Personvernnemnda (Norway) - 2023-14 (21/01067)

From GDPRhub
Revision as of 19:27, 13 November 2023 by Riealeksandra (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
PVN - 2023-14 (21/01067)
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 57(1)(f) GDPR
Article 77 GDPR
Decided: 07.11.2023
Published: 09.11.2023
Parties:
National Case Number/Name: 2023-14 (21/01067)
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Norwegian
Original Source: Privacy Appeals Board (in Norwegian)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board overruled the DPA's decision to close a complaint case with just an informational letter to the controller, mandating them to assess the lawfulness of the processing, emphasising that the DPA cannot freely choose which cases to investigate or not.

English Summary

Facts

A data subject lodged a complaint with the Norwegian DPA, who decided to merely inform the controller of their GDPR obligations and closed the case without further investigation. Dissatisfied, the data subject contested the closure. After some back and forth, the DPA revisited but ultimately upheld their initial decision. Consequently, as per national procedures, the case was escalated to the Privacy Appeals Board. They were tasked with determining whether the DPA could close a case by simply issuing an informational letter to the controller, without assessing any GDPR breaches, or if the data subject could require the DPA to examine their case and decide on the legality of their personal data processing.

Holding

The Privacy Appeals Board overruled the DPA's decision and instructed them to reassess the case. Their reasoning was based on the data subject's right to lodge a complaint as per Article 77 GDPR, in conjunction with Recital 141, and Article 57(1)(f) GDPR.

The Board referenced an earlier decision (PVN-2017-09), acknowledging the DPA's discretion in determining the scope of their investigations. However, they emphasised that this discretion does not extend to selectively processing complaints. In instances like this, where facts are clear but legal interpretation is in question, the DPA is obliged to decide on the lawfulness of the processing. The Board believed that failing to do so would conflict with Article 77 GDPR.

Consequently, the DPA is required to assess the case and determine whether the controller unlawfully processed the data subject's personal data. If a violation is found, they must then consider the need for corrective actions in line with Article 58(2) GDPR.

