Datatilsynet (Norway) - 21/03656: Difference between revisions
From GDPRhub
mNo edit summary |
(added "GDPR" to Articles; adjusted pronouns) |
||
| Line 69: | Line 69: | ||
}} | }} | ||
The Norwegian DPA issued a reprimand and compliance order against a listed company that relied on the exceptions in [[Article 14 GDPR | The Norwegian DPA issued a reprimand and compliance order against a listed company that relied on the exceptions in [[Article 14 GDPR]]. The DPA held that shareholders are entitled to information when their personal data is processed by shareholder managers. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In April 2021, a data subject in Germany owning shares in the company Mowi ASA was notified by his bank that | In April 2021, a data subject in Germany owning shares in the company Mowi ASA (controller) was notified by his bank that the controller had requested his personal data. After two unsuccessful attempts at getting information about this processing from the controller, the data subject lodged a complaint with the Norwegian DPA Datatilsynet, which initiated an investigation and contacted the controller. | ||
The controller acknowledged that it had not responded to the data subject’s access request because the emails had ended up in the spam filter. It also confirmed that it did not provide information on the processing in question, directly to shareholders or in their privacy policy, but claimed it relied on the exceptions set out in [[Article 14 GDPR#5a|Article 14(5)(a)]] and [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]]. | |||
The DPA rejected this as | The DPA rejected this as it argued that the exceptions in [[Article 14 GDPR#5|Article 14(5) GDPR]] should be interpreted and applied narrowly and it is not sufficient to “assume” that a data subject has received the information required under [[Article 14 GDPR]], as the controller did in this case. In addition, the DPA found the controller's privacy policy to be incomplete and misleading. | ||
The controller did not raise any arguments to contest the DPA's conclusions and informed the DPA that | The controller did not raise any arguments to contest the DPA's conclusions and informed the DPA that it was in the process of updating their privacy policy, internal documentation and routines. | ||
=== Holding === | === Holding === | ||
The DPA held that the controller had violated [[Article 14 GDPR | The DPA held that the controller had violated [[Article 14 GDPR]] and ordered it to take measures to ensure that data subjects, including shareholders whose personal data are processed pursuant to [https://lovdata.no/dokument/NL/lov/1997-06-13-45 the Norwegian Public Limited Liability Companies Act], are provided with all of the information required by [[Article 14 GDPR]], including by amending its privacy policy as necessary. The controller was also ordered to inform the DPA about its measures taken within four weeks. | ||
== Comment == | == Comment == | ||
Revision as of 09:23, 27 April 2022
| Datatilsynet (Norway) - 21/03656 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 12 GDPR Article 12(2) GDPR Article 14 GDPR Article 14(5)(c) GDPR Article 14(5)(a) GDPR Article 15 GDPR Article 55(1) GDPR Article 56(1) GDPR Norwegian Public Limited Liability Companies Act (allmennaksjeloven) § 4-10 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 04.10.2021 |
| Decided: | 26.04.2022 |
| Published: | 27.04.2022 |
| Fine: | None |
| Parties: | Mowi ASA |
| National Case Number/Name: | 21/03656 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian Norwegian |
| Original Source: | Datatilsynet (in NO) Datatilsynet (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA issued a reprimand and compliance order against a listed company that relied on the exceptions in Article 14 GDPR. The DPA held that shareholders are entitled to information when their personal data is processed by shareholder managers.
English Summary
Facts
In April 2021, a data subject in Germany owning shares in the company Mowi ASA (controller) was notified by his bank that the controller had requested his personal data. After two unsuccessful attempts at getting information about this processing from the controller, the data subject lodged a complaint with the Norwegian DPA Datatilsynet, which initiated an investigation and contacted the controller.
The controller acknowledged that it had not responded to the data subject’s access request because the emails had ended up in the spam filter. It also confirmed that it did not provide information on the processing in question, directly to shareholders or in their privacy policy, but claimed it relied on the exceptions set out in Article 14(5)(a) and Article 14(5)(c) GDPR.
The DPA rejected this as it argued that the exceptions in Article 14(5) GDPR should be interpreted and applied narrowly and it is not sufficient to “assume” that a data subject has received the information required under Article 14 GDPR, as the controller did in this case. In addition, the DPA found the controller's privacy policy to be incomplete and misleading.
The controller did not raise any arguments to contest the DPA's conclusions and informed the DPA that it was in the process of updating their privacy policy, internal documentation and routines.
Holding
The DPA held that the controller had violated Article 14 GDPR and ordered it to take measures to ensure that data subjects, including shareholders whose personal data are processed pursuant to the Norwegian Public Limited Liability Companies Act, are provided with all of the information required by Article 14 GDPR, including by amending its privacy policy as necessary. The controller was also ordered to inform the DPA about its measures taken within four weeks.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
MOWI ASA
Postboks 4102 Sandviken
5835 BERGEN
Your reference Our reference Date
21/03656-12 26.04.2022
Reprimand and Compliance Order - Mowi ASA
1. Introduction
The Norwegian Data Protection Authority (“Datatilsynet”, “we”, “us”, “our”) is the
independent supervisory authority responsible for monitoring the application of the General
Data Protection Regulation (“GDPR”) with respect to Norway.
On 2 March 2022, we notified Mowi ASA (“Mowi”, “you”, “your”, “the company”) of our
intention to issue a reprimand and compliance order for having violated Article 14 GDPR.
On 23 March 2022, Mowi acknowledged our advance notification without raising any
arguments to contest the conclusions or factual descriptions laid down in the advance
notification.
On 24 March 2022, Datatilsynet submitted a draft decision—which essentially reproduced the
above advance notification—to the other supervisory authorities concerned in accordance with
Article 60(3) GDPR. None of the other supervisory authorities concerned expressed a relevant
and reasoned objection to the draft decision within four weeks after having been consulted by
Datatilsynet.
Thus, the present decision is adopted in conformity with the advance notification we sent to
Mowi and the draft decision we submitted to the other supervisory authorities concerned.
2. Decision
Pursuant to Article 58(2)(b) GDPR, Datatilsynet issues a reprimand against Mowi for:
1
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons withregard to the processingofpersonal data and onthe free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) OJ [2018] L 119/1.
Postal address: Office addressPhone: Ent.reg: Home page:
P.O. Box 458 Sentrum Trelastgat+47 22 39 69 00974 761 467 www.datatilsynet.no/en/
N-0105 OSLO N-0191 OSLO, • having infringed Article 14 GDPR by failing to provide all of the relevant information
required therein.
Pursuant to Article 58(2)(d) GDPR, Datatilsynet orders Mowi to:
• take measures to ensure that data subjects (including Mowi’s shareholders whose
personal data are processed pursuant to the Norwegian Public Limited Liability
Companies Act) are provided with all of the information required byArticle 14 GDPR,
including by amending its privacy policy as necessary. Such information shall be
provided in a concise, transparent, intelligible and easily accessible form, using clear
and plain language. Mowi shall notifythe measures taken for complying with this order
to Datatilsynet within four weeks after having received the present decision.
3. Factual Background
On 14 April 2021, a data subject residing in Germany who owned shares in Mowi was notified
by his German bank that Mowi had requested his personal data from the bank pursuant to a
3
Norwegian law (i.e., the Norwegian Public Limited Liability Companies Act, § 4-10).
After having received such a notification from his bank, the data subject wrote an email to
info@m4wi.com (i.e., the email address provided in Mowi’s privacy policy in effec5 at the
time) to exercise his right of access under Article 15 GDPR on 26 July2021. On 2 September
2021, the data subject sent the company a reminder of his request to the same email address, 6
7
but he received no response from Mowi.
On 4 October 2021, the data subject sent a complaint against Mowi to Datatilsynet, in which
he essentially claimed that Mowi failed to comply with: (1) Article 14 GDPR, as the company
failed to inform him about the purposes for which his personal data have been collected; and
(2) Articles 12(3) and 15 GDPR, as the companydid not respond within the applicable deadline
to the access requests that the complainant sent to Mowi. The complainant also asked that
Datatilsynet order Mowi to respond to the request at hand pursuant to Article 58(2)(c) GDPR. 8
On 2 December 2021, Datatilsynet sent a letter to Mowi asking the company to provide its
views on the issues raised by the complainant, and we received the company’s response on 23
December 2021. 10
2
Norwegian Public Limited Liability Companies Act (“Lov om allmennaksjeselskaper (allmennaksjeloven)”,
3OV-1997-06-13-45).
See complaint dated 4 October 2021.
4 See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>. All web links
provided in the present letter have been last accessed on 24 March 2022.
5See Annex I to the complaint dated 4 October 2021.
6See Annex II to the complaint dated 4 October 2021.
7See complaint dated 4 October 2021.
8
9Ibid.
10ee Krav om redegjørelse - Mowi ASA (ref: 21/03656-2).
See DATATILSYNETS KRAV OM REDEGJØRELSE – MOWI ASA (ref: 514012) (hereinafter “Mowi’s
Reply to Datatilsynet”).
2,In its reply to Datatilsynet, Mowi acknowledged that it did not respond to the complainant’s
access request.11 However, it stated that this was due to the fact that both emails from the
complainant ended up in the spam folder of the company’s email inbox. Mowi also stated that
13
it would answer the data subject’s request after having responded to Datatilsynet’s inquiry.
Further, Mowi acknowledged that it did not provide any information on the processing at issue
in the present case, n14ther through its privacy policy nor directly to the data subject, pursuant
to Article 14 GDPR. However, it took the view that it was not required to provide any
information on such processing, as it was entitled to rely on the exceptions set out in Article
14(5)(a) and (c) GDPR. 15
On 3 January 2022, Mowi sent the following response to the complainant:
[…] We would like first to express our sincere apologies for not responding to your
access request within the deadline. We have had difficulties with extensive amounts of
spam and phishing attempts towards this inbox, and your requests were caught in the
clutter folder and unfortunately not detected as a legitimate claim through our regular
routines and procedures. This is meant only as an explanation and not an excuse for
our delay in responding. We can assure you that proper measures have been taken to
avoid this happening again. We have established a new privacy inbox in relation our
privacy policy on mowi.com, and have strengthened our follow-up procedures.
Your request to Mowi was, with reference to your email of July 2021, prompted by our
supplierNasdaq’srequesttoyourholdingbankfor thedisclosureofyourdata,pursuant
to section 4-10 of the Norwegian PLC Act. You raised the question of why this request
was made by Nasdaq and on this background submitted an access request.
We will in the following explain the background for Mowi’s request, give an overview
of what is requested, and the legal foundation for our request.
NASDAQ OMX Corporate Solutions International Limited) (“Nasdaq”) is engaged by
Mowi to provide Share Register Analysis Services. The processing of information
gathered for the share register is governed through an Agreement and relevant
supporting documents for processing of personal information. Nasdaq is registered in
the UK and the transfer of personal data to UK is governed by Standard Contractual
Clauses entered into between Mowi and Nasdaq. Specifically in relation to the Service,
Nasdaq on behalf of Mowi ASA reaches out to various Custodian banks to request
shareholder information pursuant to the Norwegian Public Limited Companies Act and
GDPR regulation Article 6(1)(f).
1Ibid., answer to Q.5.
12Ibid., answer to Q.7.
13Ibid., answer to Q.5.
14Ibid., answer to Q.4 (stating: “Vi erkjenner at Mowi selv ikke har gitt informasjon om den aktuelle behandlingen
i sin personvernerklæring. Det har heller ikke vært direkte kommunikasjon med den registrerte.”).
15Ibid.
3, The information collected by Nasdaq is simply the name of the shareholder. Further
information that may be collected is address, country and number of shares held.
The purpose of collecting the information is Mowi’s need to know who the shareholders
are, pursuant to section 4-10 of the Norwegian PLC Act. Mowi uses this information to
follow up investors and share relevant information about the corporation. As a listed
corporation, our investor relations department meet with a lot of investors throughout
the year. A shareholder overview of relevant investors is therefore needed to maintain
proper investor relations services.
According to the Agreement with Nasdaq, Mowi receives from Nasdaq information on
shareholders holding 10,000 shares or more. This means that Mowi has not received
specific information about you as a shareholder, but rather aggregated information of
Custodian banks holding shares for smaller shareholders below the set threshold.
Nasdaq holds the information as long as it is needed, but never longer than 5 years,
whichever is first.
You have the right to request rectification, erasure, and restriction of the personal data
we process on you, and you may object to such processing. As you are aware, you also
have the right to lodge a complaint with the supervisory authority (Norwegian Data
Authorities). […]. 16
On 4 January 2022, the complainant informed Datatilsynet that it found the above response to
be satisfactory.17
On 2 March 2022, Datatilsynet notified Mowi of our intention to issue a repriman18and
compliance order against the company for having violated Article 14 GDPR. In that letter, we
outlinedthefactualbackgroundofthepresentcase; wedescribedthelegalandfactual grounds
on which we based our competence to ha20le the case as a lead supervisory authority under
Article 56 and Chapter VII GDPR; we explained why—in our view—Mowi had violated
Article 14 GDPR, and the company’s arguments regarding the applicability of the exceptions
in Article 14(5)(a) and (c) GDPR are to be rejected; 21 and we described the main flaws in
22
Mowi’s transparency documentation and routines that the company must remedy.
16 See Mowi’s email to the complainant dated 3 January 2022 (hereinafter “Mowi’s Response to the
17mplainant”).
18See email from the complainant dated 4 January 2022.
19See Advance Notification – Reprimand and Compliance Order – Mowi ASA (ref: 21/03656-9).
Ibid., section 3.
20Ibid., section 5.
21Ibid., section 6.2.
22Ibid.
4,On 23 March 2022, Mowi sent us a letter in which the company acknowledged our advance
notification.3 In that latter, Mowi did not raise any arguments to contest the conclusions or
factual descriptions laid down in our advance notification. However, the company informed
Datatilsynet 24at Mowi is in the process of updating its privacy policy, internal documentation
and routines.
4. Legal Background
4.1. Scope of Application of the GDPR
Under Article 2(1) GDPR, the Regulation:
[…] applies to the processing of personal data wholly or partly by automated means and to
the processing other than by automated means of personal data which form part of a filing
system or are intended to form part of a filing system.
Moreover, Article 3(1) GDPR provides that the Regulation:
[…] applies to the processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union, regardless of whether the
processing takes place in the Union or not.
4.2. Definitions
The GDPR lays down the following definitions, which are relevant in the present case:
Pursuant to Article 4(1) GDPR:
“personal data” means any information relating to an identified or identifiable natural
person (“data subject”); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person.
Pursuant to Article 4(2) GDPR:
“processing” means any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.
23
See DPA’S ADVANCE NOTIFICATION – REPRIMAND AND COMPLIANCE ORDER – MOWI ASA (ref:
244012).
Ibid.
5,Pursuant to Article 4(7) GDPR:
“controller” means the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the processing
of personal data; where the purposes and means of such processing are determined by
Union or Member State law, the controller or the specific criteria for its nomination may
be provided for by Union or Member State law.
Pursuant to Article 4(9) GDPR:
“recipient” means a natural or legal person, public authority, agency or another body, to
which the personal data are disclosed, whether a third party or not. However, public
authorities which may receive personal data in the framework of a particular inquiry in
accordance with Union or Member State law shall not be regarded as recipients; the
processing of those data by those public authorities shall be in compliance with the
applicable data protection rules according to the purposes of the processing.
4.3. Obligations Regarding Information and Access to Personal Data
Article14 GDPR establishes whichinformation is tobeprovidedbyacontrollerwherepersonal
data have not been obtained from the data subjects. In particular, Article 14(1) to (4) provides
that:
Where personal data have not been obtained from the data subject, the controller shall
provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the
controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as
the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient
in a third country or international organisation and the existence or absence of an
adequacy decision by the Commission, or in the case of transfers referred to in
Article 46 or 47, or the second subparagraph of Article 49(1), reference to the
appropriate or suitable safeguards and the means to obtain a copy of them or where
they have been made available.
6, In addition to the information referred to in paragraph 1, the controller shall provide the
data subject with the following information necessary to ensure fair and transparent
processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the
criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests
pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification
or erasure of personal data or restriction of processing concerning the data subject
and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2),
the existence of the right to withdraw consent at any time, without affecting the
lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came
from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in
Article 22(1) and (4) and, at least in those cases, meaningful information about the
logic involved, as well as the significance and the envisaged consequences of such
processing for the data subject.
The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the personal data, but at the latest within
one month, having regard to the specific circumstances in which the personal data
are processed;
(b) if the personal data are to be used for communication with the data subject, at the
latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data
are first disclosed.
Where the controller intends to further process the personal data for a purpose other than
that for which the personal data were obtained, the controller shall provide the data subject
prior to that further processing with information on that other purpose and with any
relevant further information as referred to in paragraph 2.
However, Article 14(5) establishes certain exceptions to the above information obligations:
7, Paragraphs 1 to 4 shall not apply where and insofar as:
(a) the data subject already has the information;
[…]
(c) obtaining or disclosure is expressly laid down by Union or Member State law to
which the controller is subject and which provides appropriate measures to protect
the data subject's legitimate interests; […]
Further, Article 15 GDPR reads:
1. The data subject shall have the right to obtain from the controller confirmation as
to whether or not personal data concerning him or her are being processed, and, where
that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will
be disclosed, in particular recipients in third countries or international
organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or,
if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of
personal data or restriction of processing of personal data concerning the data
subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available
information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in
Article 22(1) and (4) and, at least in those cases, meaningful information about the
logic involved, as well as the significance and the envisaged consequences of such
processing for the data subject.
2. Where personal data are transferred to a third country or to an international
organisation, the data subject shall have the right to be informed of the appropriate
safeguards pursuant to Article 46 relating to the transfer.
8, 3. The controller shall provide a copy of the personal data undergoing processing. For
anyfurthercopiesrequestedbythedatasubject,thecontrollermaychargeareasonable
fee based on administrative costs. Where the data subject makes the request by
electronic means, and unless otherwise requested by the data subject, the information
shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the
rights and freedoms of others.
Furthermore, Article 12(1) to (4) GDPR provides that:
1. The controller shall take appropriate measures to provide any information referred
to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating
to processing to the data subject in a concise, transparent, intelligible and easily
accessible form, using clear and plain language, in particular for any information
addressed specifically to a child. The information shall be provided in writing, or by
other means, including, where appropriate, by electronic means. When requested by the
data subject, the information may be provided orally, provided that the identity of the
data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15
to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on
the request of the data subject for exercising his or her rights under Articles 15 to 22,
unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles
15 to 22 to the data subject without undue delay and in any event within one month of
receipt of the request. That period may be extended by two further months where
necessary, taking into account the complexity and number of the requests. The
controller shall inform the data subject of any such extension within one month of
receipt of the request, together with the reasons for the delay. Where the data subject
makes the request by electronic form means, the information shall be provided by
electronic means where possible, unless otherwise requested by the data subject.
4. Ifthe controller does not take action onthe request of the data subject, the controller
shall inform the data subject without delay and at the latest within one month of receipt
of the request of the reasons for not taking action and on the possibility of lodging a
complaint with a supervisory authority and seeking a judicial remedy.
4.4. Competence, Tasks and Powers of Supervisory Authorities under the GDPR
Pursuant to Article 55(1) GDPR:
Each supervisory authority shall be competent for the performance of the tasks assigned to
and the exercise of the powers conferred on it in accordance with this Regulation on the
territory of its own Member State.
9,Further, Article 56(1) reads as follows:
Without prejudice to Article 55, the supervisory authority of the main establishment or of
the single establishment of the controller or processor shall be competent to act as lead
supervisory authority for the cross-border processing carried out by that controller or
processor in accordance with the procedure provided in Article 60.
The term “main establishment” is defined in Article 4(16) GDPR as follows:
“main establishment” means:
(a) as regards a controller with establishments in more than one Member State, the
placeof its central administrationin theUnion,unlessthedecisions onthe purposes
and means of the processing of personal data are taken in another establishment of
the controller in the Union and the latter establishment has the power to have such
decisions implemented, in which case the establishment having taken such decisions
is to be considered to be the main establishment; […].
The term “cross-border processing” is defined in Article 4(23) as follows:
“cross-border processing” means either:
(a) processing of personal data which takes place in the context of the activities of
establishments in more than one Member State of a controller or processor in the
Union where the controller or processor is established in more than one Member
State; or
(b) processing of personal data which takes place in the context of the activities of a
single establishment of a controller or processor in the Union but which
substantially affects or is likely to substantially affect data subjects in more than one
Member State.
Pursuant to Article 58(2) GDPR:
Each supervisory authority shall have all of the following corrective powers:
(a) to issue warnings to a controller or processor that intended processing operations
are likely to infringe provisions of this Regulation;
(b) to issuereprimands toa controller or aprocessorwhereprocessingoperations have
infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject's requests
to exercise his or her rights pursuant to this Regulation;
10, (d) to order the controller or processor to bring processing operations into compliance
with the provisions of this Regulation, where appropriate, in aspecified manner and
within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing
pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients
to whom the personal data have been disclosed pursuant to Article 17(2)and Article
19;
(h) to withdraw a certification or to order the certification body to withdraw a
certification issued pursuant to Articles 42 and 43, or to order the certification body
not to issue certification if the requirements for the certification are not or are no
longer met;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of
measures referred to in this paragraph, depending on the circumstances of each
individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an
international organisation.
4.5. EEA and Norwegian Law
The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”)
Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint
Committee Decision”). 25
Article 1(b) of the EEA Joint Committee Decision provides that:
[…] the terms “Member State(s)” and “supervisory authorities” shall be understood to
include, in addition to their meaning in the Regulation, the EFTA States and their
supervisory authorities, respectively.
Further, Article 1(c) of the EEA Joint Committee Decision reads as follows:
References to Union law or Union data protection provisions shall be understood as
referring to the EEA Agreement or data protection provisions contained therein,
respectively.
25
Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 amending Annex XI (Electronic
communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in
Article 101) to the EEA Agreement OJ [2018] L 183/23.
11,The Norwegian Personal Data Act incorporated the GDPR into Norwegian law. The Personal
Data Act and the GDPR entered into force in Norway on 20 July 2018.
5. Datatilsynet’s Competence
Mowi is one of the largest seafood companies in the world. It has its headquarter in Norway,
but has operations in at least 25 countries, including Belgium, Czech Republic, France,
Germany, Ireland, the Netherlands, Italy, Poland, Spain, and Sweden. Moreover, Mowi is listed
ontheOsloStockExchange(OSE)anditssharealsotradesontheUSOTCmarket. Therefore, 27
it has shareholders in several EU/EEA countries, includingin Germany(where the complainant
resides).
Thus, Mowi has several establishments in the EU/EEA, including in Norway, and in the context
of the activities of these establishments it processes personal data, including personal data of
its shareholders. Therefore, the GDPR applies to such data processing activities in accordance
with Article 3(1) GDPR.
With respect to the processing of the personal data of its shareholders (including the
complainant) in accordance with § 4-10 of the Norwegian Public Limited Liability Companies
Act, Mowi qualifies as a controller (within the meaning of Article 4(7) GDPR), as it is Mowi
that decide(d) to collect and process shareholder information—through its processor NASDAQ
OMX Corporate Solutions International Limited—to “follow up investors and share relevant
information about the corporation”. 28
As Mowi has a main establishment (within the meaning of Article 4(16) GDPR) in the EEA
and its processing of shareholder information is cross-border (within the meaning of Article
4(23)GDPR),the cooperationmechanism and procedure set out in Articles 56(1)and60 GDPR
apply to the present case. Further, given that Mowi’s main establishment is located in Norway,
Datatilsynet is competent to act as lead supervisory authority in the case at hand pursuant to
Article 56(1) GDPR.
6. Datatilsynet’s Assessment
6.1. Mowi’s Failure to Respond to the Complainant’s Access Request
Under Article 12(3) GDPR, controllers are required to respond to access requests submitted
pursuanttoArticle15GDPR“withoutunduedelayandinanyeventwithinonemonthofreceipt
of the request.” However, in exceptional circumstances, that period may be extended by two
further months.
26Act No 38 of 15 June 2018 relating to the processing of personal data (“personopplysningsloven”).
27See: <https://mowi.com/>.
28
See Mowi’s Reply to Datatilsynet; Mowi’s Response to the Complainant.
12,Inthepresent case,Mowihasacknowledged thatit failedtorespondtothecomplainant’saccess
request within the above deadline. 29 However, Mowi stated that this was due to the fact that
30
both emails from the complainant ended up in the spam folder of the company’s email inbox.
Under Article 12(2) GDPR, controllers have an obligation to “facilitate the exercise” of the data
subject right under Article 15 GDPR. This entails—among other things—that controllers
should take adequate technical and organizational measures to ensure that they can receive and
handle in a timely manner the access requests they receive from data subjects. In the words of
the European Data Protection Board (EDPB):
The controller should provide appropriate and user-friendly communication channels that
can easily be used by the data subject.31
This means that, although controllers remain free to decide which specific communication
channelshouldbeused forsubmittingaccess requests,theymustensurethatthecommunication
channel they implement is easy to use and effective. Thus, if a controller decides to receive
access requests via email, it must make sure that the email account it uses for this purpose
implements state-of-the-art anti-spam protection—which does not treat legitimate access
requests as spam—and/or that it monitors the spam folder on a regular basis to identify the
presence of possible legitimate access requests. Effective anti-spam solutions (e.g., CAPTCHA
solutions) do exist and should be adequately considered by the controller, in accordance with
its accountability obligations under the GDPR. 32
In the present case, Mowi’s anti-spam solution failed to “facilitate” the exercise of the right
under Article 15 GDPR, in breach of Article 12(2) GDPR, as it treated a legitimate access
request as spam twice, leading to such a request remaining unanswered for over 5 months.
Nonetheless, we consider such an infringement to be minor, for the following reasons:
• It appears to have affected a single data subject who was eventually satisfied with the
delayed reply it received from Mowi; 34
• To date, Datatilsynet has not received any other complaints concerning Mowi’s
compliance with Articles 12(2) and 15 GDPR; and
29
30Ibid.
Ibid.
31EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version 1.0, Adopted on 18 January)
(hereinafter “EDPB Guidelines on the Right of Access”), p. 2.
32Arts. 5(2) and 24 GDPR.
33Cf. rec. 148 GDPR.
34See Mowi’s Reply to Datatilsynet, answer to Q.7.
13, • After Datatilsynet’s inquiry, Mowi created a new email address to be used for sending
access req35sts, which according to the company has enhanced filters for spam and
phishing.
In light of the above, we find that—in the present case—it is not warranted to issue any
corrective measures for this infringement, and considers the matter concerning Mowi’s failure
to reply to the complainant’s access request to be amicably settled. However, this is without
prejudice to the possibility of opening future inquiries to verify whether the new email account
set up by Mowi enables the company to comply with Articles 12(2) and 15 GDPR.
6.2. Mowi’s Failure to Comply with Article 14 GDPR
In the present case, Mowi acknowledged that it did process—through it processor NASDAQ
OMX Corporate Solutions International Limited—the personal data of the complainant, 37 as
38
well as the personal data of other shareholders, under the Norwegian Public Limited
Companies Act. It also stated that such personal data were and are normally obtained from
“various Custodian banks”, 39 and not directly from the individual shareholders.
Further, Mowi acknowledged that it did not provide any information on the processing of
shareholder information pursuant to the Norwegian Public Limited Companies Act, neither
directly to the data subject nor in its privacy policy.40 Indeed, Mowi’s privacy policy in effect
at the time of the complaint simply stated:
This privacy notice applies for processing of personal data carried out by Mowi for any
persons not employed by Mowi.
[…]
Mowi collects personal data by/fromdirect contactwithyou,onlineforms,third parties,
newsletters etc.
[…]
The legal basis and the purpose for41owi’s processing of your personal data is based
on your consent, and direct mail.
35Ibid. (stating: “Mowi har […] gjort tiltak for at dette ikke skal skje igjen. Det er opprettet en ny epostadresse for
slike henvendelser (privacy@mowi.com) med forbedrede filtre for spam og phishing”).
36Cf. rec. 131 GDPR.
37
38Mowi’s Reply to Datatilsynet, answers to Q.1.
Mowi’s Response to the Complainant (stating: “Nasdaq on behalf of Mowi ASA reaches out to various
39stodian banks to request shareholder information pursuant to the Norwegian Public Limited Companies Act”).
Ibid.
40Mowi’s Reply to Datatilsynet, answer to Q.4 (stating: “Vi erkjenner at Mowi selv ikke har gitt informasjon om
den aktuelle behandlingen i sin personvernerklæring”).
41See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
14,However,initsfirstreplytoDatatilsynet,Mowitooktheviewthatitwasnot requiredtoprovide
any information on the processing at hand pursuant to Article 14(5)(a) and (c) GDPR. In this
regard, Mowi argued:
The complainant has bought shares in Mowi via his bank, where the bank acts as the
custodian of the shareholding. It is assumed that in this connection the complainant has
become aware that information about him is disclosed to the company in which he buys
shares. This must also be seen in connection with the Public Limited Liability
Companies Act §4-10 fourth paragraph where it is explicitly stated that the company
has an unconditional right to receive information from the custodian about who is the
underlying owner of the shares covered by the custodian assignment, and how many
shares each individual owns. It must be assumed that a shareholder who uses a
custodian is familiar withthis provision.Mowi is thereforeof theopinionthat nofurther
information is necessary, cf. Article [sic] 15 a) and c) of the GDPR. (our translation) 42
In our view, Mowi’s arguments regarding the applicability of the exceptions in Article 14(5)(a)
and (c) in the context at issue in the present case are to be rejected. This is for the reasons
outlined below.
First, as noted by the EDPB, the exceptions in Article 14(5) should be interpreted and applied
narrowly. Thus, any broad derogation from the information obligations laid down in Article
14—such as the one that Mowi advocates for—should be rejected.
Secondly, Article 14(5)(a) sets out an exception to the information obligations in Article 14,
which applies “where and insofar as” the data subject already has the information. Thus, this
exception applies only if the controller can “demonstrate (and document) what information the
data subject already has, how and when they received it”. Thus, to rely on this exception, it is
notsufficientto“assume”thatadatasubjecthasreceivedtheinformationrequiredunderArticle
14, as Mowi did in this case. Indeed, Mowi did not produce anyevidence that the complainant’s
42Mowi’s Reply to Datatilsynet, answer to Q.4 (stating in Norwegian: “Klageren har kjøpt aksjer i Mowi via sin
bank, hvor banken opptrer som forvalter av aksjeposten. Det forutsettes at klager i den forbindelse har blitt kjent
med at opplysninger om ham formidles til selskapet han kjøper aksjer i. Dette må også sees i sammenheng med
allmennaksjeloven §4-10 fjerde avsnitt hvor det uttrykkelig fremkommer at selskapet har en ubetinget rett til å få
opplyst fra forvalteren hvem som er underliggende eier av de aksjer forvalteroppdraget omfatter, og om hvor
mange aksjer hver enkelt eier. Det må forutsettes at en aksjonær som benytter forvalter også er kjent med denne
bestemmelsen. Mowi er derfor av den oppfatning at det ikke er nødvendig med ytterligere informasjon, jfr.
personvernforordningens artikkel [sic] 15 a) og c). Vi erkjenner at Mowi selv ikke har gitt informasjon om den
aktuelle behandlingen i sin personvernerklæring. Det har heller ikke vært direkte kommunikasjon med den
registrerte. På bakgrunn av saken vil vi gjennomgå våre rutiner for informasjon for å vurdere om slik informasjon
skal gis direkte, eller på annen hensiktsmessig måte”). Note that Mowi has acknowledged that in this passage it
intended to refer to Article 14(5)(a) and (c), and not to Article 15. See Mowi’s email to Datatilsynet dated 23
December 2021.
43Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01, Adopted on
As last Revised and Adopted on11 April 2018) (hereinafter “Transparency Guidelines”), para. 57. Such guidelines
have been endorsed by the EDPB. See EDPB, Endorsement 1/2018 (25 May 2018).
44Ibid., para. 56.
15,bank provided him with any information on Mowi’s processing of his personal data; it just
assumed it. 45
Further, the exception in Article 14(5)(a) only applies “insofar as” the data subject has the
information required in Article 14(1) to (2). This means that this exception applies only with
respect to the specific information that the data subject actually has. However, the controller
must supplement that information to ensure that the data subject has a complete set of the
information listed in Article 14(1) to (2). In this regard, it should be noted that at least some—
if not all—of the information listed in Article 14(1) to (2) was not available to the complainant.
For instance, the complainant was not aware at least of the following:
• The legal basis for the processing under the GDPR (Article 14(1)(c)). According to
47
Mowi,therelevantlegal basiswasArticle6(1)(f). Nonetheless,Mowi’sprivacypolicy
only mentioned consent as a legal basis for the “processing of personal data carried out
by Mowi for any persons not employed by Mowi” (emphasis added), and the Public
Limited Liability Companies Act does not provide any information on the legal basis to
be relied on under the GDPR for processing shareholder information.
• The recipients or categories of recipients of the personal data (Article 14(1)(e)). In its
replies to Datatilsynet and the complainant, Mowi stated that shareholder information
is disclosed to NASDAQ OMX Corporate Solutions International Limited, 49 although
Mowi’s privacy policy stated that “personal data are not to be disclosed to third parties
50
unless Mowi is obliged to disclose such information”, and no such obligation exists
under the Norwegian Public Limited Liability Companies Act with respect to third
parties such as NASDAQ.
• Information on international data transfers and suitable safeguards (Article 14(1)(f)). In
its reply to the complainant, Mowi stated that “Nasdaq is registered in the UK and the
transfer of personal data to UK is51overned by Standard Contractual Clauses entered
into between Mowi and Nasdaq”. However,Mowi’sprivacypolicystated: “Mowi will
not transfer your personal data to third countries outside the EU/EEA unless you have
you have expressly been informed [and consented to] otherwise”.
• The period for which the personal data will be stored (Article 14(2)(a)). In its reply to
the complainant, Mowi stated: “Nasdaq holds the information as long as it is needed,
but never longer than 5 years, whichever is first.” However, no such information was
45
46Mowi’s Reply to Datatilsynet, answer to Q.4 (stating: “Det forutsettes at klager …”, emphasis added).
47Transparency Guidelines, para. 56.
Mowi’s Reply to Datatilsynet, answer to Q.2.
48See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
49Mowi’s Reply to Datatilsynet, answer to Q.3; Mowi’s Response to the Complainant. In should be noted that
processors qualify as recipients under Article 4(9) GDPR. See Transparency Guidelines, page 37.
50See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
51Mowi’s Response to the Complainant.
16, mentioned in Mowi’s privacypolicy, nor does the Norwegian Public Limited Liability
Companies Act regulate such a retention period.
Thirdly, the exception in Article 14(5)(c) applies when the following two conditions are met:
(1) “obtaining or disclosure is expressly laid down by Union or Member State law to which the
controller is subject”; and (2) such law “provides appropriate measures to protect the data
subject’s legitimate interests”.
As for the first condition, the EDPB noted that:
Such a law must directly address the data controller and the obtaining or disclosure in
question should be mandatory upon the data controller. Accordingly, the data controller
must be able to demonstrate how the law in question applie53to them and requires them to
either obtain or disclose the personal data in question. (emphasis added)
In this regard, it should be noted that—as acknowledged by Mowi —§ 4-10 of the Norwegian
Public Limited Liability Companies Act provides for a “right” which enables Mowi to obtain
shareholder information; it does not require Mowi to obtain such information. Indeed, Mowi
claimed that the legal basis for processing shareholder information pursuant to the Norwegian
Public Limited Liability Companies Act is Article 6(1)(f), and not Article 6(1)(c) GDPR. Thus,
the first condition laid down in Article 14(5)(c) is not met in the present case.
For completeness purposes, it should be noted that also the second condition set out in Article
14(5)(c) is not met in thepresent case, as Mowi failed to demonstrate that the Norwegian Public
Limited Liability Companies Act provides appropriate measures to protect the data subjects’
(i.e., the shareholders’) legitimate interests and how Mowi complied with such appropriate
measures. As noted by the EDPB:
While it is for Union or Member State law to frame the law such that it provides
“appropriate measures to protect the data subject’s legitimate interests”, the data
controller should ensure (and be able to demonstrate) that its obtaining or disclosure of
personal data complies with those measures. 56
In any event, it should be noted that, even when a controller is able to rely on the exception in
Article 14(5)(c):
52See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
53
54Transparency Guidelines, para. 66.
Mowi’sReplytoDatatilsynet, answertoQ.4(statinginNorwegian:“[…]allmennaksjeloven§4-10fjerdeavsnitt
hvor det uttrykkelig fremkommer at selskapet har en ubetinget rett til å få opplyst fra forvalteren hvem som er
underliggende eier av de aksjer forvalteroppdraget omfatter, og om hvor mange aksjer hver enkelt eier”; emphasis
added).
55Norwegian Public Limited Liability Companies Act, § 4-10, which reads in Norwegian: “Dersomselskapet eller
en offentlig myndighet krever det, plikter forvalteren å gi opplysninger om hvem som eier de aksjer
forvalteroppdraget omfatter, og om hvor mange aksjer hver enkelt eier”.
56Transparency Guidelines, para. 66.
17, the data controller should make it clear to data subjects that it obtains or discloses personal
data in accordance with the law in question, unless there is a legal prohibition preventing
the data controller from doing so. 57
Fourthly,Mowi’sprivacypolicyineffectatthetimeofthecomplaintwouldhaveledessentially
any data subject to believe that the “processing of personal data carried out by Mowi for any
persons not employed by Mowi,” including “personal data by/from […] third parties” would
exclusively take place on the basis of the data subject’s consent, for advertising purposes (“The
legal basis and the purpose for Mowi’s processing of your personal data is based on your
consent, and direct mail”) (emphasis added). Thus, any data subject/shareholder who would
have reasonably relied on the information provided in Mowi’s privacy policy would have most
likely concluded that Mowi did not process personal data for any other purpose or legal basis.
This kind of incomplete and misleading communication is incompatible with the transparency
principle set out in Article 5(1)(a) GDPR.
In this regard, it should be noted that—after the opening of Datatilsynet’s inquiry—Mowi
partially amended its privacy policy on 20 December 2021, and its privacy policy no longer
59
refers exclusively to consent as a legal basis for Mowi’s processing activities.
In light ofthe above, theinformation obligations laid downin Article14 GDPR were applicable
to Mowi. Thus, Mowi violated Article 14, as it failed to provide all of the information required
under that Article within one month after having obtained the complainant’s personal data from
his bank.60
In ourview, such aviolation warrants theimpositionofareprimandpursuant to Article58(2)(b)
GDPR. This is because the complainant was eventually provided with the information he
wished to obtain—albeit with a considerable delay—and hence the detriment suffered by the
complainant was minimal in practice, which is confirmed by the fact that the complainant was
satisfied with Mowi’s delayed reply. However, Mowi’s approach with regard to its obligations
under Article 14 entails that similar violations have likely taken place with respect to other
shareholders andmayreoccurinthefuture. Thus,theadoptionofacorrectivemeasureappears
to be appropriate in this case, in particular to discourage future similar instances of non-
compliance, and uphold the data protection rights of other shareholders.
In addition, while the scope of our inquirydid not cover a full review of Mowi’s privacy policy
in effect at the time of the present decision, we note that the privacy policy as last amended in
December 2021 appears to be insufficient to comply with the transparency obligations that
Mowi has under the GDPR. For instance:
57
58Ibid.
See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>. The Norwegian
version of the privacy policy stated, more clearly: “rettsgrunnlaget for Mowis behandling av personopplysningene
dine er ditt samtykke, og formålet er utsendelse av reklame”.
59See: <https://mowi.com/about/privacy-policy/>.
60Art. 14(3)(a) GDPR.
61Note that Mowi stated that “Nasdaq on behalf of Mowi ASA reaches out to various Custodian banks to request
shareholder information pursuant to the Norwegian Public Limited Companies Act” (emphasis added). See
Mowi’s Response to the Complainant.
18, • Under “legal basis and purpose”, Mowi’s privacy policy—which applies to the
“processing of personal data carried out by Mowi for any persons not employed by
Mowi” (emphasis added)—simplyreplicates the wordingof Article 6(1) GDPR without
clarifying the actual purposes of, and legal basis for, the specific data processing
activities envisaged by Mowi so as to allow the data subject to assess, on the basis of
his or her own situation , what legal basis/purpose(s) apply. The privacypolicymerely
states:
“Mowi may process Personal Data relating to Users if one of the following applies:
Users have given their consent for one or more specific purposes. Note: Under some
legislation Mowi maybe allowed to process Personal Data until the User objects to such
processing (“opt-out”), without having to rely on consent or any other of the following
legal bases. This, however, does not apply, whenever the processing of Personal Data
is subject to European data protection law;
provision of Data is necessaryfor the performance of an agreement with the User and/or
for any pre-contractual obligations thereof;
processingis necessaryforcompliancewith alegal obligationto whichMowi is subject;
processing is related to a task that is carried out in the public interest or in the exercise
of official authority vested in Mowi;
processing is necessary for the purposes of the legitimate interests pursued by Mowi or
by a third party.
In any case, Mowi will gladly help to clarify the specific legal basis that applies to the
processing, and in particular whether the provision of Personal Data is a statutory or
contractual requirement, or a requirement necessary to enter into a contract.” 63
• With regard to international data transfers, the privacy policy states: “Mowi will not
transfer your personal data to third countries outside the EU/EEA unless you have you
have expressly been informed [and consented to] otherwise”, 64 although Mowi has
acknowledged that it transfers at least shareholder information to NASDAQ in the UK,
without consent.
• With regard to data retention periods, the privacy policy states that “Personal Data shall
be processed and stored for as long as required by the purpose they have been collected
65
for,” without providing any additional information that would enable the data subject
62Cf. Transparency Guidelines, page 9.
63See: <https://mowi.com/about/privacy-policy/>.
64Ibid.
65Ibid.
19, to assess, on the basis of his or her own situation, what the retention period will be for
66
specific data/purposes.
The examples provided above show that—if Mowi’s privacypolicyis at least partiallyintended
to provide the information required by Article 14 GDPR, as it seems to be the case, given that
the privacy policy states that “Mowi collects personal data by/from direct contact with you,
online forms, third parties, newsletters etc.” (emphasis added)—to ensure full compliance with
Article 14 Mowi not only needs to make sure that its shareholders are given the necessary
information when their personal data are processed in accordance with the Norwegian Public
Limited Liability Companies Act (as outlined above); Mowi also needs to ensure that the
company’s privacy policy intended to provide information on the collection of personal data
from third parties is appropriately phrased and includes all of the information required under
the GDPR.
Mowi has already indicated its intention to update its privacy policy, and transparency
documentation and routines. In particular, after having received Datatilsynet’ advance
notification, Mowi informed Datatilsynet of its intention to introduce the following changes to
its privacy policy:
It shall include information on processing of the personal data of shareholders,
collected via third parties such as Nasdaq.
It shall describe Mowi’s legal basis for processing shareholders personal data. The
legalbasisisGDPRarticle6(1)(f),onaccountof Mowi’slegimitateinterestinknowing
its investors, in order to follow-upinvestors andprovidethese withrelevant information
on the company. As a listed corporation, our investor relations department meet with a
lot of investors throughout the year. A shareholder overview of relevant investors is
therefore needed to maintain proper investor relations services.
The privacy policy shall describe that data processors may be recipients of the personal
data processed, cf. the GDPR article 14 (1) (e).
International data transfers and suitable safeguards shall be described, cf. GDPR
article 14 (1) (f), e.g. transfers to Nasdaq on the basis of Standard Contractual Clauses.
The information on retention periods in accordance with GDPR article 14 (2) (a) shall
67
be supplemented.
Further,thecompanystatedthat “[a]llupdatedinformationintheprivacypolicywillbeupdated
correspondingly in Mowi’s internal documentation and routines.” 68
66Transparency Guidelines, page 38.
67See DPA’S ADVANCE NOTIFICATION – REPRIMAND AND COMPLIANCE ORDER – MOWI ASA
(ref: 514012).
68
Ibid.
20,Nonetheless, to make sure that these changes are actually and properly implemented, we deem
it necessary to formally order Mowi to bring its information routines and documentation into
compliance with Article 14 GDPR, and to notify the measures taken for complying with such
ordertoDatatilsynetwithinfourweeksafterhavingreceivedthepresentdecision,inaccordance
with Article 58(2)(d) GDPR.
While the present inquiry has only focused on Mowi’s compliance with Articles 12, 14 and 15
GDPR in connection with the above-mentioned complaint, this is without prejudice to the
possibility of opening future inquiries to assess Mowi’s compliance with Article 13 GDPR,
including with respect to its privacy policy.
7. Right of Appeal
As this decision has been adopted pursuant to Article 56 and Chapter VII GDPR, the present
decision may be appealed before Oslo District Court (“Oslo tingrett”) in accordance with Article
78(1) GDPR, Article 25 ofthe Norwegian Data Protection Act, and Article 4-4(4) ofthe Norwegian
Dispute Act.69
Kind regards
Tobias Judin
Head of International
Luca Tosoni
Senior Legal Advisor
This letter has electronic approval and is therefore not signed
69
Act of 17 June 2005 no. 90 relating to mediation and procedure in civil disputes (Lov om mekling og rettergang
i sivile tvister (tvisteloven)).
21
