Datatilsynet (Norway) - 21/03656
Datatilsynet (Norway) - 21/03656 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 12 GDPR; Article 12(2) GDPR; Article 14 GDPR; Article 14(5)(c) GDPR; Article 14(5)(a) GDPR; Article 15 GDPR; Article 55(1) GDPR; Article 56(1) GDPR; Norwegian Public Limited Liability Companies Act (allmennaksjeloven) § 4-10 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 04.10.2021 |
Decided: | 26.04.2022 |
Published: | 27.04.2022 |
Fine: | None |
Parties: | Mowi ASA |
National Case Number/Name: | 21/03656 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA held that shareholders are entitled to information under Article 14 GDPR when their personal data is processed by shareholder managers, and issued a reprimand against a company, ordering it to provide a data subject with this information.
English Summary
Facts
In April 2021, a data subject in Germany owning shares in the company Mowi ASA (controller) was notified by his bank that the controller had requested his personal data. After two unsuccessful attempts at getting information about this processing from the controller, the data subject lodged a complaint with the Norwegian DPA Datatilsynet, which initiated an investigation and contacted the controller.
The controller acknowledged that it had not responded to the data subject’s access request because the emails had ended up in the spam filter. It also confirmed that it did not provide information on the processing in question, directly to shareholders or in their privacy policy, but claimed it relied on the exceptions set out in Article 14(5)(a) and Article 14(5)(c) GDPR.
The DPA rejected this as it argued that the exceptions in Article 14(5) GDPR should be interpreted and applied narrowly and it is not sufficient to “assume” that a data subject has received the information required under Article 14 GDPR, as the controller did in this case. In addition, the DPA found the controller's privacy policy to be incomplete and misleading.
The controller did not raise any arguments to contest the DPA's conclusions and informed the DPA that it was in the process of updating their privacy policy, internal documentation and routines.
Holding
The DPA held that the controller had violated Article 14 GDPR and ordered it to take measures to ensure that data subjects, including shareholders whose personal data are processed pursuant to the Norwegian Public Limited Liability Companies Act, are provided with all of the information required by Article 14 GDPR, including by amending its privacy policy as necessary. The controller was also ordered to inform the DPA about its measures taken within four weeks.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
MOWI ASA
Postboks 4102 Sandviken
5835 BERGEN
Our reference: 21/03656-12
Date: 26.04.2022
Reprimand and Compliance Order - Mowi ASA
1. Introduction
The Norwegian Data Protection Authority (“Datatilsynet”, “we”, “us”, “our”) is the independent supervisory authority responsible for monitoring the application of the General Data Protection Regulation (“GDPR”)[1] with respect to Norway.
On 2 March 2022, we notified Mowi ASA (“Mowi”, “you”, “your”, “the company”) of our intention to issue a reprimand and compliance order for having violated Article 14 GDPR.
On 23 March 2022, Mowi acknowledged our advance notification without raising any arguments to contest the conclusions or factual descriptions laid down in the advance notification.
On 24 March 2022, Datatilsynet submitted a draft decision—which essentially reproduced the above advance notification—to the other supervisory authorities concerned in accordance with Article 60(3) GDPR. None of the other supervisory authorities concerned expressed a relevant and reasoned objection to the draft decision within four weeks after having been consulted by Datatilsynet.
Thus, the present decision is adopted in conformity with the advance notification we sent to Mowi and the draft decision we submitted to the other supervisory authorities concerned.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ [2018] L 119/1.
Postal address: P.O. Box 458 Sentrum, N-0105 OSLO; Office address: Trelastgat, N-0191 OSLO; Phone: +47 22 39 69 00; Ent.reg: 974 761 467; Home page: www.datatilsynet.no/en/
2. Decision
Pursuant to Article 58(2)(b) GDPR, Datatilsynet issues a reprimand against Mowi for:
• having infringed Article 14 GDPR by failing to provide all of the relevant information required therein.
Pursuant to Article 58(2)(d) GDPR, Datatilsynet orders Mowi to:
• take measures to ensure that data subjects (including Mowi’s shareholders whose personal data are processed pursuant to the Norwegian Public Limited Liability Companies Act) are provided with all of the information required by Article 14 GDPR, including by amending its privacy policy as necessary. Such information shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Mowi shall notify the measures taken for complying with this order to Datatilsynet within four weeks after having received the present decision.
3. Factual Background
On 14 April 2021, a data subject residing in Germany who owned shares in Mowi was notified by his German bank that Mowi had requested his personal data from the bank pursuant to a Norwegian law (i.e., the Norwegian Public Limited Liability Companies Act,[2] § 4-10).[3]
After having received such a notification from his bank, the data subject wrote an email to info@mowi.com (i.e., the email address provided in Mowi’s privacy policy in effect at the time)[4] to exercise his right of access under Article 15 GDPR on 26 July 2021.[5] On 2 September 2021, the data subject sent the company a reminder of his request to the same email address,[6] but he received no response from Mowi.[7]
On 4 October 2021, the data subject sent a complaint against Mowi to Datatilsynet, in which he essentially claimed that Mowi failed to comply with: (1) Article 14 GDPR, as the company failed to inform him about the purposes for which his personal data have been collected; and (2) Articles 12(3) and 15 GDPR, as the company did not respond within the applicable deadline to the access requests that the complainant sent to Mowi. The complainant also asked that Datatilsynet order Mowi to respond to the request at hand pursuant to Article 58(2)(c) GDPR.[8]
On 2 December 2021, Datatilsynet sent a letter to Mowi asking the company to provide its views on the issues raised by the complainant,[9] and we received the company’s response on 23 December 2021.[10]
[2] Norwegian Public Limited Liability Companies Act (“Lov om allmennaksjeselskaper (allmennaksjeloven)”, LOV-1997-06-13-45).
[3] See complaint dated 4 October 2021.
[4] See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>. All web links provided in the present letter have been last accessed on 24 March 2022.
[5] See Annex I to the complaint dated 4 October 2021.
[6] See Annex II to the complaint dated 4 October 2021.
[7] See complaint dated 4 October 2021.
[8] Ibid.
[9] See Krav om redegjørelse - Mowi ASA (ref: 21/03656-2).
[10] See DATATILSYNETS KRAV OM REDEGJØRELSE – MOWI ASA (ref: 514012) (hereinafter “Mowi’s Reply to Datatilsynet”).
In its reply to Datatilsynet, Mowi acknowledged that it did not respond to the complainant’s access request.[11] However, it stated that this was due to the fact that both emails from the complainant ended up in the spam folder of the company’s email inbox.[12] Mowi also stated that it would answer the data subject’s request after having responded to Datatilsynet’s inquiry.[13]
Further, Mowi acknowledged that it did not provide any information on the processing at issue in the present case, neither through its privacy policy nor directly to the data subject, pursuant to Article 14 GDPR.[14] However, it took the view that it was not required to provide any information on such processing, as it was entitled to rely on the exceptions set out in Article 14(5)(a) and (c) GDPR.[15]
On 3 January 2022, Mowi sent the following response to the complainant:
[…] We would like first to express our sincere apologies for not responding to your access request within the deadline.
We have had difficulties with extensive amounts of spam and phishing attempts towards this inbox, and your requests were caught in the clutter folder and unfortunately not detected as a legitimate claim through our regular routines and procedures. This is meant only as an explanation and not an excuse for our delay in responding. We can assure you that proper measures have been taken to avoid this happening again. We have established a new privacy inbox in relation to our privacy policy on mowi.com, and have strengthened our follow-up procedures.
Your request to Mowi was, with reference to your email of July 2021, prompted by our supplier Nasdaq’s request to your holding bank for the disclosure of your data, pursuant to section 4-10 of the Norwegian PLC Act. You raised the question of why this request was made by Nasdaq and on this background submitted an access request. We will in the following explain the background for Mowi’s request, give an overview of what is requested, and the legal foundation for our request.
NASDAQ OMX Corporate Solutions International Limited (“Nasdaq”) is engaged by Mowi to provide Share Register Analysis Services. The processing of information gathered for the share register is governed through an Agreement and relevant supporting documents for processing of personal information. Nasdaq is registered in the UK and the transfer of personal data to UK is governed by Standard Contractual Clauses entered into between Mowi and Nasdaq.
Specifically in relation to the Service, Nasdaq on behalf of Mowi ASA reaches out to various Custodian banks to request shareholder information pursuant to the Norwegian Public Limited Companies Act and GDPR regulation Article 6(1)(f).
The information collected by Nasdaq is simply the name of the shareholder. Further information that may be collected is address, country and number of shares held.
The purpose of collecting the information is Mowi’s need to know who the shareholders are, pursuant to section 4-10 of the Norwegian PLC Act. Mowi uses this information to follow up investors and share relevant information about the corporation. As a listed corporation, our investor relations department meet with a lot of investors throughout the year. A shareholder overview of relevant investors is therefore needed to maintain proper investor relations services.
According to the Agreement with Nasdaq, Mowi receives from Nasdaq information on shareholders holding 10,000 shares or more. This means that Mowi has not received specific information about you as a shareholder, but rather aggregated information of Custodian banks holding shares for smaller shareholders below the set threshold.
Nasdaq holds the information as long as it is needed, but never longer than 5 years, whichever is first.
You have the right to request rectification, erasure, and restriction of the personal data we process on you, and you may object to such processing. As you are aware, you also have the right to lodge a complaint with the supervisory authority (Norwegian Data Authorities). […].[16]
[11] Ibid., answer to Q.5.
[12] Ibid., answer to Q.7.
[13] Ibid., answer to Q.5.
[14] Ibid., answer to Q.4 (stating: “We acknowledge that Mowi itself has not provided information about the processing in question in its privacy policy. Nor has there been any direct communication with the data subject.”).
[15] Ibid.
On 4 January 2022, the complainant informed Datatilsynet that it found the above response to be satisfactory.[17]
On 2 March 2022, Datatilsynet notified Mowi of our intention to issue a reprimand and compliance order against the company for having violated Article 14 GDPR.[18]
In that letter, we outlined the factual background of the present case;[19] we described the legal and factual grounds on which we based our competence to handle the case as a lead supervisory authority under Article 56 and Chapter VII GDPR;[20] we explained why—in our view—Mowi had violated Article 14 GDPR, and the company’s arguments regarding the applicability of the exceptions in Article 14(5)(a) and (c) GDPR are to be rejected;[21] and we described the main flaws in Mowi’s transparency documentation and routines that the company must remedy.[22]
[16] See Mowi’s email to the complainant dated 3 January 2022 (hereinafter “Mowi’s Response to the Complainant”).
[17] See email from the complainant dated 4 January 2022.
[18] See Advance Notification – Reprimand and Compliance Order – Mowi ASA (ref: 21/03656-9).
[19] Ibid., section 3.
[20] Ibid., section 5.
[21] Ibid., section 6.2.
[22] Ibid.
On 23 March 2022, Mowi sent us a letter in which the company acknowledged our advance notification.[23] In that letter, Mowi did not raise any arguments to contest the conclusions or factual descriptions laid down in our advance notification. However, the company informed Datatilsynet that Mowi is in the process of updating its privacy policy, internal documentation and routines.[24]
[23] See DPA’S ADVANCE NOTIFICATION – REPRIMAND AND COMPLIANCE ORDER – MOWI ASA (ref: 514012).
[24] Ibid.
4. Legal Background
4.1. Scope of Application of the GDPR
Under Article 2(1) GDPR, the Regulation:
[…] applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Moreover, Article 3(1) GDPR provides that the Regulation:
[…] applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
4.2. Definitions
The GDPR lays down the following definitions, which are relevant in the present case:
Pursuant to Article 4(1) GDPR:
“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Pursuant to Article 4(2) GDPR:
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pursuant to Article 4(7) GDPR:
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Pursuant to Article 4(9) GDPR:
“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
4.3. Obligations Regarding Information and Access to Personal Data
Article 14 GDPR establishes which information is to be provided by a controller where personal data have not been obtained from the data subjects. In particular, Article 14(1) to (4) provides that:
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
However, Article 14(5) establishes certain exceptions to the above information obligations:
Paragraphs 1 to 4 shall not apply where and insofar as:
(a) the data subject already has the information;
[…]
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests;
[…]
Further, Article 15 GDPR reads:
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Furthermore, Article 12(1) to (4) GDPR provides that:
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
4.4. Competence, Tasks and Powers of Supervisory Authorities under the GDPR
Pursuant to Article 55(1) GDPR:
Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
Further, Article 56(1) reads as follows:
Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.
The term “main establishment” is defined in Article 4(16) GDPR as follows:
“main establishment” means:
(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; […].
The term “cross-border processing” is defined in Article 4(23) as follows:
“cross-border processing” means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Pursuant to Article 58(2) GDPR:
Each supervisory authority shall have all of the following corrective powers:
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.
4.5. EEA and Norwegian Law
The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”) Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint Committee Decision”).[25]
Article 1(b) of the EEA Joint Committee Decision provides that:
[…] the terms “Member State(s)” and “supervisory authorities” shall be understood to include, in addition to their meaning in the Regulation, the EFTA States and their supervisory authorities, respectively.
Further, Article 1(c) of the EEA Joint Committee Decision reads as follows:
References to Union law or Union data protection provisions shall be understood as referring to the EEA Agreement or data protection provisions contained therein, respectively.
[25] Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 amending Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement OJ [2018] L 183/23.
The Norwegian Personal Data Act[26] incorporated the GDPR into Norwegian law. The Personal Data Act and the GDPR entered into force in Norway on 20 July 2018.
5. Datatilsynet’s Competence
Mowi is one of the largest seafood companies in the world. It has its headquarters in Norway, but has operations in at least 25 countries, including Belgium, Czech Republic, France, Germany, Ireland, the Netherlands, Italy, Poland, Spain, and Sweden. Moreover, Mowi is listed on the Oslo Stock Exchange (OSE) and its share also trades on the US OTC market.[27] Therefore, it has shareholders in several EU/EEA countries, including in Germany (where the complainant resides).
Thus, Mowi has several establishments in the EU/EEA, including in Norway, and in the context of the activities of these establishments it processes personal data, including personal data of its shareholders. Therefore, the GDPR applies to such data processing activities in accordance with Article 3(1) GDPR.
With respect to the processing of the personal data of its shareholders (including the complainant) in accordance with § 4-10 of the Norwegian Public Limited Liability Companies Act, Mowi qualifies as a controller (within the meaning of Article 4(7) GDPR), as it is Mowi that decide(d) to collect and process shareholder information—through its processor NASDAQ OMX Corporate Solutions International Limited—to “follow up investors and share relevant information about the corporation”.[28]
As Mowi has a main establishment (within the meaning of Article 4(16) GDPR) in the EEA and its processing of shareholder information is cross-border (within the meaning of Article 4(23) GDPR), the cooperation mechanism and procedure set out in Articles 56(1) and 60 GDPR apply to the present case. Further, given that Mowi’s main establishment is located in Norway, Datatilsynet is competent to act as lead supervisory authority in the case at hand pursuant to Article 56(1) GDPR.
6. Datatilsynet’s Assessment
6.1. Mowi’s Failure to Respond to the Complainant’s Access Request
Under Article 12(3) GDPR, controllers are required to respond to access requests submitted pursuant to Article 15 GDPR “without undue delay and in any event within one month of receipt of the request.” However, in exceptional circumstances, that period may be extended by two further months.
[26] Act No 38 of 15 June 2018 relating to the processing of personal data (“personopplysningsloven”).
[27] See: <https://mowi.com/>.
[28] See Mowi’s Reply to Datatilsynet; Mowi’s Response to the Complainant.
In the present case, Mowi has acknowledged that it failed to respond to the complainant’s access request within the above deadline.[29] However, Mowi stated that this was due to the fact that both emails from the complainant ended up in the spam folder of the company’s email inbox.[30]
Under Article 12(2) GDPR, controllers have an obligation to “facilitate the exercise” of the data subject right under Article 15 GDPR.
This entails—among other things—that controllers should take adequate technical and organizational measures to ensure that they can receive and handle in a timely manner the access requests they receive from data subjects. In the words of the European Data Protection Board (EDPB):
The controller should provide appropriate and user-friendly communication channels that can easily be used by the data subject.31
This means that, although controllers remain free to decide which specific communication channel should be used for submitting access requests, they must ensure that the communication channel they implement is easy to use and effective. Thus, if a controller decides to receive access requests via email, it must make sure that the email account it uses for this purpose implements state-of-the-art anti-spam protection—which does not treat legitimate access requests as spam—and/or that it monitors the spam folder on a regular basis to identify the presence of possible legitimate access requests. Effective anti-spam solutions (e.g., CAPTCHA solutions) do exist and should be adequately considered by the controller, in accordance with its accountability obligations under the GDPR.32
In the present case, Mowi’s anti-spam solution failed to “facilitate” the exercise of the right under Article 15 GDPR, in breach of Article 12(2) GDPR, as it treated a legitimate access request as spam twice, leading to such a request remaining unanswered for over 5 months. Nonetheless, we consider such an infringement to be minor, for the following reasons:
• It appears to have affected a single data subject who was eventually satisfied with the delayed reply it received from Mowi;34
• To date, Datatilsynet has not received any other complaints concerning Mowi’s compliance with Articles 12(2) and 15 GDPR; and
• After Datatilsynet’s inquiry, Mowi created a new email address to be used for sending access requests, which according to the company has enhanced filters for spam and phishing.35
In light of the above, we find that—in the present case—it is not warranted to issue any corrective measures for this infringement, and consider the matter concerning Mowi’s failure to reply to the complainant’s access request to be amicably settled. However, this is without prejudice to the possibility of opening future inquiries to verify whether the new email account set up by Mowi enables the company to comply with Articles 12(2) and 15 GDPR.
6.2. Mowi’s Failure to Comply with Article 14 GDPR
In the present case, Mowi acknowledged that it did process—through its processor NASDAQ OMX Corporate Solutions International Limited—the personal data of the complainant,37 as well as the personal data of other shareholders,38 under the Norwegian Public Limited Companies Act. It also stated that such personal data were and are normally obtained from “various Custodian banks”,39 and not directly from the individual shareholders.
Further, Mowi acknowledged that it did not provide any information on the processing of shareholder information pursuant to the Norwegian Public Limited Companies Act, neither directly to the data subject nor in its privacy policy.40 Indeed, Mowi’s privacy policy in effect at the time of the complaint simply stated:
This privacy notice applies for processing of personal data carried out by Mowi for any persons not employed by Mowi. […] Mowi collects personal data by/from direct contact with you, online forms, third parties, newsletters etc. […] The legal basis and the purpose for Mowi’s processing of your personal data is based on your consent, and direct mail.41
29 Ibid.
30 Ibid.
31 EDPB, Guidelines 01/2022 on data subject rights - Right of access (Version 1.0, Adopted on 18 January) (hereinafter “EDPB Guidelines on the Right of Access”), p. 2.
32 Arts. 5(2) and 24 GDPR.
33 Cf. rec. 148 GDPR.
34 See Mowi’s Reply to Datatilsynet, answer to Q.7.
35 Ibid. (stating: “Mowi har […] gjort tiltak for at dette ikke skal skje igjen.
Det er opprettet en ny epostadresse for slike henvendelser (privacy@mowi.com) med forbedrede filtre for spam og phishing”).
36 Cf. rec. 131 GDPR.
37 Mowi’s Reply to Datatilsynet, answers to Q.1.
38 Mowi’s Response to the Complainant (stating: “Nasdaq on behalf of Mowi ASA reaches out to various Custodian banks to request shareholder information pursuant to the Norwegian Public Limited Companies Act”).
39 Ibid.
40 Mowi’s Reply to Datatilsynet, answer to Q.4 (stating: “Vi erkjenner at Mowi selv ikke har gitt informasjon om den aktuelle behandlingen i sin personvernerklæring”).
41 See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
However, in its first reply to Datatilsynet, Mowi took the view that it was not required to provide any information on the processing at hand pursuant to Article 14(5)(a) and (c) GDPR. In this regard, Mowi argued:
The complainant has bought shares in Mowi via his bank, where the bank acts as the custodian of the shareholding. It is assumed that in this connection the complainant has become aware that information about him is disclosed to the company in which he buys shares. This must also be seen in connection with the Public Limited Liability Companies Act §4-10 fourth paragraph where it is explicitly stated that the company has an unconditional right to receive information from the custodian about who is the underlying owner of the shares covered by the custodian assignment, and how many shares each individual owns. It must be assumed that a shareholder who uses a custodian is familiar with this provision. Mowi is therefore of the opinion that no further information is necessary, cf. Article [sic] 15 a) and c) of the GDPR. (our translation)42
In our view, Mowi’s arguments regarding the applicability of the exceptions in Article 14(5)(a) and (c) in the context at issue in the present case are to be rejected. This is for the reasons outlined below.
First, as noted by the EDPB, the exceptions in Article 14(5) should be interpreted and applied narrowly. Thus, any broad derogation from the information obligations laid down in Article 14—such as the one that Mowi advocates for—should be rejected.
Secondly, Article 14(5)(a) sets out an exception to the information obligations in Article 14, which applies “where and insofar as” the data subject already has the information. Thus, this exception applies only if the controller can “demonstrate (and document) what information the data subject already has, how and when they received it”. Thus, to rely on this exception, it is not sufficient to “assume” that a data subject has received the information required under Article 14, as Mowi did in this case. Indeed, Mowi did not produce any evidence that the complainant’s bank provided him with any information on Mowi’s processing of his personal data; it just assumed it.45
42 Mowi’s Reply to Datatilsynet, answer to Q.4 (stating in Norwegian: “Klageren har kjøpt aksjer i Mowi via sin bank, hvor banken opptrer som forvalter av aksjeposten. Det forutsettes at klager i den forbindelse har blitt kjent med at opplysninger om ham formidles til selskapet han kjøper aksjer i. Dette må også sees i sammenheng med allmennaksjeloven §4-10 fjerde avsnitt hvor det uttrykkelig fremkommer at selskapet har en ubetinget rett til å få opplyst fra forvalteren hvem som er underliggende eier av de aksjer forvalteroppdraget omfatter, og om hvor mange aksjer hver enkelt eier. Det må forutsettes at en aksjonær som benytter forvalter også er kjent med denne bestemmelsen. Mowi er derfor av den oppfatning at det ikke er nødvendig med ytterligere informasjon, jfr. personvernforordningens artikkel [sic] 15 a) og c). Vi erkjenner at Mowi selv ikke har gitt informasjon om den aktuelle behandlingen i sin personvernerklæring. Det har heller ikke vært direkte kommunikasjon med den registrerte. På bakgrunn av saken vil vi gjennomgå våre rutiner for informasjon for å vurdere om slik informasjon skal gis direkte, eller på annen hensiktsmessig måte”). Note that Mowi has acknowledged that in this passage it intended to refer to Article 14(5)(a) and (c), and not to Article 15. See Mowi’s email to Datatilsynet dated 23 December 2021.
43 Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01, Adopted on As last Revised and Adopted on 11 April 2018) (hereinafter “Transparency Guidelines”), para. 57. Such guidelines have been endorsed by the EDPB. See EDPB, Endorsement 1/2018 (25 May 2018).
44 Ibid., para. 56.
Further, the exception in Article 14(5)(a) only applies “insofar as” the data subject has the information required in Article 14(1) to (2). This means that this exception applies only with respect to the specific information that the data subject actually has. However, the controller must supplement that information to ensure that the data subject has a complete set of the information listed in Article 14(1) to (2). In this regard, it should be noted that at least some—if not all—of the information listed in Article 14(1) to (2) was not available to the complainant. For instance, the complainant was not aware at least of the following:
• The legal basis for the processing under the GDPR (Article 14(1)(c)). According to Mowi, the relevant legal basis was Article 6(1)(f).47 Nonetheless, Mowi’s privacy policy only mentioned consent as a legal basis for the “processing of personal data carried out by Mowi for any persons not employed by Mowi” (emphasis added), and the Public Limited Liability Companies Act does not provide any information on the legal basis to be relied on under the GDPR for processing shareholder information.
• The recipients or categories of recipients of the personal data (Article 14(1)(e)).
In its replies to Datatilsynet and the complainant, Mowi stated that shareholder information is disclosed to NASDAQ OMX Corporate Solutions International Limited,49 although Mowi’s privacy policy stated that “personal data are not to be disclosed to third parties unless Mowi is obliged to disclose such information”,50 and no such obligation exists under the Norwegian Public Limited Liability Companies Act with respect to third parties such as NASDAQ.
• Information on international data transfers and suitable safeguards (Article 14(1)(f)). In its reply to the complainant, Mowi stated that “Nasdaq is registered in the UK and the transfer of personal data to UK is governed by Standard Contractual Clauses entered into between Mowi and Nasdaq”.51 However, Mowi’s privacy policy stated: “Mowi will not transfer your personal data to third countries outside the EU/EEA unless you have you have expressly been informed [and consented to] otherwise”.
• The period for which the personal data will be stored (Article 14(2)(a)). In its reply to the complainant, Mowi stated: “Nasdaq holds the information as long as it is needed, but never longer than 5 years, whichever is first.” However, no such information was mentioned in Mowi’s privacy policy, nor does the Norwegian Public Limited Liability Companies Act regulate such a retention period.
45 Mowi’s Reply to Datatilsynet, answer to Q.4 (stating: “Det forutsettes at klager …”, emphasis added).
46 Transparency Guidelines, para. 56.
47 Mowi’s Reply to Datatilsynet, answer to Q.2.
48 See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
49 Mowi’s Reply to Datatilsynet, answer to Q.3; Mowi’s Response to the Complainant. It should be noted that processors qualify as recipients under Article 4(9) GDPR. See Transparency Guidelines, page 37.
50 See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
51 Mowi’s Response to the Complainant.
Thirdly, the exception in Article 14(5)(c) applies when the following two conditions are met: (1) “obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject”; and (2) such law “provides appropriate measures to protect the data subject’s legitimate interests”.
As for the first condition, the EDPB noted that:
Such a law must directly address the data controller and the obtaining or disclosure in question should be mandatory upon the data controller. Accordingly, the data controller must be able to demonstrate how the law in question applies to them and requires them to either obtain or disclose the personal data in question.53 (emphasis added)
In this regard, it should be noted that—as acknowledged by Mowi—§ 4-10 of the Norwegian Public Limited Liability Companies Act provides for a “right” which enables Mowi to obtain shareholder information; it does not require Mowi to obtain such information. Indeed, Mowi claimed that the legal basis for processing shareholder information pursuant to the Norwegian Public Limited Liability Companies Act is Article 6(1)(f), and not Article 6(1)(c) GDPR. Thus, the first condition laid down in Article 14(5)(c) is not met in the present case.
For completeness purposes, it should be noted that also the second condition set out in Article 14(5)(c) is not met in the present case, as Mowi failed to demonstrate that the Norwegian Public Limited Liability Companies Act provides appropriate measures to protect the data subjects’ (i.e., the shareholders’) legitimate interests and how Mowi complied with such appropriate measures. As noted by the EDPB:
While it is for Union or Member State law to frame the law such that it provides “appropriate measures to protect the data subject’s legitimate interests”, the data controller should ensure (and be able to demonstrate) that its obtaining or disclosure of personal data complies with those measures.56
In any event, it should be noted that, even when a controller is able to rely on the exception in Article 14(5)(c):
the data controller should make it clear to data subjects that it obtains or discloses personal data in accordance with the law in question, unless there is a legal prohibition preventing the data controller from doing so.57
52 See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>.
53 Transparency Guidelines, para. 66.
54 Mowi’s Reply to Datatilsynet, answer to Q.4 (stating in Norwegian: “[…] allmennaksjeloven §4-10 fjerde avsnitt hvor det uttrykkelig fremkommer at selskapet har en ubetinget rett til å få opplyst fra forvalteren hvem som er underliggende eier av de aksjer forvalteroppdraget omfatter, og om hvor mange aksjer hver enkelt eier”; emphasis added).
55 Norwegian Public Limited Liability Companies Act, § 4-10, which reads in Norwegian: “Dersom selskapet eller en offentlig myndighet krever det, plikter forvalteren å gi opplysninger om hvem som eier de aksjer forvalteroppdraget omfatter, og om hvor mange aksjer hver enkelt eier”.
56 Transparency Guidelines, para. 66.
Fourthly, Mowi’s privacy policy in effect at the time of the complaint would have led essentially any data subject to believe that the “processing of personal data carried out by Mowi for any persons not employed by Mowi,” including “personal data by/from […] third parties” would exclusively take place on the basis of the data subject’s consent, for advertising purposes (“The legal basis and the purpose for Mowi’s processing of your personal data is based on your consent, and direct mail”) (emphasis added). Thus, any data subject/shareholder who would have reasonably relied on the information provided in Mowi’s privacy policy would have most likely concluded that Mowi did not process personal data for any other purpose or legal basis. This kind of incomplete and misleading communication is incompatible with the transparency principle set out in Article 5(1)(a) GDPR.
In this regard, it should be noted that—after the opening of Datatilsynet’s inquiry—Mowi partially amended its privacy policy on 20 December 2021, and its privacy policy no longer refers exclusively to consent as a legal basis for Mowi’s processing activities.59
In light of the above, the information obligations laid down in Article 14 GDPR were applicable to Mowi. Thus, Mowi violated Article 14, as it failed to provide all of the information required under that Article within one month after having obtained the complainant’s personal data from his bank.60
In our view, such a violation warrants the imposition of a reprimand pursuant to Article 58(2)(b) GDPR. This is because the complainant was eventually provided with the information he wished to obtain—albeit with a considerable delay—and hence the detriment suffered by the complainant was minimal in practice, which is confirmed by the fact that the complainant was satisfied with Mowi’s delayed reply. However, Mowi’s approach with regard to its obligations under Article 14 entails that similar violations have likely taken place with respect to other shareholders and may reoccur in the future. Thus, the adoption of a corrective measure appears to be appropriate in this case, in particular to discourage future similar instances of non-compliance, and uphold the data protection rights of other shareholders.
In addition, while the scope of our inquiry did not cover a full review of Mowi’s privacy policy in effect at the time of the present decision, we note that the privacy policy as last amended in December 2021 appears to be insufficient to comply with the transparency obligations that Mowi has under the GDPR. For instance:
57 Ibid.
58 See: <https://web.archive.org/web/20210814074115/https://mowi.com/about/privacy-policy/>. The Norwegian version of the privacy policy stated, more clearly: “rettsgrunnlaget for Mowis behandling av personopplysningene dine er ditt samtykke, og formålet er utsendelse av reklame”.
59 See: <https://mowi.com/about/privacy-policy/>.
60 Art. 14(3)(a) GDPR.
61 Note that Mowi stated that “Nasdaq on behalf of Mowi ASA reaches out to various Custodian banks to request shareholder information pursuant to the Norwegian Public Limited Companies Act” (emphasis added). See Mowi’s Response to the Complainant.
• Under “legal basis and purpose”, Mowi’s privacy policy—which applies to the “processing of personal data carried out by Mowi for any persons not employed by Mowi” (emphasis added)—simply replicates the wording of Article 6(1) GDPR without clarifying the actual purposes of, and legal basis for, the specific data processing activities envisaged by Mowi so as to allow the data subject to assess, on the basis of his or her own situation, what legal basis/purpose(s) apply. The privacy policy merely states:
“Mowi may process Personal Data relating to Users if one of the following applies: Users have given their consent for one or more specific purposes. Note: Under some legislation Mowi may be allowed to process Personal Data until the User objects to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply, whenever the processing of Personal Data is subject to European data protection law; provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof; processing is necessary for compliance with a legal obligation to which Mowi is subject; processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in Mowi; processing is necessary for the purposes of the legitimate interests pursued by Mowi or by a third party.
In any case, Mowi will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.”63
• With regard to international data transfers, the privacy policy states: “Mowi will not transfer your personal data to third countries outside the EU/EEA unless you have you have expressly been informed [and consented to] otherwise”,64 although Mowi has acknowledged that it transfers at least shareholder information to NASDAQ in the UK, without consent.
• With regard to data retention periods, the privacy policy states that “Personal Data shall be processed and stored for as long as required by the purpose they have been collected for,”65 without providing any additional information that would enable the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data/purposes.66
62 Cf. Transparency Guidelines, page 9.
63 See: <https://mowi.com/about/privacy-policy/>.
64 Ibid.
65 Ibid.
The examples provided above show that—if Mowi’s privacy policy is at least partially intended to provide the information required by Article 14 GDPR, as it seems to be the case, given that the privacy policy states that “Mowi collects personal data by/from direct contact with you, online forms, third parties, newsletters etc.” (emphasis added)—to ensure full compliance with Article 14 Mowi not only needs to make sure that its shareholders are given the necessary information when their personal data are processed in accordance with the Norwegian Public Limited Liability Companies Act (as outlined above); Mowi also needs to ensure that the company’s privacy policy intended to provide information on the collection of personal data from third parties is appropriately phrased and includes all of the information required under the GDPR.
Mowi has already indicated its intention to update its privacy policy, and transparency documentation and routines. In particular, after having received Datatilsynet’s advance notification, Mowi informed Datatilsynet of its intention to introduce the following changes to its privacy policy:
It shall include information on processing of the personal data of shareholders, collected via third parties such as Nasdaq.
It shall describe Mowi’s legal basis for processing shareholders personal data. The legal basis is GDPR article 6(1)(f), on account of Mowi’s legitimate interest in knowing its investors, in order to follow-up investors and provide these with relevant information on the company. As a listed corporation, our investor relations department meet with a lot of investors throughout the year. A shareholder overview of relevant investors is therefore needed to maintain proper investor relations services.
The privacy policy shall describe that data processors may be recipients of the personal data processed, cf. the GDPR article 14 (1) (e).
International data transfers and suitable safeguards shall be described, cf. GDPR article 14 (1) (f), e.g. transfers to Nasdaq on the basis of Standard Contractual Clauses.
The information on retention periods in accordance with GDPR article 14 (2) (a) shall be supplemented.67
Further, the company stated that “[a]ll updated information in the privacy policy will be updated correspondingly in Mowi’s internal documentation and routines.”68
66 Transparency Guidelines, page 38.
67 See DPA’S ADVANCE NOTIFICATION – REPRIMAND AND COMPLIANCE ORDER – MOWI ASA (ref: 514012).
68 Ibid.
Nonetheless, to make sure that these changes are actually and properly implemented, we deem it necessary to formally order Mowi to bring its information routines and documentation into compliance with Article 14 GDPR, and to notify the measures taken for complying with such order to Datatilsynet within four weeks after having received the present decision, in accordance with Article 58(2)(d) GDPR.
While the present inquiry has only focused on Mowi’s compliance with Articles 12, 14 and 15 GDPR in connection with the above-mentioned complaint, this is without prejudice to the possibility of opening future inquiries to assess Mowi’s compliance with Article 13 GDPR, including with respect to its privacy policy.
7. Right of Appeal
As this decision has been adopted pursuant to Article 56 and Chapter VII GDPR, the present decision may be appealed before Oslo District Court (“Oslo tingrett”) in accordance with Article 78(1) GDPR, Article 25 of the Norwegian Data Protection Act, and Article 4-4(4) of the Norwegian Dispute Act.69
Kind regards
Tobias Judin
Head of International
Luca Tosoni
Senior Legal Advisor
This letter has electronic approval and is therefore not signed
69 Act of 17 June 2005 no. 90 relating to mediation and procedure in civil disputes (Lov om mekling og rettergang i sivile tvister (tvisteloven)).