that The privacy regulations also apply to the disclosure of this information to Letter.
2.2.2. The purpose of the processing of personal data (collection and so on processing) in connection with sending e-mails
A basic principle in the privacy regulations is the requirement for purpose determination. It follows of the personal protection regulation article 5 no. 1 letter b) that the purpose of processing of personal data must be specifically and explicitly stated. The statement of purpose determines including which information is relevant and necessary.
Through the Norwegian Data Protection Authority's investigation of the matter, it appears clear that the purpose of The majority parties were to first get an overview of the guardian's contact information, then to be able to send out targeted and relevant information to parents in connection with municipal election 2023.
It has been stated that it was desirable to inform parents about the consequences for the parents of young children with the position of the various party groupings, information that became considered "generally useful".
2.2.3. Processing responsibility
The Danish Data Protection Authority has investigated who is responsible for the collection and use of data personal data for sending the e-mail that the complaints are about. Following our demand for an explanation, it is stated that information collection and sending of e-mail was made on behalf of said majority parties. Stavanger is responsible for processing Labor Party.
The Personal Data Protection Regulation and the accountability principle require that there is clarity about who is responsible for the processing of personal data, also when using data processors. See, among other things, Article 5 No. 2 and Article 29. In the case of shared/joint responsibility, the distribution of responsibility must be determined in an open manner, cf. Article 26.
Stavanger Arbeiderparti has stated that they are responsible for processing, on behalf of The majority parties. No agreement indicating other responsibilities has been presented. The Norwegian Data Protection Authority has therefore assumed that it is the Stavanger Labor Party that alone is controller for the processing of personal data to which the case relates.
2.2.4. The legal basis for the processing(s)
2.2.4.1. About the basis in question
When personal information is obtained through access in accordance with the Public Service Act, it must be further used of the information take place in accordance with the rules in the Personal Data Act and the personal data protection regulation. Basic principles for processing personal data are laid down in the personal data protection regulation art. 5 no. 1 letter a - f. The principle of legality implies that there must be a legal basis for the processing of personal data. It has to there is a legal basis for all processing activities carried out in this case including the delivery to Brevo and the sending of e-mails.
Personal data protection regulation art. 6 no. 1 contains six alternative legal grounds (letter a - f).
Initially, the Stavanger Labor Party stated that the relevant legal basis for their processing of personal data was the personal data protection regulation article 6, no. 1 letter e). The Norwegian Data Protection Authority refuted in a letter of 1 November 2023 that this option could be used for it current treatment.
The Stavanger Labor Party has since stated that they have a legal basis in article 6, no. 1, letter f). According to this provision, processing of personal data may be lawful if it is necessary for purposes related to the legitimate interests pursued by it data controller. The provision requires that a balance be made and that controllers must decide whether the interests or rights of the data subject and freedoms and the need to protect personal data must take precedence over the legitimate interest.
The person responsible must therefore both explain the legitimate interests and assess whether the processing may have an impact on the interests of the data subjects. Next, a balance between these before it can be established that a treatment has a legal basis the alternative in the personal data protection regulation article 6 no. 1 letter f).
We note that there is no requirement for such assessments to be in writing the privacy regulations. However, it is difficult to demonstrate compliance without assessments be documented. We also refer in that context to the obligation to provide information in the Personal Data Protection Ordinance article 14 no. 2 letter b) implies that the registered persons are entitled to receive the information which is necessary to ensure fair and open treatment. It is specified in the provision that if the legal basis for the processing follows from Article 6 no. 1 letter f, it shall are informed about the legitimate interests pursued by the data controller.
We asked the Majority Parties to explain the balancing of interests that was carried out before the processing started, including how privacy considerations were assessed and emphasised, cf. personal data protection regulation art. 6 no. 1 letter f. We further requested that any written documentation was attached to the statement.
2.2.4.2. The assessments carried out by the Stavanger Labor Party
The Stavanger Labor Party has stated that the assessments they carried out were not documented in writing. It is therefore difficult for the Norwegian Data Protection Authority to take a position on the assessment of authorization for the processing of personal data was carried out lawfully. In the absence of documentation on Stavanger Arbeiderparti's assessments, we have therefore based the information that is obtained through our case management.
The Stavanger Labor Party has explained what legitimate interests they have based on. The states that the e-mail was carefully assessed in relation to the Personal Data Protection Regulation art 6 no. 1 letter f, precisely because it can be difficult to know which instruments are legitimate to use in connection with an election campaign. They state that they were aware that the legitimate interest "must be legal, clearly defined in advance, real and factually justified in the business".
Stavanger Arbeiderparti further believes that in connection with an election campaign it must be within the concept of "legitimate interest" for a political party to send out targeted political information. They indicate that in an election campaign it is in the public interest to clarify and inform about them consequences different political positions will have for voters, and that so targeted information is important for voters to be able to make knowledge-based choices.
They further state that election campaign material, distributed via e-mail, does not differ in principle election campaign material distributed via other channels, as long as the email addresses are public available.
Stavanger Labor Party states that they also considered alternative distribution methods of theirs political messages. Among other things, they had an offer from Posten Norge AS for target group-specific mailings, i.e. in the direction of what is called Direct Mail (DM). This the alternative was not assessed as less intrusive than the e-mail that was chosen. One alternatives that were also considered were direct actions linked to nurseries, small schools, etc., but it was considered less appropriate than an email distribution.
The conclusion of the Stavanger Labor Party was that it must be possible as part of a political election campaign is justified in carrying out such an e-mail based on a "legitimate interest", i.a. a. to get out a political message, which is the main purpose of running an election campaign.
Through the Norwegian Data Protection Authority's proceedings, it has not been documented that Stavanger The Labor Party has carried out such an assessment of the interests of those registered. It is neither described or submitted documentation that shows that the assessments have taken place in this way the privacy regulation article 6 no. 1, letter f requires. This applies the treatment activities in all stages; the collection through the request for access to the municipality, the compilation the municipality had to prepare, the processing by the Stavanger Labor Party, the transmission to Brevo or through the sending of e-mails.
The second most relevant alternative was not considered less invasive compared to privacy considerations. In addition, they considered that privacy considerations were well taken care of, through the fact that it was sent a limited amount of personal data, only email addresses, to Brevo.
2.2.4.3. The Norwegian Data Protection Authority's assessment
Stavanger Arbeiderparti has to a small extent explained that they have assessed those registered interests. However, to a certain extent it has been expressed that the access requirement they aimed at the municipality could have some negative effects, all the while they themselves in the access request uses the word "unfortunately" about the scope of public law.
Admittedly, several alternative solutions were considered, but the Norwegian Data Protection Authority considers that they were not carried out an assessment of the privacy consequences of the processing itself.
The case has attracted great interest and has led to several complaints to the Norwegian Data Protection Authority from those registered. The It appears obvious to the Norwegian Data Protection Authority that the processing has actually had a negative impact on those registered. We assume that this treatment has caused reactions, among other reasons it was not predictable for those to whom it applies.
The access requirement that was directed at the municipality involved a compilation of personal data that should have been assessed by the Stavanger Labor Party, even if there is one legal delivery by the municipality. The disclosure consisted of compiled information such as was tailored for a purpose outside the scope of public law. This should too been taken into account in the assessment. We note that the negative consequences of the access requirement was also pointed out by the Stavanger Labor Party at the same time as the claim was made.
Alternatives to the chosen solution that were considered were direct actions associated with kindergartens, small school etc., but it was considered less appropriate than an e-mail distribution.
Stavanger Arbeiderparti has not confirmed that they have surveyed or assessed the privacy interests of the data subjects in the relevant processing.
The privacy consequences are therefore also not weighted against the legitimate interest the purpose of the treatment was to safeguard.
