Datatilsynet (Norway): Difference between revisions

From GDPRhub
No edit summary
(Added more information throughout the page.)
Line 38: Line 38:
|Head Count:||Approx. 50
|Head Count:||Approx. 50
|-
|-
|Budget:|| NOK 66 478 000 (EUR 6 200 000) (2020)<ref>https://www.regjeringen.no/contentassets/5e8becb098da42488ef31196759fc81a/2020_datatilsynet-tildelingsbrev.pdf</ref>
|Budget:||NOK 66 478 000 (EUR 6 200 000) (2020)<ref>https://www.regjeringen.no/contentassets/5e8becb098da42488ef31196759fc81a/2020_datatilsynet-tildelingsbrev.pdf</ref>
|}
|}


The Norwegian Data Protection Authority (''Datatilsynet'') is the national Data Protection Authority for Norway. It resides in Oslo and is in charge of enforcing GDPR in Norway.
The Norwegian Data Protection Authority (''Datatilsynet'') is the national Data Protection Authority for Norway. It resides in Oslo and is in charge of enforcing the GDPR in Norway. Datatilsynet is an independent body established in 1980, through the Act No. 48 of 9 June 1978 relating to personal data filing systems, etc. § 2. Through information, dialogue, complaints handling and inspection, Datatilsynet supervises that authorities, companies, organisations and individuals follow data protection legislation.  


==Structure==
==Structure==
Datatilsynet is an independent body set up in 1980. Administratively, Datatilsynet is subordinate to the Ministry of Local Government and Modernisation. Cases are usually assigned to an employee that is named on all documents by initials.  
Administratively, Datatilsynet is subordinate to the King and the Ministry designated by the King; the Ministry of Local Government and Modernisation. Cases are usually assigned to an employee that is named on all documents by initials.  


Datatilsynet is organized in a legal department, a department for technology, analysis and security, a communications department and an administrative department. The legal department is further organized in different sections.
Datatilsynet is organized in a legal department, a department for technology, analysis and security, a communications department and an administrative department. The legal department is further organized in different sections.
Line 66: Line 66:
=====Department for technology, analysis and security=====
=====Department for technology, analysis and security=====
The department for technology, analysis and security have the overarching responsibility for digitalisation, carrying out supervisory tasks and the methodology in relation to this, security of processing, technical analysis, as well as strategic work. The department consist of a staff with security and technical experts, as well as a section for analysis, research and politics.
The department for technology, analysis and security have the overarching responsibility for digitalisation, carrying out supervisory tasks and the methodology in relation to this, security of processing, technical analysis, as well as strategic work. The department consist of a staff with security and technical experts, as well as a section for analysis, research and politics.
== Applicable Material Law in Norway ==
When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the [https://lovdata.no/dokument/NL/lov/2018-06-15-38 Personal Data Act]. The Personal Data Act is divided into nine chapters with 34 paragraphs, followed by the GDPR full text.


==Procedural Information==
==Procedural Information==
Line 75: Line 78:
There are no formal requirements by law.   
There are no formal requirements by law.   


Datatilsynet required that a complainant had been in touch with the controller, as well as attaching proof of correspondence alongside the complaint.  
Datatilsynet informs on their website that complaints must be sent in written form to their postal address and that they're working to get a secure electronic complaint form in place (December 2020). However, we're aware that complaints sent to their general email address (postkasse@datatilsynet.no) will be processed. 
 
To ensure "effective case processing", Datatilsynet encourages that a complainant first contact the controller to try to resolve the case. Further, they recommend that any relevant correspondance and other documentation is attached to the complaint.  


Datatilsynet also required that the complaint contained:
'''When submitting a complaint, the complainant must include:'''


*The name of the controller
*The name of the controller
*A description of the alleged breach
*A description of what the complaint is about
*Legal claim and remedy
*Their contact information (name, phone number and postal address only)
*Contact information (name, phone number and postal address)
*Copies of any correspondance with the controller


The practice of requiring complainants to fulfil certain obligations to file a complaint was stopped, as there are no basis under GDPR to impose such additional requirements.  
The former practice of requiring complainants to fulfil certain obligations to file a complaint was ended, as there are no basis under GDPR to impose such additional requirements.  


Datatilsynet does not currently give any information about an e-mail address where the complaint can be sent, but informs that a solution for secure transmissions is being developed. The former e-mail address was postkasse@datatilsynet.no.
Datatilsynet also has an electronic form for anonymous tips on their website.  


Read more on [https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/hvordan-kan-jeg-klage-til-datatilsynet/ datatilsynet.no]
Read more on [https://www.datatilsynet.no/om-datatilsynet/kontakt-oss/hvordan-kan-jeg-klage-til-datatilsynet/ datatilsynet.no]


===''Ex Officio'' Procedures under Art 57 GDPR===
===''Ex Officio'' Procedures under Art 57 GDPR===
''You can help us filling this section!''
Datatilsynet can carry out their own investigations based on own findings, like cases they've been aware of through the media.


===Appeals===
===Appeals===


======Administrative======
======Administrative======
The term “''Varsel om vedtak''” refers to the notice of a pending decision. Such a decision is sent to the party so that they can comment on the final decision before its adoption. Appealed decisions made by Datatilsynet in which the DPA does not change its opinion are sent to the ''Personvernnemda'' (PVN), an independent body tasked to handle appeals and with the authority to overturn decisions issued by Datatilsynet. PVN decisions are final under the administrative procedure, but can be appealed to the courts.   
The term “''Varsel om vedtak''” refers to the notice of a pending decision. The defendant has the opportunity to comment on and appeal the decision. If they appeal, and Datatilsynet upholds their decision, it is then submitted to the ''Personvernnemda'' (the Privacy Appeal Board), an independent body tasked to manage appeals
 
Personvernnemda has the authority to overturn decisions issued by Datatilsynet. Personvernnemda's decisions are final under the administrative procedure, but can be appealed to the courts.   


======Court======
======Court======
Line 102: Line 109:


==Practical Information==
==Practical Information==
''You can help us filling this section!''
===Filing a complaint===
Datatilsynet informs on their website that complaints must be sent in written form to their postal address and that they're working to get a secure electronic complaint form in place (December 2020). However, we're aware that complaints sent to their general email address (postkasse@datatilsynet.no) will be processed.
 
To ensure "effective case processing", Datatilsynet encourages that a complainant first contact the controller to try to resolve the case. Further, they recommend that any relevant correspondance and other documentation is attached to the complaint.
 
'''When submitting a complaint, the complainant must include:'''
 
*The name of the controller
*A description of what the complaint is about
*Their contact information (name, phone number and postal address only)
*Copies of any correspondance with the controller


=== Filing with the DPA ===
The former practice of requiring complainants to fulfil certain obligations to file a complaint was ended, as there are no basis under GDPR to impose such additional requirements.
''You can help us filling this section!''


=== Known Problems ===
Datatilsynet also has an electronic form for anonymous tips on their website.
''You can help us filling this section!''


=== Filing an Appeal ===
===Known problems===
''You can help us filling this section!''
''No known problems.''


==Decision Database==
===Filing an appeal===
''You can help us filling this section!''
Decision can be appealed, in which case Datatilsynet will review the case. If they uphold their decision, it is then submitted to the Personvernnemda (the Privacy Appeal Board). They have the authority to overturn decisions and these are final under the administrative procedure. Decisions can, however, be appealed to the national courts, starting in the first instance, ''tingretten''.


==Statistics==
==Statistics==
''You can help us filling this section!''
===Funding===
Datatilsynet is financed by the Norwegian government and their budget for 2020 is NOK 66 478 000 (approx. EUR 6 200 000).


=== Funding ===
===Personal===
''You can help us filling this section!''
Datatilsynet has about 55 staff members in 2020 with approx. 60% women and 40% men.


=== Personal ===
===Caseload===
''You can help us filling this section!''
From Datatilsynet's annual report 2019; number of:


=== Caseload ===
* Complaints: 1,916
''You can help us filling this section!''
* Complaints where children were involved: 11%
* Decisions: 285
* Complaints on decisions: 23
* Administrative fines: 10
* Cases sent to the Privacy Appeal Board: 16
* New cases: 3,118
* Recorded documents: 5,096 incoming and 3,531 outgoing
* Requests for access (to Datatilsynet's cases/documents): 3,437
* Documents given access to where content has been redacted: 409
* Documents denied access to: 256
* Inquiries to the helpline (phone): 7,186, of which 3% are from DPO's, 49% from businesses and 48% from private individuals
* Media coverage: 4,233 news pieces


=== Fines ===
===Fines===
''You can help us filling this section!''
Central decisions from 2015 [https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/ are available on this page]. Decisions from the past couple of years [[:Category:Datatilsynet (Norway)|are summarized on the GDPRhub here]].


=== Annual Reports ===
===Annual Reports===
''You can help us filling this section!''
Datatilsynet's annual reports from 2009 [https://www.datatilsynet.no/om-datatilsynet/arsmeldinger/ are available on this page].


==References==
==References==

Revision as of 07:38, 18 December 2020

Datatilsynet
LogoNO.png
Name: Datatilsynet
Abbreviation : Datatilsynet
Jurisdiction: Norway
Head: Bjørn Erik Thon
Deputy: n/a
Adress: Tollbugata 3

0152 Oslo

NORWAY

Webpage: datatilsynet.no
Email: postkasse@datatilsynet.no
Phone: +47 22 39 69 00
Twitter: @datatilsynet
Procedural Law: Public Administration Act (Forvaltningsloven) (in EN), Freedom of Information Act (Offentleglova) (in EN)
Decision Database: Important decisions (in NO)
Translated Decisions: Category:Datatilsynet (Norway)
Head Count: Approx. 50
Budget: NOK 66 478 000 (EUR 6 200 000) (2020)[1]

The Norwegian Data Protection Authority (Datatilsynet) is the national Data Protection Authority for Norway. It resides in Oslo and is in charge of enforcing the GDPR in Norway. Datatilsynet is an independent body established in 1980, through the Act No. 48 of 9 June 1978 relating to personal data filing systems, etc. § 2. Through information, dialogue, complaints handling and inspection, Datatilsynet supervises that authorities, companies, organisations and individuals follow data protection legislation.

Structure

Administratively, Datatilsynet is subordinate to the King and the Ministry designated by the King; the Ministry of Local Government and Modernisation. Cases are usually assigned to an employee that is named on all documents by initials.

Datatilsynet is organized in a legal department, a department for technology, analysis and security, a communications department and an administrative department. The legal department is further organized in different sections.

Legal Department

Department for the enforcement of rules, international cooperation and sanctions

The department for the enforcement of rules, international cooperation and sanctions have the overarching responsibility for the legal development at Datatilsynet, as well as the international work, for instance with the EDPB.

The department have three different sections:

Section for public services

The section for public services have the main responsibility for police- and justice sector, immigration administration, the health sector, public administration and the school- and kindergarden sector.

Section for private services

The section for private services have the main responsibility for the banking and financing sector, privacy in the workplace, violations on the internet, camera surveillance, audio recordings and the like.

International Section

The international section have the main responsibility for the transfer of personal data to third-countries and international cooperation.

Department for technology, analysis and security

The department for technology, analysis and security have the overarching responsibility for digitalisation, carrying out supervisory tasks and the methodology in relation to this, security of processing, technical analysis, as well as strategic work. The department consist of a staff with security and technical experts, as well as a section for analysis, research and politics.

Applicable Material Law in Norway

When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the Personal Data Act. The Personal Data Act is divided into nine chapters with 34 paragraphs, followed by the GDPR full text.

Procedural Information

Applicable Procedural Law

Datatilsynet is, like all other public bodies in Norway, bound by the Public Administrative Act of 1967 (Forvaltningsloven - fvl.) and the Freedom of Information Act of 2009 (Offentleglova).

Complaints Procedure under Art 77 GDPR

There are no formal requirements by law.

Datatilsynet informs on their website that complaints must be sent in written form to their postal address and that they're working to get a secure electronic complaint form in place (December 2020). However, we're aware that complaints sent to their general email address (postkasse@datatilsynet.no) will be processed.

To ensure "effective case processing", Datatilsynet encourages that a complainant first contact the controller to try to resolve the case. Further, they recommend that any relevant correspondance and other documentation is attached to the complaint.

When submitting a complaint, the complainant must include:

  • The name of the controller
  • A description of what the complaint is about
  • Their contact information (name, phone number and postal address only)
  • Copies of any correspondance with the controller

The former practice of requiring complainants to fulfil certain obligations to file a complaint was ended, as there are no basis under GDPR to impose such additional requirements.

Datatilsynet also has an electronic form for anonymous tips on their website.

Read more on datatilsynet.no

Ex Officio Procedures under Art 57 GDPR

Datatilsynet can carry out their own investigations based on own findings, like cases they've been aware of through the media.

Appeals

Administrative

The term “Varsel om vedtak” refers to the notice of a pending decision. The defendant has the opportunity to comment on and appeal the decision. If they appeal, and Datatilsynet upholds their decision, it is then submitted to the Personvernnemda (the Privacy Appeal Board), an independent body tasked to manage appeals.

Personvernnemda has the authority to overturn decisions issued by Datatilsynet. Personvernnemda's decisions are final under the administrative procedure, but can be appealed to the courts.

Court

Decisions can also be appealed to the courts, starting in the first instance, tingretten.

Practical Information

Filing a complaint

Datatilsynet informs on their website that complaints must be sent in written form to their postal address and that they're working to get a secure electronic complaint form in place (December 2020). However, we're aware that complaints sent to their general email address (postkasse@datatilsynet.no) will be processed.

To ensure "effective case processing", Datatilsynet encourages that a complainant first contact the controller to try to resolve the case. Further, they recommend that any relevant correspondance and other documentation is attached to the complaint.

When submitting a complaint, the complainant must include:

  • The name of the controller
  • A description of what the complaint is about
  • Their contact information (name, phone number and postal address only)
  • Copies of any correspondance with the controller

The former practice of requiring complainants to fulfil certain obligations to file a complaint was ended, as there are no basis under GDPR to impose such additional requirements.

Datatilsynet also has an electronic form for anonymous tips on their website.

Known problems

No known problems.

Filing an appeal

Decision can be appealed, in which case Datatilsynet will review the case. If they uphold their decision, it is then submitted to the Personvernnemda (the Privacy Appeal Board). They have the authority to overturn decisions and these are final under the administrative procedure. Decisions can, however, be appealed to the national courts, starting in the first instance, tingretten.

Statistics

Funding

Datatilsynet is financed by the Norwegian government and their budget for 2020 is NOK 66 478 000 (approx. EUR 6 200 000).

Personal

Datatilsynet has about 55 staff members in 2020 with approx. 60% women and 40% men.

Caseload

From Datatilsynet's annual report 2019; number of:

  • Complaints: 1,916
  • Complaints where children were involved: 11%
  • Decisions: 285
  • Complaints on decisions: 23
  • Administrative fines: 10
  • Cases sent to the Privacy Appeal Board: 16
  • New cases: 3,118
  • Recorded documents: 5,096 incoming and 3,531 outgoing
  • Requests for access (to Datatilsynet's cases/documents): 3,437
  • Documents given access to where content has been redacted: 409
  • Documents denied access to: 256
  • Inquiries to the helpline (phone): 7,186, of which 3% are from DPO's, 49% from businesses and 48% from private individuals
  • Media coverage: 4,233 news pieces

Fines

Central decisions from 2015 are available on this page. Decisions from the past couple of years are summarized on the GDPRhub here.

Annual Reports

Datatilsynet's annual reports from 2009 are available on this page.

References

EU/EEA/UK Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland (Åland) · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain (Basque Country · Catalonia · AndalusiaSweden
Iceland · Liechtenstein · Norway · United Kingdom EDPS · EDPB