Datatilsynet (Norway) - 23/03206: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 74: | Line 74: | ||
The investigation opened by the DPA showed that the email addresses were disclosed to the controller by the municipality pursuant to the Norwegian Act relating to the right of access to documents in public administration (''Offentleglova''). | The investigation opened by the DPA showed that the email addresses were disclosed to the controller by the municipality pursuant to the Norwegian Act relating to the right of access to documents in public administration (''Offentleglova''). | ||
The controller firstly argued that it processed this data in accordance with [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. Since this legal basis was not accepted by the DPA, the controller then argued it could rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. | The controller firstly argued that it processed this data for political advertising purposes in accordance with [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. Since this legal basis was not accepted by the DPA, the controller then argued it could rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. | ||
Finally, the controller noted that it had used a processor to send the emails. | |||
=== Holding === | === Holding === | ||
Latest revision as of 13:58, 17 September 2024
| Datatilsynet - 23/03206 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 6(1)(f) GDPR Article 14 GDPR Offentleglova |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 30.08.2024 |
| Published: | 11.09.2024 |
| Fine: | n/a |
| Parties: | Stavanger Arbeiderparti |
| National Case Number/Name: | 23/03206 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | fb |
The DPA issued a reprimand to a political party after it sent political advertisements to data subjects via emails. Even though the email addresses were obtained lawfully through a freedom of information request, the DPA found that the processing had no legal basis.
English Summary
Facts
On 20 August 2023, several parents of children in kindergartens received an email from the majority parties of a municipality.
After receiving this email, several data subjects filed a complaint with the DPA.
The investigation opened by the DPA showed that the email addresses were disclosed to the controller by the municipality pursuant to the Norwegian Act relating to the right of access to documents in public administration (Offentleglova).
The controller firstly argued that it processed this data for political advertising purposes in accordance with Article 6(1)(e) GDPR. Since this legal basis was not accepted by the DPA, the controller then argued it could rely on Article 6(1)(f) GDPR.
Finally, the controller noted that it had used a processor to send the emails.
Holding
First of all, the DPA believed that the municipality rightfully disclosed the addresses, since the Freedom of Information Act provides for an appropriate legal basis for this processing.
Secondly, the DPA investigated who was the controller in the case at hand. Since the Stavanger Labour Party stated that it processed data also on behalf of the other majority parties, the DPA assumed that this entity was the controller.
Thirdly, the DPA analysed the legal basis. The DPA pointed out that the controller has failed to provide documentation about whether a legitimate interest assessment had been carried out.
However, the DPA further noted that it is clear that this processing had some negative consequences on data subjects, since the DPA received several complaints. According to the DPA, this shows that this processing operation was not foreseeable for data subjects.
Furthermore, the DPA pointed out that, even though the data was lawfully disclosed by the municipality, it was then used for a purpose outside the scope of the Freedom of Information Act.
In every case, the DPA found that this processing was lacking of legal basis since the controller failed to demonstrate its assessment.
Fourthly, the DPA recalled that the controller used a processor to send the emails and shared the data subjects’ email addresses with it. The DPA noted that no specific data processing agreement was entered into with the processor. However, the controller argued that it had accepted the Terms of Service while creating the account. The DPA accepted this argument since Article 28(3) GDPR does not impose any formal requirements.
Fifthly, the DPA found a violation of Article 14 GDPR since the controller failed to provide data subject with the information set by that article. The controller explicitly admitted this failure.
Sixthly, the DPA investigated the data retention period. The DPA found that the email addresses were deleted manually soon after the sending of the email and therefore found no violation on this point.
On these grounds, the DPA issued a reprimand to the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Sissel Beate Fuglestad
Your reference Our reference Date
23/03206-24 30.08.2024
Decision on reprimand - sending of political advertising by e-mail
In August 2023, the Norwegian Data Protection Authority received several complaints from private individuals who had received an e-mail
from the majority parties in Stavanger (Arbeiderpartiet, People's Party - FNB, Green Party De
Green, Red, Center Party and SV). We decided to carry out investigations into the legality
of the treatments that were the subject of the complaints.
