Datatilsynet (Norway) - 20/02875-10 & 20/02875-11
Datatilsynet - 20/02875-10 & 20/02875-11 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6 GDPR Article 6(1)(e) GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 16.05.2022 |
Published: | 02.06.2022 |
Fine: | 150000 NOK |
Parties: | anonymous Norwegian Labour Inspection Authority (Arbeidstilsynet) |
National Case Number/Name: | 20/02875-10 & 20/02875-11 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | n/a |
The Norwegian DPA fined the Norwegian Labour Inspection Authority approximately €14,679 (150,000 NOK) for credit rating a one-person company without a legal basis. The DPA also reprimanded the controller for falsely informing the data subject that their data had not been processed.
English Summary
Facts
The data subject was a one-person company which provided assistence to businesses with various matters. One company that it had assisted and sold services to was under the Norwegian Labour Inspection Authority’s supervision. For this reason, the Norwegian Labour Inspection Authority credit assessed the data subject’s company. The data subject repeatedly asked whether the data of his one-person company was processed, to which the Norwegian Labour Inspection Authority replied that it had not. The Norwegian DPA considered whether the Norwegian Labour Inspection Authority had a legal basis under Article 6 GDPR for processing this data and whether it complied with the transparency requirements under Article 15 GDPR.
Holding
The DPA issued a fine of approximately €14,679 (150,000 NOK) against the Norwegian Labour Inspection Authority.
First, the DPA held that the Norwegian Labour Inspection Authority had no valid legal basis to process personal data and hence violated Article 6 GDPR. The Norwegian Labour Inspection Authority could only rely on the legal ground of processing where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller under Article 6(1)(e) GDPR if a supplementary legal basis had been laid out in Union or Member State law pursuant to Article 6(3) GDPR. Under the relevant domestic legislation (Working Environment Act), anyone who is subject to supervision by the Norwegian Labour Inspection Authority is obliged to provide information deemed necessary for the exercise of such supervision. The DPA held that since the processing of such personal data could result in criminal sanctions, this provision must be interpreted strictly and it does not apply to persons who are not directly subject to the Authority’s supervision. The Authority itself confirmed that the data subject, unlike the company that it assisted and sold services to, was not subject to its supervision. In addition, the personal data was obtained from a third party, not from the data subject. Hence, the DPA held that the supplementary legal basis did not apply and the Authority consequently did not have a legal basis to process the data subject’s personal data under Article 6(1)(e) GDPR.
Second, the DPA held that the Norwegian Labour Inspection Authority violated Article 15 GDPR by incorrectly informing the complainant that his personal data were not processed in the form of a credit assessment.
Comment
The DPA considered the processing of one-person companies‘ data to be personal data.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
ARBEIDSTILSYNET PO Box 4720 Torgarden Excluded from the public: 7468 TRONDHEIM Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt. Their reference Our reference Date 20 / 02875-10 16.05.2022 Decision on infringement fee - Complaint about credit assessment - Arbeidstilsynet 1 Introduction We refer to our notice of decision on reprimand, order and infringement fee dated 15. November 2021. We also refer to their answer dated December 2, 2021. As it appears from their response, the Norwegian Labor Inspection Authority has accepted the infringement fee and the reprimand, and has none notes to the notice. The Norwegian Labor Inspection Authority has also attached updated routines for credit assessments, where it appears that no credit assessments are to be made in supervisory matters. The Norwegian Data Protection Authority has chosen to make two final decisions on the basis of the notification of 15 November 2021. This decision applies to credit assessments without a legal basis, cf. Article 6 (1) of the Privacy Regulation. The decision on reprimand is sent as a separate letter (doc. No. 20 / 02875-11). 2. Decision on order and infringement fine Pursuant to the Privacy Ordinance, Article 58 (2) (2) is imposed Arbeidstilsynet, org.nr. 974 761 211, to pay an infringement fee to the Treasury of NOK 150,000 for having obtained a credit assessment without a legal basis, cf. Article 6 (1) (e) of the Privacy Regulation. 3. Background of the case We received a complaint on 26 June 2020 that the Norwegian Labor Inspection Authority credit-rated the sole proprietorship , belonging (hereinafter «complaints»). Complainant is retired, but has some clients that he assists on an annual basis. Through complaints offers products and services such as internal control systems and quality assurance, as well as training. Postal address: Office address: Telephone: Org.nr: Website: PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLO, On 17 January 2020, complainants were contacted for assistance with the preparation of Internal Control HSE for Malerfirmaet Sundt AS. The painting company Sundt AS was founded on 2 July 2019. On 31 March 2020, complainants were again contacted by Malerfirma Sundt AS for assistance with postal services supervision by the Norwegian Labor Inspection Authority. Complainants state that he contacted the case officer in Arbeidstilsynet 1 April to inform that a course which according to the plans was to be held 21. April was postponed indefinitely due to the corona situation. The course was intended as training by managers and safety representatives. Furthermore, complaints to the case officer explained what his sole proprietorships could assist Malerfirmaet Sundt AS with. A few days later, the complainant received a copy letter informing him that his sole proprietorships had been credit-rated by the Norwegian Labor Inspection Authority on 1 April. Complainants contacted Bisnode to find out who had rated his company. Bisnode referred complaints to the Norwegian Labor Inspection Authority. Complainants contacted the Norwegian Labor Inspection Authority on 16 April, and were transferred to the section leader in Oslo the switchboard. Complainants state that he called four times without receiving a reply. Complainant writes further that he left a message in which he asked to be called, without him being. Complainants again contacted the switchboard, which forwarded complaints to another section leader in Oslo. Complainant writes that this section leader informed him that «No one in the Norwegian Labor Inspection Authority can make a credit assessment or have access to programs to implement this. " On this at the time writes complaints that he had been informed by Bisnode that the Norwegian Labor Inspection Authority has access to credit rating of individuals through Proff Forvalt. Complainant states that he received information about Proff Forvalt from Bisnode when he contacted them April 16, as he wanted help investigating who had made the credit rating. Complainant urged Bisnode on May 11, where he was informed that Bisnode still tried to find the name and telephone number of the person in the Norwegian Labor Inspection Authority. After contacting the Norwegian Data Protection Authority, the complainant contacted the Norwegian Labor Inspection Authority's privacy representative on 11 or 12 May. Complainants received an e-mail on 14 May with the name of the person in question from the Norwegian Labor Inspection Authority who is to have made the credit assessment. The person who performed the credit rating was the same the caseworker who complains was contacted on 1 April. Complainant's inquiry about the credit rating was answered by the Norwegian Labor Inspection Authority on 20 May. Complainant writes that he does not have problems with supervisors carrying out checks, however wonders why he was credit-rated by the Norwegian Labor Inspection Authority. The Norwegian Data Protection Authority sent a request for a report to the Norwegian Labor Inspection Authority on 12 August 2020. We received a response 17 September 2020. Demand for further statement was sent on 1 February 2021, which was answered March 1, 2021. 2, the Norwegian Labor Inspection Authority justifies the credit assessment on the grounds that: «The credit assessment was made by the Department of Occupational Crime in connection with mapping of one of our cases. Your sole proprietorship had sold over time services to a company we have under supervision and which we are investigating further. In the connection, connections related to your sole proprietorship were discovered. By such studies it is common also to check networks and business connections to uncover any further links. In such an assessment is used publicly available registers, such as the brønnysund registers, bankruptcy registers, Proff Forvalt, m.fl. » Complainants emphasize that the first assignment was performed in January 2020, and that the next assignment was in in connection with postal supervision 31 March. The credit assessment was made on 1 April. Further wondering complains about why he was told that no one in the Norwegian Labor Inspection Authority could make one credit rating or have access to programs to accomplish this. 4. Legal background 4.1. Responsible for processing Article 4 (7) of the Privacy Regulation defines "data controller" as: […] A natural or legal person, a public authority, an institution or any other another body which alone or together with others determines the purpose of the processing of personal data and the means to be used; when the purpose and the means of treatment are laid down in Union law or in the Member States national law, the person responsible for processing, or the special criteria for designation by the person concerned, shall be determined by Union law or by the national law of the Member States 4.2. In particular on the legal basis for the collection of personal data as public authority Obtaining and storing credit information about individuals and sole proprietorships constitutes one processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and the Personal Data Act § 1. All processing of personal data must have a legal basis in accordance with the Privacy Ordinance Article 6 to be lawful. The basis for treatment must be determined before the treatment takes place When a public authority is to obtain credit information about an individual is Article 6 No. 1 letter e is the most relevant basis for treatment. Pursuant to Article 6 (1) (e), the processing of personal data must be necessary in order to: perform a task in the public interest or to exercise public authority as such treatment managers are required. 3, It follows from Article 6 (3) that a processing of personal data based on Article 6 no. 1 letter e must have a supplementary legal basis in national law. That means it the person responsible for processing may not invoke Article 6 (1) (e) alone as the court the basis of treatment. 4.3. Requirements for additional legislation pursuant to Article 6 (3) Article 6 (3) lays down minimum requirements for supplementary legislation. In the preparatory work, the Ministry discusses what may constitute a supplementary legal basis for the treatment: "In the Ministry's view, it must be assumed that at least the law and regulatory provisions may constitute a supplementary legal basis. " 1 The provision in Article 6 (3) further refers to the requirement for its content supplementary legal basis, including what shall be stated in the supplementary the legal basis, and what the supplementary legal basis may contain. It is clear from the wording of Article 6 (3) that the purpose of the treatment shall be: necessary to perform a task in the public interest or to exercise public authority as imposed on the controller. According to the wording of Article 6 (3), there must be a supplementary legal basis in the national the court, but it is not a requirement that the legal basis expressly regulates the processing of personal information. However, the purpose of the treatment must be necessary to perform tasks in the public interest or exercise public authority as such treatment managers are required. Both the preamble and the preparatory work refer to the European Convention on Human Rights. Of In the preparatory work, it is emphasized that if the processing of personal data constitutes an interference with the right to privacy pursuant to Article 102 of the Constitution or Article 8 of the ECHR, it may be necessary a more specific legal basis than that required by the wording of Article 6 (3) In the following, we have assumed that obtaining a credit rating involves an intervention in privacy. 4.4. About the duty of internal control Pursuant to Article 24 of the Privacy Ordinance, all data controllers are obliged to be able to demonstrate that they process personal data in accordance with the law. If it stands in a reasonable relation to the treatment activities, the company shall implement appropriate guidelines for the protection of personal information. 1 Prp.L.56 LS (2017-2018), pp. 34. 4, Credit assessment is an intrusive processing of personal data and constitutes a large encroachment on individuals' right to privacy. The person responsible for treatment must therefore be able to document their internal routines or processes, so-called internal control, which meet the requirements for legal basis for credit assessment. The routines must describe when and how credit information is to be obtained and how to access it shall be granted, and shall ensure that credit assessments are not obtained without the requirement for legal authority being fulfilled. 5. The Danish Data Protection Agency's assessment 5.1. Responsible for processing Obtaining and storing credit information about individuals and sole proprietorships constitutes one processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and The Personal Data Act § 1. We assume that the Norwegian Labor Inspection Authority is responsible for processing the processing of personal data obtained through credit assessment. 5.2. The duty of internal control Based on the Norwegian Labor Inspection Authority's response, we assume that the audit did not have routines for the processing of personal data through Proff Forvalt at the time of control, or procedures to ensure that the data subject could exercise his rights and receive an answer without undue delay stay. It appears from the report that the Norwegian Labor Inspection Authority completed the mapping of personal data in December 2020, and that relevant measures are now being worked on as a result of this survey. The Norwegian Data Protection Authority has the competence to order the data controller to ensure that the processing activities take place in accordance with the provisions of the Privacy Ordinance, cf. Article 58 (2) (d) of the Privacy Regulation. This is the background for the order to prepare routines for credit assessment. Arbeidstilsynet must develop routines that ensure that credit assessment only takes place when there is a legal basis for the credit rating. 5.3. Legal basis for the processing of personal data 5.3.1. Article 6 (1) (e) It follows from the Privacy Regulation Article 6 No. 1 letter e that the processing of personal data is only legal if the processing is necessary for public exercise authority imposed on the data controller. Furthermore, it follows from Article 6, paragraph 3, letter b, that the basis for the processing pursuant to Article 6 point 1 (e) shall be laid down in the national law of the Member State. There are certain requirements for it 5, supplementing the legal authority under the regulation and the regulation's advocacy point, which reviewed above. The processing of the complainant's personal data was carried out in order to supervise the regulations as falls to the Labor Inspectorate's area of responsibility. The treatment is thus the exercise of public authority imposed on the data controller. 5.3.2. Supplementary legal basis in the Working Environment Act § 18-5 In their response to our first requirement for an explanation, the Norwegian Labor Inspection Authority refers to the Working Environment Act («Aml.») Purpose provision and chapter 18 in general as the supplementary legal basis for the processing of the complainant's personal data. It is emphasized in the later statement that Arbeidstilsynet believes that the Working Environment Act § 18-5 is the supplementary legal basis, read in connection with § 18-4 and the Public Administration Act § 17. Arbeidstilsynet points out that they have one other understanding of the statutory provision than the one the Data Inspectorate based on our requirement further statement. The Data Inspectorate wrote in our demand for a further statement: "It appears, among other things, from § 18-5 that" anyone "who is" subject to supervision "by Arbeidstilsynet is obliged to provide information that is considered necessary for the exercise of supervision. As the Data Inspectorate reads the provision, it is directed at the activities that are below supervision, and imposes an obligation on them to disclose the information as the Norwegian Labor Inspection Authority needs. In the specific complaint to the Danish Data Protection Agency, it is unclear whether the complaints were below supervision, or whether the information was obtained as part of the supervision of another company. Furthermore, the credit rating is not obtained from complainants, but a third party. Third parties is correctly mentioned in the second paragraph, but then only about other inspections. It follows from § 18-6 that the Norwegian Labor Inspection Authority issues orders and makes the individual decisions that are necessary for the implementation of a number of provisions listed in § 18-6. However, it is not clear to the Norwegian Data Protection Authority that a credit rating is to be regarded as one orders or individual decisions, as required by § 18-6. " The Norwegian Labor Inspection Authority writes in the report that: «To ensure the Norwegian Labor Inspection Authority's competence, we have control powers in the Working Environment Act Chapter 18 which gives the right to access the business, and the right to demand information. In order for the Norwegian Labor Inspection Authority to be able to assess whether it is relevant to carry out (local) or digital) supervision, information gathering is an important part of the preparation, cf. point 1. The purpose of the rules in Chapter 18 is to provide the Norwegian Labor Inspection Authority with a sufficient basis to assess whether a business complies with the requirements of the law. An important part of this the assessment is whether we will establish supervision, with inspection and further information gathering. 6, It follows from the Working Environment Act § 18-5 that the Norwegian Labor Inspection Authority may require information from all who are subject to obligations under the law, cf. "anyone". The Norwegian Labor Inspection Authority has moved on at any time «unobstructed access to any place covered by the Act», cf. § 18-4. So that The Norwegian Labor Inspection Authority shall be able to fulfill its duty to investigate pursuant to section 17 of the Public Administration Act these provisions are not interpreted restrictively. However, we emphasize that the measures shall be necessary in connection with the individual audits / assessment of audits. " The Norwegian Labor Inspection Authority confirms in the report that complaints were not subject to supervision. In answer to question 3, the Norwegian Labor Inspection Authority elaborates on its view of the provision scope: «[…] Arbeidstilsynet [believes] this provision must be understood so that we can obtain information from the relevant supervisory object we are supervising or which we is considering conducting audits. " The Norwegian Data Protection Authority disagrees with the Norwegian Labor Inspection Authority's interpretation of the provision § 18-5 and will give reasons this below. We first want to comment on the requirement for legal authority after Article 6 (3) of the Privacy Regulation. The principle of legality As mentioned above, Article 6 (3) of the Privacy Ordinance sets out legal requirements the basis laid down in the Member State. It is a condition that the purpose of the treatment must be regulated in the national special legislation. The requirements for the clarity of the legal basis are affected, among other things, by how intrusive the processing of personal data is, and whether it is within the principle of legality area. The processing of personal data will be particularly intrusive in those cases where the processing may result in criminal sanctions. Interventional measures that may result in criminal proceedings sanctions, or sanctions that are to be regarded as penalties according to EMD practice, are relevant the principle of legality. It follows from Chapter 19 of the Working Environment Act that breaches of the Act can be punished by fines or prison, cf. also fvl. § 13b first paragraph letter 6. As the Norwegian Labor Inspection Authority processed the complainant's personal data, this could therefore result in criminal sanctions. The principle of legality thus sets a stricter requirement clarity of legal authority pursuant to the Privacy Ordinance Article 6 No. 1 letter e cf. cf. Article 6 No. 3. Working Environment Act § 18-5 The Working Environment Act § 18-5 reads: 7, «§ 18-5. Information (1) Everyone who is subject to supervision pursuant to this Act shall when the Labor Inspection Authority so requires and without prejudice to the duty of confidentiality, provide information that is deemed necessary the exercise of supervision. The Norwegian Labor Inspection Authority can decide in what form the information should be gis. (2) Information as mentioned in the first paragraph may also be required from other public authorities supervisory authorities without prejudice to the duty of confidentiality that otherwise applies. The duty to provide information only applies to the information that is necessary for that the supervisory authority shall be able to perform its tasks in accordance with the law » It is clear from the wording that "everyone" is connected to the person who is "subject to supervision" by Arbeidstilsynet. The obligation to "provide information" is also linked to the person who is subject to supervision. The information that may be required to be submitted is limited to information that is considered "Necessary for the exercise of supervision". "Anyone who is subject to supervision" The way the Data Inspectorate reads the Working Environment Act, there are no provisions that clarify when someone is subject to supervision. Whether someone is subject to supervision thus appears to be a matter of discretion assessment that the Norwegian Labor Inspection Authority is closest to taking. As mentioned above writes Arbeidstilsynet that complaints were not under supervision when he was credit-rated. In its response to us, the Norwegian Labor Inspection Authority shows that section 18-5 must be understood so that other parties as well Arbeidstilsynet is considering conducting further inspections of those covered by the provision, even if they at the time of obtaining information is not subject to supervision under the Working Environment Act provisions. Arbeidstilsynet emphasizes that the provision is aimed at "anyone" who is imposed obligations under the law. As the Data Inspectorate reads the wording and prepares, section 18-5 is specifically aimed at someone who is controlled by the Norwegian Labor Inspection Authority, and which is thus subject to supervision. The provision delimits such against others who are not subject to supervision by the Norwegian Labor Inspection Authority, as well as obtaining information from third parties not mentioned in other sections. The Norwegian Labor Inspection Authority has referred to the Public Administration Act § 17 and the Working Environment Act § 18-4 as support for their view of the scope of the provision. The Data Inspectorate cannot see that the regulations support one expanding interpretation of the wording in § 18-5. This comes especially at the forefront of the concrete the case, as the treatment actualizes the legality principle's requirement for clarity. The Data Inspectorate disagrees with the interpretation used by the Norwegian Labor Inspection Authority, and does not find evidence in the sources of law that the legislature has meant that also legal entities which are not subject to supervision may be covered by the scope of the provision. 8, In this case, it is also difficult to see that the provision in the Working Environment Act fulfills the requirements for a supplementary legal basis, regardless of whether the complaints were subject to supervision or not. The subject of duty according to aml. § 18-5 is the person who is subject to supervision. In this case has However, the Norwegian Labor Inspection Authority obtained the complainant's credit information from Bisnode as one third party. Our assessment is that AML § 18-5 does not give the Norwegian Labor Inspection Authority authority to obtain complaints personal information from a third party, as the Authority has done through obtaining credit information from Bisnode in this case. The conclusion is that the Norwegian Labor Inspection Authority did not have a legal basis for credit assessing complaints, cf. Article 6 (1) (e) of the Privacy Regulation, cf. Article 6 (3). 5.4. Written routines (internal control) In its reply of 2 December 2021, the Norwegian Labor Inspection Authority refers to notification of infringement fines for new employees routines for the use of credit ratings. The routines are attached to the answer. The routines describe the tools that the Norwegian Labor Inspection Authority has available to obtain credit ratings. The function that enables the collection of credit ratings is linked to and built into the systems that provide up-to-date information within credit and market information. The routines state that the Norwegian Labor Inspection Authority has not made an assessment of whether and, if so, in which cases and how credit assessments are to be used in connection with supervisory cases. The it is stated in the routine that the function is not to be used. The Norwegian Data Protection Authority expects that information about the new routines will be clearly disseminated internally the organization. The Norwegian Data Protection Authority also expects a thorough assessment of legality if it is considered to introduce the use of credit ratings at a later date. Based on the submitted routine, we therefore waive our conclusion in the notification of decision as instructs the Norwegian Labor Inspection Authority to establish internal control for credit assessments. Infringement fee 6.1. General information about infringement fines Violation fees are a tool to ensure effective compliance and enforcement of the personal data regulations. In accordance with the practice of the Supreme Court, cf. Rt. 2012 page 1556, we assume that infringement fines are to be regarded as penalties under the European Convention on Human Rights (ECHR) Article 6. A clear preponderance of probabilities for offenses is therefore required in order to be able to charge fee. 9, We refer in this connection to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can be imposed by a administrative body, which addresses a committed violation of law, regulation or individual decision, which is considered a punishment under the European Convention on Human Rights (EMK). Section 46, first paragraph, of the Public Administration Act states: When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual has shown guilt. In judgment HR-2021-797-A, the Supreme Court has assumed that the objective responsibility for corporate punishment that follows from the Penal Code § 27 is not compatible with the concept of punishment in the ECHR as such it is interpreted by the EMD. The Supreme Court states in the judgment that the person who has acted on behalf of the company must have shown guilt, and that general negligence is sufficient to fulfill this. The Ministry of Justice has stated that the same must be used in administrative cases sanctions. As infringement fines are considered a penalty under the ECHR, we assume that we can only impose an infringement fine on an enterprise if the person who has acted on behalf of the enterprise has shown guilt, and that general negligence is sufficient, cf. HR-2021-797-A. 6.2. The guilt claim when imposing an infringement fine In order for the Data Inspectorate to be able to impose an infringement fee on the Norwegian Labor Inspection Authority, it is therefore required that the person who has acted on behalf of the audit has shown guilt. In this case, our assessment is that intent is the current form of guilt. The intent requirement follows from general basic legal principles, and these principles are codified in the Penal Code § 22. It follows from the provision: "Intention exists when someone commits an act that covers the description of the act in a penalty: a) with intent, b) with awareness that the action certainly or most likely covers the description of the act, or c) considers it possible that the action covers the description of the act, and chooses to act even if that should be the case. " It follows from the second paragraph of the provision, however, that «[t] he presumption exists even if the offender is not aware that the act is illegal, cf. § 26 ». There is thus no requirement that one knew that the act was against the law. 10, It follows from the Penal Code § 26 that «[d] a who at the time of the action due to ignorance if legal rules are unknown that the act is illegal, is punished when the ignorance is negligent. " IN according to the requirement of diligence, companies must familiarize themselves with which legislation applies to the area, and organize the business in accordance with the framework that follows from it current regulations. In this case, the Norwegian Labor Inspection Authority has acknowledged in its statement that the inspector in the Norwegian Labor Inspection Authority has deliberately credit-rated complaints to investigate whether there was a need for supervision the business. We refer to a letter from the Norwegian Data Protection Authority to the Norwegian Labor Inspection Authority dated 31.07.2020, in particular questions 4 and 5. We assume that the inspector in the Norwegian Labor Inspection Authority acted on behalf of the Norwegian Labor Inspection Authority when he credit-rated complaints. Our conclusion is therefore that the violation was committed intentionally by the Norwegian Labor Inspection Authority. The guilt requirement for imposing an infringement fee is thus fulfilled. 6.3. Assessment of whether an infringement fee is to be imposed When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account to the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Data Inspectorate can impose infringement fines after a discretionary overall assessment, but they listed the moments lay down guidelines for the exercise of discretion by highlighting moments that should special emphasis is placed on. We will here assess the relevant factors on an ongoing basis. a) the nature, severity and duration of the infringement, taking into account it the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and the extent of the damage they have suffered, The principle of legality in the Privacy Regulation Article 5 No. 1 and the requirement to basis of treatment in Article 6 is one of the basic requirements that must be met when one the data controller processes personal data. The Norwegian Data Protection Authority does not find that the Working Environment Act § 18-5 is a sufficient supplementary legal basis so that the Norwegian Labor Inspection Authority could credit assess complaints. A credit rating is the result of compiling personal information from many different sources sources, and shows a number that indicates the probability that a person will pay a claim. One Credit rating will also show details about individuals personal finances, including any payment remarks, voluntary mortgages and debt ratio. This is private information as private individuals have an expectation that is not obtained by state supervisory authorities without legal basis 11, When particularly personal data worthy of protection have been obtained without a legal basis to the contrary this that the violation is serious and that the Danish Data Protection Agency responds with a violation fee. b) whether the infringement was committed intentionally or negligently, We assume that the Norwegian Labor Inspection Authority's case officer has deliberately credit-assessed complaints, and that the violation is thus committed intentionally. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects, We do not find this aspect relevant. d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32, Arbeidstilsynet has stated in response to the requirement for an explanation that there were no routines or guidelines for the processing of personal data. It thus appears that it does not were some internal rules for how the business card in Proff Forvalt should be used, and below what prerequisites. It is assumed that if measures had been taken in advance, would this could have meant that the credit assessment in this case had not been carried out. We emphasize in an aggravating direction that the Norwegian Labor Inspection Authority lacks knowledge of the rules for obtaining credit information, and that Arbeidstilsynet, according to the information, had neither technical or organizational measures in the form of routines to ensure compliance with the regulations. It is particularly aggravating that the Norwegian Labor Inspection Authority, as the supervisory authority, has not assessed the supervision had a legal basis for using the credit assessment tool. e) any previous violations committed by the data controller or the data processor, The Data Inspectorate is not aware of any previous violations. Following that appeal was created, a breach of the personal data security has been reported for completed credit assessment by the Norwegian Labor Inspection Authority. We do not emphasize this relationship. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it, This is not relevant in the case. g) the categories of personal data affected by the infringement, 12, Special categories of personal data (sensitive personal data) are not affected by the infringement in our case. However, information on salary, debt and creditworthiness is information that has a special need for protection due to its private nature. The categories of personal data that are affected are therefore moving in an aggravating direction. h) in what way the supervisory authority became aware of the infringement, in particular if and if so the extent to which the data controller or data processor has notified the infringement, We were notified of the violation of complaints, as well as through reported violations personal data security by the Norwegian Labor Inspection Authority. (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter that that mentioned measures are complied with, We do not know that measures have previously been taken against the Authority with regard to the same case subject. (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42, We do not find this aspect relevant. k) and any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement The Norwegian Data Protection Authority has not established that the Norwegian Labor Inspection Authority has had financial benefits, or avoided them direct or indirect loss as a result of the infringement. It can also not be stated others conditions in a mitigating direction. The Norwegian Data Protection Authority has also not taken into account the Norwegian Labor Inspection Authority's financial capacity. The Data Inspectorate "shall prepare and decide the case without undue delay", cf. § 11 first joint. When imposing administrative sanctions that are considered to be penalties under the ECHR Article 6, the requirements of a fair trial will be relevant. Among other things, it is required that the cases must be clarified "within a reasonable time", cf. Article 6 (1) of the ECHR. The provision is intended to take into account to the strain it is for individuals and businesses and live for a long time in the uncertain about the outcome of a potential case. The starting point for the assessment of the case processing time in the area of criminal law is when there is a criminal charge under the ECHR, cf. Neumeister v. Austria, § 18. Regarding when it if there is an accusation within the meaning of the convention, the EMD has stated in Deweer v. Belgium § 46 that 13, «The" charge "could, for the purposes of Article 6 par. 1 (art. 6-1), be defined as the official notification given to an individual by the competent authority of an allegation that he has committed a criminal offense. " The Norwegian Data Protection Authority understands this as meaning that the person who has potentially broken the law is considered charged from the time the person in question has received an official announcement of the charge. What is considered to be within a reasonable time will vary from case to case, in practice from the EMD has the limit for what has been considered within the total case processing time laid at around 5 years. 2 However, a distinction must be made between long case processing time and total inactivity. By total inactivity, the limit for breakage is lower. In Norwegian case law, the Supreme Court has ruled that the limit for breaches of Article 6 (1) of the ECHR is around one year's stay, cf. HR-2016-225-S avs. 32. The term length of stay is understood in this context as periods of total inactivity, cf. HR-2016-225-S avs. 33. However, poor progress will also be included in the assessment of whether the case processing time has become too long, cf. HR-2016-225-S para. 33. The question of the limit on the imposition of administrative sanctions has not been considered Supreme Court. However, it has been up in the Court of Appeal and the District Court in cases related to imposition of additional tax. Gulating Court of Appeal has assessed it as total inactivity at one year was not a breach and this thus did not lead to a deduction, cf. LG-2020-130954. Oslo the district court has ruled that 16 months entails a breach, but that this is in the lower tier, cf. TOSLO-2019-136118. The workload of the authorities dealing with the case has generally not been considered as relevant for the assessment of breaches by the EMD, cf. Eckle v. Germany, § 92. In its practice, the Privacy Board has also commented on the significance of case processing time for imposition of infringement fines. In PVN-2021-03, the Privacy Board emphasizes that the facts of the case became essentially clarified in May 2019, while it took over a year before the audit notified the order and infringement fee. In PVN-2021-09, the Privacy Board also emphasized the long case processing time at supervision. In that case, six months had passed since the audit received a report of a breach personal data security until a statement was requested. After receiving the statement took approx. four months before notice of decision was sent, and then ten months from the notice was sent until the decision was made. After the company complained, it went further three months before the case was received by the Privacy Board. A long period of inactivity could in itself also be a breach of ECHR art 6 no. 1. cf. Rt- 2005-1210 and HR-2016-225-S. In a case concerning additional tax, the Court of Appeal came to that total 2 See the EMD's compilation of relevant case law in its guide on Article 6 in the field of criminal law, p. 63, https://www.echr.coe.int/Documents/Guide_Art_6_criminal_ENG.pdf 14, length of stay of 20 months not qualified for violation of ECHR art. 6 No. 1, nor basis to reduce the additional tax, cf. LG-2020-130954. The timeline in this case is as follows: - The complaint was received on 30 June 2020. - Our request for a statement was sent on 12 August 2020. - We received a response to our request for a statement on 19 September 2020. - We sent a request for a further report to the Norwegian Labor Inspection Authority on 1 February 2021. - The Data Inspectorate received a response to our request for a further report on 1 March 2021. Notification of a decision on infringement fines was sent on 15 November 2021. - Response to notification of decision on infringement fine was received on 6 December 2021. In the case, the Norwegian Labor Inspection Authority was officially informed by the Norwegian Data Protection Authority that there was an accusation a potential offense in our first request for a statement dated 12 August 2020. The Data Inspectorate assumes that there was an indictment under the ECHR at this time, and by assessment of the case processing time starting point for the respondent, we add this the time due. When we assess the case processing time in the following, we thus refer to this time and not when the complaint was received. From the time we received a response to our first request for a statement in September 2020 until we sent out a request for a further statement in February 2021, it took about four months. This period did not consist of total inactivity, as conversations and discussions were held, among other things with other caseworkers about the case. From response to the demand for further statements was received for notification of decision was sent in mid-November 2021, it went a little over eight months. In the time between the response received to further statements and the notification of a decision was issued As before in the case processing process, there have been ongoing discussions about the case with others caseworkers and immediate management around the issuance of the notice and the final decision. However, there has been no active case processing throughout the period. In this particular case estimates we estimate that there may have been around four months of total inactivity. Following this, the Data Inspectorate assumes that the case has had a total case processing time of more than one and a half year where the amount of total inactivity has been around 4 months. Our assessment is that neither the case processing time nor the time of total inactivity constitutes a breach on the ECHR, and that it does not prevent us from imposing infringement fees in this case. Based on the assessment above, the Danish Data Protection Agency concludes that an infringement fee should be imposed. The The next question is the size of the fee. 6.4. Assessment of the size of the fee When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in the question of whether fee should be imposed. We therefore refer to the assessments of the case 15, severity above. The infringement fee must be effective, be in a reasonable proportion to the violation and act as a deterrent. This means that the supervisory authority must make one concrete, discretionary assessment in each individual case. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the amount of the fee must be in a reasonable proportion to the infringement and the activity, cf. Article 83 no 1. The Privacy Ordinance facilitates a higher level of fines than that which applied thereafter the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that infringement fines shall be determined specifically so that in each individual case it is effective, it says in a reasonable proportion to the violation and acts as a deterrent. The main purpose of infringement fines are contraception, ie the risk of being charged a fee must work 3 deterrent and thereby contribute to increased compliance with the regulations. By Skullerud et al. (2019), page 347, it appears: "Contraceptive considerations dictate that the fee for a violation must be set so high that this actually perceived as an evil by the offender. This means that the offender financial ability should be important in the measurement, so that the fee is higher the more stronger carrying capacity of the offender. […] When assessing the financial carrying capacity of a companies, it may be relevant to look at the company's total global annual turnover in previous financial year, cf. art. 83 Nos. 4 and 5. » And further: «The consideration of ensuring an individual assessment in each individual case indicates that Regulators should avoid establishing standardized fee rates. This applies even if national law allows for standardized rates, cf. the Public Administration Act § 43. » The fee must therefore be measured specifically in each case, and have a deterrent effect on the individual the business. In our case, it is a question of a public enterprise, and the audit thus has no turnover from previous financial year to look at when measuring. The measurement must thus be based on them the other points of Article 83. Article 83 (5) of the Privacy Regulation sets a higher maximum amount for fees when the case deals with violations of the basic principles of treatment of personal data in accordance with Articles 5 and 6 of the Privacy Regulation. In our case, the Norwegian Labor Inspection Authority lacked a legal basis for obtaining credit information complaints (principle of legality). In addition, the business lacked technical and organizational measures for compliance with the privacy regulations (liability principle). In addition, has Arbeidstilsynet violated the right of access (the principle of openness). The violations in the case thus affect 3Skullerud et al. (2019). 16, several of the basic principles for the processing of personal data in Article 5 (1) and (2) of the Privacy Regulation. In an aggravating direction, we place particular emphasis on the fact that the violations in the case have been committed by a public authority supervisory authority. The Norwegian Data Protection Authority considers that the breach of the right of access is caused by the lack of internal control and routines that led to the credit assessment being made illegal in the first place. Eventually the violation of the right of access has already been sanctioned through its own reprimand, we have not emphasized this breach in an aggravating direction for the measurement of the size of the fee. Previous practice is relevant when measuring the size of the fee. The Privacy Board concluded in PVN-2020-21 that an infringement fee of DKK 150,000 «in at least not too high ”in the specific case that was dealt with. The case has similarities with present case, in that there was no legal basis for the treatment and that the company's internal control was deficient. In case 20/02042 ("Innovation Norway"), an infringement fee of NOK 1,000,000 was imposed for four illegal credit assessments against complainants in the case and the sole proprietorship of the person in question. In case 20/02375, a company was fined 175,000 kroner. Because of the case processing time in the specific case, the fee was reduced to 125,000 kroner. IN In determining the infringement fee, the Data Inspectorate must consider whether the case processing time should be pull in a mitigating direction, cf. the Privacy Ordinance Article 83 No. 1 letter k, cf. The Privacy Board's decision PVN-2021-03. As mentioned above, we asked the Norwegian Labor Inspection Authority to explain the case in our letter dated 12 August 2020. We demanded a more detailed explanation in our letter dated 1 February 2021. When the audit imposes decisions on fees have been slightly more than 5 months since the notice, and over one and a half years since the Norwegian Data Protection Agency contacted the Norwegian Labor Inspection Authority for the first time. The Data Inspectorate's total processing time in this case and PVN-2021-03, where the infringement fee was reduced due to long case processing time, is fairly similar. It speaks for itself the infringement fine is also reduced in this case. On the other hand, in dealing with this complaint, in contrast to PVN-2021-03, There has been a need to clarify the matter by sending out two requests for statements, and accompanying case processing. It points in the direction that in the case processing of this the complaint has needed some more time than in PVN-2021-03. When the Data Inspectorate makes decisions for a fee, it will have been a little over five months since the decision was announced. That separates the case from the above, in that in that case it took ten months from the first notice until the final decision was made sent out. The difference between the cases in terms of time from issued notice to final decision, as well as a somewhat greater complexity, pulls in the Data Inspectorate's opinion in the direction of not reducing the fee due to long case processing time. The fee should be set so high that it is effective and achievable sufficient deterrent effect. 17, We want to clarify that such violations must not occur, and that all public bodies that processes personal data must be aware of their responsibility. General preventive considerations thus asserts itself in the case. After an overall assessment of the case and especially with regard to the seriousness of the violation, we have concluded that an infringement fee of NOK 150,000 is considered correct. 7. Right of appeal and further proceedings You can appeal the decision. Any complaint must be sent to us within three weeks after this the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Board for complaint processing. 8. Publicity, transparency and duty of confidentiality We will inform you that all the documents are basically public, cf. § 3 of the Public Access to Information Act If you believe there is a basis for exempting all or part of it the document from public access, we ask you to justify this. The Data Inspectorate has a duty of confidentiality about who has complained to us, and about the complainant's personal relationship. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and Section 13 of the Public Administration Act As a party to the case, you may nevertheless be made aware of such information from the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1. You are also right for access to the case documents, cf. the Public Administration Act § 18. If you have any questions, you can contact Kristian Bygnes on telephone 22 39 69 63. With best regards Jørgen Skorstad department director, law Kristian Bygnes legal adviser The document is electronically approved and therefore has no handwritten signatures Copy to: 18