Datatilsynet (Norway) - 20/02225: Difference between revisions
m (Cp moved page Datatilsynet - 20/02291 to Datatilsynet - 20/02225) |
(Updated with DPA decision) |
||
Line 20: | Line 20: | ||
|Date_Published= | |Date_Published= | ||
|Year= | |Year= | ||
|Fine= | |Fine=100000 | ||
|Currency=NOK | |Currency=NOK | ||
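Review bot: `Date_Published=` and `Year=` are still empty in this hunk even though `Fine=100000` is now recorded. Fill in the decision date and year in the same edit, so the infobox does not show a fine with blank date fields.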
Line 50: | Line 50: | ||
|Initial_Contributor=n/a | |Initial_Contributor=n/a | ||
| | | | ||
}} | |GDPR_Article_4=Article 5(1)(a) GDPR}} | ||
Datatilsynet | The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (~€9,700) for subjecting the complainant to a credit rating without a legal basis under Article 6(1)(f) and 5(1)(a) GDPR. The DPA also requires that the company implement internal controls of their credit rating process as per Article 24. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
The company Aquateknikk AS credit rated | The company Aquateknikk AS credit rated an individual and his business, despite having no customer relationship or any other affiliation with either. According to the complainant, the credit rating was conducted because he operates a competing business. | ||
Aquateknikk stated that the credit rating of the complainant personally was a mistake, as the intended target of the credit rating was the complainant's business. However, the DPA found from their credit rating logs from Bisnode, the credit rating bureau, that Aquateknikk had credit rated the complainant's company first and then the complainant personally, "indicating that the action was intentional". The DPA commented that they don't believe Aquateknikk's explanation and noted that the credit rating seems to have been conducted due to "nosiness". | |||
=== Dispute === | ===Dispute=== | ||
Did Aquateknikk have legal grounds for processing the personal data of the complainant for a credit rating, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit ratings in their business? | |||
=== Holding === | ===Holding=== | ||
No, Aquateknikk did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f). For this offense, the company was fined NOK 100,000. | |||
They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and submit a written confirmation and actual documentation of the internal controls, to the DPA. | |||
== Comment == | ==Comment== | ||
The | The company was initially notified of a NOK 300,000 fine. Due to the COVID-19 pandemic, however, the company argued that their financial situation had worsened and such a major fine would be very detrimental and, possibly, lead to bankruptcy. After reviewing the preliminary 2020 financial results of the company, the DPA reduced the fine to NOK 100,000, stating that this would be sufficiently "effective, proportionate and dissuasive" as per Article 83(1). | ||
In addition to a breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was weighted when concluding on the size of the fine. | |||
While it was not done in this particular case, Norwegian implementation of the GDPR also allows for fining controllers based on breaches of Article 24, unlike the GDPR cf. personopplysningsloven § 26. Personopplysningsloven § 26 refers to Article 83(4). | |||
== English Machine Translation of the Decision == | ==Further Resources== | ||
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-gebyr-aquateknikk/ | |||
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/aquateknikk-as-far-gebyr/ | |||
==English Machine Translation of the Decision== | |||
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details. | The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details. | ||
<pre> | <pre> | ||
https://www.datatilsynet.no/contentassets/c5f433a97050467497810b9e891d5b83/vedtak-om-palegg-og-overtredelsesgebyr---aquateknikk-as.pdf | |||
</pre> | </pre> |
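Review bot: The "English Machine Translation of the Decision" section still says "The decision below is a machine translation of the Norwegian original", but the `<pre>` block added here contains only the URL of the Norwegian PDF. Either paste the translated text into the block or reword the introductory sentence to say that the block links to the original decision. In the same hunk, the Holding switches between "credit rating" and "credit scoring(s)"; use one term throughout.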
Revision as of 07:28, 22 January 2021
Datatilsynet - 20/02291 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(2) GDPR; Article 6(1)(f) GDPR; Article 24 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 100000 NOK |
Parties: | n/a |
National Case Number/Name: | 20/02291 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | n/a |
The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (~€9,700) for subjecting the complainant to a credit rating without a legal basis under Articles 6(1)(f) and 5(1)(a) GDPR. The DPA also requires the company to implement internal controls for its credit rating process as per Article 24.
English Summary
Facts
The company Aquateknikk AS credit rated an individual and his business, despite having no customer relationship or any other affiliation with either. According to the complainant, the credit rating was conducted because he operates a competing business.
Aquateknikk stated that the credit rating of the complainant personally was a mistake, as the intended target of the credit rating was the complainant's business. However, the DPA found from the credit rating logs from Bisnode, the credit rating bureau, that Aquateknikk had credit rated the complainant's company first and then the complainant personally, "indicating that the action was intentional". The DPA commented that it did not believe Aquateknikk's explanation and noted that the credit rating seems to have been conducted due to "nosiness".
Dispute
Did Aquateknikk have legal grounds for processing the personal data of the complainant for a credit rating, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit ratings in their business?
Holding
No, Aquateknikk did not have legal grounds for processing the personal data of the complainant for credit scoring, as per Article 6(1)(f). For this offense, the company was fined NOK 100,000.
The company also did not have sufficient internal controls for the use of credit scoring in its business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and to submit written confirmation and actual documentation of those controls to the DPA.
Comment
The company was initially notified of a NOK 300,000 fine. Due to the COVID-19 pandemic, however, the company argued that its financial situation had worsened and that such a major fine would be very detrimental and could possibly lead to bankruptcy. After reviewing the company's preliminary 2020 financial results, the DPA reduced the fine to NOK 100,000, stating that this would be sufficiently "effective, proportionate and dissuasive" as per Article 83(1).
In addition to the breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was given weight when determining the size of the fine.
While it was not done in this particular case, the Norwegian implementation of the GDPR, unlike the GDPR itself, also allows controllers to be fined for breaches of Article 24 (cf. personopplysningsloven § 26). Personopplysningsloven § 26 refers to Article 83(4).
Further Resources
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-gebyr-aquateknikk/
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/aquateknikk-as-far-gebyr/
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
https://www.datatilsynet.no/contentassets/c5f433a97050467497810b9e891d5b83/vedtak-om-palegg-og-overtredelsesgebyr---aquateknikk-as.pdf