We sent, on the basis of the Personal Data Protection Regulation article 58 no. 1, letter a, a demand for
statement to the Stavanger Labor Party on 8 September 2023. We received a reply on 28
September 2023. The Norwegian Data Protection Authority sent a request for further explanation on 1 November 2023,
which was answered on November 7, 2023.
In a letter of 22 July 2024, the Norwegian Data Protection Authority notified a decision on reprimand, cf.
the personal protection regulation article 58 no. 2, letter b. In their reply of 23 August 2024,
you have taken note of our notice, and we will make a final decision in line with the notice.
1. Background of the case
The e-mail in question was sent on 20 August 2023 in connection with the municipal elections and
the recipients were parents of children in kindergartens and schools in Stavanger municipality. Parents'
contact information had been handed over by Stavanger municipality to the Majority Parties in
Stavanger in accordance with the Public Act. In the complaints the Norwegian Data Protection Authority has received, questions are asked
by the legality of the municipality's and the Plural parties' processing of personal data.
The case has also been discussed in the media.
Through the Norwegian Data Protection Authority's investigation into the matter, it has emerged that the Majority Parties
sent a request for access to the joint post office for Education and training in the municipality, at
on behalf of the cooperation parties (Arbeiderpartiet, Folkets Parti, SV, Rødt, MDC and
Center Party). The request for access was worded as follows:
Postal address: Office address: Telephone: Organization number: Website:
PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO «Hello. Can we have access to the lists of children of kindergarten age and 1st and 2nd graders in
Stavanger with contact information for all parents. Preferably also email. Such lists are given to both
churches and private schools - and is (unfortunately) public information"
The majority parties have stated that the request for access was clearly limited to sensitive
information, they did not want to be given their name, date of birth or telephone number.
Through the access request, information on addresses and e-mail addresses was released.
The email addresses were uploaded to the program Brevo, and the information was then deleted at
The majority parties. It is also stated that the email addresses were to be deleted by Brevo by agreement
after the sending of the e-mails in question had been completed.
2. The Norwegian Data Protection Authority's investigation
In what follows, the Norwegian Data Protection Authority reviews the various topics considered in the case.
2.1. Delivery from Stavanger municipality
Any processing of personal data requires a legal basis to be legal.
The Personal Data Protection Regulation sets out various alternative legal bases. In addition to
personal data protection regulation, special regulations may authorize the processing of
personal data.
The municipality's disclosure of personal data was made following a request for access
public law, and the requirement for a legal basis for this processing activity is considered fulfilled.
2.2. The majority party's processing of information
2.2.1. What personal data was received and processed by
The majority parties
Through the reports to the Norwegian Data Protection Authority, Stavanger Labor Party has on behalf of
The majority parties stated that through the access requirement they collected contact information for everyone
parents with children of kindergarten age and the first two stages of primary school.
The municipality was explicitly asked not to disclose names of guardians or children, date of birth,
telephone etc. The information that was handed over to the Majority Parties contained information about
school/grade, street address and email address.
The information that was forwarded to Brevo consisted exclusively of a list of
email addresses.
Email addresses are considered personal data, and in the following we assume that
The privacy regulations also apply to the disclosure of this information to
Letter.
2 2.2.2. The purpose of the processing of personal data (collection and so on
processing) in connection with sending e-mails
A basic principle in the privacy regulations is the requirement for purpose determination. It follows
of the personal protection regulation article 5 no. 1 letter b) that the purpose of processing of
personal data must be specifically and explicitly stated. The statement of purpose determines
including which information is relevant and necessary.
Through the Norwegian Data Protection Authority's investigation of the matter, it appears clear that the purpose of
The majority parties were to first get an overview of the guardian's contact information, then to
be able to send out targeted and relevant information to parents in connection with
municipal election 2023.
It has been stated that it was desirable to inform parents about the consequences for
the parents of young children with the position of the various party groupings, information that became
considered "generally useful".
2.2.3. Processing responsibility
The Danish Data Protection Authority has investigated who is responsible for the collection and use of data
personal data for sending the e-mail that the complaints are about.
Following our demand for an explanation, it is stated that information collection and sending of
e-mail was made on behalf of said majority parties. Stavanger is responsible for processing
Labor Party.
The Personal Data Protection Regulation and the accountability principle require that there is clarity about who
is responsible for the processing of personal data, also when using
data processors. See, among other things, Article 5 No. 2 and Article 29.
In the case of shared/joint responsibility, the distribution of responsibility must be determined in an open manner, cf. Article 26.
Stavanger Arbeiderparti has stated that they are responsible for processing, on behalf of
The majority parties. No agreement indicating other responsibilities has been presented.
The Norwegian Data Protection Authority has therefore assumed that it is the Stavanger Labor Party that alone is
controller for the processing of personal data to which the case relates.
2.2.4. The legal basis for the processing(s)
2.2.4.1. About the basis in question
When personal information is obtained through access in accordance with the Public Service Act, it must be further used
of the information take place in accordance with the rules in the Personal Data Act and
the personal data protection regulation. Basic principles for processing personal data are
laid down in the personal data protection regulation art. 5 no. 1 letter a - f. The principle of legality implies
that there must be a legal basis for the processing of personal data. It has to
3 there is a legal basis for all processing activities carried out in this case
including the delivery to Brevo and the sending of e-mails.
Personal data protection regulation art. 6 no. 1 contains six alternative legal grounds (letter a -
f).
Initially, the Stavanger Labor Party stated that the relevant legal basis for their
processing of personal data was the personal data protection regulation article 6, no. 1 letter e).
The Norwegian Data Protection Authority refuted in a letter of 1 November 2023 that this option could be used for it
current treatment.
The Stavanger Labor Party has since stated that they have a legal basis in article 6, no. 1, letter
f). According to this provision, processing of personal data may be lawful if it
is necessary for purposes related to the legitimate interests pursued by it
data controller. The provision requires that a balance be made and that
controllers must decide whether the interests or rights of the data subject and
freedoms and the need to protect personal data must take precedence over the legitimate interest.
The person responsible must therefore both explain the legitimate interests and assess whether
the processing may have an impact on the interests of the data subjects. Next, a
balance between these before it can be established that a treatment has a legal basis
the alternative in the personal data protection regulation article 6 no. 1 letter f).
We note that there is no requirement for such assessments to be in writing
the privacy regulations. However, it is difficult to demonstrate compliance without assessments
be documented.
We also refer in that context to the obligation to provide information in the Personal Data Protection Ordinance
article 14 no. 2 letter b) implies that the registered persons are entitled to receive the information which
is necessary to ensure fair and open treatment. It is specified in the provision that
if the legal basis for the processing follows from Article 6 no. 1 letter f, it shall
are informed about the legitimate interests pursued by the data controller.
We asked the Majority Parties to explain the balancing of interests that was carried out before
the processing started, including how privacy considerations were assessed and emphasised, cf.
personal data protection regulation art. 6 no. 1 letter f. We further requested that any written
documentation was attached to the statement.
2.2.4.2. The assessments carried out by the Stavanger Labor Party
The Stavanger Labor Party has stated that the assessments they carried out were not documented
in writing.
It is therefore difficult for the Norwegian Data Protection Authority to take a position on the assessment of authorization for
the processing of personal data was carried out lawfully. In the absence of documentation on
Stavanger Arbeiderparti's assessments, we have therefore based the information that is
obtained through our case management.
4 The Stavanger Labor Party has explained what legitimate interests they have based on. The
states that the e-mail was carefully assessed in relation to the Personal Data Protection Regulation art 6 no. 1 letter
f, precisely because it can be difficult to know which instruments are legitimate to use
in connection with an election campaign. They state that they were aware that the legitimate interest
"must be legal, clearly defined in advance, real and factually justified in the business".
Stavanger Arbeiderparti further believes that in connection with an election campaign it must be within
the concept of "legitimate interest" for a political party to send out targeted political information.
They indicate that in an election campaign it is in the public interest to clarify and inform about them
consequences different political positions will have for voters, and that so targeted
information is important for voters to be able to make knowledge-based choices.
They further state that election campaign material, distributed via e-mail, does not differ in principle
election campaign material distributed via other channels, as long as the email addresses are public
available.
Stavanger Labor Party states that they also considered alternative distribution methods of theirs
political messages. Among other things, they had an offer from Posten Norge AS for
target group-specific mailings, i.e. in the direction of what is called Direct Mail (DM). This
the alternative was not assessed as less intrusive than the e-mail that was chosen. One
alternatives that were also considered were direct actions linked to nurseries, small schools, etc.,
but it was considered less appropriate than an email distribution.
The conclusion of the Stavanger Labor Party was that it must be possible as part of a political election campaign
is justified in carrying out such an e-mail based on a "legitimate interest", i.a. a. to get
out a political message, which is the main purpose of running an election campaign.
Through the Norwegian Data Protection Authority's proceedings, it has not been documented that Stavanger
The Labor Party has carried out such an assessment of the interests of those registered. It is neither
described or submitted documentation that shows that the assessments have taken place in this way
the privacy regulation article 6 no. 1, letter f requires. This applies
the treatment activities in all stages; the collection through the request for access to the municipality,
the compilation the municipality had to prepare, the processing by the Stavanger Labor Party,
the transmission to Brevo or through the sending of e-mails.
The second most relevant alternative was not considered less invasive compared to
privacy considerations. In addition, they considered that privacy considerations were well taken care of, through the fact that it was
sent a limited amount of personal data, only email addresses, to Brevo.
2.2.4.3. The Norwegian Data Protection Authority's assessment
Stavanger Arbeiderparti has to a small extent explained that they have assessed those registered
interests. However, to a certain extent it has been expressed that the access requirement they aimed at
the municipality could have some negative effects, all the while they themselves in the access request
uses the word "unfortunately" about the scope of public law.
5 Admittedly, several alternative solutions were considered, but the Norwegian Data Protection Authority considers that they were not
carried out an assessment of the privacy consequences of the processing itself.
The case has attracted great interest and has led to several complaints to the Norwegian Data Protection Authority from those registered. The
It appears obvious to the Norwegian Data Protection Authority that the processing has actually had a negative impact on
those registered. We assume that this treatment has caused reactions, among other reasons
it was not predictable for those to whom it applies.
The access requirement that was directed at the municipality involved a compilation of
personal data that should have been assessed by the Stavanger Labor Party, even if there is one
legal delivery by the municipality. The disclosure consisted of compiled information such as
was tailored for a purpose outside the scope of public law. This should too
been taken into account in the assessment. We note that the negative consequences of the access requirement
was also pointed out by the Stavanger Labor Party at the same time as the claim was made.
Alternatives to the chosen solution that were considered were direct actions associated with kindergartens,
small school etc., but it was considered less appropriate than an e-mail distribution.
Stavanger Arbeiderparti has not confirmed that they have surveyed or assessed
the privacy interests of the data subjects in the relevant processing.
The privacy consequences are therefore also not weighted against the legitimate interest
the purpose of the treatment was to safeguard.
The Norwegian Data Protection Authority believes that the missing assessments, which a controller is required to
carried out according to the Personal Data Protection Ordinance, Article 6 No. 1, letter f, must be considered a breach
on the Personal Data Protection Regulation.
2.2.5. Use of data processor
The majority parties used the Brevo service for sending emails. It is stated that Brevo only
was given a list of e-mail addresses.
At the request of the Norwegian Data Protection Authority, it has been stated that no data processor agreement was entered into with
Letter. Stavanger Arbeiderparti points out that the "Terms of Service" was approved when it was created
account and that the "Privacy policy" has been read through.
The Personal Protection Regulation Article 28 No. 3 requires that processing of personal data which
carried out by a data processor must be subject to an agreement. The provision states in more detail what
such an agreement must regulate, but there are no formal requirements.
The Danish Data Protection Authority has not investigated the supplier Brevo and any special requirements
should have been stipulated in the specific agreement. We have also not reviewed the company's "Terms
of Service" or "Privacy policy" to which reference is made.
We assume that the Stavanger Labor Party has assessed that the agreement with Brevo is comprehensive
for the processing of information they must carry out on their behalf.
6 2.3. What information is given to the registered cf. the Personal Protection Ordinance art.
14.
Stavanger Arbeiderparti confirms that no information about the treatment has been given to them
registered, and that this is not in accordance with Article 14 of the Personal Data Protection Regulation.
2.4. Storage period for the personal data
The Norwegian Data Protection Authority asked for an explanation of the content of the agreement with regard to the deletion of
the personal data at Brevo, and whether confirmation was obtained that the deletion was
been carried out.
The Stavanger Labor Party has stated that the personal data was deleted for those persons who
had access to the email addresses the day after dispatch. The personal data that was loaded
up with Brevo, was also deleted the same day. The account with Brevo has also been deleted, as this was one
one-off mailing.
They have assumed that the deletion at Brevo was "non-reversible" and that all data would remain
permanently deleted within 30 days at the latest. The address list (email addresses) was deleted manually
from the account prior to the account being deleted. No confirmation has been requested from Brevo
beyond this.
The Norwegian Data Protection Authority assumes that the deletion has been carried out. We clarify that a
The data processing agreement must also contain terms that include the deletion of information, see
point 6.
3. Decision on reprimand
The Norwegian Data Protection Authority's case management has revealed that the processing of personal data in
in connection with the majority parties' e-mail sending of political messages has resulted in several
breach of the privacy regulations.
Paragraph 148 of the Personal Protection Ordinance states that sanctions should be imposed for
breach of the regulation, including infringement fees. The preface allows for it to know less
infringements may be given a reprimand instead of an infringement fee. It can, among other things
emphasis is placed on whether the breach has entailed a high risk for the rights of the data subjects.
The Norwegian Data Protection Authority has come to the conclusion that a decision on reprimands for the infringements must be made. We
has emphasized in the assessment that the collection of personal data from the municipalities had
valid legal basis through public law. Furthermore, we have emphasized what was processed
personal data to a very limited extent, and that they were deleted as soon as the purpose of
treatment was achieved. We consider that the violations did not pose a high risk for them
data subject's rights.
7 The Danish Data Protection Authority nevertheless believes that it is necessary to react, and takes this into account in
the personal protection regulation article 58 no. 2, letter b decision on reprimand for the following
Violations:
1. Inadequate assessments when using the Personal Protection Regulation Article 6 no. 1, letter
f as a legal basis for processing personal data and
2. failure to comply with the duty to provide information about the treatment to them
registered, cf. Article 14 of the Personal Data Protection Ordinance.
See above for further justification of our assessments of the various conditions.
4. Access to appeal
This decision can be appealed in accordance with Chapter VI of the Public Administration Act. Any complaint must
sent to the Norwegian Data Protection Authority within three weeks of receipt of the decision. If we maintain
our decision, the case will be forwarded to the Personal Protection Board for processing.
Any questions can be directed to postkasse@datatilsynet.no.
With kind regards
Camilla Nervik
section manager
The document is electronically approved and therefore has no handwritten signatures
Copy to: STAVANGER ARBEIDERPARTI
8
