Datatilsynet (Norway) - 20/02375: Difference between revisions
Revision as of 12:31, 18 October 2021
Datatilsynet (Norway) - DT-20/02375 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1)(f) GDPR Article 24 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 21.09.2021 |
Published: | 06.10.2021 |
Fine: | 125000 NOK |
Parties: | Ultra-Technology AS |
National Case Number/Name: | DT-20/02375 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined Ultra-Technology AS €12,785 (NOK 125,000) for conducting an unlawful credit rating in breach of Article 6(1) GDPR, and ordered the company to implement a policy for conducting credit ratings, cf. Article 24 GDPR.
English Summary
Facts
A person lodged a complaint with the Norwegian DPA (Datatilsynet) after being subject to what they felt was an unlawful credit rating by the company Ultra-Technology AS. The company claimed a legal basis for this in Article 6(1)(f) GDPR, on the grounds that it was pursuing a third party's legitimate interest.
After receiving the DPA's notification of a fine, the company claimed they had other internal policies and procedures in place which would be sufficient for credit ratings. They also claimed that the intended fine was too high.
Holding
The Norwegian DPA (Datatilsynet) held that Ultra-Technology AS had no legal basis as per Article 6(1) GDPR to conduct the credit rating, because the legitimate interest must be based on the company's requirement and interest.
Consequently, the DPA fined the company €12,785 (NOK 125,000). The fine was reduced from NOK 175,000, but only because of the long case processing time (in line with the Norwegian Privacy Appeal Board's latest decisions) and not because of the company's request for a reduced fine.
The DPA also held that the company must create a company policy and implement internal controls for its credit rating process, in line with Article 24.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
ADVOKATFIRMA ØGLÆND & CO AS
Luramyrveien 25A
4313 SANDNES
Håkon Pinderød Eliassen
Excluded from the public: Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.
Their reference:
Our reference: 20/02375-9
Date: 21.09.2021
Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Tollbugt 3. Telephone: 22 39 69 00. Fax: 22 42 23 50. Org.nr: 974 761 467. Website: www.datatilsynet.no
Decision on order and infringement fee - Credit assessment without legal basis - Ultra-Technology AS
1 Introduction
We refer to our notice of decision on order and infringement fee of 21 December 2020. We received Ultra-Technology AS' ("Ultra-Technology") comments on the notice via a lawyer Håkon Pinderød Eliassen in a letter dated 11 January 2021. Our comments on the comments follows below.
Initially, we would like to apologize for the long case processing time.
2. Decision on order and infringement fine
The Data Inspectorate makes the following decisions:
1. Pursuant to Article 58 (2) (2) of the Privacy Regulation, we impose Ultra-Technology AS, corporate identity number 925 887 498, an infringement fee to the Treasury of 125,000 NOK for having obtained credit information without a legal basis, cf. Article 6 (1) of the Privacy Regulation.
2. Pursuant to the Privacy Ordinance art. 58 No. 2 letter d is imposed Ultra-Technology AS to prepare written routines for credit assessment, cf. Article 24 of the Privacy Regulation, as the company did not have this on the control time.
Our legal basis for issuing orders is Article 58 (2) of the Privacy Ordinance.
The deadline for implementing the orders is stated in section 7 of the decision.
3. Details of the facts of the case
In your reply of 11 January 2021, you confirm that general manager Stig Seglem rated credit ("Complaints") through Ultra-Technology's access to credit rating tool, but denies that this has happened in violation of the Privacy Regulation.
You confirm that the credit assessment was carried out in connection with, however states that Ultra-Technology had a legal basis for the credit rating that was carried out in that context. In the alternative, you state that the notified fee is too high.
4. Legal basis for obtaining credit information
4.1. Responsible for processing
The Privacy Ordinance defines "data controller" as:
[…] A natural or legal person, a public authority, an institution or any other another body which alone or together with others determines the purpose of the processing of personal data and the means to be used; when the purpose and the means of treatment are laid down in Union law or in the Member States national law, the person responsible for processing, or the special criteria for appointment by the person concerned, shall be determined by Union law or by the national law of the Member States
4.2. Legal basis for obtaining credit information
Obtaining credit information on individuals and sole proprietorships ("the registered") constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and the Personal Data Act § 1.
Article 6 (1) of the Privacy Regulation requires that the data controller has a legal right basis for processing personal data.
When a business must obtain credit information about the registered person without it being available consent, or the credit rating is strictly necessary to carry out an agreement with it registered, Article 6 (1) (f) is the most relevant legal basis.
Article 6 (1) (f) requires that the collection of credit information is "necessary" to: safeguard a "legitimate interest" which, after a balance of interests, outweighs consideration individual privacy.
The legitimate interest must be legal, clearly defined in advance, real and objectively justified in business.
Which interests meet this depends on an assessment there, among other things what benefits the company achieves with the treatment, how important the interest is for the business, or whether the treatment has a public interest or safeguards non-profit interests which benefit more are relevant moments.
Furthermore, the treatment in question must be "necessary" for purposes related to the beneficiary interests. That is, the business must consider whether it can achieve the purpose in a way that better safeguards privacy. One must therefore choose the treatment that is least invasive.
Then the business must make a balance of interests to decide whether the individual Privacy outweighs the business' legitimate interest. What type of information is relevant to process, for example about obtaining the relevant information the information may be perceived as offensive, and what expectations the individual has of the processing of personal data are relevant factors in the balancing of interests.
The now repealed Personal Data Regulations § 4-3 contained an additional condition that Credit information could only be obtained unless the business had a "factual need" for it credit information. Section 4-3 of the regulations is continued in accordance with the regulations on transitional rules on the processing of personal data § 4. [2]
However, the Privacy Ordinance does not provide national room for maneuver for special regulation of obtaining credit information. We therefore believe that the requirement for "objective need" does not constitute one additional terms to Article 6 (1) (f).
However, the assessment of whether the business has an "objective need" pursuant to section 4-3 of the regulations is close connection with the assessment pursuant to Article 6, paragraph 1, letter f. We therefore believe that earlier administrative practice regarding the requirement of objective need is still relevant when assessing an article 6 No. 1 letter f.
4.3. About the duty to written routines (internal control)
According to Article 24 of the Privacy Ordinance, all companies are obliged to be able to prove that they processes personal data in accordance with the law. If it stands in a reasonable relation to the treatment activities, the company shall implement appropriate guidelines for the protection of personal information.
Credit rating is an intrusive processing of personal data and constitutes a large encroachment on individuals' right to privacy. Businesses must therefore be able to document their internal routines or processes, so-called internal control, which meet the requirement of objectivity by credit rating.
The routines must describe when and how credit information is to be obtained and how to access it shall be provided, and shall ensure that credit assessments are not obtained without the requirement of objective need being fulfilled. Furthermore, the company must have routines for handling deviations.
[1] Personal Information Regulations of 15 December 2000 no. 1265.
[2] Transitional rules on the processing of personal data of 15 June 2018 no. 877.
5. The Data Inspectorate's assessment
5.1. Responsible for processing
On 21 December 2020, the Data Inspectorate notified Ultra-Technology AS of the order and infringement fee (org. no. 987 204 265). This limited company, on the other hand, was deleted from the Register of Business Enterprises on 12 June 2021. [3]
The announcement in the business register shows that the company Ultra-Technology AS (corp. No. 987 204 265) has been merged with the new company Ultra-Technology AS (corp. No. 925 887 498). The merger notification was registered in the Register of Business Enterprises on 12 June 2021.
The purpose of the articles of association and the activity / industry stated for the new company are identical to the first company:
«Processing of metal and plastic materials as well as what is connected with this, including participating in other companies with similar business»
Stig Nordby Seglem is listed as general manager and chairman of the board. We also assume that the workshop business the first company ran has been continued in the new company after the merger. [5]
In our notice of decision, we assumed that Ultra-Technology AS (corporate identity no. 987 204 265) was responsible for processing the contested credit assessment performed by the general manager.
The placement of the processing responsibility with the company for illegal credit assessments performed by general manager has support in the Privacy Board's decisions PVN-2017-02 Bertram Bil and PVN-2020-21 Flisleggingssenter AS. The decisions have several similarities with our case, and concerned both general managers' use of the business's credit rating tool for private credit ratings.
