Datatilsynet (Norway) - 23/03206

From GDPRhub
Revision as of 13:11, 17 September 2024 by Mba (talk | contribs) (→‎Facts)
Datatilsynet - 23/03206
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 30.08.2024
Published: 11.09.2024
Fine: n/a
Parties: Stavanger Arbeiderparti
National Case Number/Name: 23/03206
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: fb

The DPA issued a reprimand to a political party after it sent political advertisements to data subjects via emails. Even though the email addresses were obtained lawfully through a freedom of information request, the DPA found that the processing had no legal basis.

English Summary

Facts

On 20 August 2023, several parents of children in kindergartens received an email from the majority parties of a municipality.

After receiving this email, several data subjects filed a complaint with the DPA.

The investigation opened by the DPA showed that the email addresses were disclosed to the controller by the municipality pursuant to the Freedom of Information Act.

The controller firstly argued that it processed this data in accordance with Article 6(1)(e) GDPR. Since this legal basis was not accepted by the DPA, the controller then argued it could rely on Article 6(1)(f) GDPR.

Holding

First of all, the DPA believed that the municipality rightfully disclosed the addresses, since the Freedom of Information Act provides for an appropriate legal basis for this processing.

Secondly, the DPA investigated who was the controller in the case at hand. Since the Stavanger Labour Party stated that it processed data also on behalf of the other majority parties, the DPA assumed that this entity was the controller.

Thirdly, the DPA analysed the legal basis. The DPA pointed out that the controller has failed to provide documentation about whether a legitimate interest assessment had been carried out.

However, the DPA further noted that it is clear that this processing had some negative consequences on data subjects, since the DPA received several complaints. According to the DPA, this shows that this processing operation was not foreseeable for data subjects.

Furthermore, the DPA pointed out that, even though the data was lawfully disclosed by the municipality, it was then used for a purpose outside the scope of the Freedom of Information Act.

In every case, the DPA found that this processing was lacking of legal basis since the controller failed to demonstrate its assessment.

Fourthly, the DPA recalled that the controller used a processor to send the emails and shared the data subjects’ email addresses with it. The DPA noted that no specific data processing agreement was entered into with the processor. However, the controller argued that it had accepted the Terms of Service while creating the account. The DPA accepted this argument since Article 28(3) GDPR does not impose any formal requirements.

Fifthly, the DPA found a violation of Article 14 GDPR since the controller failed to provide data subject with the information set by that article. The controller explicitly admitted this failure.

Sixthly, the DPA investigated the data retention period. The DPA found that the email addresses were deleted manually soon after the sending of the email and therefore found no violation on this point.

On these grounds, the DPA issued a reprimand to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Sissel Beate Fuglestad













Your reference Our reference Date
                        23/03206-24 30.08.2024



Decision on reprimand - sending of political advertising by e-mail

In August 2023, the Norwegian Data Protection Authority received several complaints from private individuals who had received an e-mail
from the majority parties in Stavanger (Arbeiderpartiet, People's Party - FNB, Green Party De

Green, Red, Center Party and SV). We decided to carry out investigations into the legality
of the treatments that were the subject of the complaints.


We sent, on the basis of the Personal Data Protection Regulation article 58 no. 1, letter a, a demand for
statement to the Stavanger Labor Party on 8 September 2023. We received a reply on 28
September 2023. The Norwegian Data Protection Authority sent a request for further explanation on 1 November 2023,
which was answered on November 7, 2023.


In a letter of 22 July 2024, the Norwegian Data Protection Authority notified a decision on reprimand, cf.
the personal protection regulation article 58 no. 2, letter b. In their reply of 23 August 2024,

you have taken note of our notice, and we will make a final decision in line with the notice.

1. Background of the case

The e-mail in question was sent on 20 August 2023 in connection with the municipal elections and
the recipients were parents of children in kindergartens and schools in Stavanger municipality. Parents'

contact information had been handed over by Stavanger municipality to the Majority Parties in
Stavanger in accordance with the Public Act. In the complaints the Norwegian Data Protection Authority has received, questions are asked
by the legality of the municipality's and the Plural parties' processing of personal data.

The case has also been discussed in the media.

Through the Norwegian Data Protection Authority's investigation into the matter, it has emerged that the Majority Parties

sent a request for access to the joint post office for Education and training in the municipality, at
on behalf of the cooperation parties (Arbeiderpartiet, Folkets Parti, SV, Rødt, MDC and
Center Party). The request for access was worded as follows:





Postal address: Office address: Telephone: Organization number: Website:
PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO «Hello. Can we have access to the lists of children of kindergarten age and 1st and 2nd graders in
        Stavanger with contact information for all parents. Preferably also email. Such lists are given to both
        churches and private schools - and is (unfortunately) public information"

The majority parties have stated that the request for access was clearly limited to sensitive
information, they did not want to be given their name, date of birth or telephone number.


Through the access request, information on addresses and e-mail addresses was released.
The email addresses were uploaded to the program Brevo, and the information was then deleted at
The majority parties. It is also stated that the email addresses were to be deleted by Brevo by agreement
after the sending of the e-mails in question had been completed.

2. The Norwegian Data Protection Authority's investigation
In what follows, the Norwegian Data Protection Authority reviews the various topics considered in the case.


    2.1. Delivery from Stavanger municipality


Any processing of personal data requires a legal basis to be legal.
The Personal Data Protection Regulation sets out various alternative legal bases. In addition to
personal data protection regulation, special regulations may authorize the processing of
personal data.

The municipality's disclosure of personal data was made following a request for access
public law, and the requirement for a legal basis for this processing activity is considered fulfilled.


    2.2. The majority party's processing of information

        2.2.1. What personal data was received and processed by
             The majority parties


Through the reports to the Norwegian Data Protection Authority, Stavanger Labor Party has on behalf of
The majority parties stated that through the access requirement they collected contact information for everyone
parents with children of kindergarten age and the first two stages of primary school.

The municipality was explicitly asked not to disclose names of guardians or children, date of birth,
telephone etc. The information that was handed over to the Majority Parties contained information about
school/grade, street address and email address.


The information that was forwarded to Brevo consisted exclusively of a list of
email addresses.

Email addresses are considered personal data, and in the following we assume that
The privacy regulations also apply to the disclosure of this information to
Letter.






                                                                                                 2 2.2.2. The purpose of the processing of personal data (collection and so on
             processing) in connection with sending e-mails

A basic principle in the privacy regulations is the requirement for purpose determination. It follows
of the personal protection regulation article 5 no. 1 letter b) that the purpose of processing of
personal data must be specifically and explicitly stated. The statement of purpose determines
including which information is relevant and necessary.


Through the Norwegian Data Protection Authority's investigation of the matter, it appears clear that the purpose of
The majority parties were to first get an overview of the guardian's contact information, then to
be able to send out targeted and relevant information to parents in connection with
municipal election 2023.

It has been stated that it was desirable to inform parents about the consequences for

the parents of young children with the position of the various party groupings, information that became
considered "generally useful".

        2.2.3. Processing responsibility

The Danish Data Protection Authority has investigated who is responsible for the collection and use of data
personal data for sending the e-mail that the complaints are about.


Following our demand for an explanation, it is stated that information collection and sending of
e-mail was made on behalf of said majority parties. Stavanger is responsible for processing
Labor Party.

The Personal Data Protection Regulation and the accountability principle require that there is clarity about who

is responsible for the processing of personal data, also when using
data processors. See, among other things, Article 5 No. 2 and Article 29.

In the case of shared/joint responsibility, the distribution of responsibility must be determined in an open manner, cf. Article 26.

Stavanger Arbeiderparti has stated that they are responsible for processing, on behalf of
The majority parties. No agreement indicating other responsibilities has been presented.

The Norwegian Data Protection Authority has therefore assumed that it is the Stavanger Labor Party that alone is
controller for the processing of personal data to which the case relates.

        2.2.4. The legal basis for the processing(s)

           2.2.4.1.    About the basis in question

When personal information is obtained through access in accordance with the Public Service Act, it must be further used
of the information take place in accordance with the rules in the Personal Data Act and
the personal data protection regulation. Basic principles for processing personal data are
laid down in the personal data protection regulation art. 5 no. 1 letter a - f. The principle of legality implies

that there must be a legal basis for the processing of personal data. It has to




                                                                                               3 there is a legal basis for all processing activities carried out in this case
including the delivery to Brevo and the sending of e-mails.

Personal data protection regulation art. 6 no. 1 contains six alternative legal grounds (letter a -
f).

Initially, the Stavanger Labor Party stated that the relevant legal basis for their

processing of personal data was the personal data protection regulation article 6, no. 1 letter e).
The Norwegian Data Protection Authority refuted in a letter of 1 November 2023 that this option could be used for it
current treatment.

The Stavanger Labor Party has since stated that they have a legal basis in article 6, no. 1, letter
f). According to this provision, processing of personal data may be lawful if it
is necessary for purposes related to the legitimate interests pursued by it

data controller. The provision requires that a balance be made and that
controllers must decide whether the interests or rights of the data subject and
freedoms and the need to protect personal data must take precedence over the legitimate interest.

The person responsible must therefore both explain the legitimate interests and assess whether
the processing may have an impact on the interests of the data subjects. Next, a
balance between these before it can be established that a treatment has a legal basis

the alternative in the personal data protection regulation article 6 no. 1 letter f).

We note that there is no requirement for such assessments to be in writing
the privacy regulations. However, it is difficult to demonstrate compliance without assessments
be documented.


We also refer in that context to the obligation to provide information in the Personal Data Protection Ordinance
article 14 no. 2 letter b) implies that the registered persons are entitled to receive the information which
is necessary to ensure fair and open treatment. It is specified in the provision that
if the legal basis for the processing follows from Article 6 no. 1 letter f, it shall
are informed about the legitimate interests pursued by the data controller.

We asked the Majority Parties to explain the balancing of interests that was carried out before

the processing started, including how privacy considerations were assessed and emphasised, cf.
personal data protection regulation art. 6 no. 1 letter f. We further requested that any written
documentation was attached to the statement.

            2.2.4.2.    The assessments carried out by the Stavanger Labor Party

The Stavanger Labor Party has stated that the assessments they carried out were not documented
in writing.

It is therefore difficult for the Norwegian Data Protection Authority to take a position on the assessment of authorization for
the processing of personal data was carried out lawfully. In the absence of documentation on

Stavanger Arbeiderparti's assessments, we have therefore based the information that is
obtained through our case management.



                                                                                                  4 The Stavanger Labor Party has explained what legitimate interests they have based on. The
states that the e-mail was carefully assessed in relation to the Personal Data Protection Regulation art 6 no. 1 letter
f, precisely because it can be difficult to know which instruments are legitimate to use
in connection with an election campaign. They state that they were aware that the legitimate interest
"must be legal, clearly defined in advance, real and factually justified in the business".


Stavanger Arbeiderparti further believes that in connection with an election campaign it must be within
the concept of "legitimate interest" for a political party to send out targeted political information.
They indicate that in an election campaign it is in the public interest to clarify and inform about them
consequences different political positions will have for voters, and that so targeted
information is important for voters to be able to make knowledge-based choices.

They further state that election campaign material, distributed via e-mail, does not differ in principle

election campaign material distributed via other channels, as long as the email addresses are public
available.

Stavanger Labor Party states that they also considered alternative distribution methods of theirs
political messages. Among other things, they had an offer from Posten Norge AS for
target group-specific mailings, i.e. in the direction of what is called Direct Mail (DM). This
the alternative was not assessed as less intrusive than the e-mail that was chosen. One

alternatives that were also considered were direct actions linked to nurseries, small schools, etc.,
but it was considered less appropriate than an email distribution.

The conclusion of the Stavanger Labor Party was that it must be possible as part of a political election campaign
is justified in carrying out such an e-mail based on a "legitimate interest", i.a. a. to get
out a political message, which is the main purpose of running an election campaign.


Through the Norwegian Data Protection Authority's proceedings, it has not been documented that Stavanger
The Labor Party has carried out such an assessment of the interests of those registered. It is neither
described or submitted documentation that shows that the assessments have taken place in this way
the privacy regulation article 6 no. 1, letter f requires. This applies
the treatment activities in all stages; the collection through the request for access to the municipality,
the compilation the municipality had to prepare, the processing by the Stavanger Labor Party,

the transmission to Brevo or through the sending of e-mails.

The second most relevant alternative was not considered less invasive compared to
privacy considerations. In addition, they considered that privacy considerations were well taken care of, through the fact that it was
sent a limited amount of personal data, only email addresses, to Brevo.

            2.2.4.3.    The Norwegian Data Protection Authority's assessment

Stavanger Arbeiderparti has to a small extent explained that they have assessed those registered
interests. However, to a certain extent it has been expressed that the access requirement they aimed at
the municipality could have some negative effects, all the while they themselves in the access request

uses the word "unfortunately" about the scope of public law.




                                                                                                  5 Admittedly, several alternative solutions were considered, but the Norwegian Data Protection Authority considers that they were not
carried out an assessment of the privacy consequences of the processing itself.

The case has attracted great interest and has led to several complaints to the Norwegian Data Protection Authority from those registered. The
It appears obvious to the Norwegian Data Protection Authority that the processing has actually had a negative impact on
those registered. We assume that this treatment has caused reactions, among other reasons
it was not predictable for those to whom it applies.


The access requirement that was directed at the municipality involved a compilation of
personal data that should have been assessed by the Stavanger Labor Party, even if there is one
legal delivery by the municipality. The disclosure consisted of compiled information such as
was tailored for a purpose outside the scope of public law. This should too
been taken into account in the assessment. We note that the negative consequences of the access requirement
was also pointed out by the Stavanger Labor Party at the same time as the claim was made.


Alternatives to the chosen solution that were considered were direct actions associated with kindergartens,
small school etc., but it was considered less appropriate than an e-mail distribution.

Stavanger Arbeiderparti has not confirmed that they have surveyed or assessed
the privacy interests of the data subjects in the relevant processing.
The privacy consequences are therefore also not weighted against the legitimate interest

the purpose of the treatment was to safeguard.

The Norwegian Data Protection Authority believes that the missing assessments, which a controller is required to
carried out according to the Personal Data Protection Ordinance, Article 6 No. 1, letter f, must be considered a breach
on the Personal Data Protection Regulation.


        2.2.5. Use of data processor

The majority parties used the Brevo service for sending emails. It is stated that Brevo only
was given a list of e-mail addresses.

At the request of the Norwegian Data Protection Authority, it has been stated that no data processor agreement was entered into with
Letter. Stavanger Arbeiderparti points out that the "Terms of Service" was approved when it was created

account and that the "Privacy policy" has been read through.

The Personal Protection Regulation Article 28 No. 3 requires that processing of personal data which
carried out by a data processor must be subject to an agreement. The provision states in more detail what
such an agreement must regulate, but there are no formal requirements.

The Danish Data Protection Authority has not investigated the supplier Brevo and any special requirements

should have been stipulated in the specific agreement. We have also not reviewed the company's "Terms
of Service" or "Privacy policy" to which reference is made.

We assume that the Stavanger Labor Party has assessed that the agreement with Brevo is comprehensive
for the processing of information they must carry out on their behalf.




                                                                                                6 2.3. What information is given to the registered cf. the Personal Protection Ordinance art.
         14.

Stavanger Arbeiderparti confirms that no information about the treatment has been given to them
registered, and that this is not in accordance with Article 14 of the Personal Data Protection Regulation.


    2.4. Storage period for the personal data

The Norwegian Data Protection Authority asked for an explanation of the content of the agreement with regard to the deletion of
the personal data at Brevo, and whether confirmation was obtained that the deletion was
been carried out.

The Stavanger Labor Party has stated that the personal data was deleted for those persons who

had access to the email addresses the day after dispatch. The personal data that was loaded
up with Brevo, was also deleted the same day. The account with Brevo has also been deleted, as this was one
one-off mailing.

They have assumed that the deletion at Brevo was "non-reversible" and that all data would remain
permanently deleted within 30 days at the latest. The address list (email addresses) was deleted manually
from the account prior to the account being deleted. No confirmation has been requested from Brevo

beyond this.

The Norwegian Data Protection Authority assumes that the deletion has been carried out. We clarify that a
The data processing agreement must also contain terms that include the deletion of information, see
point 6.


3. Decision on reprimand

The Norwegian Data Protection Authority's case management has revealed that the processing of personal data in
in connection with the majority parties' e-mail sending of political messages has resulted in several
breach of the privacy regulations.

Paragraph 148 of the Personal Protection Ordinance states that sanctions should be imposed for

breach of the regulation, including infringement fees. The preface allows for it to know less
infringements may be given a reprimand instead of an infringement fee. It can, among other things
emphasis is placed on whether the breach has entailed a high risk for the rights of the data subjects.

The Norwegian Data Protection Authority has come to the conclusion that a decision on reprimands for the infringements must be made. We
has emphasized in the assessment that the collection of personal data from the municipalities had
valid legal basis through public law. Furthermore, we have emphasized what was processed

personal data to a very limited extent, and that they were deleted as soon as the purpose of
treatment was achieved. We consider that the violations did not pose a high risk for them
data subject's rights.






                                                                                                 7 The Danish Data Protection Authority nevertheless believes that it is necessary to react, and takes this into account in
the personal protection regulation article 58 no. 2, letter b decision on reprimand for the following
Violations:

    1. Inadequate assessments when using the Personal Protection Regulation Article 6 no. 1, letter
        f as a legal basis for processing personal data and
    2. failure to comply with the duty to provide information about the treatment to them

        registered, cf. Article 14 of the Personal Data Protection Ordinance.

See above for further justification of our assessments of the various conditions.

4. Access to appeal

This decision can be appealed in accordance with Chapter VI of the Public Administration Act. Any complaint must

sent to the Norwegian Data Protection Authority within three weeks of receipt of the decision. If we maintain
our decision, the case will be forwarded to the Personal Protection Board for processing.

Any questions can be directed to postkasse@datatilsynet.no.




With kind regards


Camilla Nervik
section manager


The document is electronically approved and therefore has no handwritten signatures


Copy to: STAVANGER ARBEIDERPARTI





















                                                                                               8