Comment

Comment from initial contributor RAW: This is a really interesting case, not least considering that other DPAs also just close cases without investigating whether personal data was actually processed unlawfully. I've experienced this myself with both the Norwegian and Swedish DPAs.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Norwegian Privacy Board's decision on 7 November 2023 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin, Malin Tønseth)
The case concerns a complaint from A against the Danish Data Protection Authority's decision on 28 November 2022, where the Danish Data Protection Authority closed a case without carrying out further investigations and without deciding whether A's rights under the Personal Data Act had been breached.
The course of action
A contacted the Norwegian Data Protection Authority on 4 March 2021 because he believed that his privacy rights had been violated by the administrator lawyer Kjell Holst Sæther in X AS, its bankruptcy estate.
A and a business partner previously ran X AS. Bankruptcy was opened in the business on 25 August 2020. In connection with the bankruptcy proceedings, the trustee sent, among other things, the trustee's report of 1 October 2020 to the creditors, the debtor and the bankruptcy register, cf. section 120 fourth paragraph of the Bankruptcy Act. The report mentions a police report against A and the business partner from the owner of the house where the company ran its business.
On 28 November 2022, the Danish Data Protection Authority wrote a letter to the administrator of the bankruptcy estate with the heading "Notification of duty - Basic requirements for the processing of personal data" in which the Danish Data Protection Authority explained the rules in the Personal Data Protection Regulation, without the Danish Data Protection Authority deciding whether the law had been broken or not. The Norwegian Data Protection Authority also sent a letter to A and informed that the matter had been closed with the Norwegian Data Protection Authority having sent the trustee a letter pointing out the obligation. The Norwegian Data Protection Authority writes about the decision:
"The case is hereby closed. For your information, our decision to deal with the case by pointing out duties is not a single decision according to Section 2 first paragraph letter b of the Public Administration Act. You cannot therefore appeal the decision. It follows from Section 28 of the Public Administration Act."
A then complained to the Civil Ombudsman, who did not take the case into consideration as it had not been finally decided in the administration. In a letter dated 8 February 2023 to PVN-2021-07, the civil ombudsman pointed to PVN-2021-07 and wrote: "In the case in question, the Personal Data Protection Board came to the conclusion that the Data Protection Authority's decision to close the case without deciding whether the complainant's personal data had been processed illegally had to be considered a decision which was decisive for her rights and thus a single decision, cf. section 2 of the Administration Act".
A then complained about the Norwegian Data Protection Authority's conclusion of the case. The complaint was received by the Norwegian Data Protection Authority on 14 February 2023. The Norwegian Data Protection Authority made the following decision on 20 March 2023:
"The complaint is rejected on the basis that the conditions for the right to appeal do not exist. Our decision to close the case in accordance with Article 57 no. 1 letter f is not a single decision, cf. the Public Administration Act § 2 first paragraph letter b, cf. letter a, and the right of appeal under the Public Administration Act § 28 therefore does not apply."
It appears from the letter that the decision on rejection can be appealed, cf. sections 28 and 29 of the Administration Act.
On 30 March 2023, A appealed against the rejection decision. The Norwegian Data Protection Authority assessed the complaint and made the following decision on 26 April 2023:
"The complaint against the Norwegian Data Protection Authority's decision to reject the complaint is upheld, and the Norwegian Data Protection Authority's decision of 20 March 2023 is hereby reversed. Our decision to close the case in accordance with Article 57 no. 1 letter f is a single decision, cf. the Public Administration Act § 2 first paragraph letter b, cf. letter a, and you have the right to appeal under the Public Administration Act."
Regarding the further proceedings, the inspectorate writes:
"The Norwegian Data Protection Authority will shortly carry out a new assessment of your original complaint that we closed the case without carrying out further investigations. If we uphold the decision not to carry out further investigations into the case, we will send the case to the Personal Data Protection Board for complaint processing, cf. Personal Data Act § 22. In that case, you will receive a copy of our letter to the Personal Data Protection Board."
After a new assessment, the Norwegian Data Protection Authority maintained its decision to close the case without carrying out further investigations and without deciding whether A's personal data had been processed illegally. The case was forwarded to the Personal Protection Board on 5 June 2023. A was informed about the case in a letter from the board, and was given the opportunity to make comments. He has not filed any comments.
The case was dealt with at the board's meeting on 7 November 2023. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin and Malin Tønseth. Investigation leader Anette Klem Funderud was also present.
Briefly about the Norwegian Data Protection Authority's assessment when the case is submitted to the tribunal
The Norwegian Data Protection Authority explains at the outset that the complaint was submitted too late, but that it should nevertheless be considered because the party cannot be charged for having missed the deadline, cf. Norwegian Public Administration Act section 31 letter a. incorrect information about A's right of appeal.
About its assessment of the complaint, the Norwegian Data Protection Authority writes:
"In this case, we have reviewed and assessed the information we have received from complaints. On the basis of the complaint, we looked up [X] AS Konkursbo with organization number [...], in the Enhetsregisteret in the Brønnøysund registers. We were then informed that the bankruptcy estate was deleted on 5 August 2021. On this basis, we did not consider it appropriate to carry out further investigations into the case, and the case was thus closed from our side on the basis of Article 57 no. 1 letter f of the Personal Data Protection Ordinance.
At the same time as we closed the case, we sent a letter to the former trustee of X AS Konkursbo, where we gave guidance on the basic requirements for the processing of personal data (notice of duty).
We cannot see that anything new appears in the complaint that provides grounds for changing our decision to close the case without further investigation."
As's view of the case in brief
The trustee of X AS violated his privacy when on 6 October 2020 he sent out the trustee's report to him and 23 other recipients in which allegations were made that A was involved in several criminal offences. In the report, it is quoted from a police report in which A is accused, among other things, of having contributed to the embezzlement of goods from the bankruptcy estate.
Bostyrer has disclosed information that is subject to confidentiality to several actors, suppliers and persons. The accusations have been made without evidence, and the spread of the information has ruined his reputation.
The Norwegian Privacy Board's assessment
The tribunal agrees with the Norwegian Data Protection Authority that the complaint should be taken under consideration, cf. the Administration Act section 31 first paragraph letter a, since A cannot be blamed for having submitted the complaint too late.
The question for the tribunal is whether the Norwegian Data Protection Authority can choose to close a case by sending an information letter to the data controller without deciding whether the Personal Data Act has been breached, or whether A can demand that the Norwegian Data Protection Authority processes the case and decides whether his personal data has been unlawfully processed.
After A received the trustee's report in which one of the claimants' report against him was mentioned, he complained to the trustee to the Danish Data Protection Authority on 4 March 2021. A thereby exercised his right to complain to a supervisory authority pursuant to Article 77 of the Personal Protection Regulation, cf. the regulation's recital 141. Article 77 stipulates that anyone who "considers that the processing of personal data concerning the person concerned is in breach of this regulation" has the right to lodge a complaint with the supervisory authority, and that the supervisory authority to which the complaint is lodged "must inform the complainant of the course of complaint processing and the outcome of the complaint ». It also follows from Section 11 a of the Public Administration Act that the administrative body must prepare and decide the case without undue delay.
The Norwegian Data Protection Authority's tasks follow from Article 57 of the Personal Data Protection Ordinance. According to the provision, the Data Protection Authority shall process a complaint submitted by a registered person and investigate, to the extent that it is appropriate, the subject of the complaint and notify the complainant of the course and outcome of the investigation within a reasonable period, cf. the Personal Data Protection Ordinance article 57 no. 1 letter f.
In a number of cases, the tribunal has assumed that the supervisory authority has a certain freedom to decide how extensive investigations the individual case requires. In PVN-2017-09, the tribunal states:
"The Privacy Board assumes that the Norwegian Data Protection Authority, as a supervisory authority under the Personal Data Act, has the opportunity to prioritize cases to a certain extent in the form that not all inquiries are treated equally thoroughly. Such a prioritization requires that the Norwegian Data Protection Authority in the relevant case has fulfilled its duty to investigate and provide information so that the case is sufficiently informed, cf. Norwegian Administrative Procedure Act § 17, and that the Norwegian Data Protection Authority's exercise of discretion with regard to how thoroughly they assess the legality of the relevant processing of personal data appears sound . In this soundness assessment, privacy considerations will be central, cf. the purpose of the law in section 1."
However, this does not mean that the Norwegian Data Protection Authority can freely choose which complaints to process and which it chooses not to process. The flexibility allowed by the law will, as the tribunal sees it, primarily apply to how extensive investigations of the facts are necessary and/or appropriate. In a case like this, where there is no doubt about the fact, but a question of interpretation of the law, the supervisory authority cannot choose not to take a decision on whether the processing is legal or not. Such freedom of choice would, in the tribunal's opinion, be contrary to Article 77 of the Personal Data Protection Ordinance.
The Norwegian Data Protection Authority must therefore carry out a material assessment of the case and decide whether the trustee has processed A's personal data without having a valid basis for processing, and if he has, assess whether corrective measures should be decided, cf. the privacy regulation article 58 no. 2.
In PVN-2020-07, the tribunal assumed that the Norwegian Data Protection Authority's choice of reaction to the data controllers was not a decision aimed at the data subjects and therefore not decisive for their rights and obligations. However, this is something different from the right to have personal data assessed about oneself processed illegally.
The case is returned to the Norwegian Data Protection Authority for a substantive assessment of whether A's personal data has been processed illegally or not.
The decision is unanimous.
Resolution
The Danish Data Protection Authority's decision is annulled and the case is returned to the Danish Data Protection Authority for new processing.
Oslo, 7 November 2023
Mari Bø Haugstad
Manager