In our case, the company that is responsible for processing the credit assessment of complaints has merged with another company.
The question of processing responsibility when the legal person responsible for processing becomes merged with another is not regulated in the Privacy Ordinance. The answer must therefore depend on an interpretation of the rules for mergers of companies in the Companies Act.
[3] https://w2.brreg.no/enhet/sok/detalj.jsp?Orgnr=987204265 (last visited 21.09.21).
[4] https://w2.brreg.no/kunngjoring/hent_en.jsp?Kid=20210000291533&sokeverdi=925887498&spraak=nb (last visited 21.09.21)
[5] https://www.ultratech.biz/about-us (last visited 21.09.21).
Section 13-2 of the Norwegian Companies Act reads as follows:
(1) Mergers of companies are subject to the rules on mergers in this chapter company (the acquiring company) shall take over another company (the transferring the company) assets, rights and obligations as a whole towards that the shareholders of this company receive as consideration Shares in the acquiring company, or 2. such shares with a supplement that must not exceed 20 percent of the total the consideration
(Our highlight)
In our case, this means that the acquiring company (Ultra-Technology AS, corporate identity number 925 887 498), has taken over the transferring company (Ultra-Technology AS, corporate identity number 987 204 265) their assets, rights and obligations.
In our opinion, the acquiring company has taken over the transferring company processing responsibility for the processing of personal data in the company.
Our conclusion is after this that the acquiring company Ultra-Technology AS (corp. No. 925 887 498) is responsible for processing the transferring company's credit rating of complaints. Our decision on orders and infringement fees can thus be directed at Ultra-Technology AS (org. no. 925 887 498).
5.2. Written routines (internal control)
Ultra-Technology confirms in the comments to the notice that the company has no written routines for credit ratings. You further write that you will not oppose an order to establish routines, but state the following:
The fact that the company has not designed its own routines has its explanation. It is noted that the company already has an internal company routine, which involves following agreements contracts. The company is bound by contract law to comply the Personal Data Act by searching the register, through the objectivity criterion in contract one with Experian AS. This is the reason why the company has not seen a need for additional, internal guidelines.
However, separate guidelines may be appropriate, such as refers to these, to avoid use that does not pursue legitimate interest. This is how it is not in this case.
We have noticed the input, but can not see that it has any significance for our assessments in this case. We also refer to our account of the content of the Privacy Ordinance, Article 24, No. 1 and 2 above, in section 4.2.
The person responsible for processing is obliged to implement technical and organizational measures as they are taken consideration of «the nature, scope, purpose and context of the treatment in which it is performed, as well as the risks of varying probability and severity for the rights of natural persons and freedoms». If it is in a reasonable relation to the treatment activities, the measures shall include appropriate guidelines for the protection of personal data, cf. Article 24 (2).
Credit ratings of individuals are an intrusive form of treatment of personal information. Access to credit rating tools therefore presupposes that The person in charge of processing takes appropriate measures to prevent illegal credit assessments carried out.
In our opinion, written routines would have a preventive effect against the illegal one the credit assessment carried out in our case, and such routines will ensure that future credit ratings are only conducted by Ultra-Technology when the terms of the Privacy Ordinance is complied with.
On the basis of this, we maintain our conclusion that it is necessary to impose Ultra-Technology to establish written routines for credit ratings. We also refer to our assessment in section 5.1 of the notice.
5.3. Legal basis for obtaining credit information
The relevant legal basis for Ultra-Technology's collection of complaints credit information is the Privacy Regulation Article 6 No. 1 letter f.
The question is whether the company had a legal basis in Article 6 (1) (f) on a daily basis manager obtained credit information on complaints
Ultra-Technology's remarks
Ultra-Technology states that the company pursued a "third party" "legitimate interest" then the general manager credit-rated complaints, and that the company thus fulfilled the condition of "Legitimate interest" in Article 6 (1) (f).
The Data Inspectorate's assessment
The relevant basis for processing the collection of credit information about complaints is Article 6 (1) (f) of the Privacy Regulation.
The first condition that must be met is that Ultra-Technology AS had a «entitled interest» in obtaining the information.
Proposition 47 of the Privacy Ordinance states that in the assessment of whether an interest is justified, among other things, the data subject's expectations based on the relationship shall be taken into account between the data controller and the data subject. Emphasis should also be placed on whether it is on the time of collection was foreseeable for the data subjects that the information would be processed for the current purpose.
The credit assessment was carried out on the basis of However, the legitimate interest must be justified on the basis of the company's objective needs and interest. As the credit assessment was carried out via the access to Ultra-Technology AS, we believe the company was responsible for processing the credit assessment.
According to the Brønnøysund Register Center, Ultra-Technology AS operates with «Processing of metal and plastic materials and what is connected with this, including participating in other companies with similar business». In our view, therefore, the complainants had no expectation that Ultra-Technology AS was to process her credit information in connection with
The Privacy Board has recently handed down the decision PVN-2020-21, which supports our understanding of the law.
In the decision, the tribunal upheld the Data Inspectorate's order and infringement fee NOK 150,000 to "Flisleggingsfirma AS" for an illegal credit assessment. The fact of the matter was that the general manager of the tiling company had rated his neighbor in credit connection with construction work on the neighbor's property to investigate whether the person had ability to pay for themselves if something should go wrong.
In the decision, the tribunal states the following about the requirement for a legitimate interest in Article 6 (1) (f) of the Privacy Regulation:
The law's requirement that the processing (collection of credit information) must be necessary for purposes related to the legitimate interest of the controller, implies that the interest safeguarded by the data controller must be legal and actually justified. It is Flisleggingsfirma AS that buys services from Bisnode and that is why Flisleggingsfirma AS which must have a legitimate interest in checking the credit information about A. There is no customer relationship between A and Flisleggingsfirma AS and Flisleggingsfirma AS obviously has no legitimate interest in making one credit rating of A. In this case, the general manager of Flisleggingsfirma AS, B, who has used the company's online access to Bisnode for private purposes, namely to credit rating a neighbor to investigate her financial situation because he was worried about whether the initiated construction work on the neighboring plot would inflict his property financial damage for which he would claim compensation. (Our emphasis).
B's use of the service from Bisnode for private purposes is clearly in violation of the law. The tribunal agrees with the Norwegian Data Protection Authority that the credit assessment entails a basic violation of A's privacy rights. The tribunal agrees with the Authority's assessment and concludes in the same way as the audit that there was no legal basis for credit rating A.
When Flisleggingsfirma AS does not have a legitimate interest in the treatment, it is not necessary for the tribunal to consider the other conditions in Article 6 No. 1 letter f, then all the conditions must be met in order to satisfy the law's requirements for treatment basis.
The decision has several similarities with the case against Ultra-Technology, in that both cases apply the general manager's use of the company's credit rating tool for private purposes outside the business' business area.
On the basis of this, we maintain our assessment that the requirement of "legitimate interest" in Article 6 (1) (f) of the Privacy Regulation is not complied with. It is therefore not necessary for the Norwegian Data Protection Authority to assess whether the credit rating was "Necessary" for the purpose and whether the legitimate interest of the company exceeded the considerations complainant's privacy.
The conclusion is that Ultra-Technology AS had no legal basis under Article 6 no. 1 letter f to process the credit information on complaints obtained on 27 August 2019.
We also refer to our assessment of the legal basis in the notice, section 5.2.
6. Infringement fee
6.1. General information about infringement fines
Violation fees are a tool to ensure effective compliance and enforcement of the personal data regulations.
In accordance with the Supreme Court's practice, cf. Rt. 2012 page 1556, we assume that infringement fines are to be regarded as penalties under the European Convention on Human Rights (ECHR) Article 6. A clear preponderance of probabilities for offenses is therefore required in order to be able to charge fee.
In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.
By an administrative sanction is meant a negative reaction that can be imposed by an administrative body, which is directed against a committed violation of law, regulation or individual decision, which is considered a punishment under the European Convention on Human Rights (EMF).
Section 46, first paragraph, of the Public Administration Act states:
When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual has shown guilt.
In Prop. 62 L (2015-2016) page 199 it is stated about § 46:
The wording that 'no individual has shown guilt' is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. Responsibility is therefore basically objective.
In judgment HR-2021-797-A, the Supreme Court has assumed that the objective responsibility for corporate punishment that follows from the Penal Code § 27 is not compatible with the concept of punishment in the ECHR as such it is interpreted by the EMD. The Supreme Court states in the judgment that whoever has acted on behalf of the company must have shown guilt, and that general negligence is sufficient to fulfill this.
As infringement fines are considered a penalty under the ECHR, we assume that we can only impose an infringement fine on an enterprise if the person who has acted on behalf of the enterprise has shown guilt, and that general negligence is sufficient, cf. HR-2021-797-A.
6.2. The guilt claim when imposing an infringement fee
In order for the Data Inspectorate to be able to impose an infringement fee on Ultra Technology AS, it is therefore required that the person who has acted on behalf of the company has shown guilt. In this case, our assessment that intent is the actual form of guilt.
The intent requirement follows from general basic legal principles, and these principles are codified in the Penal Code § 22.
It follows from the provision:
"Intention exists when someone commits an act that covers the description of the act in a penalty:
a) with intent,
b) with awareness that the action certainly or most likely covers the description of the act, or
c) considers it possible that the action covers the description of the act, and chooses to act even if that were the case."
It follows from the second paragraph of the provision, however, that «[t]he presumption exists even if the offender is not aware that the act is illegal, cf. § 26». There is thus no requirement that one knew that the act was against the law.
It follows from the Penal Code § 26 that «[d] one who at the time of the action due to ignorance if legal rules are unknown that the act is illegal, is punished when the ignorance is negligent.»
According to the requirement of diligence, companies must familiarize themselves with which legislation applies to the area, and organize the business in accordance with the framework that follows from it current regulations.
In this case, Ultra-Technology AS has acknowledged in its statement that the company's general manager deliberately credit-rated complaints in connection with
We assume that the general manager acted on behalf of the company when he credit-rated complaints, cf. section 5.3 of the decision, and that the credit assessment was a deliberate and willful act.
Our conclusion is therefore that the infringement was committed intentionally by Ultra-Technology AS. The guilt requirement for imposing an infringement fee is thus fulfilled.
6.3. Our assessment of whether an infringement fee should be imposed
When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account to the elements of the Privacy Regulation Article 83 No. 2 letter a) to k).
The Data Inspectorate can impose infringement fines after a discretionary overall assessment, but they listed the moments lay down guidelines for the exercise of discretion by highlighting moments that should special weight is given. Here we will assess the relevant aspects on an ongoing basis.
(a) the nature, gravity and duration of the infringement, taking into account it; the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and the extent of the damage they have suffered
The principle of legality in the Privacy Ordinance Article 5 No. 1 letter a and the requirement for legal basis in Article 6 (1) is among the basic requirements to be met when a business processes personal data. In this case, we have come to the conclusion that Ultra-Technology violated the provision of Article 6 (1), as the relevant personal data became obtained without a legal basis. This suggests that the infringement was serious.
The Privacy Board has also stated this about the illegal credit assessment that was implemented in PVN-2020-21:
This is a serious violation of the Privacy Ordinance. The principle of legality in Article 5 (1) and the requirement for a basis for processing in Article 6 represents basic requirements for the processing of personal data. These are broken. Private individuals have an expectation that companies do not collect credit information about them without this being justified in a legitimate interest with business as a result of a real customer relationship. Collection of credit information has in this case happened for a purpose completely outside the business' business area and for the general manager's personal use outside the business. He has no doubt acted intentionally. Any error regarding the legal rules is not excusable, cf. the principle in Penal Code § 26.
Furthermore, credit information is a type of personal information that is particularly worthy of protection, and as individuals have an expectation that is not obtained by businesses unless it is objectively justified in their relationship with them. The infringement is therefore serious and indicates that an infringement fine is imposed.
A single illegal credit rating will not be a long-term breach. On it on the other hand, the damage has already occurred and it cannot be reversed after the personal data has been obtained illegally. Furthermore, one person is affected by the violation, and one credit assessment was made of complaints.
b) whether the infringement was committed intentionally or negligently
Ultra-Technology AS acknowledges in its statement that the credit assessments were obtained deliberately for use in. We therefore assume that the violation was committed intentionally.
c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects
We do not see that such measures have been taken by Ultra-Technology AS.
d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32
In an aggravating direction, we emphasize that the violations were committed by the general manager in the business, as the Privacy Ordinance presupposes that compliance with the regulations is particularly rooted in the management of an enterprise, cf. Article 5 No. 2.
e) any previous violations committed by the data controller or the data processor
The Norwegian Data Protection Authority is not aware of any previous violations.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it
Ultra-Technology AS has contributed to the information of the case by responding to our request for statement.
According to guidelines from the Article 29 Working Party, adopted by the Privacy Council ("EDPB"), it is not appropriate to place mitigating emphasis on cooperation that is anyway required by the Privacy Ordinance. We do not see that it exists by the way co-operation considerations in our case, and therefore does not find this aspect relevant.
g) the categories of personal data affected by the infringement
Special categories of personal data (sensitive personal data) are not affected by the infringement in our case. However, information on salary, debt and creditworthiness is information that has a special need for protection due to its private nature. This draws in an aggravating direction, and advocates the imposition of infringement fines.
The Privacy Board has assessed this correspondingly in its decision PVN-2020-21:
Although the information affected by the infringement does not belong to the group in particular categories of information in Article 9, then represent credit information on individuals information of a private nature that the individual may have reason to desire remains private. This, too, is therefore a factor in an aggravating direction.
h) in what way the supervisory authority became aware of the infringement, in particular if and if so the extent to which the data controller or data processor has notified the infringement
We do not find this aspect relevant.
(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data controller with respect to the same subject matter, that mentioned measures are complied with
We do not know that measures have previously been taken against the company with regard to the same case subject.
(j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42
We do not find this aspect relevant.
6 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, WP 253, page 14. 12k) and any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement We do not see that there are other aggravating or mitigating factors in the case. Based on the assessment above, the Data Inspectorate concludes that an infringement fee should be imposed. The The next question is the size of the fee. 6.4. Assessment of the size of the fee Ultra-Technology has stated that the notified fee is "significantly too high", and that this «Reserved for elaboration». The company has not submitted documentation or presented others arguments that justify why the company believes the notified fee is too high. When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in the question of whether a fee should be charged, cf. Article 83 (2). The points we have pointed out in section 6.2 speak in favor of a fee of a certain size. In aggravating direction, we place particular emphasis on the fact that the credit assessment took place by a deliberate act, that the principle of legality is one of the most basic principles for the treatment of personal data, and the nature of the personal data affected by the infringement. It follows from Article 83 (1) of the Privacy Regulation that infringement fines must be set specifically so that in each case it is effective, stands in a reasonable relation to the violation and acts as a deterrent. The main purpose of the infringement fee is contraception, ie the risk of being charged a fee shall act as a deterrent and contribute to increased compliance with the regulations. 
Footnote 7: See updated version of the commentary to the Privacy Ordinance by Bergseng Skullerud, Rønnevik, Skorstad and Engh Pellerud (2019) p. 343.

In Bergseng Skullerud et al., 2019, commentary on the Privacy Ordinance, page 347, it is stated:

Preventive considerations dictate that the fee for a violation must be set so high that it is actually perceived as an evil by the offender. This means that the offender's financial ability should be important in the measurement, so that the fee is higher the stronger the financial carrying capacity of the offender. […] When assessing the financial carrying capacity of a company, it may be relevant to look at the company's total global annual turnover in the previous financial year, cf. art. 83 Nos. 4 and 5.

And further:

The consideration of ensuring an individual assessment in each individual case indicates that regulators should avoid establishing standardized fee rates. This applies even if national law allows for standardized rates, cf. the Public Administration Act § 43.

The fee must therefore be measured specifically in each case, and have a deterrent effect on the individual business. We therefore place emphasis on the company's finances.

According to publicly available documents, Ultra-Technology AS is registered with a turnover of NOK 20,158,000 in 2019, and an annual profit of NOK 3,191,000. The business is furthermore registered with very good solvency.

We also add that the Privacy Board in PVN-2020-21 stated that an infringement fee of NOK 150,000 for an illegal credit assessment of a sole proprietorship "in any case is not too high".

On the basis of this, the Data Inspectorate basically finds no reason to adjust down the notified fee of 175,000 kroner.

However, the case processing time at the Authority is important for the measurement of the infringement fee, cf. the Privacy Ordinance art. 83 No. 2 letter k, cf. the Personal Welfare Board's decision in case PVN-2021-03.
We asked Ultra-Technology to explain the case in our letter dated 29 April 2020. We then gave notice of a decision on the infringement fee in our letter of 21 December 2020. When the Authority imposes the decision on the fee, approx. 10 months have passed since the notice, and approx. one and a half years since the Authority contacted Ultra-Technology for the first time. In line with the Privacy Board's practice, we therefore reduce the notified fee to DKK 125,000 on the basis of the long case processing time.

Our conclusion is therefore that Ultra-Technology will be fined NOK 125,000.

We also refer to our assessment of the size of the fee in the notice, sections 6.2 and 6.3.

7. Right of appeal and further proceedings

You can appeal the decision. Any complaint must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Board for complaint processing.

If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act.

The deadline for implementing point 2 of the order on written routines (internal control) is 4 weeks after expiry of the time limit for appeal. If you do not appeal point 2 of the order, you must within this deadline send us a written confirmation, as well as documentation, that the ordered internal control has been completed.

8. Publicity, transparency and duty of confidentiality

We inform you that all documents are in principle public, cf. § 3 of the Public Access to Information Act. If you believe there is a basis for exempting all or part of the document from public access, we ask you to justify this.

The Norwegian Data Protection Authority has a duty of confidentiality about who has complained to us, and about the complainant's personal circumstances.
The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such information by the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1. You are also entitled to access to the case documents, cf. the Public Administration Act § 18.

We point out that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority about the complainant's identity, personal circumstances and other identifying information, and that you may only use this information to the extent necessary to safeguard your interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that violation of this duty of confidentiality can be punished according to the Penal Code § 209.

If you have questions about the case, you can contact Ole Martin Moe by e-mail omm@datatilsynet.no or telephone 22 39 69 59.

With best regards

Jørgen Skorstad
department director

Ole Martin Moe
legal adviser

The document is electronically approved and therefore has no handwritten signatures

Copy to: