Personvernnemnda (Norway) - 2022-12 (20/01589)
PVN - PVN-2022-12 | |
---|---|
Court: | PVN (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 15 GDPR Article 77 GDPR |
Decided: | 08.11.2022 |
Published: | |
Parties: | |
National Case Number/Name: | PVN-2022-12 |
European Case Law Identifier: | |
Appeal from: | Datatilsynet [1] |
Appeal to: | |
Original Language(s): | Norwegian |
Original Source: | PVN (in Norwegian) |
Initial Contributor: | n/a |
The Norwegian Privacy Appeals Board dismissed an appeal concerning a DPA decision where a data subject was not considered a party to proceedings against the controller, despite having informed the DPA about the controller's alleged GDPR violations.
English Summary
Facts
The parent of a school pupil (the data subject) was concerned that the municipality (the controller) violated children's privacy rights on a number of occasions. The parent sent a request to the controller under Article 15 GDPR, to access the data subject's student file but the request was denied.
The parent informed the Norwegian DPA about this rejection as well as the alleged violations on behalf of the controller. She believed to be exercising her right under Article 77 GDPR to lodge a complaint with a supervisory authority. The DPA did not open an investigation into the individual complaint but advised the parent to contact the controller's data protection officer. Later on, the parent was informed that the DPA had started an ex officio investigation into the controller's routines for internal control and information security. The DPA stated that that the questions put to the controller were related to the municipality's duties as data controller, and not to the data subject's rights.
The DPA completed the investigation and proceedings without an order or fine against the controller. The parent complained to the DPA about this decision. However, the DPA rejected this complaint by stating that the parent was not a party to the ex officio investigation against the controller and could not appeal the decision.
The parent appealed this rejection to the Norwegian Privacy Appeals Board (Privacy Board).
Holding
The Privacy Board had to assess whether it was correct of the Norwegian DPA to reject the parent's complaint. It recalled that the DPA chose to open an ex officio investigation. In these proceedings, no individual decision was made, as the DPA, after obtaining the controller's explanation, gave guidance and then closed the case without giving any order. Neither the municipality nor others had the right of appeal under the Public Administration Act against this decision.
However, the Privacy Board considered whether the DPA had acted lawfully when it received a notice or a complaint about possible data protection rights breaches, but decided to process the case further without treating the data subject as a party. The question of the individual's right to be recognised as a party to proceedings under the GDPR was considered in a case before the Förvaltningsrätten in Stockholm (Case 3308-22). Förvaltningsrätten pointed out that it is incompatible with EU law if the individual, by not being recognised as a party to the case, would be in a disadvantageous position with regard to their rights under the GDPR. According to the Privacy Board's assessment, the situation was different in this case.
The Privacy Board considered that the Norwegian DPA acted reasonably in assuming that the parent's inquiry was a general notice about the controller's handling of personal data, not a complaint under Article 77 GDPR. The Privacy Board held that the fact that the data subject's parent was not satisfied with the DPA closing the case without issuing an order, did not change her status in the ex officio investigation (to which she was not a party), nor did it give her any right to appeal.
Consequently, the Privacy Board dismissed the appeal.
Comment
Although the automated translation and original decision are not fully clear on the matter, it seems that the DPA was using its powers under Article 58(1) GDPR against the municipality (the controller).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The Privacy Board's decision 8 November 2022 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Hans Marius Tessem, Morten Goodwin, Malin Tønseth, Heidi Talsethagen) The case concerns a complaint from A about the Norwegian Data Protection Authority's decision on 3 February 2021 regarding the rejection of a complaint due to a lack of complaint rights. Background of the case A contacted the Norwegian Data Protection Authority on 16 March 2019 and reported what she perceived as repeated breaches of the privacy regulations over a long period of time in X municipality. The inquiry describes specific violations within the municipal area of upbringing, including Y school, where A's child was a pupil. A had also sent a request for access to the child's student file and complained to the municipality about non-compliance with the request for access. In a letter to the Norwegian Data Protection Authority on 22 April 2019, the notification to the Norwegian Data Protection Authority was also extended to apply to complaints about non-compliance with the rules on access. The Norwegian Data Protection Authority informed A in an e-mail on 16 August 2019 that the Norwegian Data Protection Authority receives a large number of inquiries related to access requests and that they do not open a case for access until an access request has been refused by the data controller. As A was at this time in dialogue with the municipality about access, she was informed that the supervisory authority would not start processing a complaint on the basis of A's inquiry. She was advised to contact the municipality's data protection officer and a copy of the authority's e-mail was also sent to the data protection officer. Against the background of A's notification about X municipality, the Norwegian Data Protection Authority opened supervisory proceedings against the municipality. In a letter to X municipality on 20 August 2019, the Norwegian Data Protection Authority asked the municipality, among other things, to explain routines for handling personal data security in schools and asked the municipality to answer questions related to the conditions that A had described in his application to the Norwegian Data Protection Authority. The Norwegian Data Protection Authority informed A in an e-mail the same day that the Norwegian Data Protection Authority would open supervisory proceedings against the municipality and order the municipality to answer questions about routines for internal control and information security. The supervisory authority stated that the questions put to the municipality were related to the municipality's duties as data controller, and not to A's rights. A was informed that she would not be considered a party to the supervision case and that she would therefore not receive a copy of the correspondence either. A was informed that the documents would mainly be public and available on the Norwegian Data Protection Authority's mailing lists. When it came to A's claim for correction, cf. the personal data protection regulation article 16, the supervisory authority stated that they had pointed this out to the municipality. The inspectorate assumed that the municipality would respond to this and encouraged A to notify the inspectorate if this did not happen. In a letter on 27 August 2019, A expressed that she was satisfied that the supervisory authority had decided to proceed with the case. The municipality gave its explanation in a letter to the Norwegian Data Protection Authority on 30 October 2019. A sent further letters to the Norwegian Data Protection Authority in November 2019 and in January 2020, where she elaborated on her view of what she believes to be objectionable processing of personal data in the municipality. The Norwegian Data Protection Authority closed the case in a letter to X municipality on 6 November 2020. The authority concluded that there was no system failure in the municipality, and gave the municipality guidance on compliance with the data protection regulation. In a letter on 27 November 2020, A complained about the authority's case management and the decision to close the case against the municipality without imposing an order. The Danish Data Protection Authority rejected the complaint in a decision on 3 February 2021. The Danish Data Protection Authority assumed that no individual decision had been made that could be appealed and that A was not to be considered a party to the supervisory case against the municipality in any case. A complained on 24 February 2021 about the Norwegian Data Protection Authority's rejection decision. The Norwegian Data Protection Authority further explained the rejection in a letter on 30 April 2021. A gave his comments on this in a letter on 30 May 2021. The Norwegian Data Protection Authority did not find grounds to change its decision and sent the case to the Personal Protection Board on 12 May 2022. A was informed about the case in a letter from the board, and was given the opportunity to make comments. A has given a comment in a letter on 1 June 2022. The case was dealt with in the board's meeting on 8 November 2022. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Hans Marius Tessem, Morten Goodwin, Malin Tønseth and Heidi Talsethagen. Secretariat manager Anette Klem Funderud was also present. The Norwegian Data Protection Authority's assessment in brief The supervisory authority has dealt with A's request to the supervisory authority in accordance with the Personal Protection Regulation article 57 no. 1 letter f and investigated the matter as far as the supervisory authority has deemed it appropriate. The Norwegian Data Protection Authority has used its investigative authority and has ordered the municipality to give an account of the case, cf. article 58 no. 1 letter a. The Norwegian Data Protection Authority has on several occasions guided the municipality on the duties of the data controller according to the regulations. After assessing the municipality's response, the Norwegian Data Protection Authority closed the supervisory case against the municipality because the Norwegian Data Protection Authority did not consider it appropriate to proceed with it. The inspectorate considered it sufficient that the municipality was given clear information that they must continue to work continuously to ensure compliance with the privacy regulations. The Danish Data Protection Authority points out that the most important means of preventing breaches from being repeated is to ensure that those who experience a breach can complain to the data controller so that the deviation is detected, dealt with and notified to the Danish Data Protection Authority in line with the regulations. The work to ensure good enough routines and sufficient information security is a continuous process and it must be recognized that mistakes happen. Although all errors potentially have unfortunate consequences and feel burdensome for the person concerned, the Norwegian Data Protection Authority does not consider it appropriate to sanction all such breaches of personal data security. According to the Norwegian Data Protection Authority's assessment, the supervisory case has contributed to X municipality improving its routines and continuing its continuous work to ensure compliance with the privacy regulations. The Norwegian Data Protection Authority further points out that the conditions for being able to complain to the Personal Data Protection Board are, firstly, that the Norwegian Data Protection Authority has made a single decision. Secondly, the person making the complaint must be a party to the case, cf. the Public Administration Act § 2 first paragraph letter e. None of these conditions are met in this case. The Danish Data Protection Authority has not made any decision in the case that can be appealed, cf. the Administrative Act § 2 first paragraph letter b. In any case, the Danish Data Protection Authority's decision to close the case against the municipality is not a decision directed at A or that directly concerns her. She is therefore not a party to the case and has no right of appeal. The Norwegian Data Protection Authority also points out that even if A is considered a party to a case concerning a complaint about the municipality's incorrect processing of personal data about her child, she does not have the right to complain about the result of the Norwegian Data Protection Authority's processing of the case vis-à-vis the municipality, cf. PVN-2019-07 and PVN-2019-12. As's view of the case in brief She is complaining about the Norwegian Data Protection Authority's decision to reject her complaint. As a party to the case, she has the right to appeal against the Norwegian Data Protection Authority's handling of the original complaint on 16 March 2019. The Norwegian Data Protection Authority's rejection decision is incorrect. She complained to the Norwegian Data Protection Authority because X municipality has violated her and her children's privacy rights on a number of occasions. It is particularly serious that the breaches of the rules have been repeated and affected children. Consideration of the child's best interests has not been taken into account by the Norwegian Data Protection Authority in this case, cf. the Convention on the Rights of the Child, Article 3 No. 1. She used the right to complain to the Norwegian Data Protection Authority, cf. Article 77 of the Personal Protection Regulation. It follows from the provision that the Norwegian Data Protection Authority "shall inform the complainant of the course of complaint processing and the outcome of the complaint". Her original complaint to the Data Protection Authority has not been dealt with on the merits, and she as a party has not been informed by the Data Protection Authority of the outcome. When she accidentally discovered the inspection's letter in the municipality's mailing list, she complained to the municipality about the outcome and the conclusion of the case. The Norwegian Data Protection Authority has closed the complaint without the underlying issue being resolved. The inspectorate has chosen to look through the fingers at X municipality's persistent violations of the rules. This is a case about the municipality's breach of the privacy regulations towards her and her children. According to the Public Administration Act, she is a party to the case because the case directly concerns her and her children, and because their rights are affected if the Norwegian Data Protection Authority closes the case without reacting. She also has the right to complain about the outcome of the case against X municipality. It is not irrelevant to them how the supervisory authority reacts to the breaches of rules that apply to them. Lack of reaction is in practice the same as acceptance of committed and new regulatory breaches. If this case is not handled properly, there is a failure in the enforcement system. The Norwegian Privacy Board's assessment The Norwegian Data Protection Authority has rejected A's complaint and has indicated that no individual decision has been made in the supervisory case giving the right to appeal, and that A is not a party to the case against the municipality anyway. The Norwegian Data Protection Authority's decision on rejection is, on the other hand, a single decision, cf. section 2 third paragraph of the Public Administration Act. The tribunal must assess whether it was right for the Norwegian Data Protection Authority to reject A's complaint. The conditions for being able to appeal the Data Protection Authority's decisions to the Personal Data Protection Board are, firstly, that the authority has made a single decision, cf. Norwegian Public Administration Act § 2 first paragraph letter b. Secondly, the person making the complaint must be a party to the case, cf. Norwegian Public Administration Act § 28, cf. § 2 first paragraph letter e. The Norwegian Data Protection Authority chose to establish a supervisory case. In the supervisory case, no individual decision was made, as the supervisory authority, after obtaining the municipality's explanation, gave guidance and then closed the case without giving any order. The supervisory authority's decision to close the case is not decisive for the municipality's rights and obligations, cf. the Public Administration Act § 2 first paragraph letter a and b. Neither the municipality nor others will have the right of appeal under the Public Administration Act against this decision. The question for the tribunal is what leeway the supervisory authority, when it receives a notice or a complaint about possible breaches of the Personal Data Act, has with regard to processing a case further without treating complaints as a party. The tribunal initially explained the Data Protection Authority's decision on 20 August 2019 to open supervisory proceedings against the municipality, and the statement to A on the same day about this, with information that she was not to be considered a party to the supervisory proceedings. A's inquiry to the Norwegian Data Protection Authority in March 2019 concerned her concern about what she perceived as repeated breaches of privacy legislation over time in X municipality, and in particular at Y school where her child was a pupil. To substantiate her concern, she gave a description of various incidents related to the processing of personal data both about her own child, but also incidents related to other children at school. She refers to the descriptions as examples of what she believes to be the municipality's or the school's lack of attention to privacy, set in a system. Such an inquiry can be understood in two ways. Firstly, it can be perceived as a notice or a tip to the Norwegian Data Protection Authority that X municipality, education department, and particularly Y school, are breaking the privacy rules in their processing of personal data. Such a notice may result in the Norwegian Data Protection Authority opening a supervisory case and requesting an explanation from the data controller, as the Norwegian Data Protection Authority did in this case. In such a case, it is normally only the controller who is considered a party. However, the inquiry can also be understood as a complaint from A with a request that one or more specific ongoing breaches of the Personal Data Act regarding her or her child's personal data should cease, possibly a request to get the Norwegian Data Protection Authority to take a decision on a specific processing of such personal data is illegal. How the inquiry is perceived can have an impact on the further processing of the case by the inspectorate. The Norwegian Data Protection Authority gave A guidance regarding her demand for access and encouraged her to contact the data protection officer in the municipality. When it came to a specific rectification requirement, the inspectorate stated that the inspectorate had pointed this out to the municipality and that the inspectorate assumed that the municipality would respond to this and asked A to notify if this did not happen. Furthermore, the tribunal assumes that the inspectorate perceived the inquiry as a warning about a lack of knowledge or lack of respect for the privacy legislation in municipality X and that this was something that affected many people, not just A and her children. As a result, the supervisory authority decided to open a supervisory case and ask the municipality for an explanation, at the same time informing A of this, cf. e-mail 20 August 2019. The Personal Data Protection Regulation must ensure both individual rights and the data controller's general compliance with the data protection rules. The question of the individual's right to be recognized as a party to a complaint under the Personal Data Protection Regulation was considered in a case before the Förvaltningsrätten in Stockholm (judgment 31.10.2022 (Case 3308-22)). Förvaltningsrätten pointed out that it is incompatible with EU law if the individual, by not being recognized as a party to the case, will be in a disadvantageous position with regard to his rights under the regulation. In this case, the court assumed that the complainant in question should be considered a party to the case for what concerned his complaint and the processing of his personal data. According to the tribunal's assessment, the situation is different in our case. It was reasonable for the Norwegian Data Protection Authority to assume that A's inquiry, when one disregards the issue of access and correction, was a general notice about the municipality's handling of personal data. The fact that A was not satisfied that the supervisory authority closed the case against the municipality without issuing an order does not change her status in the supervisory case, nor does it give her any right to appeal. As can be seen from the authority's correspondence with A, the authority assumed that the specific questions relating to the correction of and access to A's personal data were assessed by the municipality. A possible decision on the part of the municipality not to grant the right to access and/or erasure can be brought before the Norwegian Data Protection Authority for individual processing. A has not been successful in his appeal. The tribunal finds reason to point out that the Personal Protection Regulation Article 57 no. 1 letter f sets out a requirement that the supervisory body must deal with complaints lodged by a registered person within a reasonable period. A complained about the Norwegian Data Protection Authority's rejection of her complaint on 24 February 2021. After a further justification from the Norwegian Authority's side on 30 April 2021 and A's comments on this on 12 May 2021, the complaint appears to have been prepared for submission to the Personal Data Protection Board. The complaint was nevertheless only forwarded one year later, on 12 May 2022. That is unfortunate. The decision is unanimous. Conclusion The Norwegian Data Protection Authority's rejection of the complaint is upheld. Oslo, 8 November 2022 Mari Bø Haugstad Manager