The Norwegian Data Protection Authority believes that the missing assessments, which a controller is required to carried out according to the Personal Data Protection Ordinance, Article 6 No. 1, letter f, must be considered a breach on the Personal Data Protection Regulation.
2.2.5. Use of data processor
The majority parties used the Brevo service for sending emails. It is stated that Brevo only was given a list of e-mail addresses.
At the request of the Norwegian Data Protection Authority, it has been stated that no data processor agreement was entered into with Letter. Stavanger Arbeiderparti points out that the "Terms of Service" was approved when it was created account and that the "Privacy policy" has been read through.
The Personal Protection Regulation Article 28 No. 3 requires that processing of personal data which carried out by a data processor must be subject to an agreement. The provision states in more detail what such an agreement must regulate, but there are no formal requirements.
The Danish Data Protection Authority has not investigated the supplier Brevo and any special requirements should have been stipulated in the specific agreement. We have also not reviewed the company's "Terms of Service" or "Privacy policy" to which reference is made. We assume that the Stavanger Labor Party has assessed that the agreement with Brevo is comprehensive for the processing of information they must carry out on their behalf.
2.3. What information is given to the registered cf. the Personal Protection Ordinance art. 14.
Stavanger Arbeiderparti confirms that no information about the treatment has been given to them registered, and that this is not in accordance with Article 14 of the Personal Data Protection Regulation.
2.4. Storage period for the personal data
The Norwegian Data Protection Authority asked for an explanation of the content of the agreement with regard to the deletion of the personal data at Brevo, and whether confirmation was obtained that the deletion was been carried out.
The Stavanger Labor Party has stated that the personal data was deleted for those persons who had access to the email addresses the day after dispatch. The personal data that was loaded up with Brevo, was also deleted the same day. The account with Brevo has also been deleted, as this was one one-off mailing. They have assumed that the deletion at Brevo was "non-reversible" and that all data would remain permanently deleted within 30 days at the latest. The address list (email addresses) was deleted manually from the account prior to the account being deleted. No confirmation has been requested from Brevo beyond this.
The Norwegian Data Protection Authority assumes that the deletion has been carried out. We clarify that a The data processing agreement must also contain terms that include the deletion of information, see point 6.
3. Decision on reprimand
The Norwegian Data Protection Authority's case management has revealed that the processing of personal data in in connection with the majority parties' e-mail sending of political messages has resulted in several breach of the privacy regulations.
Paragraph 148 of the Personal Protection Ordinance states that sanctions should be imposed for breach of the regulation, including infringement fees. The preface allows for it to know less infringements may be given a reprimand instead of an infringement fee. It can, among other things emphasis is placed on whether the breach has entailed a high risk for the rights of the data subjects.
The Norwegian Data Protection Authority has come to the conclusion that a decision on reprimands for the infringements must be made.
We has emphasized in the assessment that the collection of personal data from the municipalities had valid legal basis through public law. Furthermore, we have emphasized what was processed personal data to a very limited extent, and that they were deleted as soon as the purpose of treatment was achieved. We consider that the violations did not pose a high risk for them data subject's rights.
The Danish Data Protection Authority nevertheless believes that it is necessary to react, and takes this into account in the personal protection regulation article 58 no. 2, letter b decision on reprimand for the following Violations:
1. Inadequate assessments when using the Personal Protection Regulation Article 6 no. 1, letter f as a legal basis for processing personal data and
2. failure to comply with the duty to provide information about the treatment to them registered, cf. Article 14 of the Personal Data Protection Ordinance.
See above for further justification of our assessments of the various conditions.
4. Access to appeal
This decision can be appealed in accordance with Chapter VI of the Public Administration Act. Any complaint must sent to the Norwegian Data Protection Authority within three weeks of receipt of the decision. If we maintain our decision, the case will be forwarded to the Personal Protection Board for processing.
Any questions can be directed to postkasse@datatilsynet.no.
With kind regards
Camilla Nervik
section manager
The document is electronically approved and therefore has no handwritten signatures
Copy to: STAVANGER ARBEIDERPARTI