Datatilsynet (Norway) - 21/02293
Datatilsynet - 21/02293 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1) GDPR Article 6(1)(f) GDPR Article 24 GDPR Article 58(2) GDPR Article 58(2)(d) GDPR Article 58(2)(i) GDPR Article 83 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.06.2021 |
Decided: | 25.08.2022 |
Published: | 09.09.2022 |
Fine: | 200000 NOK |
Parties: | Recover AS |
National Case Number/Name: | 21/02293 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Norwegian Norwegian |
Original Source: | Datatilsynet (in NO) Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA fined a company €20,000 for an unlawful credit rating of an incorrect person with a similar name to a new customer, and instructed them to implement new routines for credit ratings.
English Summary
Facts
The Norwegian DPA (Datatilsynet) investigated a complaint from a data subject who had been credit rated by a company they had no relationship with. The company admitted they had no cooperation, customer relationship or any form of connection with the data subject, but argued that the credit rating was a mistake. A project manager at the company had used Google to find the invoicing address to a new customer and then mixed up this person with the data subject when conducting the actual credit rating.
The company claimed that the DPA should not impose a fine, because they had not been registered with any prior violations.
Holding
The DPA held that the company had conducted an unlawful credit rating in violation of Article 6(1)(f) GDPR, issued a €20,000 fine and ordered them to implement internal controls of their credit rating process in line with Article 24 GDPR.
Despite the controller's arguments against a fine, the DPA noted the following aggravating factors in support of a fine: - Credit ratings are a significant intrusion into data subjects' private life. - The controller conducts a significant number of credit ratings. - Lack of sufficient routines for conducting credit ratings (that would likely have prevented the mistake). - The mistake could have been easily avoided by confirming the address directly with the new customer.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
RECOVER AS Kristoffer Robins vei 13 Except for the public: 0978 OSLO Official § 13, cf. Personal Data Act § 24 first paragraph 2nd period Your reference Our reference Date 21/02293-10 25/08/2022 Decision on order and infringement fee - Credit assessment without legal proceedings basis - Recover AS 1 Introduction We refer to our notice of decision on order and infringement fee of 28 February 2022. We received your comments on the notice on March 14, 2022. Our comments on the comments follow below. 2. Decision on orders The Norwegian Data Protection Authority adopts the following order: 1. Pursuant to the Personal Protection Regulation article 58 no. 2 letter i, Recover AS is ordered, Company No. 995 761 440, to pay an infringement fee to the Treasury of NOK 200,000 for having obtained credit assessment without a legal basis, cf. the data protection regulation article 6 no. 1 letter f. 2. Pursuant to the Personal Protection Regulation article 58 no. 2 letter d, Recover AS is ordered to improve internal control and routines for credit assessments, cf. the personal data protection regulation article 24. Our authority for making orders is the Personal Protection Regulation article 58 no. 2. The deadline for carrying out the orders appears in section 11 of the decision. 3. More about the facts of the case On 15 June 2021, we received a complaint from hereinafter "complainant"), that Recover AS had carried out a credit assessment of her on 27 May 2021. The complainant states that the person in question has had no cooperation, customer relationship or other connection to their business. In your response to our demand for an explanation, you confirm that the complainant is neither a customer of yours, or has another relationship with Recover AS. The credit assessment was carried out on the basis of a assignment you had with a new customer. You state that your project manager did a search on Postal address: Office address: Telephone: Org. no: Website: PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLOGoogle to find the invoice address of the customer. The project manager used Google because the assignment was at the customer's cottage, and you did not have the address. You also describe that complaints had roughly the same name as your customer. Based on the transmitted dialogue between you and the complainant, we have assumed that the complainant made you aware of the incident. The Norwegian Data Protection Authority sent a notice of decision on orders and infringement fees on 28 February 2022. Recover AS sent comments to this notice on 14 March 2022. 4. Legal background 4.1 Processing of credit information Obtaining and storing credit information about individuals and sole proprietorships constitutes a processing of personal data, cf. the Personal Protection Ordinance Article 4 No. 2 and Act on processing of personal data of 15 June 2018 No. 38 (Personal Data Act) § 1. Article 6 No. 1 of the Personal Data Protection Regulation requires that all processing of personal data has a legal basis. When a business must obtain credit information about the registered person without that there is consent, or the credit assessment is strictly necessary to carry out one agreement with the data subject, Article 6 no. 1 letter f is the most relevant legal basis. According to the old Personal Data Act of 2000, an additional requirement applied that the business must have a "genuine need" to obtain credit information. This is evident from 1 § 4-3 of the personal data regulations, which according to the transition rules have been continued as applicable straight. The new Credit Information Act also continues the requirement of "substantial need" for disclosure of credit information. The new law has been adopted and entered into force on 1 July 2022. However, the Personal Data Protection Regulation does not provide national room for action to specifically regulate it individual recipients' processing of credit information. The new Credit Information Act has therefore, only the credit reporting companies are subject to the obligation, and not the individual the business that orders credit information. The consequence of this is that "actual need" is not directly an additional condition for the individual the business that collects credit information. Their collection is thus regulated by the personal protection regulation article 6 no. 1 letter f. Assessments related to a business has a "factual need" according to the Personal Data Regulations § 4-3 is, however, closely related with the assessment according to Article 6 no. 1 letter f. Previous practice related to "actual need" is therefore still relevant when assessing "legitimate interest" as a basis for processing. 1 2Transitional rules on the processing of personal data (FOR-2018-06-15-877). Act on the processing of information in credit reporting activities (LOV-2019-12-20-109). 24.2 The Personal Data Protection Regulation article 6 no. 1 letter f – "legitimate interest" Article 6 no. 1 letter f requires that the collection of credit information is "necessary" to look after a "legitimate interest" which, after a balance of interests, outweighs the consideration of the individual's privacy. The legitimate interest must be legal, clearly defined in advance, real and factually justified in the business. Recital 47 of the personal data protection regulation states that in the assessment of whether an interest is justified, among other things, account must be taken of the data subject's expectations based on the relationship between the controller and the data subject. Emphasis must also be placed on that if, at the time of collection, it was foreseeable to the data subjects that the information would be processed for the relevant purpose. Which interests fulfill this depends on an overall assessment of, among other things, which benefits the business obtains from the processing, how important the interest is to the business, whether the processing is in the public interest or safeguards the non-profit interests that come more for good, see the Article 29 Group's statement.3 Furthermore, the relevant processing of personal data must be necessary for this the interest. This means that the business must assess whether it can achieve its purpose in a way that better safeguards privacy. You must therefore choose the treatment that is least invasive. The business must then carry out a balancing of interests to decide whether the individual's privacy outweighs the business's legitimate interest. What type of information it is a question of whether there are relevant points for the balancing of interests, e.g. whether these are worthy of protection and whether the person has an expectation of having the personal data in peace. It is also relevant to consider the disadvantages of processing personal data inflicts on the person, whether the processing of the personal data is perceived as offensive, whether the treatment is suitable for creating fear or anxiety, and what measures the company has in place implemented to reduce the privacy consequences. 4.3 Relevant practice linked to the Personal Data Regulations § 4-3 – "actual need" According to § 4-3 of the Personal Data Regulations, a credit assessment can only be obtained when a business has a "factual need" for the information, for example in connection with a purchase on credit. As a general rule, there must therefore be a credit element. This will typically be when the business must provide credit to a customer and needs to see if the person in question is creditworthy. 3 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, pages 24 and 25. 3 The Privacy Board has elaborated on the additional condition of factual need in several cases, among other things PVN-2006-03 KLP, PVN-2010-05 Credit assessment and PVN-2017-02 Bertram Bil. IN the latter case referred the tribunal to the following statement from PVN-2006-03 KLP: "The purpose of a credit assessment is normally to map whether a potential customer is creditworthy, and thus whether the company wishes to enter into an agreement with the person concerned. This means that when credit information is requested, the objective requirement will apply be fulfilled when the orderer is to use the credit information in connection with his assessment of credit risk, for example in the case of a commitment for a loan or an agreement on a current account services that are billed in arrears, typically mobile phone subscriptions, subscriptions to satellite television etc.” The tribunal also referred to the statement in PVN-2010-05 Credit assessment, where it was stated that the the opposite of "actual need" is "curiosity and a peeping tom". 4.4 About the duty to implement suitable technical and organizational measures According to Article 24 of the Personal Data Protection Regulation, the data controller must carry out appropriate technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance with the Personal Data Act and the Personal Data Protection Ordinance. If it is in a reasonable relationship with the processing activities, the business must take action suitable guidelines for the protection of personal data. Credit assessment is an intrusive processing of personal data and constitutes a large interference with individuals' right to privacy. Businesses that implement credit ratings must therefore document their internal routines or processes (internal control), which safeguards the requirement for objectivity in credit assessment. The routines must describe when and how credit information can be obtained and how access is to be granted. The routines must ensure that credit information is not obtained without the requirement of factual need having been met. 5. The Norwegian Data Protection Authority's assessment 5.1. Processing responsibility The person who determines the purposes and means for the processing of personal data is data controller, cf. the personal data protection regulation article 4 no. 7. The data controller is responsible for the processing of personal data taking place in line with the fundamentals the principles in the Personal Data Protection Regulation and must be able to demonstrate this, cf. the Personal Data Protection Regulation Article 5 No. 2. A business is responsible for the processing of personal data carried out by an employee when the processing has taken place through the company's activities. It is Recover AS that has 4 The European Privacy Council's guidelines, EDPB Guidelines 07/2020 on the concept of controller and processor in the GDPR, p. 10. 4 agreement with Bisnode and which, in our opinion, has determined the purpose and means of the credit rating. It is our assessment - and also not in dispute - that Recover AS is responsible for processing the relevant credit check of complaints. 5.2. The duty of internal control and the principle of accountability Recover AS has presented its routine for credit assessments, but this is very general formulated. Among other things, it provides no guidance on when there is a justified interest in undertaking credit check. The routine is therefore not suitable to ensure that the credit assessments you carry out take place in compliance with Article 6 no. 1 letter f. Their routine also does not state who can carry out credit assessments internally the business. It is clear that the finance department is responsible. In this case was however, it was a project manager who carried out the credit check. In our opinion, the routine is not suitable for creating an understanding of when and who can carry out a credit check. The routine gives rather lack of clarity as to why a credit check is being carried out. In our opinion, better written routines would have a preventive effect against the illegal the credit assessment carried out in our case, and such routines will ensure that future Credit assessments are only carried out by Recover AS when the conditions in the data protection regulation is met, and that the company credit assesses the right person. After spring assessment, the defective routines constitute a breach of Article 24 In its comments to the Norwegian Data Protection Authority's notice, Recover AS first refers to extracts from our website. The extract is primarily intended as a guide for private individuals who have had a credit assessment, while other parts of the website are intended for businesses. We understand that Recover AS believes that the information on our website is not good enough. We emphasizes that our websites are only intended as general guidance. We have by the way updated information regarding internal control for businesses. Having said that, the accountability principle requires a strong anchoring of the regulations in the company's management, cf. the personal protection regulation article 5 no. 2. Companies are with others word responsible for familiarizing themselves with the privacy regulations, including assessing when they legally can carry out a credit assessment, and adapt its guidelines and internal control to this, cf. art. 24 In its routines, Recover AS should highlight Article 6. No. 1 letter f as relevant processing basis for their business, as well as ensure organizational measures that ensure that the requirements in the Personal Protection Regulation are met before credit information on private individuals and sole proprietorships are obtained. The Norwegian Data Protection Authority has the competence to order the data controller to ensure that the processing activities take place in accordance with the provisions of the Personal Data Protection Ordinance, cf. 5personal protection regulation article 58 no. 2 letter d. This is the background for the order to improve routines for credit assessment. Recover AS must improve the routines to ensure that credit assessment only takes place when the conditions in the data protection regulation is fulfilled. 5.3. Processing basis for obtaining credit information The question is whether Recover AS had a legal basis according to Article 6 no. 1 letter f then you credit assessed complaints. The first condition that must be met for the processing to be legal is that Recover AS had a "legitimate interest" in obtaining the information. Recover AS has confirmed that the complainant has no customer relationship or other connection the business. You write that the collection took place as a result of a mix-up of names. Regardless of whether it was done deliberately or not, Recover AS has caught up credit information about an individual without any kind of customer relationship, supplier relationship or other connection to the business. There is agreement between the parties that the credit assessment should not have been carried out. Complaints had no expectation that Recover AS would process the complainant's credit information and it was nor can it be expected that the business would obtain the information. Our assessment is that the requirement for "legitimate interest" in the Personal Data Protection Regulation Article 6 No. 1 letter f is not fulfilled. As the company has not fulfilled the first condition, we do not consider it appropriate to assess the last two conditions of necessity and the specific balancing of interests in the article 6 no. 1 letter f. Based on this, our conclusion is that Recover AS has obtained the complainant's information credit information without a legal basis, cf. the data protection regulation article 6 no. 1. 6. Violation fee 6.1. General information on infringement fees The Personal Protection Regulation article 58 no. 2 letter i gives the Norwegian Data Protection Authority the authority to impose infringement fee in accordance with Article 83. Violation fees are to be considered punishment according to the European Convention on Human Rights (ECHR) article 6. A clear preponderance of probability for an offense is necessary so that we shall be able to impose an infringement fee. Section 46 first paragraph of the Public Administration Act states: When it is stipulated in law that an administrative sanction can be imposed on an enterprise, the sanction can be imposed even if no individual has proven guilty. 6 However, the Supreme Court has determined that the objective responsibility for corporate punishment in the Criminal Code is not compatible with the ECHR. The Supreme Court has stated that the person who has acted on behalf of the company must have proven guilty, and that general negligence is sufficient to fulfill the culpability requirement. The Ministry of Justice and Emergency Preparedness has specified in a letter of 12 May 2021 that the same applies as a starting point in cases of administrative sanctions, and the ministry has stated that the Supreme Court judgment must be used as a basis for imposing infringement fees on undertakings. 6.2. Our assessment of the fault claim In order for the Data Protection Authority to be able to impose an infringement fee on Recover AS, the person who has acted must have proven guilty on behalf of the company. Ordinary negligence is sufficient. You write that the credit assessment of complaints occurred as a result of a confusion of names. The company was actually supposed to credit another new customer, but didn't know hers address. You therefore looked up the complainant's name on Google, but confused the new customer's name with the complainant's name and thus credit assessed the wrong person. In our opinion, Recover AS could have avoided the credit check by having more thorough procedures for credit assessment. The confusion was due, among other things, to a search on Google instead of a search at credit reference agency. Our assessment is that this must be characterized as clearly negligent by the project manager, as we are considered to have acted on behalf of the company in the credit assessment of complaints. The culpability requirement for imposing an infringement fee has thus been fulfilled. 6.3. Assessment of whether an infringement fee should be imposed When assessing whether a fee should be imposed and when measuring, the Norwegian Data Protection Authority must take this into account to the points in the Personal Data Protection Regulation article 83 no. 2 letter a) to k). The Norwegian Data Protection Authority can impose an infringement fee after a discretionary overall assessment, but those listed the elements guide the exercise of discretion by highlighting elements that must is given particular weight. Here, we will assess the relevant points continuously. a) the nature, severity and duration of the infringement, taking into account it the nature, extent or purpose of the processing concerned as well as the number of registered persons who are affected, and the extent of the damage they have suffered The principle of legality in the Personal Protection Regulation Article 5 No. 1 and the requirement for a legal basis i Article 6 is one of the basic requirements that must be met when a business processes personal data. 7Credit information is a type of personal information that is particularly worthy of protection, and as private individuals have an expectation not to be obtained by businesses unless that is factually justified in their relationship with them. The violation is therefore serious, and indicates that an infringement fee is imposed. A credit rating is the result of a compilation of personal data from many different sources sources, and shows a number indicating the probability that a person will pay a claim. One credit assessment will also show details of individuals' private finances, including any payment notices, voluntary pledges and debt ratio. This is private information as private individuals have an expectation not to be obtained by businesses unless that is factually justified in their relationship with them. The violation is therefore serious, and this indicates that an infringement fee is imposed. Recover AS submitted objections to our application and understanding of Art. 58. You think we must provide other corrective measures in lieu of infringement fees. Personal data protection regulation art. 83 nos. 4 and 5 indicate which violations can be sanctioned with an infringement fee. The highest maximum amount for infringement fees can be found in No. 5, which includes, among other things, violations of basic privacy principles, cf. letter a. You lacked processing grounds for the credit assessment, and this constitutes a breach of the legality principle, which is one of these basic privacy principles, cf. art. 5 letter a, cf. art. 6. When Art. 83 no. 5 sets the highest maximum fine level for such violations, it is precisely intended to reflect the seriousness of such violations. According to article 58 (2) letter i, the Norwegian Data Protection Authority has authority to, "[…] depending on the circumstances of each individual case", to impose infringement fee according to species. 83 "[…] in addition to, or instead of" other measures. Our assessment is that the circumstances warrant the imposition of an infringement fee. This is also in line with ours administrative practice, see, among other things, case 20/04401, 20/02042 and case 20/02220, which all concerned credit ratings without a legal basis. The Norwegian Personal Protection Board has also on a number of occasions upheld decisions on the imposition of fees in cases on credit assessment without a legal basis, see e.g. PVN-2019-15 and PVN-2020-21. IN in the latter case, the tribunal stated the following: The tribunal agrees with the Norwegian Data Protection Authority that an infringement fee should be imposed and finds after an assessment of the various points that a fee of NOK 150,000 in any case not is too high. The tribunal has below reference to section 34 third paragraph of the Public Administration Act limited access to set the fee higher. In its assessment, the tribunal has placed emphasis on the following conditions: This is a serious breach of the data protection regulation. The principle of legality in Article 5 No. 1 and the requirement for processing grounds in Article 6 represents basic requirements for the processing of personal data. These are broken. Private individuals have an expectation that businesses do not catch up 8 credit information about them without this being justified by a legitimate interest of the business as a result of a real customer relationship. […] Even if the information affected by the breach does not particularly belong to the group categories of information in Article 9, then credit information represents about individuals information of a private nature that the individual may have reason to wish remains private. This, too, is therefore a moment in a tightening direction. b) whether the infringement was committed intentionally or negligently The violation was committed negligently, see our assessment of guilt under section 6.2. c) any measures taken by the controller or data processor to limit the damage that the data subjects have suffered Recover AS has not disclosed that measures have been implemented to limit the damage as it is registered have suffered. d) the controller's or data processor's degree of responsibility, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32 The principle of responsibility requires a strong anchoring of the regulations in the management of businesses cf. the personal protection regulation article 5 no. 2 The Norwegian Data Protection Authority emphasizes that Recover AS lacks technical and organizational measures to ensure that the collection of credit assessments is carried out in accordance with the Personal Data Protection Regulation, cf. species. 24. We would like to emphasize that credit assessments entail a significant intrusion into the private life of those who are credit assessed. We have emphasized this in a stricter direction. We have also emphasized that Recover has approx. 37,000 assignments a year. You have stated that you always credit check new ones customers and thus carries out a significant number of credit assessments. You object that you have no previously registered infringements, and that this speaks against impose an infringement fee. Our assessment is that the deficient routines, in light of the high the number of credit ratings as well as the fundamental error committed through the confusion in the case suggests imposing an infringement fee. We also emphasize that adequate routines for obtaining the correct invoice address could be had averted the incident in question. e) any previous violations committed by the data controller or the data processor 9 The Norwegian Data Protection Authority is not aware of any previous violations. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it the possible negative effects of it We do not consider this point to be relevant. g) the categories of personal data affected by the breach Special categories of personal data (sensitive personal data) are not affected the violation in our case. However, information about salary, debt and creditworthiness is information that has a special need for protection due to its private nature. This speaks for the imposition of an infringement fee, and there is also established practice for imposing infringement fee for corresponding offences. h) in what way the supervisory authority became aware of the infringement, in particular if and where applicable to what extent the data controller or data processor has notified the violation We were informed about the case through the inquiry from the complainant i) if measures mentioned in Article 58 no. 2 have previously been taken against the person concerned data controller or data processor with regard to the same subject matter, that mentioned measures are observed You point out that the Norwegian Data Protection Authority has not previously made a decision against you, especially in light of the amount of credit assessments you carry out, and that this point advocates not imposing infringement fee. We do not share this opinion. On the contrary, we mean the deficient ones the routines show that you have not implemented suitable technical and organizational measures, cf. art. 24. We believe this is taken seriously considering the large number of credit assessments you have performs annually, and consequently strengthens our assessment of imposing an infringement fee. That earlier measures have not been taken against you with regard to the same subject matter, therefore not added special weight. j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms pursuant to Article 42 The Norwegian Data Protection Authority does not find this aspect relevant. k) and any other aggravating or mitigating factor in the case, e.g. financial benefits gained, or loss avoided, directly or indirectly, as a result of the breach The Norwegian Data Protection Authority cannot see that Recover AS has obtained any benefits as a result of the infringement. The fact that you have not obtained any benefits as a result of the breach is one of many factors in the assessment, and does not preclude the imposition of an infringement fee. 10 Based on the assessment above, the Norwegian Data Protection Authority concludes that an infringement fee should be imposed. The the next question is the amount of the fee. 6.4. Assessment of the size of the fee In calculating the fee, the elements in point 7.2 above must be weighted, cf. article 83 no. 2. In accordance with Article 83 no. 1, the infringement fee must be effective and be reasonable relation to the infringement and act as a deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in each individual case. The Personal Protection Ordinance provides for a higher level of fine than that which applied thereafter the Personal Data Act from 2000, and it follows from the regulation's article 83 no. 1 that infringement fee must be determined concretely so that it is effective in each individual case, it says in a reasonable proportion to the infringement and acts as a deterrent. The main purpose of infringement fees are prevention, i.e. that the risk of being charged a fee should work 5 deterrent and thereby contribute to increased compliance with the regulations. By Skullerud et al. (2019), page 347, it is stated: Contraception considerations dictate that the fee for an infringement must be set so high that this actually experienced as an evil by the transgressor. This means that the offender's financial ability should be important in the assessment, so that the fee is all the higher stronger carrying capacity the violator has. […] When assessing the financial carrying capacity for a company, it may be relevant to look at the company's overall global annual turnover i previous financial year, cf. art. 83 No. 4 and 5. And further: The consideration of ensuring an individual assessment in each individual case dictates that the supervisory authorities should avoid establishing standardized fee rates. This applies even if national law allows for standardized rates, cf. section 43 of the Public Administration Act. The fee must therefore be measured concretely in each case, and act as a deterrent for the individual the business. Article 83 no. 5 of the Personal Data Protection Ordinance sets a higher maximum amount for the fee when the case is reached deals with violations of the basic principles for the treatment of personal data in accordance with Articles 5 and 6 of the Personal Data Protection Regulation. Recover AS lacked processing grounds for obtaining credit information about complaints (the legality principle). In addition, the business has had inadequate organizational measures for compliance with the privacy regulations (principle of responsibility). This has drawn in aggravating direction. 5Skullerud et al. (2019). 11We also emphasize in a stricter direction that the illegal credit assessment with simple means could have been avoided by verifying the address with the new customer before you applied the person concerned in Bisnode and was given credit information. We also emphasize the company's finances. According to publicly available accounting figures, Recover AS is registered with a turnover of NOK 1,361,138,000 in 2020, and an annual profit of NOK -609,000. The business is registered with equity of NOK 71,215,000 and a satisfactory solvency. The fee must be set so high that it is effective and achieves a sufficient deterrent effect. After an overall assessment of the facts of the case and the seriousness of the infringement, we have come to the conclusion that a an infringement fee of NOK 200,000 is considered appropriate. 7. Right of appeal and further proceedings You can appeal the decision. Any complaint must be sent to us within three weeks of this the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Board for complaint processing. If you do not appeal against the infringement fee order, the deadline for compliance is 4 weeks after expiration of the appeal period, cf. Personal Data Act § 27. The deadline for implementing the order point 2 on written routines (internal control) is 4 weeks after expiry of the appeal period. If you do not appeal against the order in point 2, you must within this deadline send us a written confirmation, as well as documentation, that the order on internal control is carried out. 8. Publicity, transparency and confidentiality We would like to inform you that all documents are basically public, cf. Public Relations Act § 3. If you believe there are grounds for exempting all or part of the document from public inspection, we ask you to give reasons for this. The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us, and about the complainant's personal information relationship. The duty of confidentiality follows, among other things, from the Personal Information Act § 24 and Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such information from the Norwegian Data Protection Authority, cf. the Administration Act § 13 b first paragraph no. 1. You also have the right for inspection of the case's documents, cf. section 18 of the Public Administration Act. We draw your attention to the fact that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority the complainant's identity, personal circumstances and other identifying information, and that you only can use this information to the extent necessary to safeguard its interests theirs in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that breach of this duty of confidentiality can be punished according to Section 209 of the Criminal Code. 12 If you have any questions about the case, you can contact Marte Lindblad Skaslien at telephone: 22 39 69 34. With best regards Jørgen Skorstad department director Marte Lindblad Skaslien senior legal advisor The document is electronically approved and therefore has no handwritten signatures Copy to: Complainant 13