Datatilsynet (Norway) - 20/02875-10 & 20/02875-11
Datatilsynet - 20/02875-10 & 20/02875-11 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6 GDPR; Article 6(1)(e) GDPR; Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 16.05.2022 |
Published: | 02.06.2022 |
Fine: | 150000 NOK |
Parties: | anonymous; Norwegian Labour Inspection Authority (Arbeidstilsynet) |
National Case Number/Name: | 20/02875-10 & 20/02875-11 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | n/a |
The Norwegian DPA fined the Norwegian Labour Inspection Authority approximately €14,679 (150,000 NOK) for credit rating a data subject without a legal basis. The DPA also reprimanded the controller for falsely informing the data subject that their data had not been processed.
English Summary
Facts
The data subject was a one-person company which provided assistance to other companies with various matters. One company that it had assisted and sold services to was under the Norwegian Labour Inspection Authority’s supervision. For this reason, the Norwegian Labour Inspection Authority credit assessed the data subject’s company. The data subject repeatedly asked whether data relating to their one-person company had been processed, to which the Norwegian Labour Inspection Authority replied that it had not.
The Norwegian DPA had to consider whether the Norwegian Labour Inspection Authority had a legal basis under Article 6 GDPR for processing the data subject's personal data and whether it complied with the requirements under Article 15 GDPR.
Holding
First, the DPA held that the Norwegian Labour Inspection Authority had no valid legal basis for processing the data subject's personal data and hence violated Article 6 GDPR. The DPA considered Article 6(1)(e) GDPR to be the only relevant legal basis. The Norwegian Labour Inspection Authority could only rely on the legal ground of processing where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller if a supplementary legal basis existed in Union or Member State law pursuant to Article 6(3) GDPR. Under the relevant domestic legislation (Working Environment Act), anyone who is subject to supervision by the Norwegian Labour Inspection Authority is obliged to provide information deemed necessary for the exercise of such supervision. The DPA held that since the processing of such personal data could result in criminal sanctions, this provision must be interpreted strictly and hence such obligation does not apply to persons who are not directly subject to the Norwegian Labour Inspection Authority’s supervision. The Authority itself confirmed that the data subject, unlike the company that it assisted and sold services to, was not subject to its supervision. In addition, the personal data was obtained from a third party, not from the data subject. Hence, the DPA held that the supplementary legal basis did not apply and the Norwegian Labour Inspection Authority consequently did not have a legal basis for processing the data subject’s personal data under Article 6(1)(e) GDPR.
Second, the DPA held that the Norwegian Labour Inspection Authority violated Article 15 GDPR by incorrectly informing the complainant that his personal data had not been processed in the form of a credit assessment.
Consequently, the DPA issued a fine of approximately €14,679 (150,000 NOK) against the Norwegian Labour Inspection Authority.
Comment
The DPA considered the data of one-person companies to be personal data.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
ARBEIDSTILSYNET
PO Box 4720 Torgarden
7468 TRONDHEIM

Excluded from the public: Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.

Their reference:
Our reference: 20 / 02875-10
Date: 16.05.2022

Decision on infringement fee - Complaint about credit assessment - Arbeidstilsynet

1 Introduction

We refer to our notice of decision on reprimand, order and infringement fee dated 15. November 2021. We also refer to their answer dated December 2, 2021.

As it appears from their response, the Norwegian Labor Inspection Authority has accepted the infringement fee and the reprimand, and has no notes to the notice. The Norwegian Labor Inspection Authority has also attached updated routines for credit assessments, where it appears that no credit assessments are to be made in supervisory matters.

The Norwegian Data Protection Authority has chosen to make two final decisions on the basis of the notification of 15 November 2021. This decision applies to credit assessments without a legal basis, cf. Article 6 (1) of the Privacy Regulation. The decision on reprimand is sent as a separate letter (doc. No. 20 / 02875-11).

2. Decision on order and infringement fine

Pursuant to the Privacy Ordinance, Article 58 (2) (2) is imposed Arbeidstilsynet, org.nr. 974 761 211, to pay an infringement fee to the Treasury of NOK 150,000 for having obtained a credit assessment without a legal basis, cf. Article 6 (1) (e) of the Privacy Regulation.

3. Background of the case

We received a complaint on 26 June 2020 that the Norwegian Labor Inspection Authority credit-rated the sole proprietorship , belonging (hereinafter «complaints»). Complainant is retired, but has some clients that he assists on an annual basis. Through complaints offers products and services such as internal control systems and quality assurance, as well as training.
Postal address: PO Box 458 Sentrum, 0105 OSLO; Office address: Trelastgata 3, 0191 OSLO; Telephone: 22 39 69 00; Org.nr: 974 761 467; Website: www.datatilsynet.no

On 17 January 2020, complainants were contacted for assistance with the preparation of Internal Control HSE for Malerfirmaet Sundt AS. The painting company Sundt AS was founded on 2 July 2019. On 31 March 2020, complainants were again contacted by Malerfirma Sundt AS for assistance with postal services supervision by the Norwegian Labor Inspection Authority.

Complainants state that he contacted the case officer in Arbeidstilsynet 1 April to inform that a course which according to the plans was to be held 21. April was postponed indefinitely due to the corona situation. The course was intended as training by managers and safety representatives. Furthermore, complaints to the case officer explained what his sole proprietorships could assist Malerfirmaet Sundt AS with.

A few days later, the complainant received a copy letter informing him that his sole proprietorships had been credit-rated by the Norwegian Labor Inspection Authority on 1 April. Complainants contacted Bisnode to find out who had rated his company. Bisnode referred complaints to the Norwegian Labor Inspection Authority.

Complainants contacted the Norwegian Labor Inspection Authority on 16 April, and were transferred to the section leader in Oslo the switchboard. Complainants state that he called four times without receiving a reply. Complainant writes further that he left a message in which he asked to be called, without him being. Complainants again contacted the switchboard, which forwarded complaints to another section leader in Oslo. Complainant writes that this section leader informed him that «No one in the Norwegian Labor Inspection Authority can make a credit assessment or have access to programs to implement this.»

On this at the time writes complaints that he had been informed by Bisnode that the Norwegian Labor Inspection Authority has access to credit rating of individuals through Proff Forvalt. Complainant states that he received information about Proff Forvalt from Bisnode when he contacted them April 16, as he wanted help investigating who had made the credit rating. Complainant urged Bisnode on May 11, where he was informed that Bisnode still tried to find the name and telephone number of the person in the Norwegian Labor Inspection Authority.

After contacting the Norwegian Data Protection Authority, the complainant contacted the Norwegian Labor Inspection Authority's privacy representative on 11 or 12 May. Complainants received an e-mail on 14 May with the name of the person in question from the Norwegian Labor Inspection Authority who is to have made the credit assessment. The person who performed the credit rating was the same the caseworker who complains was contacted on 1 April.

Complainant's inquiry about the credit rating was answered by the Norwegian Labor Inspection Authority on 20 May. Complainant writes that he does not have problems with supervisors carrying out checks, however wonders why he was credit-rated by the Norwegian Labor Inspection Authority.

The Norwegian Data Protection Authority sent a request for a report to the Norwegian Labor Inspection Authority on 12 August 2020. We received a response 17 September 2020. Demand for further statement was sent on 1 February 2021, which was answered March 1, 2021.

The Norwegian Labor Inspection Authority justifies the credit assessment on the grounds that:

«The credit assessment was made by the Department of Occupational Crime in connection with mapping of one of our cases. Your sole proprietorship had sold over time services to a company we have under supervision and which we are investigating further. In the connection, connections related to your sole proprietorship were discovered. By such studies it is common also to check networks and business connections to uncover any further links. In such an assessment is used publicly available registers, such as the Brønnøysund registers, bankruptcy registers, Proff Forvalt, among others.»

Complainants emphasize that the first assignment was performed in January 2020, and that the next assignment was in connection with postal supervision 31 March. The credit assessment was made on 1 April. Further wondering complains about why he was told that no one in the Norwegian Labor Inspection Authority could make one credit rating or have access to programs to accomplish this.

4. Legal background

4.1. Responsible for processing

Article 4 (7) of the Privacy Regulation defines "data controller" as:

[…] A natural or legal person, a public authority, an institution or any other another body which alone or together with others determines the purpose of the processing of personal data and the means to be used; when the purpose and the means of treatment are laid down in Union law or in the Member States national law, the person responsible for processing, or the special criteria for designation by the person concerned, shall be determined by Union law or by the national law of the Member States

4.2. In particular on the legal basis for the collection of personal data as public authority

Obtaining and storing credit information about individuals and sole proprietorships constitutes one processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and the Personal Data Act § 1.

All processing of personal data must have a legal basis in accordance with the Privacy Ordinance Article 6 to be lawful. The basis for treatment must be determined before the treatment takes place.

When a public authority is to obtain credit information about an individual is Article 6 No. 1 letter e is the most relevant basis for treatment.
Pursuant to Article 6 (1) (e), the processing of personal data must be necessary in order to: perform a task in the public interest or to exercise public authority as such treatment managers are required.

It follows from Article 6 (3) that a processing of personal data based on Article 6 no. 1 letter e must have a supplementary legal basis in national law. That means it the person responsible for processing may not invoke Article 6 (1) (e) alone as the court the basis of treatment.

4.3. Requirements for additional legislation pursuant to Article 6 (3)

Article 6 (3) lays down minimum requirements for supplementary legislation. In the preparatory work, the Ministry discusses what may constitute a supplementary legal basis for the treatment:

"In the Ministry's view, it must be assumed that at least the law and regulatory provisions may constitute a supplementary legal basis." 1

The provision in Article 6 (3) further refers to the requirement for its content supplementary legal basis, including what shall be stated in the supplementary the legal basis, and what the supplementary legal basis may contain. It is clear from the wording of Article 6 (3) that the purpose of the treatment shall be: necessary to perform a task in the public interest or to exercise public authority as imposed on the controller.

According to the wording of Article 6 (3), there must be a supplementary legal basis in the national the court, but it is not a requirement that the legal basis expressly regulates the processing of personal information. However, the purpose of the treatment must be necessary to perform tasks in the public interest or exercise public authority as such treatment managers are required.

Both the preamble and the preparatory work refer to the European Convention on Human Rights.
In the preparatory work, it is emphasized that if the processing of personal data constitutes an interference with the right to privacy pursuant to Article 102 of the Constitution or Article 8 of the ECHR, it may be necessary a more specific legal basis than that required by the wording of Article 6 (3)

In the following, we have assumed that obtaining a credit rating involves an intervention in privacy.

4.4. About the duty of internal control

Pursuant to Article 24 of the Privacy Ordinance, all data controllers are obliged to be able to demonstrate that they process personal data in accordance with the law. If it stands in a reasonable relation to the treatment activities, the company shall implement appropriate guidelines for the protection of personal information.

1 Prp.L.56 LS (2017-2018), pp. 34.

Credit assessment is an intrusive processing of personal data and constitutes a large encroachment on individuals' right to privacy. The person responsible for treatment must therefore be able to document their internal routines or processes, so-called internal control, which meet the requirements for legal basis for credit assessment. The routines must describe when and how credit information is to be obtained and how to access it shall be granted, and shall ensure that credit assessments are not obtained without the requirement for legal authority being fulfilled.

5. The Danish Data Protection Agency's assessment

5.1. Responsible for processing

Obtaining and storing credit information about individuals and sole proprietorships constitutes one processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and The Personal Data Act § 1.

We assume that the Norwegian Labor Inspection Authority is responsible for processing the processing of personal data obtained through credit assessment.

5.2. The duty of internal control

Based on the Norwegian Labor Inspection Authority's response, we assume that the audit did not have routines for the processing of personal data through Proff Forvalt at the time of control, or procedures to ensure that the data subject could exercise his rights and receive an answer without undue delay stay. It appears from the report that the Norwegian Labor Inspection Authority completed the mapping of personal data in December 2020, and that relevant measures are now being worked on as a result of this survey.

The Norwegian Data Protection Authority has the competence to order the data controller to ensure that the processing activities take place in accordance with the provisions of the Privacy Ordinance, cf. Article 58 (2) (d) of the Privacy Regulation. This is the background for the order to prepare routines for credit assessment.

Arbeidstilsynet must develop routines that ensure that credit assessment only takes place when there is a legal basis for the credit rating.

5.3. Legal basis for the processing of personal data

5.3.1. Article 6 (1) (e)

It follows from the Privacy Regulation Article 6 No. 1 letter e that the processing of personal data is only legal if the processing is necessary for public exercise authority imposed on the data controller. Furthermore, it follows from Article 6, paragraph 3, letter b, that the basis for the processing pursuant to Article 6 point 1 (e) shall be laid down in the national law of the Member State. There are certain requirements for it supplementing the legal authority under the regulation and the regulation's advocacy point, which reviewed above.

The processing of the complainant's personal data was carried out in order to supervise the regulations as falls to the Labor Inspectorate's area of responsibility. The treatment is thus the exercise of public authority imposed on the data controller.

5.3.2. Supplementary legal basis in the Working Environment Act § 18-5

In their response to our first requirement for an explanation, the Norwegian Labor Inspection Authority refers to the Working Environment Act («Aml.») Purpose provision and chapter 18 in general as the supplementary legal basis for the processing of the complainant's personal data. It is emphasized in the later statement that Arbeidstilsynet believes that the Working Environment Act § 18-5 is the supplementary legal basis, read in connection with § 18-4 and the Public Administration Act § 17.

Arbeidstilsynet points out that they have one other understanding of the statutory provision than the one the Data Inspectorate based on our requirement further statement. The Data Inspectorate wrote in our demand for a further statement:

«It appears, among other things, from § 18-5 that "anyone" who is "subject to supervision" by Arbeidstilsynet is obliged to provide information that is considered necessary for the exercise of supervision. As the Data Inspectorate reads the provision, it is directed at the activities that are below supervision, and imposes an obligation on them to disclose the information as the Norwegian Labor Inspection Authority needs. In the specific complaint to the Danish Data Protection Agency, it is unclear whether the complaints were below supervision, or whether the information was obtained as part of the supervision of another company. Furthermore, the credit rating is not obtained from complainants, but a third party. Third parties is correctly mentioned in the second paragraph, but then only about other inspections. It follows from § 18-6 that the Norwegian Labor Inspection Authority issues orders and makes the individual decisions that are necessary for the implementation of a number of provisions listed in § 18-6. However, it is not clear to the Norwegian Data Protection Authority that a credit rating is to be regarded as one orders or individual decisions, as required by § 18-6.»

The Norwegian Labor Inspection Authority writes in the report that:

«To ensure the Norwegian Labor Inspection Authority's competence, we have control powers in the Working Environment Act Chapter 18 which gives the right to access the business, and the right to demand information. In order for the Norwegian Labor Inspection Authority to be able to assess whether it is relevant to carry out (local) or digital) supervision, information gathering is an important part of the preparation, cf. point 1. The purpose of the rules in Chapter 18 is to provide the Norwegian Labor Inspection Authority with a sufficient basis to assess whether a business complies with the requirements of the law. An important part of this the assessment is whether we will establish supervision, with inspection and further information gathering.

It follows from the Working Environment Act § 18-5 that the Norwegian Labor Inspection Authority may require information from all who are subject to obligations under the law, cf. "anyone". The Norwegian Labor Inspection Authority has moved on at any time "unobstructed access to any place covered by the Act", cf. § 18-4. So that The Norwegian Labor Inspection Authority shall be able to fulfill its duty to investigate pursuant to section 17 of the Public Administration Act these provisions are not interpreted restrictively. However, we emphasize that the measures shall be necessary in connection with the individual audits / assessment of audits.»

The Norwegian Labor Inspection Authority confirms in the report that complaints were not subject to supervision. In answer to question 3, the Norwegian Labor Inspection Authority elaborates on its view of the provision scope:

«[…] Arbeidstilsynet [believes] this provision must be understood so that we can obtain information from the relevant supervisory object we are supervising or which we is considering conducting audits.»

The Norwegian Data Protection Authority disagrees with the Norwegian Labor Inspection Authority's interpretation of the provision § 18-5 and will give reasons this below. We first want to comment on the requirement for legal authority after Article 6 (3) of the Privacy Regulation.

The principle of legality

As mentioned above, Article 6 (3) of the Privacy Ordinance sets out legal requirements the basis laid down in the Member State. It is a condition that the purpose of the treatment must be regulated in the national special legislation.

The requirements for the clarity of the legal basis are affected, among other things, by how intrusive the processing of personal data is, and whether it is within the principle of legality area.

The processing of personal data will be particularly intrusive in those cases where the processing may result in criminal sanctions. Interventional measures that may result in criminal proceedings sanctions, or sanctions that are to be regarded as penalties according to ECtHR practice, are relevant the principle of legality.

It follows from Chapter 19 of the Working Environment Act that breaches of the Act can be punished by fines or prison, cf. also fvl. § 13b first paragraph letter 6. As the Norwegian Labor Inspection Authority processed the complainant's personal data, this could therefore result in criminal sanctions. The principle of legality thus sets a stricter requirement clarity of legal authority pursuant to the Privacy Ordinance Article 6 No. 1 letter e cf. Article 6 No. 3.

Working Environment Act § 18-5

The Working Environment Act § 18-5 reads:

«§ 18-5. Information

(1) Everyone who is subject to supervision pursuant to this Act shall when the Labor Inspection Authority so requires and without prejudice to the duty of confidentiality, provide information that is deemed necessary the exercise of supervision. The Norwegian Labor Inspection Authority can decide in what form the information should be given.

(2) Information as mentioned in the first paragraph may also be required from other public authorities supervisory authorities without prejudice to the duty of confidentiality that otherwise applies. The duty to provide information only applies to the information that is necessary for that the supervisory authority shall be able to perform its tasks in accordance with the law»

It is clear from the wording that "everyone" is connected to the person who is "subject to supervision" by Arbeidstilsynet. The obligation to "provide information" is also linked to the person who is subject to supervision. The information that may be required to be submitted is limited to information that is considered "Necessary for the exercise of supervision".

"Anyone who is subject to supervision"

The way the Data Inspectorate reads the Working Environment Act, there are no provisions that clarify when someone is subject to supervision. Whether someone is subject to supervision thus appears to be a matter of discretion assessment that the Norwegian Labor Inspection Authority is closest to taking. As mentioned above writes Arbeidstilsynet that complaints were not under supervision when he was credit-rated.

In its response to us, the Norwegian Labor Inspection Authority shows that section 18-5 must be understood so that other parties as well Arbeidstilsynet is considering conducting further inspections of those covered by the provision, even if they at the time of obtaining information is not subject to supervision under the Working Environment Act provisions. Arbeidstilsynet emphasizes that the provision is aimed at "anyone" who is imposed obligations under the law.

As the Data Inspectorate reads the wording and prepares, section 18-5 is specifically aimed at someone who is controlled by the Norwegian Labor Inspection Authority, and which is thus subject to supervision.
The provision delimits such against others who are not subject to supervision by the Norwegian Labor Inspection Authority, as well as obtaining information from third parties not mentioned in other sections.

The Norwegian Labor Inspection Authority has referred to the Public Administration Act § 17 and the Working Environment Act § 18-4 as support for their view of the scope of the provision. The Data Inspectorate cannot see that the regulations support one expanding interpretation of the wording in § 18-5. This comes especially at the forefront of the concrete the case, as the treatment actualizes the legality principle's requirement for clarity.

The Data Inspectorate disagrees with the interpretation used by the Norwegian Labor Inspection Authority, and does not find evidence in the sources of law that the legislature has meant that also legal entities which are not subject to supervision may be covered by the scope of the provision.

In this case, it is also difficult to see that the provision in the Working Environment Act fulfills the requirements for a supplementary legal basis, regardless of whether the complaints were subject to supervision or not. The subject of duty according to aml. § 18-5 is the person who is subject to supervision. In this case has However, the Norwegian Labor Inspection Authority obtained the complainant's credit information from Bisnode as one third party.

Our assessment is that AML § 18-5 does not give the Norwegian Labor Inspection Authority authority to obtain complaints personal information from a third party, as the Authority has done through obtaining credit information from Bisnode in this case.

The conclusion is that the Norwegian Labor Inspection Authority did not have a legal basis for credit assessing complaints, cf. Article 6 (1) (e) of the Privacy Regulation, cf. Article 6 (3).

5.4. Written routines (internal control)

In its reply of 2 December 2021, the Norwegian Labor Inspection Authority refers to notification of infringement fines for new employees routines for the use of credit ratings. The routines are attached to the answer.

The routines describe the tools that the Norwegian Labor Inspection Authority has available to obtain credit ratings. The function that enables the collection of credit ratings is linked to and built into the systems that provide up-to-date information within credit and market information.

The routines state that the Norwegian Labor Inspection Authority has not made an assessment of whether and, if so, in which cases and how credit assessments are to be used in connection with supervisory cases. It is stated in the routine that the function is not to be used.

The Norwegian Data Protection Authority expects that information about the new routines will be clearly disseminated internally the organization. The Norwegian Data Protection Authority also expects a thorough assessment of legality if it is considered to introduce the use of credit ratings at a later date.

Based on the submitted routine, we therefore waive our conclusion in the notification of decision as instructs the Norwegian Labor Inspection Authority to establish internal control for credit assessments.

Infringement fee

6.1. General information about infringement fines

Violation fees are a tool to ensure effective compliance and enforcement of the personal data regulations.

In accordance with the practice of the Supreme Court, cf. Rt. 2012 page 1556, we assume that infringement fines are to be regarded as penalties under the European Convention on Human Rights (ECHR) Article 6. A clear preponderance of probabilities for offenses is therefore required in order to be able to charge fee.

We refer in this connection to Chapter IX of the Public Administration Act on administrative sanctions.
By an administrative sanction is meant a negative reaction that can be imposed by an administrative body, which addresses a committed violation of law, regulation or individual decision, which is considered a punishment under the European Convention on Human Rights (ECHR).

Section 46, first paragraph, of the Public Administration Act states:

When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual has shown guilt.

In judgment HR-2021-797-A, the Supreme Court has assumed that the objective responsibility for corporate punishment that follows from the Penal Code § 27 is not compatible with the concept of punishment in the ECHR as such it is interpreted by the ECtHR. The Supreme Court states in the judgment that the person who has acted on behalf of the company must have shown guilt, and that general negligence is sufficient to fulfill this. The Ministry of Justice has stated that the same must be used in administrative cases sanctions.

As infringement fines are considered a penalty under the ECHR, we assume that we can only impose an infringement fine on an enterprise if the person who has acted on behalf of the enterprise has shown guilt, and that general negligence is sufficient, cf. HR-2021-797-A.

6.2. The guilt claim when imposing an infringement fine

In order for the Data Inspectorate to be able to impose an infringement fee on the Norwegian Labor Inspection Authority, it is therefore required that the person who has acted on behalf of the audit has shown guilt.

In this case, our assessment is that intent is the current form of guilt. The intent requirement follows from general basic legal principles, and these principles are codified in the Penal Code § 22.
It follows from the provision:

«Intention exists when someone commits an act that covers the description of the act in a penalty:
a) with intent,
b) with awareness that the action certainly or most likely covers the description of the act, or
c) considers it possible that the action covers the description of the act, and chooses to act even if that should be the case.»

It follows from the second paragraph of the provision, however, that «[t]he presumption exists even if the offender is not aware that the act is illegal, cf. § 26». There is thus no requirement that one knew that the act was against the law.

It follows from the Penal Code § 26 that «[d] a who at the time of the action due to ignorance if legal rules are unknown that the act is illegal, is punished when the ignorance is negligent.» According to the requirement of diligence, companies must familiarize themselves with which legislation applies to the area, and organize the business in accordance with the framework that follows from it current regulations.

In this case, the Norwegian Labor Inspection Authority has acknowledged in its statement that the inspector in the Norwegian Labor Inspection Authority has deliberately credit-rated complaints to investigate whether there was a need for supervision the business. We refer to a letter from the Norwegian Data Protection Authority to the Norwegian Labor Inspection Authority dated 31.07.2020, in particular questions 4 and 5.

We assume that the inspector in the Norwegian Labor Inspection Authority acted on behalf of the Norwegian Labor Inspection Authority when he credit-rated complaints.

Our conclusion is therefore that the violation was committed intentionally by the Norwegian Labor Inspection Authority. The guilt requirement for imposing an infringement fee is thus fulfilled.

6.3. Assessment of whether an infringement fee is to be imposed

When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account to the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Data Inspectorate can impose infringement fines after a discretionary overall assessment, but they listed the moments lay down guidelines for the exercise of discretion by highlighting moments that should special emphasis is placed on. We will here assess the relevant factors on an ongoing basis.

a) the nature, severity and duration of the infringement, taking into account it the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and the extent of the damage they have suffered,

The principle of legality in the Privacy Regulation Article 5 No. 1 and the requirement to basis of treatment in Article 6 is one of the basic requirements that must be met when one the data controller processes personal data. The Norwegian Data Protection Authority does not find that the Working Environment Act § 18-5 is a sufficient supplementary legal basis so that the Norwegian Labor Inspection Authority could credit assess complaints.

A credit rating is the result of compiling personal information from many different sources sources, and shows a number that indicates the probability that a person will pay a claim. One Credit rating will also show details about individuals personal finances, including any payment remarks, voluntary mortgages and debt ratio. This is private information as private individuals have an expectation that is not obtained by state supervisory authorities without legal basis

When particularly personal data worthy of protection have been obtained without a legal basis to the contrary this that the violation is serious and that the Danish Data Protection Agency responds with a violation fee.
b) whether the infringement was committed intentionally or negligently,
We assume that the Norwegian Labor Inspection Authority's case officer deliberately credit-assessed the complainant, and that the violation was thus committed intentionally.
c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects,
We do not find this aspect relevant.
d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32,
Arbeidstilsynet has stated in response to the request for an explanation that there were no routines or guidelines for the processing of personal data. It thus appears that there were no internal rules for how the business card in Proff Forvalt should be used, and under what conditions. It is assumed that if measures had been taken in advance, this could have meant that the credit assessment in this case would not have been carried out.
We consider it aggravating that the Norwegian Labor Inspection Authority lacks knowledge of the rules for obtaining credit information, and that Arbeidstilsynet, according to the information, had neither technical nor organizational measures in the form of routines to ensure compliance with the regulations. It is particularly aggravating that the Norwegian Labor Inspection Authority, as a supervisory authority, has not assessed whether the authority had a legal basis for using the credit assessment tool.
e) any previous violations committed by the data controller or the data processor,
The Data Inspectorate is not aware of any previous violations. After the complaint was lodged, a breach of personal data security was reported by the Norwegian Labor Inspection Authority for the credit assessment carried out. We do not place emphasis on this circumstance.
f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce its possible negative effects,
This is not relevant in the case.
g) the categories of personal data affected by the infringement,
Special categories of personal data (sensitive personal data) are not affected by the infringement in our case. However, information on salary, debt and creditworthiness is information that has a special need for protection due to its private nature. The categories of personal data that are affected therefore weigh in an aggravating direction.
h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the data controller or data processor has notified the infringement,
We were notified of the violation by the complainant, as well as through the report of a breach of personal data security from the Norwegian Labor Inspection Authority.
i) where measures referred to in Article 58 (2) have previously been taken against the data controller or data processor concerned with regard to the same subject matter, compliance with those measures,
We are not aware that measures have previously been taken against the Authority with regard to the same subject matter.
j) compliance with approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42,
We do not find this aspect relevant.
k) any other aggravating or mitigating factor in the case, e.g. financial benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement,
The Norwegian Data Protection Authority has not established that the Norwegian Labor Inspection Authority has obtained financial benefits, or avoided direct or indirect losses, as a result of the infringement. Nor can other mitigating circumstances be identified.
The Norwegian Data Protection Authority has also not taken into account the Norwegian Labor Inspection Authority's financial capacity.
The Data Inspectorate "shall prepare and decide the case without undue delay", cf. § 11 first paragraph. When imposing administrative sanctions that are considered to be penalties under the ECHR Article 6, the requirements of a fair trial will be relevant. Among other things, cases must be resolved "within a reasonable time", cf. Article 6 (1) of the ECHR. The provision is intended to take into account the strain it places on individuals and businesses to live for a long time in uncertainty about the outcome of a potential case.
The starting point for the assessment of the case processing time in the area of criminal law is when there is a criminal charge under the ECHR, cf. Neumeister v. Austria, § 18. As to when there is a charge within the meaning of the Convention, the ECtHR stated in Deweer v. Belgium, § 46, that
«The "charge" could, for the purposes of Article 6 par. 1 (art. 6-1), be defined as the official notification given to an individual by the competent authority of an allegation that he has committed a criminal offense.»
The Norwegian Data Protection Authority understands this as meaning that the person who has potentially broken the law is considered charged from the time the person in question has received an official notification of the charge.
What is considered to be within a reasonable time will vary from case to case; in ECtHR case law, the limit for what has been considered acceptable as total case processing time has been around 5 years. [2] However, a distinction must be made between long case processing time and total inactivity. For total inactivity, the threshold for a breach is lower. In Norwegian case law, the Supreme Court has held that the threshold for a breach of Article 6 (1) of the ECHR is around one year's length of stay, cf. HR-2016-225-S para. 32.
The term "length of stay" is understood in this context as periods of total inactivity, cf. HR-2016-225-S para. 33. However, poor progress will also be included in the assessment of whether the case processing time has become too long, cf. HR-2016-225-S para. 33.
The question of the limit for the imposition of administrative sanctions has not been considered by the Supreme Court. However, it has come up in the Court of Appeal and the District Court in cases concerning the imposition of additional tax. Gulating Court of Appeal found that total inactivity of one year was not a breach, and this thus did not lead to a reduction, cf. LG-2020-130954. Oslo District Court has ruled that 16 months entails a breach, but that this is at the lower end, cf. TOSLO-2019-136118.
The workload of the authorities dealing with the case has generally not been considered relevant by the ECtHR for the assessment of breaches, cf. Eckle v. Germany, § 92.
In its practice, the Privacy Board has also commented on the significance of case processing time for the imposition of infringement fines. In PVN-2021-03, the Privacy Board emphasizes that the facts of the case were essentially clarified in May 2019, while it took over a year before the authority gave notice of the order and infringement fee.
In PVN-2021-09, the Privacy Board also emphasized the long case processing time at the authority. In that case, six months passed from when the authority received a report of a breach of personal data security until a statement was requested. After the statement was received, it took approx. four months before notice of a decision was sent, and then ten months from when the notice was sent until the decision was made. After the company appealed, a further three months passed before the case was received by the Privacy Board.
A long period of inactivity could in itself also be a breach of ECHR Art. 6 No. 1, cf. Rt-2005-1210 and HR-2016-225-S.
In a case concerning additional tax, the Court of Appeal concluded that a total length of stay of 20 months did not amount to a violation of ECHR Art. 6 No. 1, nor did it give grounds for reducing the additional tax, cf. LG-2020-130954.
[2] See the ECtHR's compilation of relevant case law in its guide on Article 6 in the field of criminal law, p. 63, https://www.echr.coe.int/Documents/Guide_Art_6_criminal_ENG.pdf
The timeline in this case is as follows:
- The complaint was received on 30 June 2020.
- Our request for a statement was sent on 12 August 2020.
- We received a response to our request for a statement on 19 September 2020.
- We sent a request for a further report to the Norwegian Labor Inspection Authority on 1 February 2021.
- The Data Inspectorate received a response to our request for a further report on 1 March 2021.
- Notification of a decision on infringement fines was sent on 15 November 2021.
- Response to notification of decision on infringement fine was received on 6 December 2021.
In this case, the Norwegian Labor Inspection Authority was officially informed by the Norwegian Data Protection Authority of an allegation of a potential offense in our first request for a statement dated 12 August 2020. The Data Inspectorate assumes that there was a charge under the ECHR at this time, and we take this date as the starting point when assessing the case processing time for the respondent. When we assess the case processing time in the following, we thus refer to this time and not when the complaint was received.
From the time we received a response to our first request for a statement in September 2020 until we sent out a request for a further statement in February 2021, it took about four months. This period did not consist of total inactivity, as conversations and discussions about the case were held, among other things with other caseworkers.
From when the response to the request for a further statement was received until notification of a decision was sent in mid-November 2021, a little over eight months passed. In the time between receiving the response to the request for a further statement and issuing the notification of a decision, there were, as earlier in the case processing, ongoing discussions about the case with other caseworkers and immediate management regarding the issuance of the notice and the final decision. However, there has not been active case processing throughout the whole period. In this particular case, we estimate that there may have been around four months of total inactivity.
Following this, the Data Inspectorate assumes that the case has had a total case processing time of more than one and a half years, of which the amount of total inactivity has been around 4 months. Our assessment is that neither the case processing time nor the time of total inactivity constitutes a breach of the ECHR, and that it does not prevent us from imposing infringement fees in this case.
Based on the assessment above, the Norwegian Data Protection Authority concludes that an infringement fee should be imposed. The next question is the size of the fee.
6.4. Assessment of the size of the fee
When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case above.
The infringement fee must be effective, be in a reasonable proportion to the violation and act as a deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in each individual case. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the amount of the fee must be in a reasonable proportion to the infringement and the activity, cf. Article 83 No. 1.
The Privacy Regulation provides for a higher level of fines than that which applied under the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that infringement fines shall be determined specifically so that in each individual case they are effective, are in a reasonable proportion to the violation and act as a deterrent. The main purpose of infringement fines is prevention, i.e. the risk of being charged a fee must act as a deterrent and thereby contribute to increased compliance with the regulations. [3]
Skullerud et al. (2019), page 347, states:
«Preventive considerations dictate that the fee for a violation must be set so high that it is actually perceived as an evil by the offender. This means that the offender's financial capacity should be important in the measurement, so that the fee is higher the stronger the offender's financial capacity. […] When assessing the financial capacity of a company, it may be relevant to look at the company's total global annual turnover in the previous financial year, cf. Art. 83 Nos. 4 and 5.»
And further:
«The consideration of ensuring an individual assessment in each individual case indicates that regulators should avoid establishing standardized fee rates. This applies even if national law allows for standardized rates, cf. the Public Administration Act § 43.»
The fee must therefore be measured specifically in each case, and have a deterrent effect on the individual enterprise. In our case, it is a question of a public enterprise, and the authority thus has no turnover from the previous financial year to look at when measuring. The measurement must thus be based on the other factors in Article 83.
Article 83 (5) of the Privacy Regulation sets a higher maximum amount for fees when the case deals with violations of the basic principles for the processing of personal data in accordance with Articles 5 and 6 of the Privacy Regulation.
In our case, the Norwegian Labor Inspection Authority lacked a legal basis for obtaining credit information about the complainant (principle of legality). In addition, the enterprise lacked technical and organizational measures for compliance with the privacy regulations (accountability principle). In addition, Arbeidstilsynet has violated the right of access (the principle of transparency). The violations in the case thus affect several of the basic principles for the processing of personal data in Article 5 (1) and (2) of the Privacy Regulation.
[3] Skullerud et al. (2019).
As an aggravating factor, we place particular emphasis on the fact that the violations in the case have been committed by a public supervisory authority.
The Norwegian Data Protection Authority considers that the breach of the right of access is caused by the lack of internal control and routines that led to the credit assessment being carried out unlawfully in the first place. As the violation of the right of access has already been sanctioned through a separate reprimand, we have not given weight to this breach as an aggravating factor when measuring the size of the fee.
Previous practice is relevant when measuring the size of the fee. The Privacy Board concluded in PVN-2020-21 that an infringement fee of DKK 150,000 was «at least not too high» in the specific case that was dealt with. The case has similarities with the present case, in that there was no legal basis for the processing and that the company's internal control was deficient.
In case 20/02042 ("Innovation Norway"), an infringement fee of NOK 1,000,000 was imposed for four unlawful credit assessments of the complainant in the case and the sole proprietorship of the person in question.
In case 20/02375, a company was fined 175,000 kroner. Because of the case processing time in the specific case, the fee was reduced to 125,000 kroner.
In determining the infringement fee, the Data Inspectorate must consider whether the case processing time should weigh in a mitigating direction, cf. the Privacy Regulation Article 83 No. 1 letter k, cf. the Privacy Board's decision PVN-2021-03.
As mentioned above, we asked the Norwegian Labor Inspection Authority to explain the case in our letter dated 12 August 2020. We demanded a more detailed explanation in our letter dated 1 February 2021. When the authority adopts the decision on a fee, slightly more than 5 months will have passed since the notice, and over one and a half years since the Norwegian Data Protection Authority contacted the Norwegian Labor Inspection Authority for the first time.
The Data Inspectorate's total processing time in this case and in PVN-2021-03, where the infringement fee was reduced due to long case processing time, is fairly similar. This argues in favor of also reducing the infringement fine in this case.
On the other hand, in dealing with this complaint, in contrast to PVN-2021-03, there has been a need to clarify the matter by sending out two requests for statements, with the accompanying case processing. This indicates that processing this complaint required somewhat more time than in PVN-2021-03.
When the Data Inspectorate adopts the decision on a fee, a little over five months will have passed since notice of the decision was given. That distinguishes this case from the one above, in that in that case it took ten months from the first notice until the final decision was sent out.
The difference between the cases in terms of time from issued notice to final decision, as well as a somewhat greater complexity, weighs, in the Data Inspectorate's opinion, against reducing the fee due to long case processing time. The fee should be set so high that it is effective and achieves a sufficient deterrent effect.
We want to make clear that such violations must not occur, and that all public bodies that process personal data must be aware of their responsibility. General preventive considerations thus apply in the case.
After an overall assessment of the case, and especially with regard to the seriousness of the violation, we have concluded that an infringement fee of NOK 150,000 is considered correct.
7. Right of appeal and further proceedings
You can appeal the decision. Any appeal must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Board for appeal processing.
8. Publicity, transparency and duty of confidentiality
We inform you that all the documents are in principle public, cf. § 3 of the Public Access to Information Act. If you believe there is a basis for exempting all or part of the document from public access, we ask you to justify this.
The Data Inspectorate has a duty of confidentiality about who has complained to us, and about the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such information from the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1. You also have the right of access to the case documents, cf. the Public Administration Act § 18.
If you have any questions, you can contact Kristian Bygnes on telephone 22 39 69 63.
With best regards
Jørgen Skorstad
department director, law
Kristian Bygnes
legal adviser
The document is electronically approved and therefore has no handwritten signatures.
Copy to: