Datatilsynet (Norway) - 20/02042: Difference between revisions
No edit summary |
|||
Line 50: | Line 50: | ||
}} | }} | ||
The Norwegian DPA (Datatilsynet) notified Innovation Norway that they will be fined €95,000 for multiple credit ratings of the | The Norwegian DPA (Datatilsynet) notified Innovation Norway that they will be fined €95,000 for multiple credit ratings of the complainant, when they had no legal basis under Article 6(1)(f) GDPR for such processing. They have until January 25 2021 to contest the fine. | ||
==English Summary== | ==English Summary== |
Revision as of 08:46, 5 January 2021
Datatilsynet - DT-20/02042 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1)(f) GDPR Article 33 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 04.01.2021 |
Published: | 04.01.2021 |
Fine: | 1000000 NOK |
Parties: | Complaintant (data subject - anonymized) Innovation Norge Innovation Norway |
National Case Number/Name: | DT-20/02042 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA (Datatilsynet) notified Innovation Norway that they will be fined €95,000 for multiple credit ratings of the complainant, when they had no legal basis under Article 6(1)(f) GDPR for such processing. They have until January 25 2021 to contest the fine.
English Summary
Facts
The complaintant was subjected to multiple credit ratings by Innovation Norway, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings.
When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.
Dispute
Did Innovation Norway have a legal basis for conducting credit rating(s) of the complaintant?
Holding
The DPA found that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question, that they hadn't followed up on their own internal policies and procedures and that they should have notified the DPA of the personal data breach cf. Article 33 GDPR.
Comment
The complaintant was subjected to a total of ten credit ratings; one on the complaintant personally, three on his sole proprietorship and four on his limited company. The latter ones were not considered as a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrates.
The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
__________ PRESS RELEASE __________ Notification of infringement fee to Innovation Norway The Norwegian Data Protection Authority has sent Innovation Norway a notice of infringement fines of NOK 1 million. The case concerns four credit of an individual and his sole proprietorship without any basis for assessments treatment . Notification of infringement fee to Innovation Norway - Innovation Norway has not been able to point to a customer relationship, or a connection to complainants and his company, that could justify these credit assessments, says senior adviser Ida Småge Breidablikk. Innovation Norway has agreed that they did not have a treatment basis for the four credit assessments. The credit assessments took place over a period of 3 months. Must have a valid treatment basis A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person or sole proprietorship will pay a claim. A credit assessment will also show details about the company's finances, such as any payment remarks, voluntary mortgages and debt ratio. Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships. It is part of the case that the complainant's limited company has also been credit-rated six times. However, this is not covered by the privacy regulations, and the Data Inspectorate cannot sanction this. Experienced offensive - Credit information about sole proprietorships also says something about the owner's personal finances. It is private information that can not be collected by other companies unless it is objectively justified, says legal senior adviser Ida Småge Breidablikk. We understand that complaints react when he has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, she concludes. Innovation Norway has been given a deadline of 25 January to submit comments on the notification.