Datatilsynet (Norway) - 20/04401
Datatilsynet (Norway) - 20/04401-11 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1) GDPR; Article 24 GDPR; Personopplysningsforskriften § 4-3 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 13.12.2021 |
Published: | 07.01.2022 |
Fine: | 200.000 NOK |
Parties: | Elektro & Automasjon Systemer AS |
National Case Number/Name: | 20/04401-11 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | Rose |
The Norwegian DPA imposed a fine of about €20,000 (NOK 200,000) on Elektro & Automasjon Systemer AS for not implementing appropriate technical and organisational measures to prevent unlawful processing, and therefore mistakenly conducting a credit check without legal basis.
English Summary
Facts
The controller is an electrical and automation systems company that uses a credit information tool (Bisnode) to run credit checks on companies that are its customers, suppliers or competitors in the same industry. The controller mistakenly ran a credit check on one of the owners of another company. There was no existing collaboration or customer/vendor relationship between the two companies. After learning of the credit check, this owner (the data subject) lodged a complaint with the Norwegian DPA. In its defence, the controller explained that the credit check had happened by accident and had been caused by its lack of familiarity with the system it used for requesting credit reports.
Holding
First, the Norwegian DPA held that the controller had not implemented appropriate technical and organisational measures to prevent unlawful processing, in violation of Article 24 GDPR. Even though the controller had internal procedures in place regarding its processing of personal data in general, none of these were specifically aimed at conducting credit checks. The DPA held that any company that uses a credit report tool has an obligation to familiarise themselves with the tool and the legal framework to prevent errors from happening. Second, the DPA held that the controller lacked legal basis for the processing, in violation of Article 6(1) GDPR.
As a result of the above infringements, the DPA imposed a fine of 200 000 NOK. When determining the size of the fine, the DPA highlighted that credit reports usually contain information about an individual's financial situation, such as information about salary and debt, which especially deserves a high level of protection. As mitigating factors, however, the DPA noted that the breach had only affected one data subject for a short duration.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
EAS / ELEKTRO & AUTOMASJON SYSTEMER AS
Åshaugveien 62
3170 SEM

Exempt from public access: Offl. § 13 cf. Popplyl. § 24 (1) no. 2.

Their reference: | Our reference: 20/04401-11 | Date: 13.12.2021

Datatilsynet: PO Box 458 Sentrum, 0105 OSLO | Office address: Trelastgata 3, 0191 OSLO | Telephone: 22 39 69 00 | Org. no.: 974 761 467 | www.datatilsynet.no

Decision on order and infringement fee - Complaint about credit assessment without objective need - EAS / Elektro & Automasjon Systemer AS

1. Introduction
We refer to our notice of a decision on an order and infringement fee dated 17 June 2021. We also refer to your comments on the notice dated 15 July 2021. These comments are dealt with in sections 7.1 and 8.3 of the decision.

2. Decision on order and infringement fee
1. Pursuant to Article 58(2)(i) GDPR, EAS / Elektro & Automasjon Systemer AS, org. no. 991 800 492, is ordered to pay an infringement fee to the Treasury of NOK 200,000 for having obtained credit information without a legal basis, cf. Article 6(1)(f) GDPR.
2. Pursuant to Article 58(2)(d) GDPR, EAS / Elektro & Automasjon Systemer AS is ordered to improve its internal control and routines for credit assessments, cf. Article 24 GDPR.

3. Facts of the case
On 18 November 2020, we received a complaint from (hereinafter "the complainant") that EAS / Elektro & Automasjon Systemer AS had carried out a credit assessment of him. The complainant was notified on 6 October 2020 that a credit assessment had been carried out. The complainant states that he has had no cooperation, customer relationship or other affiliation with the business. He had no expectation of being credit-assessed by the company and experiences the incident as unnecessary snooping ("grafsing") in his personal finances.

In your response to our request for a statement, you confirm that the complainant is neither a customer of yours nor has any other direct relationship with EAS / Elektro & Automasjon Systemer AS. You describe that you use Bisnode as a tool for credit checks of companies that are customers, suppliers and companies in the same industry. The credit check of the complainant is said to have happened by mistake, due to a lack of knowledge of the Bisnode system. You further describe that you annually review the accounts of other players in the industry to assess your own performance. The complainant is co-owner of a company in the same industry as EAS / Elektro & Automasjon Systemer AS. While looking at that company's accounts, the complainant's name was clicked in the list of shareholders. You explain that the general manager expected to then get an overview of ownership interests, corresponding to the systems on proff.no and purehelp.no. You point out that neither the company nor the general manager has any private interest in obtaining credit information about the complainant. The information obtained in Bisnode was not printed or stored in any way in the business, and it was assumed that the search had been interrupted. You also point out that this is the first time such a credit check of a private individual has been performed by EAS / Elektro & Automasjon Systemer AS.

In the statement, you write that you have been in contact with Bisnode to have the credit assessment tool explained after you received the Data Protection Authority's request for a statement. You state that you have routines for the processing of personal data in the business, but that these routines do not mention credit assessment. Furthermore, you write that this case will be dealt with internally and that the routines will be reviewed for any changes or clarifications.

The Norwegian Data Protection Authority sent a notice of a decision on an order and infringement fee on 17 June 2021. EAS / Elektro & Automasjon Systemer AS submitted comments on this notice on 20 July 2021. The comments are dealt with in sections 7.1 and 8.3 of this decision.

4. Controllership
The entity that determines the purposes and means of a processing of personal data is the controller, cf. Article 4(7) GDPR. The controller is responsible for ensuring that the processing of personal data takes place in accordance with the basic principles of the GDPR and must be able to demonstrate this, cf. Article 5(2) GDPR. A company is responsible for the processing of personal data performed by an employee when the processing has taken place as part of the company's activities.[1] It is EAS / Elektro & Automasjon Systemer AS that has an agreement with Bisnode and that, in our opinion, has determined the purposes and means of the credit assessments.

The controller has a duty to implement appropriate technical and organisational measures to ensure and demonstrate that processing takes place in accordance with the GDPR, cf. Article 24. According to Article 24, the assessment of appropriate measures shall take into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of data subjects. The measures shall be reviewed and updated as necessary.

On this basis, the Data Protection Authority regards EAS / Elektro & Automasjon Systemer AS as the controller within the meaning of Article 4(7) GDPR for the credit check carried out on the complainant.

[1] European Data Protection Board, Guidelines 07/2020 on the concept of controller and processor in the GDPR, p. 10.

5. Legal basis for obtaining credit information
5.1. In particular on the legal basis for obtaining credit information
Obtaining and storing credit information about individuals and sole proprietorships constitutes processing of personal data, cf. Article 4(2) GDPR and § 1 of the Act of 15 June 2018 no. 38 on the processing of personal data (Personal Data Act). Article 6(1) GDPR requires that all processing of personal data has a legal basis. When a business wishes to obtain credit information about a data subject without consent, and the credit assessment is not strictly necessary in order to perform a contract with the data subject, Article 6(1)(f) is the most relevant legal basis.

Under the old Personal Data Act of 2000, there was an additional requirement that the business must have an "objective need" (saklig behov) to obtain credit information. This follows from § 4-3 of the Personal Data Regulations, which under the transitional rules has been continued as applicable law.[2] The new Credit Information Act[3] also continues the requirement of an "objective need" for the disclosure of credit information. The new Act has been passed, but has not yet entered into force. However, the GDPR does not provide national room for manoeuvre to specifically regulate individual recipients' processing of credit information. The new Credit Information Act therefore only has the credit information agencies as subjects of duty, and not the individual business that orders credit information. The consequence is that "objective need" is not directly an additional condition for the individual business that obtains credit information. Their collection is thus regulated by Article 6(1)(f) GDPR.

Assessments of whether a business has an "objective need" under § 4-3 of the Personal Data Regulations are, however, closely related to the assessment under Article 6(1)(f). Previous practice on "objective need" is therefore still relevant when assessing "legitimate interest" as a legal basis.

[2] Transitional rules on the processing of personal data (FOR-2018-06-15-877).
[3] Act on the processing of information in credit information activities (LOV-2019-12-20-109).

5.2. Article 6(1)(f) GDPR - "legitimate interest"
Article 6(1)(f) requires that the collection of credit information is "necessary" for the purposes of a "legitimate interest" which, after a balancing of interests, outweighs the individual's interest in privacy. The legitimate interest must be lawful, clearly defined in advance, real and objectively justified in the business. Recital 47 GDPR states that the assessment of whether an interest is legitimate should, among other things, take account of the data subject's reasonable expectations and the relationship between the controller and the data subject. Weight should also be given to whether, at the time of collection, it was foreseeable for the data subject that the information would be processed for the purpose in question. Which interests meet this requirement depends on an overall assessment of, among other things, the benefits the company achieves through the processing, how important the interest is for the company, and whether the processing serves a public interest or safeguards broader societal interests, see the Article 29 Working Party's opinion.[4]

Furthermore, the processing of personal data must be necessary for the interest in question. That is, the business must consider whether it can achieve the purpose in a way that better protects privacy, and must choose the least intrusive processing. Finally, the business must carry out a balancing of interests to determine whether the individual's privacy interest outweighs the business's legitimate interest.

The type of information involved is a relevant factor in the balancing of interests, e.g. whether it is particularly worthy of protection and whether the person has an expectation of being left in peace with respect to the personal data. It is also relevant to consider what disadvantages the processing imposes on the person, whether the processing is perceived as intrusive, whether it is apt to create fear or unease, and what measures the company has implemented to reduce the privacy consequences.

[4] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, pp. 24-25.

5.3. Relevant practice on § 4-3 of the Personal Data Regulations - "objective need"
Under § 4-3 of the Personal Data Regulations, a credit assessment may only be obtained when the business has an "objective need" for the information, for example in connection with a purchase on credit. As a general rule, there must be an element of credit. This will typically be the case when the business is to extend credit to a customer and needs to see whether he or she is creditworthy.

The Privacy Appeals Board (Personvernnemnda) has elaborated on the additional condition of objective need in several cases, including PVN-2006-03 KLP, PVN-2010-05 Credit assessment and PVN-2017-02 Bertram Bil. In the latter case, the Board referred to the following statement from PVN-2006-03 KLP:

"The purpose of a credit assessment is normally to determine whether a potential customer is creditworthy, and thus whether the company wishes to enter into an agreement with the person in question. This means that when credit information is requested, the requirement of objectivity will be met when the customer needs the credit information in connection with its assessment of credit risk, for example for a loan commitment or an agreement on ongoing services invoiced in arrears, typically mobile phone subscriptions, satellite television subscriptions, etc."
The Board also referred to the statement in PVN-2010-05 Credit assessment that the opposite of "objective need" is "curiosity and a peeping mentality" (kikkermentalitet).

6. On the duty to implement appropriate technical and organisational measures
Pursuant to Article 24 GDPR, the controller shall implement appropriate technical and organisational measures to ensure and demonstrate that processing is carried out in accordance with the Personal Data Act and the GDPR. Where proportionate in relation to the processing activities, the company shall implement appropriate data protection policies.

Credit assessment is an intrusive form of processing of personal data and constitutes a significant interference with individuals' right to privacy. Companies that carry out credit assessments must therefore document internal routines or processes (internal control) that satisfy the requirement of objective need in credit assessment. The routines must describe when and how credit information may be obtained and how access is to be granted. The routines must ensure that credit information is not obtained unless the requirement of objective need is met.

7. The Norwegian Data Protection Authority's assessment
7.1. The duty of internal control and the principle of accountability
It appears from the statement that EAS / Elektro & Automasjon Systemer AS had routines for the processing of personal data, but that these did not include routines for carrying out credit assessments. We therefore assume that EAS / Elektro & Automasjon Systemer AS did not have routines for credit assessments at the time in question. In the statement, you explain that the general manager's lack of understanding of the credit assessment tool was the reason why the credit assessment in question was carried out. You point out that you use Bisnode for credit checks of companies that are customers, suppliers and companies in the same industry.

Even if you do not normally intend to obtain credit information about individuals, access to the credit assessment tool means that you must be aware of the rules and of the functions in Bisnode when it comes to obtaining credit information about natural persons and sole proprietorships. The lack of awareness of the rules, the company's access to credit assessment services, and the fact that the rules were breached in this case, indicate that EAS / Elektro & Automasjon Systemer AS should be ordered to establish internal control for credit assessments. In our opinion, establishing routines can have a preventive effect against unlawful credit assessments being carried out later.

In its comments on the Data Protection Authority's notice, EAS / Elektro & Automasjon Systemer AS has attached revised routines for the processing of personal data with a new "Routine 8: Routine for credit assessment, cf. Article 24 GDPR". The routine reproduces Article 24 GDPR and briefly describes who may carry out credit assessments and in which cases a credit assessment may be carried out. The Data Protection Authority considers it positive that a clear delimitation has been made of who may carry out credit assessments. Nevertheless, the routines should refer to the legal basis the business has for credit assessments in case individuals and sole proprietorships are credit-assessed. The routine should be linked more closely to the rules and the assessments that must be made under the data protection legislation. It is important to be aware that the data protection rules apply to credit assessments of sole proprietorships, as this information is closely linked to information about the finances of the private individual who owns the enterprise. EAS / Elektro & Automasjon Systemer AS should in its routines highlight Article 6(1)(f) as the relevant legal basis for its business, and provide for organisational measures that ensure that the requirements of the GDPR are met before credit information about private individuals and sole proprietorships is obtained.

The Norwegian Data Protection Authority has the competence to order the controller to bring processing operations into compliance with the provisions of the GDPR, cf. Article 58(2)(d) GDPR. This is the background for the order to improve the routines for credit assessment. EAS / Elektro & Automasjon Systemer AS must improve its routines to ensure that credit assessments are only carried out when the conditions of the GDPR are met.

7.2. Legal basis for obtaining credit information
The question is whether EAS / Elektro & Automasjon Systemer AS had a valid legal basis under Article 6(1)(f) when you obtained credit information about the complainant.

The first condition that must be met for the processing to be lawful is that EAS / Elektro & Automasjon Systemer AS had a "legitimate interest" in obtaining the information. EAS / Elektro & Automasjon Systemer AS writes in its statement that the complainant is correct in pointing out that he is neither a customer nor has any other direct relationship with the business. Furthermore, you write that this was done by mistake, as you wanted information about ownership interests in a company in which the complainant is a part-owner. Regardless of whether it was done on purpose or not, EAS / Elektro & Automasjon Systemer AS has obtained credit information about an individual without any customer relationship, supplier relationship or other affiliation to the business. The parties agree that the credit assessment should not have been carried out.

The complainant had no expectation that EAS / Elektro & Automasjon Systemer AS would process his credit information, and it was not foreseeable that the business would obtain the information. Our assessment is that the requirement of a "legitimate interest" in Article 6(1)(f) GDPR is not met. We do not consider it appropriate to assess the requirement of "necessity", as our assessment is that the company did not have a legitimate interest in carrying out the credit assessment.

The third condition in Article 6(1)(f) is the specific balancing of interests between the company's interest in processing the personal data and the data subject's privacy interests. Credit information is a type of personal data that is particularly worthy of protection. A credit assessment is the result of compiling personal data from many different sources, and shows a score indicating the probability that a person will pay a claim. A credit assessment will also show details of the individual's personal finances, including any payment remarks, voluntary mortgages and debt ratio. This is private information that individuals expect not to be obtained by businesses unless it is objectively justified by their relationship with them. Private individuals should therefore enjoy special protection against the obtaining of credit information. The complainant's right to privacy weighs heavily in the processing of this type of personal data. The business had no need to obtain credit information about the complainant, and obtaining credit information out of curiosity will not pass the balancing of interests in Article 6(1)(f).

The conclusion is therefore that EAS / Elektro & Automasjon Systemer AS had no legal basis under Article 6(1)(f) to process the credit information about the complainant that was notified to the complainant on 6 October 2020.

8. Infringement fee
8.1. General information about infringement fees
Infringement fees are a tool to ensure effective compliance with and enforcement of the data protection rules. We consider it necessary to react to the infringement, and hereby impose an infringement fee, cf. Article 83 GDPR.

In line with the Supreme Court's case law (cf. Rt. 2012 p. 1556), we assume that infringement fees are to be regarded as a penalty under Article 6 of the European Convention on Human Rights. A clear preponderance of probability that the infringement has occurred is therefore required in order to impose a fee. Reference is made in this context to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that may be imposed by an administrative body, which is directed at a committed breach of law, regulation or individual decision, and which is regarded as a penalty under the European Convention on Human Rights (ECHR).

8.2. Assessment of whether an infringement fee should be imposed
When assessing whether a fee should be imposed and when determining its size, the Data Protection Authority shall take into account the factors in Article 83(2)(a) to (k) GDPR. The Data Protection Authority may impose infringement fees after a discretionary overall assessment, but the listed factors provide guidance for the exercise of discretion by highlighting factors that should be given particular weight. We assess the relevant factors in turn below.

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
The principle of lawfulness in Article 5(1) GDPR and the requirement of a legal basis in Article 6 are among the basic requirements that must be met when a business processes personal data. As explained above, credit information is a type of personal data that is particularly worthy of protection and which private individuals expect not to be obtained by businesses unless it is objectively justified by their relationship with them. The complainant had no relationship with the business that made it foreseeable that you would process credit information about him. The infringement is therefore serious and indicates that an infringement fee should be imposed. In the mitigating direction, an unlawful credit assessment is not an infringement of long duration. In this case, EAS / Elektro & Automasjon Systemer AS states that you thought the search had been interrupted and that you have not stored credit information about the complainant in the business. However, the damage occurred at the moment the personal credit information was obtained and processed by someone without a legal basis.

b) whether the infringement was intentional or negligent
You describe that the credit assessment was carried out by accident, as the general manager expected to get information about ownership interests in the company in which the complainant is a part-owner when he clicked on the complainant's name in the list of shareholders. Furthermore, it appears from the statement that neither the general manager personally nor EAS / Elektro & Automasjon Systemer AS had any interest in gaining access to the complainant's credit information. There are no grounds for concluding that the credit assessment was made intentionally. However, it must be expected that the general manager of a company has knowledge of the key features of the credit assessment tool the company uses. The Data Protection Authority finds that the company, through its general manager, acted negligently in obtaining credit information about the complainant.

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects
The statement refers to the fact that the general manager assumed the search had been interrupted and that no credit information about the complainant was stored in the business. This factor therefore does not pull in an aggravating direction.

d) the degree of responsibility of the controller or processor taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32
In the aggravating direction, we emphasise that the infringement was committed by the general manager of the business, as the GDPR presupposes that compliance with the rules is anchored in particular in the management of an enterprise, cf. Article 5(2). Furthermore, we emphasise in the aggravating direction that EAS / Elektro & Automasjon Systemer AS lacked awareness of the rules, and that the company had neither technical nor organisational measures in the form of routines to ensure compliance with the rules, nor the necessary knowledge of the credit assessment tool the company uses.

e) any relevant previous infringements by the controller or processor
The Data Protection Authority is not aware of any previous infringements.

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects
The company apologises for the incident and has shown willingness to contribute to clarifying the case and to learn from the incident by handling the case in its deviation system and by reviewing and adjusting its routines for the processing of personal data. This factor therefore does not pull in an aggravating direction.

g) the categories of personal data affected by the infringement
Special categories of personal data (sensitive personal data) are not affected by the infringement in this case. However, information about salary, debt and creditworthiness is information with a special need for protection due to its private nature. This pulls in the aggravating direction.

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
We were made aware of the infringement by the complainant. The company did not itself notify the infringement. This may in some cases pull in an aggravating direction, but the Data Protection Authority has not given it particular aggravating weight in this case, as there is no concrete evidence that EAS / Elektro & Automasjon Systemer AS should have acted differently towards the Norwegian Data Protection Authority.

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures
We are not aware of any measures previously ordered against the company with regard to the same subject matter. This factor therefore does not pull in an aggravating direction.

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
We do not find this factor relevant.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement
The Data Protection Authority cannot see that EAS / Elektro & Automasjon Systemer AS has gained any benefit as a result of the infringement, and we do not give this factor aggravating weight.
Based on the assessment above, the Danish Data Protection Agency concludes that an infringement fee should be imposed. The The next question is the size of the fee. 8.3. Assessment of the size of the fee When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in the question of whether fee should be imposed. We therefore refer to the assessments of the case severity above. The infringement fee must be effective, be in a reasonable proportion to 10 violation and act as a deterrent. This means that the supervisory authority must make one concrete, discretionary assessment in each individual case. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the amount of the fee must be in a reasonable proportion to the infringement and the activity, cf. Article 83 no 1. The Privacy Ordinance facilitates a higher level of fines than that which applied thereafter the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that infringement fines shall be determined specifically so that in each individual case it is effective, it says in a reasonable proportion to the violation and acts as a deterrent. The main purpose of infringement fines are contraception, ie the risk of being charged a fee must work deterrent and thereby contribute to increased compliance with the regulations. 5 By Skullerud et al. (2019), page 347, it appears: Contraceptive considerations dictate that the fee for a violation must be set so high that this actually perceived as an evil by the offender. This means that the offender financial ability should be important in the measurement, so that the fee is higher the more stronger carrying capacity of the offender. […] When assessing the financial carrying capacity of a companies, it may be relevant to look at the company's total global annual turnover in previous financial year, cf. art. 83 Nos. 4 and 5. 
And further: The consideration of ensuring an individual assessment in each individual case indicates that Regulators should avoid establishing standardized fee rates. This applies to yourself whether national law allows for standardized rates, cf. the Public Administration Act § 43. The fee must therefore be measured specifically in each case, and have a deterrent effect on the individual the business. Article 83 (5) of the Privacy Regulation sets a higher maximum amount for fees when the case deals with violations of the basic principles of treatment of personal data in accordance with Articles 5 and 6 of the Privacy Regulation. In our case, EAS / Elektro & Automasjon Systemer AS lacked a basis for treatment obtaining credit information on complaints (principle of legality). In addition, was missing the company technical and organizational measures for compliance with the privacy regulations (principle of accountability). Lack of knowledge about the credit rating tool and guidelines for when credit assessment can be carried out, have facilitated that credit rating has been conducted illegally. This pulls in an aggravating direction. In an aggravating direction, we place particular emphasis on the fact that the credit assessment was initiated by the company's general manager, and that the company's management lacked knowledge of how 5 Skullerud et al. (2019). 11credit assessment tool should be used to avoid performing illegal credit assessments of private individuals. The fee must be set so high that it is effective and achieves a sufficient deterrent effect. In measuring the size of the fee, we therefore also place emphasis on the company's finances. EAS / Elektro & Automasjon Systemer AS ’comments on the size of the notified fee have therefore significance for the measurement. EAS / Elektro & Automasjon Systemer AS has made several comments the company's finances related to the ongoing changing situation as a result of Covid-19- pandemic. 
EAS / Elektro og Automasjon Systemer AS states that the company has carried out layoffs in the last year to adapt to a reduced order intake. At the time of the comments, 7 employees in the company had been laid off, corresponding to 24% of the workforce. You point out that, in light of this, the fee should be significantly reduced.

The notified fee of NOK 250,000 was measured according to the latest available accounting figures from 2019 at the time of the notice. In 2019, EAS / Elektro & Automasjon Systemer AS had registered operating revenues of NOK 34,630,000. EAS / Elektro & Automasjon Systemer AS has submitted accounting figures for 2020 and preliminary accounting figures for periods 1-4 of 2021. In 2020, the business had a turnover of NOK 33,095,228. This amounts to approx. 95% of the turnover for 2019. In periods 1-4 of 2021 the business had operating revenues of NOK 9,526,603. For the same period in 2020, the business had operating revenues of NOK 11,425,258. Operating revenues for periods 1-4 of 2021 amount to approx. 83% of the operating revenues for the same period in 2020.

Based on the financial situation the company is in as a result of the coronavirus pandemic, our assessment is that a lower fee can have the preventive and deterrent effect that Article 83 presupposes. After taking into account the seriousness of the violations and EAS / Elektro & Automasjon Systemer AS' comments, Datatilsynet sets the final fee at NOK 200,000. We have thus reduced the notified fee of NOK 250,000 by approx. 20%, corresponding to EAS / Elektro & Automasjon Systemer AS' fall in turnover between 2019 and periods 1-4 of 2021.

We remind you that violations of Article 6 of the Privacy Regulation can lead to sanctions in the form of infringement fees of up to EUR 20 million, see Article 83(5)(a) of the Privacy Regulation. This corresponds to approx. NOK 214,000,000.
The fee imposed in this case is thus at the very bottom of the range the Regulation prescribes for such breaches.

9. Right of appeal and further proceedings

You can appeal the decision. Any appeal must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Appeals Board for processing of the appeal. If you do not appeal the order for an infringement fee, the deadline for fulfilment is 4 weeks after the expiry of the appeal period, cf. the Personal Data Act § 27. The deadline for implementing point 2 of the order on written routines (internal control) is 4 weeks after expiry of the time limit for appeal. If you do not appeal point 2 of the order, you must within this deadline send us a written confirmation, as well as documentation, that the order on internal control has been fulfilled.

10. Publicity, transparency and duty of confidentiality

We inform you that all the documents are in principle public, cf. § 3 of the Public Access to Information Act. If you believe there is a basis for exempting all or part of the document from public access, we ask you to justify this. Datatilsynet has a duty of confidentiality about who has complained to us, and about the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such information by Datatilsynet, cf. the Public Administration Act § 13 b first paragraph no. 1. You also have a right of access to the case documents, cf. the Public Administration Act § 18.
We point out that you have a duty of confidentiality regarding information you receive from Datatilsynet about the complainant's identity, personal circumstances and other identifying information, and that you may only use this information to the extent necessary to safeguard your interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that violation of this duty of confidentiality can be punished under the Penal Code § 209.

If you have questions about the case, you can contact Ida Småge Breidablikk by phone 22 39 69 70.

With best regards

Jørgen Skorstad
department director, law

Ida Småge Breidablikk
senior legal adviser

The document is electronically approved and therefore has no handwritten signatures

Copy to: