Datatilsynet (Norway) - 21/03656

From GDPRhub
Revision as of 10:36, 27 April 2022 by Cms (talk | contribs)
Datatilsynet (Norway) - 21/03656
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 12 GDPR
Article 12(2) GDPR
Article 14 GDPR
Article 14(5)(c) GDPR
Article 14(5)(a) GDPR
Article 15 GDPR
Article 55(1) GDPR
Article 56(1) GDPR
Norwegian Public Limited Liability Companies Act (allmennaksjeloven) § 4-10
Type: Investigation
Outcome: Violation Found
Started: 04.10.2021
Decided: 26.04.2022
Published: 27.04.2022
Fine: None
Parties: Mowi ASA
National Case Number/Name: 21/03656
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA held that shareholders are entitled to information under Article 14 GDPR when their personal data is processed by shareholder managers, and issued a reprimand against a company, ordering it to provide a data subject with this information.

English Summary

Facts

In April 2021, a data subject in Germany owning shares in the company Mowi ASA (controller) was notified by his bank that the controller had requested his personal data. After two unsuccessful attempts at getting information about this processing from the controller, the data subject lodged a complaint with the Norwegian DPA Datatilsynet, which initiated an investigation and contacted the controller.

The controller acknowledged that it had not responded to the data subject’s access request because the emails had ended up in the spam filter. It also confirmed that it did not provide information on the processing in question, directly to shareholders or in their privacy policy, but claimed it relied on the exceptions set out in Article 14(5)(a) and Article 14(5)(c) GDPR.

The DPA rejected this as it argued that the exceptions in Article 14(5) GDPR should be interpreted and applied narrowly and it is not sufficient to “assume” that a data subject has received the information required under Article 14 GDPR, as the controller did in this case. In addition, the DPA found the controller's privacy policy to be incomplete and misleading.

The controller did not raise any arguments to contest the DPA's conclusions and informed the DPA that it was in the process of updating their privacy policy, internal documentation and routines.

Holding

The DPA held that the controller had violated Article 14 GDPR and ordered it to take measures to ensure that data subjects, including shareholders whose personal data are processed pursuant to the Norwegian Public Limited Liability Companies Act, are provided with all of the information required by Article 14 GDPR, including by amending its privacy policy as necessary. The controller was also ordered to inform the DPA about its measures taken within four weeks.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 MOWI ASA
 Postboks 4102 Sandviken

 5835 BERGEN








Your reference          Our reference                                      Date
                        21/03656-12                                        26.04.2022



Reprimand and Compliance Order - Mowi ASA


    1. Introduction

The Norwegian Data Protection Authority (“Datatilsynet”, “we”, “us”, “our”) is the

independent supervisory authority responsible for monitoring the application of the General
Data Protection Regulation (“GDPR”) with respect to Norway.

On 2 March 2022, we notified Mowi ASA (“Mowi”, “you”, “your”, “the company”) of our

intention to issue a reprimand and compliance order for having violated Article 14 GDPR.

On 23 March 2022, Mowi acknowledged our advance notification without raising any

arguments to contest the conclusions or factual descriptions laid down in the advance
notification.


On 24 March 2022, Datatilsynet submitted a draft decision—which essentially reproduced the
above advance notification—to the other supervisory authorities concerned in accordance with
Article 60(3) GDPR. None of the other supervisory authorities concerned expressed a relevant

and reasoned objection to the draft decision within four weeks after having been consulted by
Datatilsynet.


Thus, the present decision is adopted in conformity with the advance notification we sent to
Mowi and the draft decision we submitted to the other supervisory authorities concerned.


    2. Decision

Pursuant to Article 58(2)(b) GDPR, Datatilsynet issues a reprimand against Mowi for:




1
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons withregard to the processingofpersonal data and onthe free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) OJ [2018] L 119/1.

Postal address:  Office addressPhone:         Ent.reg:        Home page:
P.O. Box 458 Sentrum Trelastgat+47 22 39 69 00974 761 467     www.datatilsynet.no/en/
N-0105 OSLO      N-0191 OSLO,    •   having infringed Article 14 GDPR by failing to provide all of the relevant information
        required therein.


Pursuant to Article 58(2)(d) GDPR, Datatilsynet orders Mowi to:

    •   take measures to ensure that data subjects (including Mowi’s shareholders whose

        personal data are processed pursuant to the Norwegian Public Limited Liability
        Companies Act) are provided with all of the information required byArticle 14 GDPR,
        including by amending its privacy policy as necessary. Such information shall be

        provided in a concise, transparent, intelligible and easily accessible form, using clear
        and plain language. Mowi shall notifythe measures taken for complying with this order
        to Datatilsynet within four weeks after having received the present decision.


    3. Factual Background


On 14 April 2021, a data subject residing in Germany who owned shares in Mowi was notified
by his German bank that Mowi had requested his personal data from the bank pursuant to a
                                                                                           3
Norwegian law (i.e., the Norwegian Public Limited Liability Companies Act, § 4-10).

After having received such a notification from his bank, the data subject wrote an email to

info@m4wi.com (i.e., the email address provided in Mowi’s privacy policy in effec5 at the
time) to exercise his right of access under Article 15 GDPR on 26 July2021. On 2 September
2021, the data subject sent the company a reminder of his request to the same email address,       6
                                           7
but he received no response from Mowi.

On 4 October 2021, the data subject sent a complaint against Mowi to Datatilsynet, in which

he essentially claimed that Mowi failed to comply with: (1) Article 14 GDPR, as the company
failed to inform him about the purposes for which his personal data have been collected; and
(2) Articles 12(3) and 15 GDPR, as the companydid not respond within the applicable deadline

to the access requests that the complainant sent to Mowi. The complainant also asked that
Datatilsynet order Mowi to respond to the request at hand pursuant to Article 58(2)(c) GDPR.       8


On 2 December 2021, Datatilsynet sent a letter to Mowi asking the company to provide its
views on the issues raised by the complainant, and we received the company’s response on 23
December 2021.   10


2
  Norwegian Public Limited Liability Companies Act (“Lov om allmennaksjeselskaper (allmennaksjeloven)”,
3OV-1997-06-13-45).
 See complaint dated 4 October 2021.
4 See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>. All web links
provided in the present letter have been last accessed on 24 March 2022.
5See Annex I to the complaint dated 4 October 2021.
6See Annex II to the complaint dated 4 October 2021.
7See complaint dated 4 October 2021.
8
9Ibid.
10ee Krav om redegjørelse - Mowi ASA (ref: 21/03656-2).
  See DATATILSYNETS KRAV OM REDEGJØRELSE – MOWI ASA (ref: 514012) (hereinafter “Mowi’s
Reply to Datatilsynet”).



                                                                                                  2,In its reply to Datatilsynet, Mowi acknowledged that it did not respond to the complainant’s
access request.11 However, it stated that this was due to the fact that both emails from the
complainant ended up in the spam folder of the company’s email inbox. Mowi also stated that
                                                                                            13
it would answer the data subject’s request after having responded to Datatilsynet’s inquiry.

Further, Mowi acknowledged that it did not provide any information on the processing at issue

in the present case, n14ther through its privacy policy nor directly to the data subject, pursuant
to Article 14 GDPR.      However, it took the view that it was not required to provide any
information on such processing, as it was entitled to rely on the exceptions set out in Article
14(5)(a) and (c) GDPR.  15


On 3 January 2022, Mowi sent the following response to the complainant:

        […] We would like first to express our sincere apologies for not responding to your

        access request within the deadline. We have had difficulties with extensive amounts of
        spam and phishing attempts towards this inbox, and your requests were caught in the
        clutter folder and unfortunately not detected as a legitimate claim through our regular
        routines and procedures. This is meant only as an explanation and not an excuse for

        our delay in responding. We can assure you that proper measures have been taken to
        avoid this happening again. We have established a new privacy inbox in relation our
        privacy policy on mowi.com, and have strengthened our follow-up procedures.


        Your request to Mowi was, with reference to your email of July 2021, prompted by our
        supplierNasdaq’srequesttoyourholdingbankfor thedisclosureofyourdata,pursuant
        to section 4-10 of the Norwegian PLC Act. You raised the question of why this request

        was made by Nasdaq and on this background submitted an access request.

        We will in the following explain the background for Mowi’s request, give an overview
        of what is requested, and the legal foundation for our request.


        NASDAQ OMX Corporate Solutions International Limited) (“Nasdaq”) is engaged by
        Mowi to provide Share Register Analysis Services. The processing of information
        gathered for the share register is governed through an Agreement and relevant

        supporting documents for processing of personal information. Nasdaq is registered in
        the UK and the transfer of personal data to UK is governed by Standard Contractual
        Clauses entered into between Mowi and Nasdaq. Specifically in relation to the Service,
        Nasdaq on behalf of Mowi ASA reaches out to various Custodian banks to request

        shareholder information pursuant to the Norwegian Public Limited Companies Act and
        GDPR regulation Article 6(1)(f).


1Ibid., answer to Q.5.
12Ibid., answer to Q.7.
13Ibid., answer to Q.5.
14Ibid., answer to Q.4 (stating: “Vi erkjenner at Mowi selv ikke har gitt informasjon om den aktuelle behandlingen
i sin personvernerklæring. Det har heller ikke vært direkte kommunikasjon med den registrerte.”).
15Ibid.




                                                                                               3,        The information collected by Nasdaq is simply the name of the shareholder. Further

        information that may be collected is address, country and number of shares held.

        The purpose of collecting the information is Mowi’s need to know who the shareholders

        are, pursuant to section 4-10 of the Norwegian PLC Act. Mowi uses this information to
        follow up investors and share relevant information about the corporation. As a listed
        corporation, our investor relations department meet with a lot of investors throughout

        the year. A shareholder overview of relevant investors is therefore needed to maintain
        proper investor relations services.


        According to the Agreement with Nasdaq, Mowi receives from Nasdaq information on
        shareholders holding 10,000 shares or more. This means that Mowi has not received
        specific information about you as a shareholder, but rather aggregated information of

        Custodian banks holding shares for smaller shareholders below the set threshold.

        Nasdaq holds the information as long as it is needed, but never longer than 5 years,
        whichever is first.


        You have the right to request rectification, erasure, and restriction of the personal data
        we process on you, and you may object to such processing. As you are aware, you also

        have the right to lodge a complaint with the supervisory authority (Norwegian Data
        Authorities). […]. 16


On 4 January 2022, the complainant informed Datatilsynet that it found the above response to
be satisfactory.17


On 2 March 2022, Datatilsynet notified Mowi of our intention to issue a repriman18and
compliance order against the company for having violated Article 14 GDPR. In that letter, we
outlinedthefactualbackgroundofthepresentcase; wedescribedthelegalandfactual grounds

on which we based our competence to ha20le the case as a lead supervisory authority under
Article 56 and Chapter VII GDPR;         we explained why—in our view—Mowi had violated
Article 14 GDPR, and the company’s arguments regarding the applicability of the exceptions
in Article 14(5)(a) and (c) GDPR are to be rejected;     21 and we described the main flaws in
                                                                                      22
Mowi’s transparency documentation and routines that the company must remedy.






16 See Mowi’s email to the complainant dated 3 January 2022 (hereinafter “Mowi’s Response to the

17mplainant”).
18See email from the complainant dated 4 January 2022.
19See Advance Notification – Reprimand and Compliance Order – Mowi ASA (ref: 21/03656-9).
  Ibid., section 3.
20Ibid., section 5.
21Ibid., section 6.2.
22Ibid.



                                                                                                  4,On 23 March 2022, Mowi sent us a letter in which the company acknowledged our advance
notification.3 In that latter, Mowi did not raise any arguments to contest the conclusions or
factual descriptions laid down in our advance notification. However, the company informed

Datatilsynet 24at Mowi is in the process of updating its privacy policy, internal documentation
and routines.

    4. Legal Background


    4.1. Scope of Application of the GDPR

Under Article 2(1) GDPR, the Regulation:

    […] applies to the processing of personal data wholly or partly by automated means and to

    the processing other than by automated means of personal data which form part of a filing
    system or are intended to form part of a filing system.

Moreover, Article 3(1) GDPR provides that the Regulation:


    […] applies to the processing of personal data in the context of the activities of an
    establishment of a controller or a processor in the Union, regardless of whether the
    processing takes place in the Union or not.

    4.2. Definitions


The GDPR lays down the following definitions, which are relevant in the present case:

Pursuant to Article 4(1) GDPR:


    “personal data” means any information relating to an identified or identifiable natural
    person (“data subject”); an identifiable natural person is one who can be identified,
    directly or indirectly, in particular by reference to an identifier such as a name, an
    identification number, location data, an online identifier or to one or more factors specific
    to the physical, physiological, genetic, mental, economic, cultural or social identity of that

    natural person.

Pursuant to Article 4(2) GDPR:

    “processing” means any operation or set of operations which is performed on personal

    data or on sets of personal data, whether or not by automated means, such as collection,
    recording, organisation, structuring, storage, adaptation or alteration, retrieval,
    consultation, use, disclosure by transmission, dissemination or otherwise making available,
    alignment or combination, restriction, erasure or destruction.


23
  See DPA’S ADVANCE NOTIFICATION – REPRIMAND AND COMPLIANCE ORDER – MOWI ASA (ref:
244012).
  Ibid.



                                                                                               5,Pursuant to Article 4(7) GDPR:

    “controller” means the natural or legal person, public authority, agency or other body
    which, alone or jointly with others, determines the purposes and means of the processing
    of personal data; where the purposes and means of such processing are determined by
    Union or Member State law, the controller or the specific criteria for its nomination may
    be provided for by Union or Member State law.


Pursuant to Article 4(9) GDPR:

    “recipient” means a natural or legal person, public authority, agency or another body, to
    which the personal data are disclosed, whether a third party or not. However, public
    authorities which may receive personal data in the framework of a particular inquiry in
    accordance with Union or Member State law shall not be regarded as recipients; the

    processing of those data by those public authorities shall be in compliance with the
    applicable data protection rules according to the purposes of the processing.

    4.3. Obligations Regarding Information and Access to Personal Data

Article14 GDPR establishes whichinformation is tobeprovidedbyacontrollerwherepersonal
data have not been obtained from the data subjects. In particular, Article 14(1) to (4) provides

that:

    Where personal data have not been obtained from the data subject, the controller shall
    provide the data subject with the following information:

        (a) the identity and the contact details of the controller and, where applicable, of the

           controller's representative;

        (b) the contact details of the data protection officer, where applicable;

        (c) the purposes of the processing for which the personal data are intended as well as
           the legal basis for the processing;


        (d) the categories of personal data concerned;

        (e) the recipients or categories of recipients of the personal data, if any;

        (f) where applicable, that the controller intends to transfer personal data to a recipient
           in a third country or international organisation and the existence or absence of an
           adequacy decision by the Commission, or in the case of transfers referred to in

           Article 46 or 47, or the second subparagraph of Article 49(1), reference to the
           appropriate or suitable safeguards and the means to obtain a copy of them or where
           they have been made available.






                                                                                               6,    In addition to the information referred to in paragraph 1, the controller shall provide the
    data subject with the following information necessary to ensure fair and transparent
    processing in respect of the data subject:

        (a) the period for which the personal data will be stored, or if that is not possible, the
            criteria used to determine that period;


        (b) where the processing is based on point (f) of Article 6(1), the legitimate interests
            pursued by the controller or by a third party;

        (c) the existence of the right to request from the controller access to and rectification
            or erasure of personal data or restriction of processing concerning the data subject
            and to object to processing as well as the right to data portability;


        (d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2),
            the existence of the right to withdraw consent at any time, without affecting the
            lawfulness of processing based on consent before its withdrawal;

        (e) the right to lodge a complaint with a supervisory authority;

        (f) from which source the personal data originate, and if applicable, whether it came

            from publicly accessible sources;

        (g) the existence of automated decision-making, including profiling, referred to in
            Article 22(1) and (4) and, at least in those cases, meaningful information about the
            logic involved, as well as the significance and the envisaged consequences of such
            processing for the data subject.


    The controller shall provide the information referred to in paragraphs 1 and 2:

        (a) within a reasonable period after obtaining the personal data, but at the latest within
            one month, having regard to the specific circumstances in which the personal data
            are processed;


        (b) if the personal data are to be used for communication with the data subject, at the
            latest at the time of the first communication to that data subject; or

        (c) if a disclosure to another recipient is envisaged, at the latest when the personal data
            are first disclosed.

    Where the controller intends to further process the personal data for a purpose other than

    that for which the personal data were obtained, the controller shall provide the data subject
    prior to that further processing with information on that other purpose and with any
    relevant further information as referred to in paragraph 2.

However, Article 14(5) establishes certain exceptions to the above information obligations:




                                                                                                  7,    Paragraphs 1 to 4 shall not apply where and insofar as:

        (a) the data subject already has the information;

        […]


        (c) obtaining or disclosure is expressly laid down by Union or Member State law to
            which the controller is subject and which provides appropriate measures to protect
            the data subject's legitimate interests; […]

Further, Article 15 GDPR reads:

        1. The data subject shall have the right to obtain from the controller confirmation as

        to whether or not personal data concerning him or her are being processed, and, where
        that is the case, access to the personal data and the following information:

        (a) the purposes of the processing;

        (b) the categories of personal data concerned;


        (c) the recipients or categories of recipient to whom the personal data have been or will
            be disclosed, in particular recipients in third countries or international
            organisations;

        (d) where possible, the envisaged period for which the personal data will be stored, or,
            if not possible, the criteria used to determine that period;


        (e) the existence of the right to request from the controller rectification or erasure of
            personal data or restriction of processing of personal data concerning the data
            subject or to object to such processing;

        (f) the right to lodge a complaint with a supervisory authority;


        (g) where the personal data are not collected from the data subject, any available
            information as to their source;

        (h) the existence of automated decision-making, including profiling, referred to in
            Article 22(1) and (4) and, at least in those cases, meaningful information about the
            logic involved, as well as the significance and the envisaged consequences of such
            processing for the data subject.


        2.   Where personal data are transferred to a third country or to an international
        organisation, the data subject shall have the right to be informed of the appropriate
        safeguards pursuant to Article 46 relating to the transfer.





                                                                                                8,        3. The controller shall provide a copy of the personal data undergoing processing. For
        anyfurthercopiesrequestedbythedatasubject,thecontrollermaychargeareasonable
        fee based on administrative costs. Where the data subject makes the request by
        electronic means, and unless otherwise requested by the data subject, the information
        shall be provided in a commonly used electronic form.

        4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the

        rights and freedoms of others.

    Furthermore, Article 12(1) to (4) GDPR provides that:

        1. The controller shall take appropriate measures to provide any information referred
        to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating
        to processing to the data subject in a concise, transparent, intelligible and easily

        accessible form, using clear and plain language, in particular for any information
        addressed specifically to a child. The information shall be provided in writing, or by
        other means, including, where appropriate, by electronic means. When requested by the
        data subject, the information may be provided orally, provided that the identity of the
        data subject is proven by other means.

        2. The controller shall facilitate the exercise of data subject rights under Articles 15

        to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on
        the request of the data subject for exercising his or her rights under Articles 15 to 22,
        unless the controller demonstrates that it is not in a position to identify the data subject.

        3. The controller shall provide information on action taken on a request under Articles
        15 to 22 to the data subject without undue delay and in any event within one month of

        receipt of the request. That period may be extended by two further months where
        necessary, taking into account the complexity and number of the requests. The
        controller shall inform the data subject of any such extension within one month of
        receipt of the request, together with the reasons for the delay. Where the data subject
        makes the request by electronic form means, the information shall be provided by
        electronic means where possible, unless otherwise requested by the data subject.


        4. Ifthe controller does not take action onthe request of the data subject, the controller
        shall inform the data subject without delay and at the latest within one month of receipt
        of the request of the reasons for not taking action and on the possibility of lodging a
        complaint with a supervisory authority and seeking a judicial remedy.

    4.4. Competence, Tasks and Powers of Supervisory Authorities under the GDPR


Pursuant to Article 55(1) GDPR:

    Each supervisory authority shall be competent for the performance of the tasks assigned to
    and the exercise of the powers conferred on it in accordance with this Regulation on the
    territory of its own Member State.




                                                                                                9,Further, Article 56(1) reads as follows:

    Without prejudice to Article 55, the supervisory authority of the main establishment or of
    the single establishment of the controller or processor shall be competent to act as lead
    supervisory authority for the cross-border processing carried out by that controller or
    processor in accordance with the procedure provided in Article 60.


The term “main establishment” is defined in Article 4(16) GDPR as follows:

    “main establishment” means:

        (a) as regards a controller with establishments in more than one Member State, the
            placeof its central administrationin theUnion,unlessthedecisions onthe purposes

            and means of the processing of personal data are taken in another establishment of
            the controller in the Union and the latter establishment has the power to have such
            decisions implemented, in which case the establishment having taken such decisions
            is to be considered to be the main establishment; […].

The term “cross-border processing” is defined in Article 4(23) as follows:


    “cross-border processing” means either:

        (a) processing of personal data which takes place in the context of the activities of
            establishments in more than one Member State of a controller or processor in the
            Union where the controller or processor is established in more than one Member
            State; or


        (b) processing of personal data which takes place in the context of the activities of a
            single establishment of a controller or processor in the Union but which
            substantially affects or is likely to substantially affect data subjects in more than one
            Member State.

Pursuant to Article 58(2) GDPR:


        Each supervisory authority shall have all of the following corrective powers:

        (a) to issue warnings to a controller or processor that intended processing operations
            are likely to infringe provisions of this Regulation;

        (b) to issuereprimands toa controller or aprocessorwhereprocessingoperations have

            infringed provisions of this Regulation;

        (c) to order the controller or the processor to comply with the data subject's requests
            to exercise his or her rights pursuant to this Regulation;





                                                                                              10,        (d) to order the controller or processor to bring processing operations into compliance
            with the provisions of this Regulation, where appropriate, in aspecified manner and
            within a specified period;


        (e) to order the controller to communicate a personal data breach to the data subject;

        (f) to impose a temporary or definitive limitation including a ban on processing;

        (g) to order the rectification or erasure of personal data or restriction of processing
            pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients

            to whom the personal data have been disclosed pursuant to Article 17(2)and Article
            19;

        (h) to withdraw a certification or to order the certification body to withdraw a
            certification issued pursuant to Articles 42 and 43, or to order the certification body

            not to issue certification if the requirements for the certification are not or are no
            longer met;

        (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of
            measures referred to in this paragraph, depending on the circumstances of each
            individual case;


        (j) to order the suspension of data flows to a recipient in a third country or to an
            international organisation.

    4.5. EEA and Norwegian Law


The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”)
Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint
Committee Decision”).   25

Article 1(b) of the EEA Joint Committee Decision provides that:


    […] the terms “Member State(s)” and “supervisory authorities” shall be understood to
    include, in addition to their meaning in the Regulation, the EFTA States and their
    supervisory authorities, respectively.


Further, Article 1(c) of the EEA Joint Committee Decision reads as follows:

    References to Union law or Union data protection provisions shall be understood as
    referring to the EEA Agreement or data protection provisions contained therein,
    respectively.


25
   Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 amending Annex XI (Electronic
communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in
Article 101) to the EEA Agreement OJ [2018] L 183/23.



                                                                                                11,The Norwegian Personal Data Act incorporated the GDPR into Norwegian law. The Personal

Data Act and the GDPR entered into force in Norway on 20 July 2018.

    5. Datatilsynet’s Competence


Mowi is one of the largest seafood companies in the world. It has its headquarter in Norway,
but has operations in at least 25 countries, including Belgium, Czech Republic, France,
Germany, Ireland, the Netherlands, Italy, Poland, Spain, and Sweden. Moreover, Mowi is listed
ontheOsloStockExchange(OSE)anditssharealsotradesontheUSOTCmarket. Therefore,       27
it has shareholders in several EU/EEA countries, includingin Germany(where the complainant

resides).

Thus, Mowi has several establishments in the EU/EEA, including in Norway, and in the context
of the activities of these establishments it processes personal data, including personal data of

its shareholders. Therefore, the GDPR applies to such data processing activities in accordance
with Article 3(1) GDPR.

With respect to the processing of the personal data of its shareholders (including the
complainant) in accordance with § 4-10 of the Norwegian Public Limited Liability Companies

Act, Mowi qualifies as a controller (within the meaning of Article 4(7) GDPR), as it is Mowi
that decide(d) to collect and process shareholder information—through its processor NASDAQ
OMX Corporate Solutions International Limited—to “follow up investors and share relevant
information about the corporation”. 28


As Mowi has a main establishment (within the meaning of Article 4(16) GDPR) in the EEA
and its processing of shareholder information is cross-border (within the meaning of Article
4(23)GDPR),the cooperationmechanism and procedure set out in Articles 56(1)and60 GDPR

apply to the present case. Further, given that Mowi’s main establishment is located in Norway,
Datatilsynet is competent to act as lead supervisory authority in the case at hand pursuant to
Article 56(1) GDPR.

    6. Datatilsynet’s Assessment


    6.1. Mowi’s Failure to Respond to the Complainant’s Access Request

Under Article 12(3) GDPR, controllers are required to respond to access requests submitted

pursuanttoArticle15GDPR“withoutunduedelayandinanyeventwithinonemonthofreceipt
of the request.” However, in exceptional circumstances, that period may be extended by two
further months.






26Act No 38 of 15 June 2018 relating to the processing of personal data (“personopplysningsloven”).
27See: <https://mowi.com/>.
28
  See Mowi’s Reply to Datatilsynet; Mowi’s Response to the Complainant.



                                                                                             12,Inthepresent case,Mowihasacknowledged thatit failedtorespondtothecomplainant’saccess
request within the above deadline.  29 However, Mowi stated that this was due to the fact that
                                                                                                30
both emails from the complainant ended up in the spam folder of the company’s email inbox.

Under Article 12(2) GDPR, controllers have an obligation to “facilitate the exercise” of the data
subject right under Article 15 GDPR. This entails—among other things—that controllers

should take adequate technical and organizational measures to ensure that they can receive and
handle in a timely manner the access requests they receive from data subjects. In the words of
the European Data Protection Board (EDPB):


    The controller should provide appropriate and user-friendly communication channels that
    can easily be used by the data subject.31


This means that, although controllers remain free to decide which specific communication
channelshouldbeused forsubmittingaccess requests,theymustensurethatthecommunication
channel they implement is easy to use and effective. Thus, if a controller decides to receive

access requests via email, it must make sure that the email account it uses for this purpose
implements state-of-the-art anti-spam protection—which does not treat legitimate access
requests as spam—and/or that it monitors the spam folder on a regular basis to identify the

presence of possible legitimate access requests. Effective anti-spam solutions (e.g., CAPTCHA
solutions) do exist and should be adequately considered by the controller, in accordance with
its accountability obligations under the GDPR.  32


In the present case, Mowi’s anti-spam solution failed to “facilitate” the exercise of the right
under Article 15 GDPR, in breach of Article 12(2) GDPR, as it treated a legitimate access
request as spam twice, leading to such a request remaining unanswered for over 5 months.


Nonetheless, we consider such an infringement to be minor, for the following reasons:


    •   It appears to have affected a single data subject who was eventually satisfied with the
        delayed reply it received from Mowi;  34


    •   To date, Datatilsynet has not received any other complaints concerning Mowi’s
        compliance with Articles 12(2) and 15 GDPR; and








29
30Ibid.
  Ibid.
31EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version 1.0, Adopted on 18 January)
(hereinafter “EDPB Guidelines on the Right of Access”), p. 2.
32Arts. 5(2) and 24 GDPR.
33Cf. rec. 148 GDPR.
34See Mowi’s Reply to Datatilsynet, answer to Q.7.



                                                                                               13,    •   After Datatilsynet’s inquiry, Mowi created a new email address to be used for sending

        access req35sts, which according to the company has enhanced filters for spam and
        phishing.


In light of the above, we find that—in the present case—it is not warranted to issue any
corrective measures for this infringement, and considers the matter concerning Mowi’s failure
to reply to the complainant’s access request to be amicably settled. However, this is without
prejudice to the possibility of opening future inquiries to verify whether the new email account

set up by Mowi enables the company to comply with Articles 12(2) and 15 GDPR.

    6.2. Mowi’s Failure to Comply with Article 14 GDPR


In the present case, Mowi acknowledged that it did process—through it processor NASDAQ
OMX Corporate Solutions International Limited—the personal data of the complainant,            37 as
                                                       38
well as the personal data of other shareholders,          under the Norwegian Public Limited
Companies Act. It also stated that such personal data were and are normally obtained from
“various Custodian banks”,   39 and not directly from the individual shareholders.


Further, Mowi acknowledged that it did not provide any information on the processing of
shareholder information pursuant to the Norwegian Public Limited Companies Act, neither
directly to the data subject nor in its privacy policy.40 Indeed, Mowi’s privacy policy in effect

at the time of the complaint simply stated:

        This privacy notice applies for processing of personal data carried out by Mowi for any

        persons not employed by Mowi.

        […]


        Mowi collects personal data by/fromdirect contactwithyou,onlineforms,third parties,
        newsletters etc.


        […]


        The legal basis and the purpose for41owi’s processing of your personal data is based
        on your consent, and direct mail.




35Ibid. (stating: “Mowi har […] gjort tiltak for at dette ikke skal skje igjen. Det er opprettet en ny epostadresse for
slike henvendelser (privacy@mowi.com) med forbedrede filtre for spam og phishing”).
36Cf. rec. 131 GDPR.
37
38Mowi’s Reply to Datatilsynet, answers to Q.1.
  Mowi’s Response to the Complainant (stating: “Nasdaq on behalf of Mowi ASA reaches out to various
39stodian banks to request shareholder information pursuant to the Norwegian Public Limited Companies Act”).
  Ibid.
40Mowi’s Reply to Datatilsynet, answer to Q.4 (stating: “Vi erkjenner at Mowi selv ikke har gitt informasjon om
den aktuelle behandlingen i sin personvernerklæring”).
41See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.



                                                                                                 14,However,initsfirstreplytoDatatilsynet,Mowitooktheviewthatitwasnot requiredtoprovide
any information on the processing at hand pursuant to Article 14(5)(a) and (c) GDPR. In this
regard, Mowi argued:


        The complainant has bought shares in Mowi via his bank, where the bank acts as the
        custodian of the shareholding. It is assumed that in this connection the complainant has

        become aware that information about him is disclosed to the company in which he buys
        shares. This must also be seen in connection with the Public Limited Liability
        Companies Act §4-10 fourth paragraph where it is explicitly stated that the company
        has an unconditional right to receive information from the custodian about who is the

        underlying owner of the shares covered by the custodian assignment, and how many
        shares each individual owns. It must be assumed that a shareholder who uses a
        custodian is familiar withthis provision.Mowi is thereforeof theopinionthat nofurther
        information is necessary, cf. Article [sic] 15 a) and c) of the GDPR. (our translation)   42


In our view, Mowi’s arguments regarding the applicability of the exceptions in Article 14(5)(a)
and (c) in the context at issue in the present case are to be rejected. This is for the reasons

outlined below.

First, as noted by the EDPB, the exceptions in Article 14(5) should be interpreted and applied
narrowly. Thus, any broad derogation from the information obligations laid down in Article

14—such as the one that Mowi advocates for—should be rejected.

Secondly, Article 14(5)(a) sets out an exception to the information obligations in Article 14,

which applies “where and insofar as” the data subject already has the information. Thus, this
exception applies only if the controller can “demonstrate (and document) what information the
data subject already has, how and when they received it”. Thus, to rely on this exception, it is
notsufficientto“assume”thatadatasubjecthasreceivedtheinformationrequiredunderArticle

14, as Mowi did in this case. Indeed, Mowi did not produce anyevidence that the complainant’s




42Mowi’s Reply to Datatilsynet, answer to Q.4 (stating in Norwegian: “Klageren har kjøpt aksjer i Mowi via sin
bank, hvor banken opptrer som forvalter av aksjeposten. Det forutsettes at klager i den forbindelse har blitt kjent
med at opplysninger om ham formidles til selskapet han kjøper aksjer i. Dette må også sees i sammenheng med
allmennaksjeloven §4-10 fjerde avsnitt hvor det uttrykkelig fremkommer at selskapet har en ubetinget rett til å få
opplyst fra forvalteren hvem som er underliggende eier av de aksjer forvalteroppdraget omfatter, og om hvor

mange aksjer hver enkelt eier. Det må forutsettes at en aksjonær som benytter forvalter også er kjent med denne
bestemmelsen. Mowi er derfor av den oppfatning at det ikke er nødvendig med ytterligere informasjon, jfr.
personvernforordningens artikkel [sic] 15 a) og c). Vi erkjenner at Mowi selv ikke har gitt informasjon om den
aktuelle behandlingen i sin personvernerklæring. Det har heller ikke vært direkte kommunikasjon med den
registrerte. På bakgrunn av saken vil vi gjennomgå våre rutiner for informasjon for å vurdere om slik informasjon
skal gis direkte, eller på annen hensiktsmessig måte”). Note that Mowi has acknowledged that in this passage it
intended to refer to Article 14(5)(a) and (c), and not to Article 15. See Mowi’s email to Datatilsynet dated 23
December 2021.
43Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01, Adopted on
As last Revised and Adopted on11 April 2018) (hereinafter “Transparency Guidelines”), para. 57. Such guidelines
have been endorsed by the EDPB. See EDPB, Endorsement 1/2018 (25 May 2018).
44Ibid., para. 56.




                                                                                                  15,bank provided him with any information on Mowi’s processing of his personal data; it just
assumed it. 45


Further, the exception in Article 14(5)(a) only applies “insofar as” the data subject has the
information required in Article 14(1) to (2). This means that this exception applies only with
respect to the specific information that the data subject actually has. However, the controller

must supplement that information to ensure that the data subject has a complete set of the
information listed in Article 14(1) to (2). In this regard, it should be noted that at least some—
if not all—of the information listed in Article 14(1) to (2) was not available to the complainant.

For instance, the complainant was not aware at least of the following:

    •   The legal basis for the processing under the GDPR (Article 14(1)(c)). According to
                                                           47
        Mowi,therelevantlegal basiswasArticle6(1)(f). Nonetheless,Mowi’sprivacypolicy
        only mentioned consent as a legal basis for the “processing of personal data carried out
        by Mowi for any persons not employed by Mowi” (emphasis added), and the Public

        Limited Liability Companies Act does not provide any information on the legal basis to
        be relied on under the GDPR for processing shareholder information.

    •   The recipients or categories of recipients of the personal data (Article 14(1)(e)). In its

        replies to Datatilsynet and the complainant, Mowi stated that shareholder information
        is disclosed to NASDAQ OMX Corporate Solutions International Limited,          49 although
        Mowi’s privacy policy stated that “personal data are not to be disclosed to third parties
                                                                 50
        unless Mowi is obliged to disclose such information”,       and no such obligation exists
        under the Norwegian Public Limited Liability Companies Act with respect to third
        parties such as NASDAQ.


    •   Information on international data transfers and suitable safeguards (Article 14(1)(f)). In
        its reply to the complainant, Mowi stated that “Nasdaq is registered in the UK and the

        transfer of personal data to UK is51overned by Standard Contractual Clauses entered
        into between Mowi and Nasdaq”. However,Mowi’sprivacypolicystated: “Mowi will
        not transfer your personal data to third countries outside the EU/EEA unless you have
        you have expressly been informed [and consented to] otherwise”.


    •   The period for which the personal data will be stored (Article 14(2)(a)). In its reply to
        the complainant, Mowi stated: “Nasdaq holds the information as long as it is needed,

        but never longer than 5 years, whichever is first.” However, no such information was




45
46Mowi’s Reply to Datatilsynet, answer to Q.4 (stating: “Det forutsettes at klager …”, emphasis added).
47Transparency Guidelines, para. 56.
  Mowi’s Reply to Datatilsynet, answer to Q.2.
48See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
49Mowi’s Reply to Datatilsynet, answer to Q.3; Mowi’s Response to the Complainant. In should be noted that
processors qualify as recipients under Article 4(9) GDPR. See Transparency Guidelines, page 37.
50See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
51Mowi’s Response to the Complainant.



                                                                                                16,        mentioned in Mowi’s privacypolicy, nor does the Norwegian Public Limited Liability
        Companies Act regulate such a retention period.


Thirdly, the exception in Article 14(5)(c) applies when the following two conditions are met:
(1) “obtaining or disclosure is expressly laid down by Union or Member State law to which the
controller is subject”; and (2) such law “provides appropriate measures to protect the data

subject’s legitimate interests”.

As for the first condition, the EDPB noted that:


    Such a law must directly address the data controller and the obtaining or disclosure in
    question should be mandatory upon the data controller. Accordingly, the data controller

    must be able to demonstrate how the law in question applie53to them and requires them to
    either obtain or disclose the personal data in question. (emphasis added)

In this regard, it should be noted that—as acknowledged by Mowi —§ 4-10 of the Norwegian

Public Limited Liability Companies Act provides for a “right” which enables Mowi to obtain
shareholder information; it does not require Mowi to obtain such information. Indeed, Mowi
claimed that the legal basis for processing shareholder information pursuant to the Norwegian

Public Limited Liability Companies Act is Article 6(1)(f), and not Article 6(1)(c) GDPR. Thus,
the first condition laid down in Article 14(5)(c) is not met in the present case.


For completeness purposes, it should be noted that also the second condition set out in Article
14(5)(c) is not met in thepresent case, as Mowi failed to demonstrate that the Norwegian Public
Limited Liability Companies Act provides appropriate measures to protect the data subjects’
(i.e., the shareholders’) legitimate interests and how Mowi complied with such appropriate

measures. As noted by the EDPB:

    While it is for Union or Member State law to frame the law such that it provides

    “appropriate measures to protect the data subject’s legitimate interests”, the data
    controller should ensure (and be able to demonstrate) that its obtaining or disclosure of
    personal data complies with those measures.     56


In any event, it should be noted that, even when a controller is able to rely on the exception in
Article 14(5)(c):




52See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
53
54Transparency Guidelines, para. 66.
  Mowi’sReplytoDatatilsynet, answertoQ.4(statinginNorwegian:“[…]allmennaksjeloven§4-10fjerdeavsnitt
hvor det uttrykkelig fremkommer at selskapet har en ubetinget rett til å få opplyst fra forvalteren hvem som er
underliggende eier av de aksjer forvalteroppdraget omfatter, og om hvor mange aksjer hver enkelt eier”; emphasis
added).
55Norwegian Public Limited Liability Companies Act, § 4-10, which reads in Norwegian: “Dersomselskapet eller
en offentlig myndighet krever det, plikter forvalteren å gi opplysninger om hvem som eier de aksjer
forvalteroppdraget omfatter, og om hvor mange aksjer hver enkelt eier”.
56Transparency Guidelines, para. 66.



                                                                                                  17,    the data controller should make it clear to data subjects that it obtains or discloses personal
    data in accordance with the law in question, unless there is a legal prohibition preventing
    the data controller from doing so. 57


Fourthly,Mowi’sprivacypolicyineffectatthetimeofthecomplaintwouldhaveledessentially
any data subject to believe that the “processing of personal data carried out by Mowi for any

persons not employed by Mowi,” including “personal data by/from […] third parties” would
exclusively take place on the basis of the data subject’s consent, for advertising purposes (“The
legal basis and the purpose for Mowi’s processing of your personal data is based on your
consent, and direct mail”) (emphasis added). Thus, any data subject/shareholder who would

have reasonably relied on the information provided in Mowi’s privacy policy would have most
likely concluded that Mowi did not process personal data for any other purpose or legal basis.
This kind of incomplete and misleading communication is incompatible with the transparency
principle set out in Article 5(1)(a) GDPR.


In this regard, it should be noted that—after the opening of Datatilsynet’s inquiry—Mowi
partially amended its privacy policy on 20 December 2021, and its privacy policy no longer
                                                                                 59
refers exclusively to consent as a legal basis for Mowi’s processing activities.

In light ofthe above, theinformation obligations laid downin Article14 GDPR were applicable
to Mowi. Thus, Mowi violated Article 14, as it failed to provide all of the information required

under that Article within one month after having obtained the complainant’s personal data from
his bank.60


In ourview, such aviolation warrants theimpositionofareprimandpursuant to Article58(2)(b)
GDPR. This is because the complainant was eventually provided with the information he
wished to obtain—albeit with a considerable delay—and hence the detriment suffered by the
complainant was minimal in practice, which is confirmed by the fact that the complainant was

satisfied with Mowi’s delayed reply. However, Mowi’s approach with regard to its obligations
under Article 14 entails that similar violations have likely taken place with respect to other
shareholders andmayreoccurinthefuture. Thus,theadoptionofacorrectivemeasureappears
to be appropriate in this case, in particular to discourage future similar instances of non-

compliance, and uphold the data protection rights of other shareholders.

In addition, while the scope of our inquirydid not cover a full review of Mowi’s privacy policy

in effect at the time of the present decision, we note that the privacy policy as last amended in
December 2021 appears to be insufficient to comply with the transparency obligations that
Mowi has under the GDPR. For instance:

57
58Ibid.
  See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>. The Norwegian
version of the privacy policy stated, more clearly: “rettsgrunnlaget for Mowis behandling av personopplysningene
dine er ditt samtykke, og formålet er utsendelse av reklame”.
59See: <https://mowi.com/about/privacy-policy/>.
60Art. 14(3)(a) GDPR.
61Note that Mowi stated that “Nasdaq on behalf of Mowi ASA reaches out to various Custodian banks to request
shareholder information pursuant to the Norwegian Public Limited Companies Act” (emphasis added). See
Mowi’s Response to the Complainant.




                                                                                                18,    •   Under “legal basis and purpose”, Mowi’s privacy policy—which applies to the
        “processing of personal data carried out by Mowi for any persons not employed by
        Mowi” (emphasis added)—simplyreplicates the wordingof Article 6(1) GDPR without

        clarifying the actual purposes of, and legal basis for, the specific data processing
        activities envisaged by Mowi so as to allow the data subject to assess, on the basis of
        his or her own situation , what legal basis/purpose(s) apply. The privacypolicymerely
        states:


        “Mowi may process Personal Data relating to Users if one of the following applies:

        Users have given their consent for one or more specific purposes. Note: Under some

        legislation Mowi maybe allowed to process Personal Data until the User objects to such
        processing (“opt-out”), without having to rely on consent or any other of the following
        legal bases. This, however, does not apply, whenever the processing of Personal Data
        is subject to European data protection law;


        provision of Data is necessaryfor the performance of an agreement with the User and/or
        for any pre-contractual obligations thereof;


        processingis necessaryforcompliancewith alegal obligationto whichMowi is subject;

        processing is related to a task that is carried out in the public interest or in the exercise
        of official authority vested in Mowi;


        processing is necessary for the purposes of the legitimate interests pursued by Mowi or
        by a third party.

        In any case, Mowi will gladly help to clarify the specific legal basis that applies to the

        processing, and in particular whether the provision of Personal Data is a statutory or
        contractual requirement, or a requirement necessary to enter into a contract.”  63


    •   With regard to international data transfers, the privacy policy states: “Mowi will not
        transfer your personal data to third countries outside the EU/EEA unless you have you
        have expressly been informed [and consented to] otherwise”,        64 although Mowi has
        acknowledged that it transfers at least shareholder information to NASDAQ in the UK,

        without consent.

    •   With regard to data retention periods, the privacy policy states that “Personal Data shall
        be processed and stored for as long as required by the purpose they have been collected
             65
        for,” without providing any additional information that would enable the data subject


62Cf. Transparency Guidelines, page 9.
63See: <https://mowi.com/about/privacy-policy/>.
64Ibid.
65Ibid.




                                                                                                19,        to assess, on the basis of his or her own situation, what the retention period will be for
                               66
        specific data/purposes.

The examples provided above show that—if Mowi’s privacypolicyis at least partiallyintended
to provide the information required by Article 14 GDPR, as it seems to be the case, given that

the privacy policy states that “Mowi collects personal data by/from direct contact with you,
online forms, third parties, newsletters etc.” (emphasis added)—to ensure full compliance with
Article 14 Mowi not only needs to make sure that its shareholders are given the necessary
information when their personal data are processed in accordance with the Norwegian Public
Limited Liability Companies Act (as outlined above); Mowi also needs to ensure that the

company’s privacy policy intended to provide information on the collection of personal data
from third parties is appropriately phrased and includes all of the information required under
the GDPR.


Mowi has already indicated its intention to update its privacy policy, and transparency
documentation and routines. In particular, after having received Datatilsynet’ advance
notification, Mowi informed Datatilsynet of its intention to introduce the following changes to
its privacy policy:


        It shall include information on processing of the personal data of shareholders,
        collected via third parties such as Nasdaq.

        It shall describe Mowi’s legal basis for processing shareholders personal data. The

        legalbasisisGDPRarticle6(1)(f),onaccountof Mowi’slegimitateinterestinknowing
        its investors, in order to follow-upinvestors andprovidethese withrelevant information
        on the company. As a listed corporation, our investor relations department meet with a
        lot of investors throughout the year. A shareholder overview of relevant investors is

        therefore needed to maintain proper investor relations services.

        The privacy policy shall describe that data processors may be recipients of the personal
        data processed, cf. the GDPR article 14 (1) (e).


        International data transfers and suitable safeguards shall be described, cf. GDPR
        article 14 (1) (f), e.g. transfers to Nasdaq on the basis of Standard Contractual Clauses.

        The information on retention periods in accordance with GDPR article 14 (2) (a) shall
                          67
        be supplemented.

Further,thecompanystatedthat “[a]llupdatedinformationintheprivacypolicywillbeupdated
correspondingly in Mowi’s internal documentation and routines.”     68




66Transparency Guidelines, page 38.
67See DPA’S ADVANCE NOTIFICATION – REPRIMAND AND COMPLIANCE ORDER – MOWI ASA
(ref: 514012).
68
  Ibid.



                                                                                               20,Nonetheless, to make sure that these changes are actually and properly implemented, we deem
it necessary to formally order Mowi to bring its information routines and documentation into
compliance with Article 14 GDPR, and to notify the measures taken for complying with such

ordertoDatatilsynetwithinfourweeksafterhavingreceivedthepresentdecision,inaccordance
with Article 58(2)(d) GDPR.

While the present inquiry has only focused on Mowi’s compliance with Articles 12, 14 and 15
GDPR in connection with the above-mentioned complaint, this is without prejudice to the

possibility of opening future inquiries to assess Mowi’s compliance with Article 13 GDPR,
including with respect to its privacy policy.

    7. Right of Appeal

As this decision has been adopted pursuant to Article 56 and Chapter VII GDPR, the present

decision may be appealed before Oslo District Court (“Oslo tingrett”) in accordance with Article
78(1) GDPR, Article 25 ofthe Norwegian Data Protection Act, and Article 4-4(4) ofthe Norwegian
Dispute Act.69

Kind regards


Tobias Judin
Head of International


                                                                    Luca Tosoni

                                                                    Senior Legal Advisor

This letter has electronic approval and is therefore not signed



















69
  Act of 17 June 2005 no. 90 relating to mediation and procedure in civil disputes (Lov om mekling og rettergang
i sivile tvister (tvisteloven)).




                                                                                             21