Datatilsynet (Norway) - 0/02422

From GDPRhub
Revision as of 08:40, 14 February 2023 by Riealeksandra (talk | contribs) (→‎Facts)
Datatilsynet - 0/02422
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 12(1) GDPR
Article 12(3) GDPR
Article 13 GDPR
Article 15 GDPR
Article 17 GDPR
Article 58(2)(i) GDPR
Article 60(3) GDPR
Type: Investigation
Outcome: Violation Found
Started: 02.10.2018
Decided: 06.02.2023
Published: 08.02.2023
Fine: 10000000 NOK
Parties: SATS Norway AS
SATS ASA
National Case Number/Name: 0/02422
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined the fitness chain SATS close to a million euro for not responding timely to access and erasure requests, insufficient information and monitoring members' training history without a legal basis.

English Summary

Facts

The company SATS ASA (the controller) is a provider of fitness and training services with headquarter in Norway and operations and offices in Denmark, Finland and Sweden. They have over 270 clubs, about 9 000 employees and more than 700 000 members. Between 2 October 2018 and 8 December 2021, the Norwegian DPA Datatilsynet received four complaints from members of their fitness centers concerning unanswered access requests, lack of legal basis and refusal to comply with erasure requests:

  • One complainant claimed that in May 2018 the controller had transferred their personal data to other companies within its corporate group, as well as to Facebook outside the EU/EEA, without a proper legal ground. They further claimed that an access request they submitted on 29 August 2018 had remained unanswered.
  • On 1 March 2019, the DPA received one more complaint submitted by another member after they had their membership terminated, claiming that the controller had not responded to an access request they submitted on 25 February 2019, as well as refusing to comply with an erasure request submitted on the same date.
  • On 7 October 2019, the DPA received another complaint about the controller’s refusal to comply with an erasure request submitted on 5 October 2019, after they had their membership terminated.

On 7 September 2021 and 5 October 2021, the DPA formally approached the controller and asked the company to express its views on the issues raised in Complaint No 2 and Complaint No 3. The controller replied on 1 December 2021, however, on 8 December 2021, the DPA received yet another complaint about the controller’s refusal to comply with an erasure request they submitted on 6 August 2021.

On 23 March 2022, the DPA sent further questions to the controller on all of the above complaints and received the controller’s response on 28 April 2022.

Despite receiving the complaints over a fairly long time period, the DPA decided to handle the complaints jointly, given that all of them concerned partially similar alleged infringements and for procedural efficiency.

On 26 September 2022, after their investigation, the DPA sent the controller an advance notification of their intention to issue an administrative fine of NOK 10 000 000 (ten million) for having violated several provisions of the GDPR.

The controller responed to the DPA on 31 October 2022 and argued, among other things, that:

  • It was "arbitrary from the part of Datatilsynet to contest a violation of Article 12(3) GDPR and Article 15 GDPR due to a failure to respond to an access request that was submitted around a month after the GDPR became applicable in Norway, as at that time many companies experienced challenges in applying the new rules". The DPA found the argument untenable as other companies' non-compliance is not not a valid justification for a violation of the GDPR that started to occur in September 2018. Further, one of the violations is still ongoing (as per February 2023).
  • The DPA's conclusion that the controller violated both Article 12(3) GDPR and Article 15 GDPR would violate the principle of ne bis in idem. The DPA rejected this argument, recalling that "the principle ne bis in idem [...] do[es] not apply to a situation in which several penalties are imposed in a single decision, even if those penalties are imposed for the same actions. In fact, where the same conduct infringes several provisions punishable by fines, the question whether several fines may be imposed in a single decision falls not within the scope of the principle ne bis in idem”."
  • The assessment of the necessity of a storage period is to a large extent discretionary, noting that the DPA is not in the position to and should refrain from questioning the assessment made by the controller. The controller made the same statement related to choice of legal bases. The DPA rejected both arguments, noting that they are competent to review assessments made by a controller to ensure compliance with their obligations.

Despite the controller's arguments, the DPA submitted a draft decision on 30 December 2022 to the other supervisory authorities concerned in accordance with Article 60(3) GDPR, which was in line with the above advance notification. The DPA did not receive any relevant and reasoned objections and, consequently, upheld their advance notification.

Holding

Pursuant to Article 58(2)(i) GDPR, the DPA issued an administrative fine of NOK 10 000 000 (ten million) against SATS ASA for:

  1. Infringing Article 12(3) GDPR and Article 15 GDPR by failing to timely act upon two separate access requests.
  2. Infringing Article 5(1)(e) GDPR, Article 12(3) GDPR and Article 17 GDPR by failing to take prompt action and erase certain personal data without undue delay pursuant to three separate erasure requests.
  3. Infringing Article 5(1)(a) GDPR, Article 12(1) GDPR and Article 13 GDPR by failing to duly inform data subjects about its data retention policy concerning the personal data of banned members, and the relevant legal basis for the processing.
  4. Infringing Article 5(1)(a) GDPR and Article 6(1) GDPR by failing to rely on a valid lawful basis to process the training history data of the members of its fitness centers.

Comment

By the original contributor: An interesting tid-bit from the decision: "Moreover, as the GDPR and its novel international data transfer requirements became applicable in Norway on 20 July 2018, Datatilsynet decided not to investigate the part of Complaint No 1 dealing with an alleged unlawful transfer of personal data that took place in May 2018 (or earlier)." It would have been interesting to see how the DPA would have dealt with this, had the complaint been submitted on or after 20 July!

Further Resources

The controller's response to the fine: press release (in Norwegian).

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

SATS ASA

 Postboks 4949 NYDALEN

 0423 OSLO








Your reference          Our reference                                      Date
                        20/02422-9                                         06.02.2023



Administrative Fine - SATS ASA

    1. Introduction and Summary


The Norwegian Data Protection Authority (hereinafter “Datatilsynet”, “we”, “us”, “our”) is the
independent supervisory authority responsible for monitoring the application of the General
                                        1
Data Protection Regulation (“GDPR”) with respect to Norway.

Between 2 October 2018 and 8 December 2021, Datatilsynet received several complaints
against SATS ASA (hereinafter “SATS”, “you”, “your”, “the company”). In essence, all such

complaints concerned alleged infringements of data subjects’ rights committed by SATS, in
particular in connection with its handling of data subjects’ requests submitted pursuant to
Articles 15 and 17 GDPR.


After having investigated all of these complaints, Datatilsynet hereby issues an administrative
fine of NOK 10 000 000 (ten million) against SATS for having violated Articles 5(1)(a) and
(e), 6(1), 12, 13, 15 and 17 GDPR.


    2. Datatilsynet’s Decision


Pursuant to Article 58(2)(i) GDPR, Datatilsynet issues an administrative fine of NOK 10 000
000 (ten million) against SATS ASA for:


    •   having infringed Articles 12(3) and 15 GDPR byfailing to timelyact upon two separate
        access requests;


    •   having infringed Articles 5(1)(e), 12(3) and 17 GDPR by failing to take prompt action
        and erase certain personal data without undue delay pursuant to three separate erasure
        requests;


1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons withregard to the processingofpersonal data and onthe free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) OJ [2016] L 119/1.

Postal address:  Office addressPhone:         Ent.reg:        Home page:
P.O. Box 458 Sentrum Trelastgat+47 22 39 69 00974 761 467     www.datatilsynet.no/en/
N-0105 OSLO      N-0191 OSLO    •   having infringed Articles 5(1)(a), 12(1) and 13 GDPR by failing to duly inform data
        subjectsaboutitsdataretentionpolicyconcerningthepersonaldataofbannedmembers,
        and the relevant legal basis for the processing; and


    •   having infringed Articles 5(1)(a) and 6(1) GDPR by failing to rely on a valid lawful
        basis to process the training history data of the members of its fitness centers.


Our inquiryhas onlyfocused on SATS’ compliance with Articles 5, 6, 12, 13, 15 and 17 GDPR
in connection with the complaints against SATS lodged with Datatilsynet between 2 October

2018 and 8 December 2021. Thus, the present decision is without prejudice to the possibility
of openingfuture inquiries into SATS’ compliance with other provisions of the GDPR and with
respect to other data subjects.


    3. Factual Background


On 2 October 2018, Datatilsynet received a complaint against SATS (Case 20/01746,
previously 18/03153). This complaint was submitted by a member of the fitness centers run
by SATS in Norway (hereinafter “Complainant No 1”) who essentially claimed that in May
                                                                               3
2018 (or earlier), SATS Norway AS (i.e., an entity of SATS’ corporate group) had transferred
theirpersonal datato othercompanies withinits corporate group, as well as toFacebookoutside
the EU/EEA, without a proper legal ground. Complainant No 1 also claimed that an access

request they submitted on 29 August 2018 to privacy@satselixia.no pursuant to Article 15
GDPR has remained unanswered.     5


On 1 March 2019, Datatilsynet received another complaint against SATS (Case 20/02422,
previously 19/00817). This complaint was submitted by another member of the fitness centers
run by SATS in Norway (hereinafter “Complainant No 2”) who essentially claimed that SATS

failed to respond to an access request they submitted on 25 February 2019 pursuant to Article
15 GDPR, and refused to comply with an erasure request they submitted on the same date
pursuant to Article 17 GDPR, after they had their membership terminated by SATS.      7


On 7 October 2019, Datatilsynet received yet another complaint against SATS (Case 20/01707,
previously 19/03020). This complaint was submitted by another member of the fitness centers

run by SATS in Norway (hereinafter “Complainant No 3”) who essentially claimed that SATS
refused to comply with an erasure request they submitted to SATS on 5 October 2019 pursuant
to Article 17 GDPR, after they had their membership terminated by SATS.     9




2See letter to Datatilsynet dated 2 October 2018 (hereinafter “Complaint No 1”).
3When the complaint was lodged with Datatilsynet SATS Norway AS was named HFN Norway AS.
4See Complaint No 1.
5
6Ibid.
7See email to Datatilsynet dated 1 March 2019 (hereinafter “Complaint No 2”).
 Ibid.
8See email to Datatilsynet dated 7 October 2019 (hereinafter “Complaint No 3”).
9Ibid.



                                                                                               2On 7 September 2021 and 5 October 2021, Datatilsynet formally approached SATS and asked
                                                                                                  10
the company to express its views on the issues raised in Complaint No 2 and Complaint No 3.
We received SATS’ replies on 1 December 2021.       11


On 8 December 2021, Datatilsynet received one more complaint against SATS (Case
21/04061). This complaint was submitted by yet another member of the fitness centers run by
SATS in Norway(hereinafter “Complainant No 4”) who essentiallyclaimed that SATS refused

to comply with an erasure request they submitted on 6 August 2021 pursuant to Article 17
GDPR.


On 23 March 2022, Datatilsynet sent further questions to SATS on all of the above
complaints. We received SATS’ response on 28 April 2022.         14


Given that all of the above complaints concerned partiallysimilar alleged infringements of data
subjects’ rights committed by SATS, Datatilsynet decided to handle all of these complaints
jointly, also for reasons of procedural efficiency. Moreover, as the GDPR and its novel

international data transfer requirements became applicable in Norway on 20 July 2018,
Datatilsynet decided not to investigate the part of Complaint No 1 dealing with an alleged
unlawful transfer of personal data that took place in May 2018 (or earlier).    15However, this is

without prejudice to the possibility of opening future inquiries into SATS’ compliance with
data transfer requirements.


After having investigated all of these complaints, on 26 September 2022, Datatilsynet sent
SATS an advance notification of its intention to issue an administrative fine of NOK 10 000
000 (ten million) against SATS for having violated several provisions of the GDPR.       16


On 31 October 2022, SATS submitted written representations to Datatilsynet regarding the
contested violations and envisaged administrative fine. The present decision takes account of
                               17
such written representations. However, in our view, SATS’ submissions do not warrant any
significant changes in our assessment of the present case, as outlined in further detail below.


On 30 December 2022, Datatilsynet submitted a draft decision—which was in line with the
above advance notification—to the other supervisory authorities concerned in accordance with
Article 60(3) GDPR. None of the other supervisory authorities concerned expressed a relevant
and reasoned objection to the draft decision within four weeks after having been consulted by
                                                                      18
Datatilsynet. Thus, Datatilsynet is bound by that draft decision,        which is mirrored in the
present decision.


10See Datatilsynet’s letters to SATS dated 7 September and 5 October 2021.
11See SATS’ letters to Datatilsynet dated 1 December 2021.
12See email to Datatilsynet dated 8 December 2021 (hereinafter “Complaint No 4”).
13See Datatilsynet’s letter to SATS dated 23 March 2022.
14See SATS’ letter to Datatilsynet dated 28 April 2022.
15
  See also Article 57(1)(f) GDPR, which specifies that supervisory authorities should investigate complaints “to
16e extent appropriate”.
  See Datatilsynet’s letter to SATS dated 26 September 2022.
17See SATS’ letter to Datatilsynet dated 31 October 2022.
18See Art. 60(6) GDPR.



                                                                                                  3    4. Legal Background


    4.1. Scope of Application of the GDPR

Under Article 2(1) GDPR, the Regulation:

    “[…] applies to the processing of personal data wholly or partly by automated means and
    to the processing other than by automated means of personal data which form part of a

    filing system or are intended to form part of a filing system.”

Moreover, Article 3(1) GDPR provides that the Regulation:

    “[…] applies to the processing of personal data in the context of the activities of an
    establishment of a controller or a processor in the Union, regardless of whether the
    processing takes place in the Union or not.”


    4.2. Definitions

The GDPR lays down the following definitions, which are relevant in the present case:

Pursuant to Article 4(1) GDPR:

    “‘personal data’ means any information relating to an identified or identifiable natural

    person (“data subject”); an identifiable natural person is one who can be identified,
    directly or indirectly, in particular by reference to an identifier such as a name, an
    identification number, location data, an online identifier or to one or more factors specific
    to the physical, physiological, genetic, mental, economic, cultural or social identity of that
    natural person.”

Pursuant to Article 4(2) GDPR:


    “‘processing’ means any operation or set of operations which is performed on personal
    data or on sets of personal data, whether or not by automated means, such as collection,
    recording, organisation, structuring, storage, adaptation or alteration, retrieval,
    consultation, use, disclosure by transmission, dissemination or otherwise making available,
    alignment or combination, restriction, erasure or destruction.”

Pursuant to Article 4(7) GDPR:


    “‘controller’ means the natural or legal person, public authority, agency or other body
    which, alone or jointly with others, determines the purposes and means of the processing
    of personal data; where the purposes and means of such processing are determined by
    Union or Member State law, the controller or the specific criteria for its nomination may
    be provided for by Union or Member State law.”





                                                                                            4Pursuant to Article 4(11) GDPR:

    “‘consent’ of the data subject means any freely given, specific, informed and unambiguous
    indication of the data subject's wishes by which he or she, by a statement or by a clear
    affirmative action, signifies agreement to the processing of personal data relating to him or
    her.”


Pursuant to Article 4(16) GDPR:

    “‘main establishment’ means:

    (a) as regards a controller with establishments in more than one Member State, the place
        of its central administration in the Union, unless the decisions on the purposes and
        means of the processing of personal data are taken in another establishment of the

        controller in the Union and the latter establishment has the power to have such
        decisions implemented, in which case the establishment having taken such decisions is
        to be considered to be the main establishment; […]”.

Pursuant to Article 4(23) GDPR:

    “‘cross-border processing’ means either:


    (a) processing of personal data which takes place in the context of the activities of
        establishments in more than one Member State of a controller or processor in the Union
        where the controller or processor is established in more than one Member State; or

    (b) processing of personal data which takes place in the context of the activities of a single

        establishment of a controller or processor in the Union but which substantially affects
        or is likely to substantially affect data subjects in more than one Member State.”

    4.3. Lawfulness of Processing, Information Obligations and Data Subjects’ Rights

Article 5(1) GDPR reads as follows:


    “1. Personal data shall be:

        (a) processedlawfully,fairlyandin a transparent manner in relation to thedata subject
           (‘lawfulness, fairness and transparency’);

        (b) collected for specified, explicit and legitimate purposes and not further processed
           in a manner that is incompatible with those purposes; further processing for

           archiving purposes in the public interest, scientific or historical research purposes
           or statistical purposes shall, in accordance with Article 89(1), not be considered to
           be incompatible with the initial purposes (‘purpose limitation’);






                                                                                               5        (c) adequate, relevant and limited to what is necessary in relation to the purposes for
            which they are processed (‘data minimisation’);

        (d) accurate and, where necessary, kept up to date; every reasonable step must be taken
            to ensure that personal data that are inaccurate, having regard to the purposes for
            which they are processed, are erased or rectified without delay (‘accuracy’);


        (e) kept in a form which permits identification of data subjects for no longer than is
            necessaryfor thepurposesfor whichthepersonal data areprocessed;personal data
            may be stored for longer periods insofar as the personal data will be processed
            solely for archiving purposes in the public interest, scientific or historical research
            purposes or statistical purposes in accordance with Article 89(1) subject to
            implementation of the appropriate technical and organisational measures required
            by this Regulation in order to safeguard the rights and freedoms of the data subject

            (‘storage limitation’);

        (f) processed in a manner that ensures appropriate security of the personal data,
            including protection against unauthorised or unlawful processing and against
            accidental loss, destruction or damage, using appropriate technical or
            organisational measures (‘integrity and confidentiality’).”


Moreover, Article 6(1) GDPR reads:

    “1. Processing shall be lawful only if and to the extent that at least one of the following
    applies:

    (a) the data subject has given consent to the processing of his or her personal data for

        one or more specific purposes;

    (b) processing is necessary for the performance of a contract to which the data subject is
        party or in order to take steps at the request of the data subject prior to entering into a
        contract;

    (c) processing is necessary for compliance with a legal obligation to which the controller

        is subject;

    (d) processing is necessary in order to protect the vital interests of the data subject or of
        another natural person;

    (e) processing is necessary for the performance of a task carried out in the public interest
        or in the exercise of official authority vested in the controller;


    (f) processing is necessary for the purposes of the legitimate interests pursued by the
        controller or by a third party, except where such interests are overridden by the
        interests or fundamental rights and freedoms of the data subject which require
        protection of personal data, in particular where the data subject is a child. […]”




                                                                                                  6Further, Article 12(1) and (3) GDPR reads:

    “The controller shall take appropriate measures to provide any information referred to in
    Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to
    processing to the data subject in a concise, transparent, intelligible and easily accessible
    form, using clear and plain language, in particular for any information addressed

    specifically to a child. The information shall be provided in writing, or by other means,
    including, where appropriate, by electronic means. When requested by the data subject, the
    information may be provided orally, provided that the identity of the data subject is proven
    by other means.

    […]


    The controller shall provide information on action taken on a request under Articles 15
    to 22 to the data subject without undue delay and in any event within one month of receipt
    of the request. That period may be extended by two further months where necessary, taking
    into account the complexity and number of the requests. The controller shall inform the
    data subject of any such extension within one month of receipt of the request, together with
    the reasons for the delay. Where the data subject makes the request by electronic form
    means, the information shall be provided by electronic means where possible, unless

    otherwise requested by the data subject.”

Article 13(1)(c) and (2)(a) GDPR provides:

    “1. Where personal data relating to a data subject are collected from the data subject, the
    controller shall, at the time when personal data are obtained, provide the data subject with

    all of the following information:

    […]

    (c) the purposes of the processing for which the personal data are intended as well as the
        legal basis for the processing;


    […]

    2. In addition to the information referred to in paragraph 1, the controller shall, at the
    time when personal data are obtained, provide the data subject with the following further
    information necessary to ensure fair and transparent processing:

        (a) the period for which the personal data will be stored, or if that is not possible, the

            criteria used to determine that period […].”

Furthermore, Article 15 GDPR reads:






                                                                                               7    “1. The data subject shall have the right to obtain from the controller confirmation as to
    whether or not personal data concerning him or her are being processed, and, where that
    is the case, access to the personal data and the following information:

    (a) the purposes of the processing;

    (b) the categories of personal data concerned;


    (c) the recipients or categories of recipient to whom the personal data have been or will be
        disclosed, in particular recipients in third countries or international organisations;

    (d) where possible, the envisaged period for which the personal data will be stored, or, if
        not possible, the criteria used to determine that period;


    (e) the existence of the right to request from the controller rectification or erasure of
        personal data or restriction of processing of personal data concerning the data subject
        or to object to such processing;

    (f) the right to lodge a complaint with a supervisory authority;

    (g) where the personal data are not collected from the data subject, any available

        information as to their source;

    (h) the existence of automated decision-making, including profiling, referred to in Article
        22(1) and (4) and, at least in those cases, meaningful information about the logic
        involved, as well as the significance and the envisaged consequences of such processing
        for the data subject.


    2.    Where personal data are transferred to a third country or to an international
    organisation, the data subject shall have the right to be informed of the appropriate
    safeguards pursuant to Article 46 relating to the transfer.

    3. The controller shall provide a copy of the personal data undergoing processing. For
    any further copies requested by the data subject, the controller may charge a reasonable

    fee based on administrative costs. Where the data subject makes the request by electronic
    means, and unless otherwise requested by the data subject, the information shall be
    provided in a commonly used electronic form.

    4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights
    and freedoms of others.”


In addition, Article 17 GDPR reads:

    “1.   The data subject shall have the right to obtain from the controller the erasure of
    personal data concerning him or her without undue delay and the controller shall have the





                                                                                                 8obligation to erase personal data without undue delay where one of the following grounds
applies:

(a) the personal data are no longer necessary in relation to the purposes for which they
    were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point

    (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground
    for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no
    overriding legitimate grounds for the processing, or the data subject objects to the
    processing pursuant to Article 21(2);


(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or
    Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society
    services referred to in Article 8(1).


2.   Where the controller has made the personal data public and is obliged pursuant to
paragraph 1 to erase the personal data, the controller, taking account of available
technology and the cost of implementation, shall take reasonable steps, including technical
measures,toinformcontrollerswhichareprocessingthepersonaldatathatthedatasubject
has requestedthe erasure bysuch controllers of anylinks to, or copyor replicationof, those

personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member

    State law to which the controller is subject or for the performance of a task carried out
    in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h)
    and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes

    or statistical purposes in accordance with Article 89(1) in so far as the right referred to
    in paragraph 1 is likely to render impossible or seriously impair the achievement of the
    objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.”




                                                                                             9    4.4. Competence, Tasks and Powers of Supervisory Authorities under the GDPR

Pursuant to Article 55(1) GDPR:

    “Each supervisory authority shall be competent for the performance of the tasks assigned
    to and the exercise of the powers conferred on it in accordance with this Regulation on the

    territory of its own Member State.”

Further, Article 56(1) GDPR reads as follows:

    “Without prejudice to Article 55, the supervisory authority of the main establishment or of
    the single establishment of the controller or processor shall be competent to act as lead
    supervisory authority for the cross-border processing carried out by that controller or

    processor in accordance with the procedure provided in Article 60.”

Pursuant to Article 58(2) GDPR:

    “2. Each supervisory authority shall have all of the following corrective powers:

    (a) to issue warnings to a controller or processor that intended processing operations are

        likely to infringe provisions of this Regulation;

    (b) to issue reprimands to a controller or a processor where processing operations have
        infringed provisions of this Regulation;

    (c) to order the controller or the processor to comply with the data subject's requests to

        exercise his or her rights pursuant to this Regulation;

    (d) to order the controller or processor to bring processing operations into compliance
        with the provisions of this Regulation, where appropriate, in a specified manner and
        within a specified period;

    (e) to order the controller to communicate a personal data breach to the data subject;


    (f) to impose a temporary or definitive limitation including a ban on processing;

    (g) to order the rectification or erasure of personal data or restriction of processing
        pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to
        whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;


    (h) to withdraw a certification or to order the certification body to withdraw a certification
        issued pursuant to Articles 42 and 43, or to order the certification body not to issue
        certification if the requirements for the certification are not or are no longer met;






                                                                                               10    (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of
        measures referred to in this paragraph, depending on the circumstances of each
        individual case;

    (j) to order the suspension of data flows to a recipient in a third country or to an
        international organisation.”


Pursuant to Article 83(1) to (5) GDPR:

    “1.   Each supervisory authority shall ensure that the imposition of administrative fines
    pursuant to this Article in respect of infringements of this Regulation referred to in
    paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and
    dissuasive.


    2. Administrative fines shall, depending on the circumstances of each individual case, be
    imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of
    Article 58(2). When deciding whether to impose an administrative fine and deciding on the
    amount of the administrative fine in each individual case due regard shall be given to the
    following:

    (a) thenature,gravityanddurationoftheinfringementtakingintoaccountthenaturescope

        or purpose of the processing concerned as well as the number of data subjects affected
        and the level of damage suffered by them;

    (b) the intentional or negligent character of the infringement;

    (c) any action taken by the controller or processor to mitigate the damage suffered by data

        subjects;

    (d) the degree of responsibility of the controller or processor taking into account technical
        and organisational measures implemented by them pursuant to Articles 25 and 32;

    (e) any relevant previous infringements by the controller or processor;


    (f) the degree of cooperation with the supervisory authority, in order to remedy the
        infringement and mitigate the possible adverse effects of the infringement;

    (g) the categories of personal data affected by the infringement;

    (h) the manner in which the infringement became known to the supervisory authority, in
        particular whether, and if so to what extent, the controller or processor notified the

        infringement;

    (i) where measures referred to in Article 58(2) have previously been ordered against the
        controller or processor concerned with regard to the same subject-matter, compliance
        with those measures;




                                                                                              11(j) adherence to approved codes of conduct pursuant to Article 40 or approved
    certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case,
    such as financial benefits gained, or losses avoided, directly or indirectly, from the
    infringement.


3.    If a controller or processor intentionally or negligently, for the same or linked
processing operations, infringes several provisions of this Regulation, the total amount of
the administrative fine shall not exceed the amount specified for the gravest infringement.

4.   Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up

to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is
higher:

    (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to
        39 and 42 and 43;

    (b) the obligations of the certification body pursuant to Articles 42 and 43;


    (c) the obligations of the monitoring body pursuant to Article 41(4).

5.   Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up
to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is

higher:

    (a) the basic principles for processing, including conditions for consent, pursuant to
        Articles 5, 6, 7 and 9;

    (b) the data subjects' rights pursuant to Articles 12 to 22;


    (c) the transfers of personal data to a recipient in a third country or an international
        organisation pursuant to Articles 44 to 49;

    (d) any obligations pursuant to Member State law adopted under Chapter IX;

    (e) non-compliance with an order or a temporary or definitive limitation on processing
        or the suspension of data flows by the supervisory authority pursuant to Article

        58(2) or failure to provide access in violation of Article 58(1). […]”








                                                                                            12    4.5. EEA and Norwegian Law

The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”)

Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint
Committee Decision”).  19


Article 1(b) of the EEA Joint Committee Decision provides that:

    “[…] the terms “Member State(s)” and “supervisory authorities” shall be understood to
    include, in addition to their meaning in the Regulation, the EFTA States and their

    supervisory authorities, respectively.”

Further, Article 1(c) of the EEA Joint Committee Decision reads as follows:


    “References to Union law or Union data protection provisions shall be understood as
    referring to the EEA Agreement or data protection provisions contained therein,
    respectively.”

                                                                                20
The Norwegian Personal Data Act incorporated the GDPR into Norwegian law. The Personal
Data Act and the GDPR became applicable in Norway on 20 July 2018.      21


    5. Datatilsynet’s Competence

SATS runs a chain of fitness centers. It has its headquarter in Norway, but has also operations
                                              22
and offices in Denmark, Finland and Sweden.

Thus, SATS has several establishments in theEU/EEA,including in Norway, andin the context
of the activities of these establishments it processes personal data, including the personal data

of its customers (i.e., the about 700 000 members of its fitness centers), such as the
complainants. Therefore, the GDPR applies to such data processing activities in accordance
with Article 3(1) GDPR.


With respect to the processing of the personal data of the complainants, SATS (i.e., the
controlling undertaking of the SATS group) qualifies as a controller (within the meaning of
Article 4(7) GDPR), as it is SATS that had a factual influence on and decided the means and









19Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 amending Annex XI (Electronic
communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in
Article 101) to the EEA Agreement OJ [2018] L 183/23.
20Act No 38 of 15 June 2018 relating to the processing of personal data (“personopplysningsloven”).
21Ibid., § 32.
22See SATS’ letter to Datatilsynet dated 28 April 2022.




                                                                                             13                                                                                                            23
purposes of the relevant personal data processing, as acknowledged in SATS’ privacy policy.
ThecompanyhasnotdisputedSATS’controllerstatusinthecontextofDatatilsynet’sinquiry.                           24


As a controller, SATS has it main establishment (within the meaning of Article 4(16) GDPR)
in Norway. Moreover, the processing of the personal data of SATS members, including the
complainants, qualifies as cross-border processing under Article 4(23) GDPR. This is because,

although all complainants are members of SATS’ fitness centers in Norway, SATS members’
personal data may be accessed by SATS’ staff in all of the European countries in which SATS

operates, and SATS’ internal routines and policies on data storage, erasu26 and access are the
same in all of the European countries in which SATS operates.


Therefore, the cooperation mechanism and procedure set out in Articles 56(1) and 60 GDPR
apply to the present case, and Datatilsynet is competent to act as lead supervisory authority in
the case at hand pursuant to Article 56(1) GDPR. This was not disputed by SATS in the course
                 27
of our inquiry.

    6. Datatilsynet’s Assessment


    6.1. Findings of a Violation of Articles 12(3) and 15 GDPR


The evidence collected by Datatilsynet shows that Complainant No 1 and Complainant No 2
each submitted an access request to SATS, on 29 August 2018 and 25 February 2019. Both               28

requests were explicit in demanding either information on the recipients of the complainant’s
personal data and the legal ground for sharing their personal data with such recipients,              29 or a
                                                     30
copy of the personal data of the complainant. In this regard, it should be noted that, in order
to make an access request under the GDPR, it is sufficient for the requesting data subjects to
specify that they want to obtain information on the processing of their personal data, and it is



23See SATS’ privacy policy from September 2021 (attached to Complaint No 4), which states (in Norwegian):
“Denne personvernerklæringen er ment å gi informasjon om hvordan og hvorfor SATS Group AS («SATS
Group») samler inn og behandler personopplysninger. Det er SATS Group v/CEO som er behandlingsansvarlig

for opplysninger som samles inn og behandles av SATS Group.” Note that, on 11 October 2022, SATS’ Nordic
Head of Legal & Compliance informed us that SATS Group AS does not exist any longer, and that all
correspondence should instead be addressed to SATS ASA.
24Cf. SATS’ letters to Datatilsynet dated 1 December 2021, 23 March 2022, 28 April 2022 and 31 October 2022.
25 See SATS’ letter to Datatilsynet dated 28 April 2022 (stating (in Norwegian): “SATS har sin
hovedadministrasjon i Oslo og den aktuelle behandlingen blir utført fra samme sted, slik at «hovedvirksomheten»
er i Norge i personvernforordningens forstand”).
26See SATS’ letter to Datatilsynet dated 28 April 2022.
27
28Cf. SATS’ letter to Datatilsynet dated 31 October 2022.
  See correspondence attached to Complaint No 1 and Complaint No 2.
29See Complainant No 1’s email to privacy@satselixia.no dated 29 August 2018 (stating: “I would like to receive
information on the parties that my personal data has been shared with, categories of data sent to those parties, as
well as legal grounds for such sharing”).
30See Complainant No 2’s email to SATS’ Customer Service Manager (i.e., the SATS’ employee who notified
them of the revocation of their SATS membership) dated 25 February 2019 (stating: “Personopplysninger skal

være forsvarlig innhentet og korrekt, men her bygger Sats utestengelsen alene på betjeningen sin versjon av saken
uten kontradiksjon. Dette er i strid med personopplysningsloven. Jeg ber derfor om innsyn og kopi av samtlige
opplysninger i sakens anledning med; innhold, dato og klokkeslett”).



                                                                                                           14                                                             31
not necessary to specify the legal basis of the request. Further, both requests were submitted  32
through communication channels made available by SATS for similar inquiries.                       In this
respect, it should be pointed out that if a data subject makes a request using a communication

channel provided by the controller, such request should be considered effective and the
controller should handle such a request accordingly.        33 Therefore, the access requests at hand

were effective and validly submitted for the purpose of Article 15 GDPR.

When Datatilsynet asked SATS whether it responded to such access requests, SATS replied
that it was unableto confirmthat it had taken actionwith respect to the access request submitted
                          34
by Complainant No 1.        SATS further confirmed this in the written representations it sent to
Datatilsynet on 31 October 2022. This is despite the fact that Complainant No 1 sent several
reminders to SATS.     36 In essence, according to the evidence collected by Datatilsynet, that

access request has remained unanswered to this date.

In its written representations, SATS argued that it is arbitrary from the part of Datatilsynet to
contest a violation of Articles 12(3) and 15 GDPR due to a failure to respond to an access

request that was submitted around a month after the GDPR became applicable in Norway, as at
that time many companies experienced challenges in applying the new rules. We take note of

this argument, but find it untenable. As acknowledged by SATS itself, the fact that other
companies faced challenges with adapting to the GDPR after it became applicable in 2018 is
not a valid justification for a violation of the GDPR that started to occur in September 2018.           38

Moreover, it should be stressed that SATS has never replied to the access request of
Complainant No 1—not even after Datatilsynet contacted SATS in connection with Compliant

No 1—with the result that that violation is still ongoing, and therefore it does not only concern
SATS’ failure to act in 2018. Further, it should be noted that Norwegian data subjects enjoyed

a right of access also under the Norwegian Data Protecti39 Act from 2000, which was in force
before the GDPR became applicable in Norway.               Thus, this was not a completely new right
that SATS had to become familiar with only after the GDPR became applicable; the company
                                                                                                         40
should have had appropriate routines in place to timelyrespond to access requests since 2001.
In passing, it should be emphasized that Datatilsynet’s enforcement action in the present case


31EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 1.0, Adopted on 18 January 2022,
para. 50.
32That is the email privacy@satselixia.no, and the email address of SATS’ Customer Service Manager who
notified to Complainant No 2 the termination of their membership.
33EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 1.0, Adopted on 18 January 2022,
paras. 52-57.
34
35See SATS’ letter to Datatilsynet dated 28 April 2022.
  See SATS’ letter to Datatilsynet dated 31 October 2022 (stating (in Norwegian): “SATS erkjenner at man ikke
kan dokumentere svaret på innsynsforespørselen fra klager 1”).
36See correspondence attached to Complaint No 1.
37See SATS’ letter to Datatilsynet dated 31 October 2022.
38Ibid. (stating (in Norwegian): “Det bør bemerkes at forespørselen kom én måned etter GDPR trådte i kraft.
SATS var på den tiden ikke alene med å ha utfordringer med å implementere og operasjonalisere sine nye
personvernrutiner. SATS forstår at det i utgangspunktet ikke er unnskyldende, men […]” (emphasis added)).
39
40Cf. Sections 16 and 18 of the Norwegian Data Protection Act (LOV-2000-04-14-31) (repealed).
  Cf. Section 50 of the Norwegian Data Protection Act (LOV-2000-04-14-31) (repealed). In should be noted that
Complainant No 1 submitted an access request also under the rules in force before July 2018. See the
correspondence attached to Complaint No 1.



                                                                                                        15was triggered by complaints submitted by data subjects—which Datatilsynet is required to
investigate to the extent appropriate and with all due diligence —and it is not the result of an

“arbitrary” ex officio initiative aimed at singling out SATS’ state of compliance.

As for the second access request, SATS first responded that it did not receive anyaccess request
from Complainant No2, andlaternotedthatit respondedto theaccess request ofComplainant
                               43
No 2 on 27 February 2019. Further, in its written representations, SATS acknowledged that it
did not respond satisfactorily to the access request from Complainant No 2.                44 However, the
companynotedthattherequestfromComplainantNo2washandled,halfayearaftertheGDPR

became applicable in Norway, by SATS’ customer service, which at that time was probably
less aware of GDPR requirements than others within the organization; something that—
                                                                                           45
according to SATS—was common to most Norwegian companies at the time. We take note
of this argument, but find it unconvincing. At the outset, it should be noted that there were
                                                                                        46
approximately two years between the entry into force of the GDPR in 2016 and the moment
in which it started to apply in 2018. Therefore, companies had at least two years to adapt to
the new rules, and European supervisory authorities have repeatedly stated that there would be
                                                                       48
no “grace period” after the GDPR became applicable in 2018. Moreover, as previouslynoted,
the alleged similar challenges experienced by other businesses with the implementation of the

GDPR are no valid excuse for a violation committed by SATS. Moreover, as part of its
accountability duties,   49 it was SATS’ responsibility to ensure that its personnel in charge of

handling customers’ inquiries was sufficiently aware of and trained to comply with data
subjects’ rights, also in view of the fact that—as noted above—the right of access was not a
completely new right introduced by the GDPR.


At any rate, in Datatilsynet’s view, SATS did not take adequate action in response to the access
request from Complainant No 2 without undue delay. Most notably, it did not provide any

information on action taken on the request to receive a copy of their personal data that
Complainant No 2 submitted to SATS. The email that SATS sent to Complainant No 2 on 27
February 2019 was mainly a response to the complainant’s erasure request (see section 6.2

below), and did not provide all of the information that the data subject requested and was

41
  See Article 57(1)(f) GDPR. See too CJEU, Case C-311/18, Data Protection Commissioner v Facebook Ireland
42mited and Maximillian Schrems, para. 109.
  See SATS’ letter to Datatilsynet dated 1 December 2021 (stating (in Norwegian): “SATS har ikke registrert å
ha mottatt en anmodning om innsyn”).
43See SATS’ letter to Datatilsynet dated 28 April 2022.
44See SATS’ letter to Datatilsynet dated 31 October 2022 (stating (in Norwegian): “SATS erkjenner også at man
ikke svarte fullgodt på innsynsforespørselen fra klager 2”).
45Ibid.
46
47See Art. 99(1) GDPR.
  See Art. 99(2) GDPR and § 32 personopplysningsloven.
48 See e.g.: <https://www.theparliamentmagazine.eu/news/article/gdpr-no-period-of-grace-following-entry-into-
force>; <https://www.natlawreview.com/article/happy-gdpr-day>.
49See Arts. 5(2) and 24 GDPR.
50In this regard, it should be noted that the EDPB has opined that “The controller shall react and, as a general rule,
provide the information under Art. 15 without undue delay, which in other words means that the information

should be given as soon as possible. This means that, if it is possible to provide the requested information in a
shorter amount of time than one month, the controller should do so.” See EDPB, Guidelines 01/2022 on data
subject rights - Right of access, Version 1.0, Adopted on 18 January 2022, para. 156.



                                                                                                           16                                                 51
entitled to receive under Article 15 GDPR. That email simply provided a brief description of
the incident that led to the termination of the SATS membership of Complainant No 2, and a

small extract of some parts of SATS’ general terms and conditions, as well as information on
SATS’ internal data retention policy regarding the personal data of banned members. In this
regard, it should be noted that “the controller should always be able to demonstrate, that the

way to handle the request aims to give the broadest effect to the right of access and that it is in
line with its obligation to facilitate the exercise of data subjects rights” and that “the notion of
                                                    53
a copy has to be interpreted in a broad sense”. In its written representations, SATS took issue
with the fact that, in its advance notification of an administrative fine, Datatilsynet referred to

the latter two passages in the EDPB’s Guidelines 01/2022 on the right of access, which—
according to SATS—do not reflect the wording of the GDPR, although SATS did not explain
why. In this respect, Datatilsynet notes that, although they are not binding, EDPB guidelines
                                    55
are important interpretative aids that supervisory authorities should take into account to make
sure that they comply with their legal obligation to ensure the consistent application of the
                                     56
GDPR throughout the EU/EEA. Further, in our view, the statements made in such passages
directly follow from the obligation to facilitate the exercise of data subjects rights set out in

Article 12(2) GDPR, as well as from the broad effect that should be given to the data subject’s
right of access so as to ensure that such a right “retains its effectiveness” and to “enable the data
subject to check […] that the data concerning him or her are accurate”, which implies that the
                                                                     57
“the information provided must be as precise as possible”.              This is also because Article 15
“gives specific expression” to the individual right to access data concerning him or her,

enshrined in the second sentence of Article 8(2) of the Charter of Fundamental Rights of the
European Union, as well as Article 8 ECHR. In any event, it should be stressed that SATS

did not provide any copy whatsoever—narrow or broad—of the personal data it processed, as
expressly requested by Complainant No 2 and required by Article 15(3) GDPR.












51 Cf. SATS’ Customer Service Manager’s email to Complainant No 2 dated 27 February 2019 (attached to
Complaint No 2).
52EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 1.0, Adopted on 18 January 2022,
para. 35.
53
54Ibid., para. 25.
  See SATS’ letter to Datatilsynet dated 31 October 2022.
55EDPB guidelines are even used as interpretative aids by European high courts. See e.g. CJEU, Case C-645/19,
Facebook Ireland and Others, para. 74; CJEU, Case C-911/19, ECtHR, Biancardi v. Italy, Application no.
77419/16, judgment of 25 November 2021, paras. 29 and 53.
56See Arts. 51(2) and 70(1)(d)-(m). See too, by analogy, CJEU, Case C-911/19, Fédération bancaire française
(FBF) v Autorité de contrôle prudentiel et de résolution (ACPR), para. 71.
57
58Opinion of Advocate General Pitruzzella in Case C-154/21, RW v Österreichische Post AG, paras. 19 and 26.
59Ibid., para. 14.
  ECtHR, K.H. and Others v. Slovakia, App. No. 32881/04, para. 47.



                                                                                                         17Finally, it should be pointed out that SATS acknowledged that its handling of both of the above
                                                60
access requests was not entirely satisfactory,     and that such requests could have been better
handled. 61

In light of the above, SATS violated Articles 12(3) and 15 GDPR with respect to Complainant
No 1 and Complainant No 2, as it failed to take adequate action on the access requests they

submitted on 29 August 2018 and 25 February2019 within the deadline set out in Article 12(3).

In its written submissions, SATS argued that Datatilsynet’s conclusion that SATS violated both

Article 12(3) and 15 GDPR would violate the principle of ne bis in idem (in Norwegian
“dobbeltstraff”). 62This argument should be rejected. At the outset, it should be recalled that
“the principle ne bis in idem […] do[es] not apply to a situation in which several penalties are

imposed in a single decision, even if those penalties are imposed for the same actions. In fact,
where the same conduct infringes several provisions punishable by fines, the question whether
several fines may be imposed in a single decision falls not within the scope of the principle ne
bis in idem”. 63 Indeed, neither that principle nor the principle governing concurrent offences

“preclude an undertaking from being penalised for an infringement of several distinct legal
provisions, even if those provisions have been infringed by virtue of the same conduct.” This64
is even specificallyenvisaged in Article 83(3) GDPR, which provides that “[i]f a controller […]

for the same or linked processing operations, infringes several provisions of this Regulation,
the total amount of the administrative fine shall not exceed the amount specified for the gravest
infringement” (emphasis added). In any event, Articles 12(3) and 15 GDPR must necessarily

be read (and applied) together—and may thus be cumulatively violated—as the first provision
regulates the timing for taking action on an access request, whereas the second provision
establishes what kind of information must be provided in response to such a request.


    6.2. Findings of a Violation of Articles 5(1)(e), 12(3) and 17 GDPR


The evidence collected by Datatilsynet shows that Complainant No 2, Complainant No 3 and
Complainant No 4 each submitted a data erasure request to SATS, on 25 February 2019, 5
October 2019 and 6 August 2021. In its written representations, SATS wrongly claimed that
the erasure requests were “only two”, whereas the erasure requests assessed by Datatilsynet
            66
were three.




60See SATS’ letter to Datatilsynet dated 28 April 2022 (stating (in Norwegian): “SATS [er] åpen for at det kan ha
skjedd mindre glipper i håndteringen av anmodninger fra de fire klagerne saken gjelder, i relasjon til respons tid
og begrunnelser”).
61 See SATS’ letter to Datatilsynet dated 31 October 2022 (stating (in Norwegian): “SATS erkjenner at
medlemmenes forespørsler kunne vært bedre håndtert”).
62Ibid., p. 9.
63
  GC, Case T-704/14, Marine Harvest ASA v European Commission, para. 344. See too CJEU, Case C-10/18 P,
64wi ASA v European Commission.
  GC, Case T-704/14, Marine Harvest ASA v European Commission, paras. 370-371. See too GC, Case T-609/19,
Canon v European Commission, para. 461; CJEU, Case C-10/18 P, Mowi ASA v European Commission.
65See SATS’ letter to Datatilsynet dated 31 October 2022, p. 3 (stating (in Norwegian): “her er det snakk om kun
to forhold”).
66See Complaints No 2, No 3 and No 4.



                                                                                                  18TheerasurerequestsofComplainantNo2andComplainantNo3concernedalloftheirpersonal
data, and were submitted after the termination of their SATS membership by SATS.
Conversely, the erasure request of Complainant No 4 was not submitted in connection with any

termination of their membership, and concerned only specific kinds of personal data, namely
the logs of their training activities.

                                                             67
SATS eventually responded to all of such requests, although SATS replied 68r the first time               69
to Complainant No 4 – after a reminder from the complainant – on 23 September 2021, i.e.
more than one month after it received their request on 6 August 2021, which constitutes in itself
                                         70
a violation of Article 12(3) GDPR.

In its reply to Complainant No 3 dated 11 October 2019, SATS refused to delete the

complainant’s date of birth, name and picture, and justified this on the basis of the following
internal policy, which was copied verbatim (in English) in the text of the email to the
complainant:


    “If the customer relationship is terminated due to improper behavior from the member,
    name, date of birth and picture shall be kept for 60 months. Further, the member in question

    shallbemarkedas ‘excluded’.Therest ofthedatashallbedeleted,includedpossiblereports
    on the behavior.”    71


Complainant No 3 was further informed by SATS that, based on the above internal policy,
SATS could retain their date of birth, name and picture for 60 months, whereas the rest of their
personal data would be deleted within 30 days.           72 SATS also informed the same complainant

that they would be banned from SATS’ fitness centers for 24 months from the date in which
they received SATS’ notification of the termination of their membership.               73


Complainant No 2 received a partially similar response. Most notably, in its reply to
Complainant No 2 dated 27 February 2019, SATS stated that:






67SATS replied to the erasure requests of Complainants No 2 and No 3 within the deadline set out in Article 12(3)
GDPR, but failed to take adequate action upon such requests, as outlined below.
68See Complainant No 4’s email to SATS dated 16 September 2021 (attached to Complaint No 4).
69As acknowledged by SATS. See SATS’s letter to Datatilsynet dated 28 April 2022.
70
  Article 12(3) GDPR provides that “The controller shall provide information on action taken on a request under
Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the
request. That period may be extended by two further months where necessary, taking into account the complexity
and number of the requests. The controller shall inform the data subject of any such extension within one month
of receipt of the request, together with the reasons for the delay” (emphasis added). Datatilsynet has taken into
account the relatively modest duration of SATS’ delay when setting the amount of the administrative fine issued
against SATS (see Section 7.1 below).
71See email from kundeservice@sats.no to Complainant No 3 dated 11 October 2019 (attached to SATS’ letter to

72tatilsynet dated 1 December 2021).
73Ibid.
  Ibid. (stating (in Norwegian): “du vil være utestengt fra SATS i 24 måneder fra datoen vi sendte deg informasjon
om utestengelsen per brev”).



                                                                                                             19    “Banned members can, in accordance with the GDPR, request to have their training history
    deleted, while other information and the member profile itself can be retained by us for up
                    74
    to 60 months”.

SATS also informed Complainant No 2 that they would be banned from SATS’ fitness centers
                                                75
for one year starting from 21 February 2019.

When asked by Datatilsynet to explain the purposes for which SATS retained and processed

the personal data of banned members (including Complainant No 2 and Complainant No 3),
SATS stated:


    “SATS processes the date of birth, name and photo [of the former member] in connection
    with [their] exclusion, with the aim of being able to prevent the excluded member from
    using SATS’ services during the exclusion period” (emphasis added).       76

                                                                                                   77
After having been notified of our intention to issue an administrative fine, SATS (knowingly)
changed position, and stated that a broader and vaguer purpose applies in this context: “the
purpose of the storage is to be able to process the information in connection with the ban. This
                                                          78
purpose does not expire as soon as the ban is lifted”.      It also claimed that such a change of
position would not affect theassessmentofthelegitimacyoftheretention period. Wedisagree
with the latter claim: any broadening of the scope of the purpose of a processing operation

inevitably affects such an assessment. This is because personal data must be kept for “no longer
than is necessary for the purposes for which the personal data are processed”          80 (emphasis
added), with the result that the necessity of the retention must be assessed vis-à-vis the relevant

purpose. Furthermore, it is not possible to adjust the relevant purpose ex post; the assessment
should be made with respect to the purpose identified by the controller at the outset of the
relevant processing, as it results from theevidence collectedbythesupervisoryauthorityduring

its investigation. Moreover, the answer that SATS provided to Datatilsynet in April 2022
specifically addressed the purpose of processing the personal data of Complainant No 2 and
Complainant No 3—which SATS identified as “being able to prevent the excluded member

fromusingSATS’servicesduringtheexclusionperiod”—whereas initswrittenrepresentations
from October 2022 SATS described the purpose of processing the personal data of banned
members in general. In this respect, Datatilsynet acknowledges that, in certain exceptional

74
  SATS’email to Complainant No 2dated 27February2019(our translation) (stating(inNorwegian): “Utestengte
medlemmer kan i henhold til GDPR be om å få sin treningshistorikk slettet, mens annen informasjon og selve
medlemsprofilen kan beholdes av oss i inntil 60 måneder”).
75SATS’ email to Complainant No 2 dated 21 February 2019 (stating (in Norwegian): “Du er utestengt for 1 år
fra dagens dato”).
76See SATS’letter to Datatilsynet dated 28 April 2022 (our translation) (stating(inNorwegian): “SATS behandler
fødselsdato, navn og bilde i forbindelse med utestengelse, for det formål å kunne forhindre det utestengte
medlemmet fra å benytte seg av SATS’ tjenester i løpet av utestengelsesperioden”).
77
  See SATS’ letter to Datatilsynet date 31 October 2022, p. 3 (stating (in Norwegian): “SATS beklager at formålet
78 noe snevrere angitt i SATS' svar av 28. april 2022 til Datatilsynet”).
   Ibid. (stating (in Norwegian): “[…] er formålet med oppbevaringen å kunne behandle opplysningene i
forbindelse med utestengelsen. Dette formålet utløper ikke straks utestengelsen er opphevet”).
79 Ibid. (stating (in Norwegian): “dette har naturligvis ingenting å si for den rettslige vurderingen av om
oppbevaringstiden er legitim”).
80See Art. 5(1)(e) GDPR.



                                                                                                  20circumstances, SATS may need to process the personal data of banned members for purposes
that go beyond preventing them from using SATS’ services during the exclusion period (e.g. to

defend a legal claim in court, etc.). However, this would not apply invariably in all cases, and
most importantly it does not apply in this case, given that, when asked about the purpose for
which SATS processed the data of Complainant No 2 and Complainant No 3, SATS replied
that it processed such data to be “able to prevent the excluded member from using SATS’
services during the exclusion period”. Therefore, in the present case, Datatilsynet will

exclusively focus on the latter purpose.

A company running a fitness center may legitimately retain and refuse to delete the date of
birth, name and photo of former members who were banned from its fitness center for the entire

duration of the relevant ban. This is because such information is essential to enable the center’s
staff to enforce the ban. However, retaining such personal data for a period longer than the
duration of the ban, or retaining more than the aforementioned personal data (e.g., traininglogs,
correspondence, etc.), violates the storage limitation principle set out in Article 5(1)(e) GDPR
(unless the data are retained for other legitimate purposes beyond preventing the excluded

member from using the center’s services during the exclusion period). This is because the
personal data at hand would no longer be necessary for the purposes for which they are/were
processed.

Whether SATS legitimately refused to act – at least partially – upon the erasure requests

submitted by Complainant No 2 and Complainant No 3 should also be assessed in light of the
actual necessityof processing their data, as the GDPR’s right of erasure applies inter alia where
the personal data are no longer necessary in relation to the purposes for which they were
collected or otherwise processed. 81


In the present case, in our view, SATS failed to comply with Articles 17 and 5(1)(e) GDPR
with respect to the personal data of both Complainant No 2 and Complainant No 3.

Despite the fact that Complainant No 3 required the erasure of all of their personal data on 5

October 2019, and that SATS informed them on 11 October 2019 that their personal data other
than their date of birth, name and picture would be deleted within 30 days, SATS deleted
Complainant No 3’s training logs, membership number, address, telephone number and e-mail
only on 4 November 2021, after the opening of Datatilsynet’s inquiry. In this regard, it should
be noted that “SATS acknowledges that certain member data on complainant […] No 3 were
                                         83
stored beyond SATS’ internal routines”. Thus, with respect to the erasure of such data, SATS
did not take action without undue delay, as required by Article 17(1) GDPR.

Moreover, SATS retained the date of birth, name and picture of Complainant No 3 beyond the
relevant exclusion period of 24 months—as such data were deleted on 4 November 2021 (i.e.,

after Datatilsynet’s inquiry) and the exclusion period started running on 4 October 2019—even
though such data were processed “with the aim of being able to prevent the excluded member

81
82See Art. 17(1)(a) GDPR.
83See SATS’ letter to Datatilsynet dated 28 April 2022.
  See SATS’ letter to Datatilsynet dated 31 October 2022, p. 3 (stating (in Norwegian): “erkjenner SATS at visse
medlemsdata om klager […] 3 ble lagret utover SATS’ internrutiner.”).



                                                                                             21from using SATS’ services during the exclusion period”, with the result that such data were
retained for longer than it was necessary for the purpose for which the data were processed, in

breach of Article 5(1)(e) GDPR.

Similarly, despite the fact that Complainant No 2 required the erasure of all of their personal

dataon25 February2019, and that theabove-cited SATS’internal policyprovidesthatpersonal
data other than the date of birth, name and picture “shall be deleted” after the member’s
exclusion, SATS retained the “address and telephone number” of Complainant No 2 until 4
                  85
November 2021.       It also retained the correspondence with Complainant No 2, at least until
2021. In this respect, it should be noted that “SATS acknowledges that certain member data
on complainant No 2 […] were stored beyond SATS’ internal routines”. SATS claimed that

this was likely due to a mistake,88hich was presumably due to the extraordinary workload
during the Covid-19 pandemic. However, Datatilsynet finds that the pandemic is an irrelevant
factor in this respect, given that the personal data at hand should have been deleted without

undue delay from 25 February 2019, i.e. long before the beginning of the pandemic in Norway.
Moreover, SATS retained the date of birth, name and picture of Complainant No 2 well beyond
the relevant exclusion period of one year, as such data were deleted on 4 November 2021 (i.e.,
after Datatilsynet’s inquiry) and the exclusion period started running on 21 February 2019.

Thus, such data were retained for longer than it was necessary for the purpose for which the
data were processed, in breach of Article 5(1)(e) GDPR, given that they were processed “with
the aim of being able to prevent the excluded member from using SATS’ services during the
                   89
exclusion period”.

In its written representations, SATS argued that the assessment of the necessity of a storage

period is to a large extent discretionary, and that Datatilsynet is not in the position to and should
refrain from questioning the assessment made by the controller.     90 In this respect, it should be
noted that, while it is for the controller to ensure operational compliance with its data retention

obligations, the controller mus91also be able to demonstrate compliance with such obligations
to the supervisory authority,     and thus allow the authority to review whether the retention
periods set bythe controller are justified. Consequently, Datatilsynet is competent to review the

assessment made by the controller to ensure compliance with its retention obligations. In the
present case, Datatilsynet has simply reviewed the necessity of the retention of the data of
Complainants No 2 and 3 in light of: (1) the relevant purpose of the processing identified by
SATS, which is linked to a specific timeframe (“being able to prevent the excluded member

from using SATS’ services during the exclusion period” (emphasis added)); and (2) SATS’


84See SATS’ letter to Datatilsynet dated 1 December 2021 (stating (in Norwegian): “Klager ble utestengt fra
SATS’ sentre den 20. februar 2019 grunnet truende oppførsel motto av SATS’ ansatte. Utestengelsen ble registrert
i SATS’ medlemssystem Exerp. Ved utestengelse lagrer SATS navn, fødselsdato, adresse og telefonnummert”).
85Ibid.
86Excerpts from such correspondence were included by SATS in its reply to Datatilsynet dated 1 December 2021.
87
  See SATS’ letter to Datatilsynet dated 31 October 2022, p. 3 (stating (in Norwegian): “erkjenner SATS at visse
88dlemsdata om klager 2 […] ble lagret utover SATS’ internrutiner.”).
  See SATS’ letter to Datatilsynet dated 28 April 2022 (stating (in Norwegian): “ser det ut til a ha skjedd en glipp
som antagelig skyldes den ekstraordinære arbeidsmengden under pandemien”).
89See SATS’ letter to Datatilsynet dated 28 April 2022 (our translation).
90See SATS’ letter to Datatilsynet dated 31 October 2022, p. 4.
91See Art. 5(2) GDPR.



                                                                                                 22retentionpolicy, whichprovidedthatpersonaldataotherthanthedateofbirth,nameandpicture
“shall be deleted” after the member’s exclusion. Moreover, SATS itself has acknowledged that
it has retained some of the personal data of Complainants No 2 and 3 for longer than its own
internal routines envisaged. Therefore, Datatilsynet has not determined the necessity of the

relevant retention periods in theabstract, in light of its ownsubjective evaluations; it has merely
tested thenecessityof the relevant retention periods in light oftheinformationandjustifications
provided by the controller.

In our view, SATS also violated Articles 17 and 5(1)(e) GDPR with respect to Complainant No

4. This is for the reasons outlined below.

As explained in more detail below (see section 6.4), SATS’ general terms and conditions allow
its members to withdraw consent to the processing of their training historydata and request that

such data be deleted. Thus, in our view, Complainant No 4 legitimately relied on this provision
to withdraw their consent and request the deletion of their training history data on 6 August
2021:


        “Jeg […] trekker herved tilbake mitt samtykke til at SATS kan behandle, lagre eller på
        annen måte oppbevare følgende personopplysninger:
            •  Sporing av hvilket treningssenter jeg trener på

            •  Sporing av hvilke tidspunkter jeg trener på
            •  Annen overvåkning av min treningsaktivitet […]

        Vennligst bekreft at dette er mottatt, at ovennevnte personopplysninger vil bli slettet fra

        og med uke 31, og at ovennevnte personopplysninger ikke vil bl92innhentet, lagret,
        oppbevart eller på andremåter behandlet fra og med uke 31”.

In light of such request, SATS should have deleted the complainant’s training history data

without undue delay in accordance with Article 17(1)(b) GDPR. Instead, SATS replied to
Complainant No 4 that the deletion would take place within 6 months in accordance with its
privacy policy, and explained that such a deletion deadline was set among other things for
ensuring the safety of SATS members and infection tracing during the pandemic. SATS also

informed Complainant No 4 that Article 17(1)(b) was not applicable to their case, as SATS’
legal basis for processing their training history data was “Article 6(1)(b) and (f)”, and the
processing was still necessary in relation to the purposes for which they were collected or
otherwise processed. 94



92See Complainant No 4’s email to privacy@sats.no dated 6 August 2021 (attached to Complaint No 4).
93See SATS’ email to Complainant No 4 dated 23 September 2021 (stating (in Norwegian): “Sletting skjer i
henhold til vårpersonvernerklæring senest etter 6 måneder ved mottatt anmodning om sletting […] Bakgrunnen
for […] slettefristen på 6 måneder etter mottatt krav om sletting, er blant annet sikkerheten til våre medlemmer
samt smittesporing ”).
94See SATS’ email to Complainant No 4 dated 2 October 2021 (stating (in Norwegian): “Vi har tidligere forklart
deg grunnlaget for oppbevaringen i inntil seks måneder fra vi har mottatt en sletteanmodning, som – blant andre
forhold – er knyttet til sikkerheten til våre medlemmer samt smittesporing. Dette er hensyn som faller innenfor
artikkel 17 nr. 1 a) i personvernforordningen (GDPR), som «nødvendige for formålet de ble samlet inn eller
behandlet for», sammenholdt med behandlingsgrunnlaget i artikkel 6 nr. 1 bokstav b) og f). Som konsekvens av




                                                                                               23In our view, SATS’ position on the applicability of Article 6(1)(b), and accordingly on the
inapplicability of Article 17(1)(b), is untenable in this case (see further section 6.4 below).
Moreover, while the retention for a few months of the training logs of the previous last few

weeks or months for infection tracing purposes may be justified in the context of the Covid-19
pandemic, the blanket retention for up to 6 months (after an erasure request) of all available
training logs appears unjustified and disproportionate.        95 Indeed, data retention for infection

tracing purposes should be proportionate to the incubation and infectious period of Covid-19,
which was deemed to require a quarantine period of 14 days for those who had a close contact
with an infected individual in the last 24 hours. The excessiveness of a retention period of 6

months is further supported, for example, by the fact that the Regulation on Digital Infection
Tracing provided for a data retention period of up to 30 days.           97 While SATS insisted in its
written representations that 6 months was a necessary and proportionate retention period, it did
                                                                            98
not provide any evidence or specific arguments to support its view. In any event, it should be
noted that SATS deleted the training history data of Complainant No 4 only on 7 April 2022,
i.e. after the opening of our inquiry and well beyond the 6 months deadline specified by the
           99                                                              100
company. However, SATS stated that this was due to a mistake.

In conclusion, based on the evidence collected by Datatilsynet, it appears that SATS did not

properly handle any of the above three erasure requests. In this regard, it should be noted that
SATS itself has acknowledged that its handling of these erasure requests was not entirely
satisfactory. 101 While, if taken in isolation, each of these episodes of mishandling of a data

subject’srequestisnot verygrave,thefactthattheyhaveoccurredrepeatedlyoveralongperiod
of time and have affected multiple data subjects is indicative of broader, more systemic issues
regarding SATS’ handling of data subjects’ requests. Moreover, it bears emphasizing that

SATSproceededto deletethepersonaldataofalloftheabovecomplainants withaconsiderable
delay, only after Datatilsynet’s inquiry. It would have likely retained such data for even longer
without our intervention.



at det på denne bakgrunn foreligger et lovlig formål for behandlingen og utsatt sletting, har du heller ikke et krav
på omgående sletting i medhold av artikkel 17 nr. 1bokstav b).”).
95Note that Complainant No 4 has been a member of SATS for about 8 years. Thus, they likely generated a
considerable amount oftraininglogs over these years, and SATS’retentionofthe traininglogs for infection tracing
purposes was not limited to the previous last few weeks or months.
96Forskrift om smitteverntiltak mv. ved koronautbruddet (Covid-19-forskriften). In our guidelines on infection

tracing published on 21 September 2020 we wrote that “It will not normally be necessary to store information
about visitors for infection control reasons for more than 14 days”. See Datatilsynet, Besøksregistrering og
smittesporing (21.09.2020) (stating (in Norwegian): “Det vil normalt ikke være nødvendig å lagre opplysninger
om besøkende av smittevernhensyn i mer enn 14 dager”) <https://www.datatilsynet.no/personvern-pa-ulike-
omrader/korona/besoksregistrering-og-smittesporing/>.
97Forskrift om digital smittesporing og epidemikontroll i anledning utbrudd av Covid-19.
98SATS simply stated (in Norwegian) “SATS’ vurdering om lagringstid er uansett rimelig og forsvarlig, og da er
det ikke avgjørende om Datatilsynet skulle ha et noe avvikende syn på tidens lengde”. Cf. SATS’ letter to
Datatilsynet dated 31 October 2022, p. 4.
99
100ee SATS’ letter to Datatilsynet dated 28 April 2022.
101Ibid.
   See SATS’ letter to Datatilsynet dated 28 April 2022 (stating: “SATS [er] åpen for at det kan ha skjedd mindre
glipper i håndteringen av anmodninger fra de fire klagerne saken gjelder, i relasjon til respons tid og
begrunnelser”).



                                                                                                         24In its written submissions, SATS argued that Datatilsynet’s conclusion that SATS breached
Articles 5(1)(e), 12(3) and 17 GDPR would violate the principle of ne bis in idem.          102This

argument should be rejected. As noted above, that principle does not preclude an undertaking
from being penalised for an infringement of several distinct legal provisions, even if those
provisions have been infringed by virtue of the same conduct.     103Moreover, it should be noted

that Article 12(3) and 17 GDPR must necessarilybe read (and applied) together—and maythus
be cumulatively violated—as the first provision regulates the timing for providing information
on the action taken on a request under Article 17, whereas the second provision establishes
upon what conditions the right to erasure set out in Article 17 applies.


As for the contested violation of Article 5(1)(e), SATS also argued that “it will always be the
case that a breach of a specific obligation [in the GDPR] also represents a breach of one of the
privacy principles” and therefore the two breaches should not be cumulated.      104This argument

should be rejected. If one would follow SATS’ argument, a violation of Article 5 should never
becontested. However,this would depriveArticle 83(5)(a)ofessentiallyanyeffect, as thelatter
provision establishes a specific fine for infringements of “the basic principles for processing
                             105
[…] pursuant to Article 5”.     It must be clear that, in our view, the basic principles in Article
5 are both general rules that shall guide the reading of other provisions in the GDPR and legal
requirements in their own right. In particular, Article 17 should be read jointly and in light of
the principle set out in Article 5(1)(e), but the latter provision may also be breached on its own.

This has occurred in the present case with respect to the personal data that SATS could
legitimately retain for a while after the relevant erasure request (e.g., date of birth, name and
photo of banned members), but that it eventually retained for much longer than it was actually

necessary. Finally, it should be noted that the EDPB has already found that the same conduct
may lead to the simultaneous breach of a principle in Article 5 and of the obligations stemming
from that principle in the rest of the GDPR.  106


    6.3. Findings of a Violation of Articles 5(1)(a), 12(1), 13(1)(c) and 13(2)(a) GDPR

It is apparent from the evidence collected by Datatilsynet that SATS has established a specific
data retention policy with respect to the personal data of members whose membership is

terminated by SATS. The policy reads as follows:

        “If the customer relationship is terminated due to improper behavior from the member,

        name, date of birth and picture shall be kept for 60 months. Further, the member in

102
103ee SATS’ letter to Datatilsynet dated 31 October 2022, p. 9.
   GC, Case T-704/14, Marine Harvest ASA v EuropeanCommission, paras. 370-371.See tooGC, Case T-609/19,
104on v European Commission, para. 461.
   See SATS’ letter to Datatilsynet dated 31 October 2022, p. 9 (stating in Norwegian: “Det vil så å si alltid være
slik at et brudd på en konkret forpliktelse også representerer brudd på et av personvernprinsippene. Datatilsynet
må naturligvis påse at man ikke anser ett og samme forhold som to brudd på GDPR og regner dette dobbelt i sin
vurdering av overtredelsesgebyr.”).
105See EDPB, Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory
Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR, Adopted on 28 July 2021, para. 191.
106See EDPB, Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory
Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR, Adopted on 28 July 2021, paras. 183-201.




                                                                                                 25        question shall be marked as ‘excluded’. The rest of the data shall be deleted, included
        possible reports on the behaviour”.  107

                                                                                             108
This policy was apparently developed bySATS in cooperation with an external law firm             and
appears to be a standard internal policy given that all of SATS’ replies to the erasure requests
mentioned abovereferto this 60 monthsretention period,andthatthepolicyat handwas quoted
                                                                     109
in English in an email in Norwegian to a Norwegian data subject,        which—in our view—may
indicate that SATS’ customer service copied it from an internal document in English.


Nonetheless, no publicly available documents (including SATS’ privacy policy and terms of
service) provide specific information on the retention period at hand, as acknowledged by
SATS.  110 In this respect, SATS initially noted that the duration of the exclusion of a member

mayvaryand that thereforeit is impossibleto provide general informationonthestorage period
applicable to the personal data of banned members, and that in anyevent SATS’ privacy policy
mentions that personal data are stored for as long as it is necessary for achieving the purposes
for which they are obtained.   111However, in its written representations, SATS acknowledged
                                                           112
that it should have been more transparent on this point.

For the sake of clarity and completeness, Datatilsynet notes that SATS was not sufficiently

transparent regarding its data retention policy for the following reasons. First, given that SATS
formalized such a retention policy internally, one may not logically argue that it is impossible
to inform data subjects of such policy in advance, as this could have been done for example by

simply copying the above-quoted wording in SATS’ privacy policy. Secondly, to comply with
Article 13(2)(a) GDPR, it is not sufficient to state that personal data will be stored for as long
as necessary, without providing any additional information that would enable the data subject
toassess,onthebasisoftheirownsituation,theretentionperiodforspecific dataorpurposes.              113


Therefore, in ourview,SATS violatedArticles5(1)(a) and13(2)(a) GDPR,as it failedto ensure
transparency about the period for which it stores the personal data of banned members and/or

the criteria used to determine that period. Under Article 13(1) GDPR, such information should
have been provided “at the time when personal data are obtained”. Therefore, it is not sufficient
to inform data subjects about this retention period when SATS notifies them of the termination
of their membership.


On a general note, Datatilsynet has strong reservations about a blanket storage period of 60
months for personal data of banned members. This is because 60 months is an extraordinarily


107See email from kundeservice@sats.no to Complainant No 3 dated 11 October 2019 (attached to SATS’ letter
to Datatilsynet dated 1 December 2021).
108
109Ibid. See too SATS’ letter to Datatilsynet dated 31 October 2022, p. 5.
   See email from kundeservice@sats.no to Complainant No 3 dated 11 October 2019 (attached to SATS’ letter
110Datatilsynet dated 1 December 2021).
   See SATS’ letter to Datatilsynet dated 28 April 2022.
111Ibid.
112See SATS’letter to Datatilsynet dated 31October2022, p. 5(statingin(Norwegian) “På dette punktet tar SATS
selvkritikk. […] Det er på det rene at slettetidene skulle vært mer konkrete”).
113Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01, As last
Revised and Adopted on 11 April 2018), p. 38.



                                                                                                  26long period, which in practice maylead SATS to retain such data for longer than it is necessary,
in violation of Article 5(1)(e), as exemplified by how SATS handled the erasure of the data of

Complainant No 2 and Complainant No 3 (see section 6.2 above). A retention period of 60
months would only be justifiable in very exceptional circumstances, whereas much shorter
retention periods should apply in standard cases. Thus, specific criteria should be set out, and

communicated in advance to data subjects, to ensure that the data of banned members are not
processed for longer than it is actuallynecessary in practice, in light of the circumstances of the
specific termination of the membership. However, it is for the controller to identify and apply

the relevant criteria.

Furthermore, SATS' privacy policy in effect in 2021 simply stated that SATS' legal basis for

processing the personal data of its customers was generally performance of a contract” and in
some cases "consent" (see further section 6.4 below). However, the policy did not clarify
which processing activities or purposes were covered by each of these legal bases. This

constitutes in itself a breach of Articles 12(1) and 13(1)(c) GDPR, as the information on legal
bases in the privacy policy was not "clear" and did not allow data subjects to assess, on the
basis of their own situation, what legal basis/purposes apply. 115 This confusion was further
exacerbated by the fact that, when questioned about the applicable legal basis by a data subject,

SATS also referred to a legal basis (i.e., legitimate interest) that was not mentioned among the
relevant legal bases listed in its privacy policy. 116 Nevertheless, SATS' current privacy policy
(updated after the opening of our inquiry) is clearer on this point. 117 In its written

representations, SATS acknowledged that "the description [in its privacy policy in effect in
2021] of the legal grounds should have been more refined”. 118However, it claimed that the
recent update to its privacy policy was not triggered by the Norwegian Data Protection Authority's inquiry. 119


In its written representations, SATS argued that the Norwegian Data Protection Authority's conclusion that SATS breached
Articles 5(1)(a), 12(1), 13(1)(c) and 13(2)(a) GDPR would violate the principle of ne bis in
      120
ditto. Moreover, SATS argued that “all violations of Article 13 automatically constitute a
breach of Article 12" and that "it will always be the case that a breach of a specific obligation




114
115See Privacy statement and cookies - SATS (attached to Complaint No 4).
   Cf. Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01, As last
Revised and Adopted on 11 April 2018), page 9.
116 See correspondence attached to Complaint No 4.
117 See: <https://www.sats.no/legal/personvernerklaring> (stating: "We must have grounds for processing according to the GDPR for
our processing of personal data. For administration of membership, training follow-up, online training,
app functions and training-related services are the basis that it is necessary to fulfill our agreement with you.
For purchases, there is the necessity to fulfill a legal obligation. For product development, it is our right
interest in improvement and innovation. For studies, it is our legitimate interest to contribute to research and
public information. For camera surveillance, there is the need to prevent dangerous situations and to take care of consideration

to the safety of our employees and members. If it is necessary for us to process special categories of
personal data (sensitive personal data) to provide our services to you is your basis for processing
118thick that you provide via the membership terms and conditions (GDPR article 6 no. 1 letter a and article 7 no. 4).").
   See SATS' letter to Datatilsynet dated 31October2022, p. 5 (statingin(Norwegian) "At this point, SATS takes
self-criticism. […] the description of the grounds for treatment should have been more refined”).
119 Ibid.
12See SATS' letter to the Norwegian Data Protection Authority dated 31 October 2022, p. 9.



                                                                                                     27 121
[in the GDPR] also represents a breach of one of the privacy principles". Therefore,
according to SATS, these breaches should not be cumulated. These arguments should be
rejected. As noted above, the principle of ne bis in idem does not preclude an undertaking from
being penalized for an infringement of several distinct legal provisions, even if those provisions
                                                     122
have been infringed by virtue of the same conduct. Moreover, it should be noted that Articles
12(1) and 13 must be read (and applied) together—and may thus be cumulatively violated—as
the first provision regulates how certain information must be provided, whereas the second
provision establishes what information must be provided.


As for the violation of the transparency principle in Article 5(1)(a), we emphasize once again
that there is nothing in the GDPR that precludes a controller from being penalized both for an
infringement of a principle in Article 5 and an infringement of the obligations stemming from
that principle in the rest of the GDPR. 123 In the present case, by failing to provide sufficient

information about the relevant storage periods and legal basis for the processing, SATS has not
only violated the specific information requirements laid down in Article 13(1)(c) and (2)(a)
GDPR; it also failed to ensure that “personal data [are] processed […] in a transparent manner
in relation to the data subject”, as required pursuant to Article 5(1)(a) GDPR.


    6.4. Findings of a Violation of Articles 5(1)(a) and 6(1) GDPR

Complainant No4 lodged their complaint with the Norwegian Data Protection Authority, partly due to their doubts regarding
                                                                                            124
SATS' position on the legal basis for the processing and storage of training history data. We
believe that Complainant No 4 has raised legitimate doubts regarding SATS' position on such
legal basis. This is due to the fact that SATS' privacy policy and general terms and conditions
provide confusing and misleading information on this point. Furthermore, SATS has provided

partially different responses regarding the legal basis for the processing of training history data
to Complainant No 4 and to the Norwegian Data Protection Authority. This warrants an assessment of whether SATS is relied upon
on a valid legal basis for processing training history data.


SATS' privacy policy in effect in 2021 stated the following with respect to the legal bases that
SATS relied on for processing the personal data of its customers:

        "LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA


        Processing of personal data is not permitted unless there is a
        valid basis for processing. Such a basis for treatment can, for example, be
        consent from the registered person, contract (conclusion of an agreement), law or that we as




121Ibid. (stating (in Norwegian): "It will, so to speak, always be the case that a breach of a concrete obligation also
represents a breach of one of the privacy principles […] all breaches of Article 13 automatically constitute a breach of
article 12”).
122GC, Case T-704/14, Marine Harvest ASA v European Commission, paras. 370-371. See also GC, Case T-609/19,
Canon v European Commission, para. 461.
123 See EDPB, Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory
Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR, Adopted on 28 July 2021, paras. 183-201.
124 See correspondence attached to Complaint No 4.




                                                                                                28 the controller has a "legitimate interest" that exceeds the data subject's requirements
        on privacy.


        Our basis for processing is mainly contract, and in some cases consent. By
        we will always provide information on the start of processing of your personal data
                                125
        treatment basis.”

Therefore, the privacy policy simply stated that SATS' legal basis for processing the personal

data of its customers was generally “performance of a contract” and in some cases “consent”,
but without specifying which purposes were covered by each of these legal bases.


However, Section 5.2 of SATS' general terms and conditions in effect in 2021 stated:

        "The member agrees that SATS, and other companies that are part of the same group,

        registers, stores and uses information about the Member […] The Member agrees
        to SATS storing training history for the purpose of being able to follow up the Member's
        activity and arrange the Member's training programme") 126 (In the English version:
        "The Member consents to that SATS and other companies that are part of the same

        Group, registering, storing and using such personal data […] The Member agrees that
        SATS can save training history data in order to be able to monitor Member activities
        and facilitate Member training”). 127


Furthermore, Section 5.3 of SATS' general terms and conditions read:


        "The member has the right to access his training history and can demand to have it deleted.
        SATS must confirm receipt of notification of deletion." 128 (In the English version: “The
        Members can withdraw consent to their training history and request that such be deleted.
                                                                             129
        SATS will confirm receipt of notification in respect of deletion”).

This wording (“samtykker”/“consent”) in the general terms and conditions suggests that the

processing of training history data to monitor member activities and facilitate member training
is one of those processing activities for which SATS relied on "consent" as a legal basis.

However, during our inquiry, SATS took the view that the term "samtykker"/"consent" in the

general terms and conditions should not be interpreted as "consent" for GDPR purposes, etc
that SATS' legal basis for processing training history data was Article 6(1)(b) GDPR. 130
Nevertheless, in its written representations, SATS acknowledged that its communication
                                      131
regarding legal bases was imprecise.

125See Privacy statement and cookies - SATS (attached to Complaint No 4).
126 General conditions for membership in SATS - SATS (attached to Complaint No 4).
127
   SATS's General Terms and Conditions (English Version), applicable from 23.08.2021, available at
128tps://www.sats.no/legal/english-version-of-our-general-terms-and-conditions>.
129Generelle vilkår for medlemskap i SATS – SATS (attached to Complaint No 4).
   SATS’s General Terms and Conditions (English Version), applicable from 23.08.2021, available at
<https://www.sats.no/legal/english-version-of-our-general-terms-and-conditions>.
130See SATS’ letter to Datatilsynet dated 28 April 2022.
131See SATS’ letter to Datatilsynet dated 31 October 2022, p. 5.



                                                                                                29In addition, in its written representations, SATS claimed that it is up to the controller to
determine the relevant legal basis, and that Datatilsynet is not in the position to challenge the
controller’s choice regarding the legal basis, as long as the latter is reasonable and justified.      132


Datatilsynet takes note of these arguments, but find them unconvincing. Although it is the
controller’s responsibility to ensure that it relies on a valid legal basis,      133the validity of the

legalbasis chosenbythe controller(andhencethe lawfulnessoftheprocessing)maybeverified
and challenged by supervisory authorities,      134 as well as by data subjects.  135 Thus, it is not the
case that Datatilsynet is not in the position to challenge the validity of the legal basis chosen by

SATS. Moreover, the legal basis must be identified and communicated to data subjects at the
outset of the processing;   136it is not possible for the controller to “fix” the legal basis ex post.
Therefore, the supervisory authority’s assessment of the lawfulness of the processing should

inevitably focus on the choice made by the controller at the outset of the processing, which
should be assessed inter alia on the basis of the information that the controller has provided to
data subjects.


With respect to the processing of training history data, SATS’ general terms and conditions in
effect in 2021 provides that SATS members “samtykker”/“consent” to the processing of such

data. That wording is included in a section of the general terms and conditions with the heading
“personopplysning, markedsføring og kommunikasjon”, which exclusively deals with data
protection and privacymatters.Thus,it seems illogical thatthetermsusedinthatsectionshould

not be interpreted in accordance with their standard meaning under data protection law, as
SATS argued. Moreover, the English version of that section expressly states that consent can
be withdrawn,   137 which further confirms that the section uses the term “consent” in accordance
                  138
with the GDPR.        Finally, the fact that consent to the processing of training history data can
be withdrawn under SATS’ general terms and conditions confirms that such processing is not
necessary for the performance of the membership contract, as outlined further below.

                                                                                                       139
It should benotedthat forconsent to bevalidundertheGDPR itshouldgenerallybeseparate.
In this regard, the EDPB has opined that “the situation of ‘bundling’ consent with acceptance


132See SATS’ letter to Datatilsynet dated 31 October 2022, p. 5 (stating in Norwegian: “GDPR legger opp til at
det er den behandlingsansvarlige som fastsetter sine behandlingsgrunnlag. Tilsynet kan neppe overprøve slike
vurderinger så lenge de er forsvarlige og rimelige”).
133
134See Arts. 5(1)(a) and (2), 6 and 24 GDPR.
   See Art. 57(1)(a) GDPR. See too e.g. CJEU, Case C-245/20, X, Z v Autoriteit Persoonsgegevens, para. 22
(assuming that supervisory authorities are generally competent to “review the lawfulness” of a processing
operation, barring when the latter is carried out by a court in its judicial capacity).
135See Recital 63 GDPR (stating: “A data subject should have the right of access to personal data which have been
collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware
of, and verify, the lawfulness of the processing” (emphasis added)).
136See EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of
the provision of online services to data subjects, Version 2.0, 8 October 2019, para. 17.
137
   SATS’s General Terms and Conditions (English Version), applicable from 23.08.2021, Section 5.3 (stating:
138e Member can withdraw consent to their training history and request that such be deleted”).
   See Article 7(3) GDPR.
139See Article 7(4) and Recital 43 GDPR. See further Case C-673/17, Planet49 (Advocate General Opinion), para.
66.



                                                                                                       30of terms or conditions, or ‘tying’ the provision of a contract or a service to a request for consent
to process personal data that are not necessary for the performance of that contract or service,

is considered highly undesirable. If consent is given in this situation, it is presumed to be not
freely given”. 140


Therefore, the consent to the processing of training history data set out in Section 5.2 and tied
to the acceptance of SATS’ general terms and conditions is invalid, as – contraryto what SATS
argued  141 – such processing is not invariably and objectively necessary to perform the
          142
contract.    This is first and foremost evidenced by the fact that, as outlined above, SATS’
general terms and conditions allow members to withdraw their consent to the processing of the
training historydata and request that such data be deleted. In this regard, it should be noted that

the general terms and conditions do not specify that any conditions apply to requests for
deletion, theysimplyprovide that SATS shall acknowledge receipt of such requests. Moreover,
SATS’ processing of training history data is not objectively necessary to provide its services,

at least to those members who intend to make only a basic use of SATS’ training facilities (e.g.,
withoutparticipatingin groupclasses, withoutusingapersonaltrainer,etc.),asaccesstoSATS’
facilities to simply work out on one’s own does not require the recording of training history
data. Furthermore, in its written representations, SATS stated that the processing of such data
              143
is “relevant”    to offer its services, but it failed to explain or show how such processing would
be “necessary” to perform the contract with its members.          144 In this respect, the EDPB has
opined that:


    “necessary for the performance of a contract with the data subject […] must be interpreted
    strictly and does not cover situations where the processing is not genuinely necessary for

    the performance of a contract, but rather unilaterally imposed on the data subject by the
    controller. Also the fact that some processing is covered by a contract does not
    automatically mean that the processing is necessary for its performance. […] Even if these

    processing activities are specifically mentioned in the small print of the contract145his fact
    alone does not make them ‘necessary’ for the performance of the contract.”


140EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.1, Adopted on 4 May 2020, para.
26.
141
   See SATS’ letter to Datatilsynet dated 28 April 2022 (stating (in Norwegian): “lagring om treningshistorikk er
nødvendig for at SATS skal kunne tilby en integrert del av sin tjeneste, nemlig treningsoppfølging. SATS tilbyr
segregerte medlemskap, f.eks. medlemskap forbeholdt ett senter, sentre i en region eller medlemskap på
landsbasis. I tillegg tilbyr SATS en rekke tilleggstjenester, f.eks. gruppetimer, PT-timer et c. SATS må følgelig
behandle opplysninger om treningshistorikk (dvs. besøk og økter) for a blant annet holde oversikt over at
medlemmets tilgang kjøpte og gjennomført e gruppetimer, PT-timer etc.”).
142See EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of
the provisionofonline services to data subjects, Version2.0,8 October2019,para.27(stating: “Where a controller
seeks to establish that the processing is based on the performance of a contract with the data subject, it is important
to assess what is objectively necessary to perform the contract”).
143
   See SATS’ letter to Datatilsynet dated 31 October 2022, p. 5 (stating (in Norwegian): “SATS mener at
behandling av treningshistorikk er relevant for å tilby medlemmene treningsoppfølging, som er en sentral del av
144S’ tjenester» (emphasis added).
   It should be emphasised that the controller is responsible to demonstrate compliance with the lawfulness
principle. See Article 5(2) GDPR.
145See EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of
the provision of online services to data subjects, Version 2.0, 8 October 2019, para. 28.



                                                                                                      31In its written representations, SATS claimed that the EDPB’s strict interpretation of Article
                                       146
6(1)(b) has no basis in the GDPR.          Datatilsynet takes note of this argument. However, it
should be dismissed in light of the case law of the CJEU on the notion of ‘necessity of
processing personal data’. Indeed, the CJEU has repeatedly found that “[a]s regards the
condition relating to the necessity of processing personal data, it should be borne in mind that

derogations and limitations in relation to the protection of personal data must apply only in so
far as is strictly necessary” (emphasis added).  147


Inlightoftheabove,neitherArticle6(1)(a)norArticle6(1)(b)wasavalidlegalbasisforSATS’
processing of training history data in the circumstances at hand, as the consent to such
processing was not “freely given” and “informed”, as it was tied to the general acceptance of

SATS’ terms and conditions, and in any event the processing at hand was not objectively
necessary to the performance of the membership contract. Therefore, SATS violated Articles
5(1)(a) (lawfulness principle) and 6(1) GDPR, as it failed to have a valid legal basis in place to
engage in the processing of training history data.


The fact that SATS failed to have a valid legal basis in place is further evidenced by the fact
that, in response to a query from Complainant No 4, SATS noted that the legal bases for
                                                                                    148
processing and retaining training history data was “Article 6(1)(b) and (f)”,           and the latter
(i.e., Art. 6(1)(f)) was neither mentioned as a relevant legal basis in the privacy policy nor in
the general terms and conditions. This shows that the applicable legal basis was unclear also to

SATS’ staff.

It should be pointed out in passing that the choice of an appropriate legal basis is not a mere
“technicality” of very limited importance to data subjects, as suggested by SATS.        149Rather, it

is essential to ensure compliance with a core principle of the GDPR (i.e., the lawfulness
principle), which is of key importance to data subjects, as evidenced by the fact that
Complainant No 4 took issue with the legal bases that SATS communicated to them. In any

event, it is for SATS to id150ify an appropriate legal basis, should it wish to process training
history data in the future.






146See SATS’ letter to Datatilsynet dated 31 October 2022, p. 5.
147CJEU, Case C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības
SIA ‘Rīgas satiksme’, para. 30 (and case law cited therein).
148See SATS’ email to Complainant No 4 dated 10 October 2021 (referring to “behandlingsgrunnlaget i artikkel

149r. 1 bokstav b) og f)”) (attached to Complaint No 4).
   See SATS’ letter to Datatilsynet dated 31 October 2022, p. 5 (stating (in Norwegian): “Under enhver
omstendighet kan det ikke være tvilsomt at GDPR artikkel 6(1)(f), berettiget interesse, er et gyldig
behandlingsgrunnlag for treningshistorikk. Uenighet om gråsonene mellom artikkel 6(1)(b) og 6(1(f) er langt på
vei en "teknikalitet" med svært begrenset betydning, om noen, for medlemmene.”).
150In its written representations, SATS sought Datatilsynet’s input on whether Article 6(1)(f) could be an
appropriate legal basis to process training history data in the future. See SATS’ letter to Datatilsynet dated 31
October 2022, p. 5 (stating (in Norwegian): “SATS er åpen for heller å basere behandlingen av treningshistorikk
på artikkel 6(1)(f) dersom Datatilsynet skulle mene at dette grunnlaget er mer treffende”).



                                                                                                   32In its written submissions, SATS argued that Datatilsynet’s conclusion that SATS breached
Articles 5(1)(a) and 6(1) GDPR would violate the principle of ne bis in idem.         151 Moreover,
SATS argued that “it willalways bethecasethatabreachofaspecificobligation[intheGDPR]
                                                               152
also represents a breach of one of the privacy principles”         and therefore the two breaches
should not be cumulated.   153 In this respect, it is sufficient to restate what has been mentioned
above with respect to the other violations of Article 5: there is nothing in the GDPR that

precludes a controller from being penalized both for an infringement of a principle in Article 5
and an infringement of the obligations stemming from that principle in the rest of the
Regulation. 154 In the present case, by failing to have a valid legal basis for the processing of
training history data, SATS has not only failed to make sure that “personal data [are] processed

lawfully”, as required by Article 5(1)(a); it also failed to make sure that one of the legal bases
listed in Article 6(1) could validly be invoked.

    7. Choice of Corrective Measure


Under Article 58(2) GDPR, Datatilsynet has several corrective powers, including the power to
impose administrative fines for violations of the GDPR.


When deciding whether to impose an administrative fine and deciding on the amount of the
administrative fine, due regard must be given to the factors listed in Article 83(2)(a) to (k)
GDPR. The following sub-sections outline how Datatilsynet has given “due regard” to these

factors in the present case.

    7.1. Nature, Duration and Gravity of the Infringements (Art. 83(2)(a))


As regards the criterion at Article 83(2)(a), SATS’ infringements consist in having failed to
complywithrequirementswhoseviolationsmayallbesanctionedin accordancewiththehigher
tier of sanctions (Article 83(5)) under the GDPR’s two-tier sanctions’ system. In this regard, it

should benotedthat theGDPR “in settinguptwodifferent maximum amounts ofadministrative
fine (10/20 million Euros), already indicates that a breach of some provisions of the Regulation
may be more serious than for other provisions”.     155This only speaks to the intrinsic nature of
some infringements (i.e., the infringements that may be fined up to 20 million Euros are—

according to the assessment made by the legislator— by “nature” more serious than those that
may be fined up to 10 million Euros). However, the actual gravity of a specific infringement
should be assessed having regard also to other elements;     156whether a violation is subject to a





151
152ee SATS’ letter to Datatilsynet dated 31 October 2022, p. 9.
   Ibid. (stating (in Norwegian): “Det vil så å si alltid være slik at et brudd på en konkret forpliktelse også
representerer brudd på et av personvernprinsippene”).
153Ibid.
154See EDPB, Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory
Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR, Adopted on 28 July 2021, paras. 183-201.
155Article 29 Data Protection Working Party, Guidelines on the application and setting of administrative fines for
the purposes of the Regulation 2016/679 (WP 253, Adopted on 3 October 2017), p. 9.
156It should be noted that “nature” and “gravity” are two different and separate elements in Article 83(2)(a) GDPR.




                                                                                                  33maximum fine of 20 or 10 million Euros is only a starting point for assessing its gravity.      157

With respect to the nature of SATS’ infringements, it should also be noted that the
infringements at hand concern “rights and obligations [that] are at the core of the fundamental
right to data protection”.158We consider that, overall, SATS’ infringements may be deemed to
be moderately serious in nature in the present circumstances.


The duration of most of the infringements is considerable. The access request of Complainant
No 1 has remained unanswered since 2018, and SATS never provided a copy of the personal
data of Complainant No 2 in response to their request in February 2019, although these data
were finally deleted on 4 November 2021. SATS replied to Complainant No 4 only a couple of

weeks late. However, SATS deleted certain personal data of Complainant No 2 and of
Complainant No 3 on 4 November 2021, respectively about one and nineteen months after the
expiry of the relevant exclusion period when the deletion should have taken place. As for the
infringements of the lawfulness and transparency requirements, these are partially ongoing and

have lasted at least since August 2021 (i.e., since the last update to the general terms and
conditions). Such a – on the whole – prolonged state of noncompliance is one of the key
elements to be taken into consideration in the analysis of the gravity of the infringements.

The gravity of the infringements should be assessed bearing in mind that they relate to rights

and obligations that are at the core of the fundamental right to data protection. However, the
impact oftheinfringements fortheaffectedindividuals, orat least forthecomplainants, appears
to have been relatively modest in practice, as Datatilsynet has not been made aware of any
specific damages suffered by the data subjects, apart from the emotional distress incurred,

although the excessive retention of data on alleged wrongdoing could have had significant
consequences for the relevant data subjects (e.g., a prolonged exclusion from the fitness
centers). While the former element attenuates to a certain extent the gravity of the
infringements, a central element of the analysis of their gravity should be whether the nature

and scope of the infringements are indicative of broader, more systemic issues. In this regard,
Datatilsynet considersthatamultinationalcompany,likeSATS,shouldhavesufficientpolicies,
procedures and routines in place to enable the company to promptly and adequately respond to
data subjects’ requests, and to meet the relevant storage limitation, transparencyand lawfulness
requirements.


In its written representations, SATS claimed that the identified infringements are not indicative
ofmoresystemicissues,asthepresent caseconcernsonlyaverysmallnumberofcomplaints.                 159
However, in our view, the reoccurrence over a long period of time of several similar failures to

ensurecompliancewith keydataprotectionrights andobligations reveals that theinfringements
were not the result of occasional oversights. Instead, they are indicative of a failure to put in

157This is noted in response to SATS’ remark that the seriousness of a violation may not be assessed only on the
basis of whether it may be sanctioned under Article 83(4) or (5). Cf. SATS’ letter to Datatilsynet dated 31 October
2022.
158EDPB, Guidelines 10/2020 on restrictions under Article 23 GDPR, Version 2.0, Adopted on 13 October 2021,
para. 2 (stating: “Data protection cannot be ensured without adhering to the rights and principles set out in the
GDPR (Articles 12 to 22 […],as well as Article 5 in so far as its provisions correspond to the rights and obligations
provided in Articles 12 to 22 GDPR). All these rights and obligations are at the core of the fundamental right to
data protection”).
159
   See SATS’ letter to Datatilsynet dated 31 October 2022, p. 6.



                                                                                                34place and follow adequate policies, procedures and routines. Moreover, through the assessment

of the four complaints at issue in the present case, Datatilsynet has identified compliance issues
that go beyond the mishandling of a few data subjects’ requests (e.g., a failure to have a valid
lawful basis in place for the processing of training history data in general, deficiencies in
policies and documents that apply or applied to all of SATS’ members, etc.). This is a systemic

issue that enhances the gravity of the infringements. In this regard, it should be noted that most
of the complaints concern data subjects’ requests and policies that predate the Covid-19
pandemic. Thus, the pandemic should not be factored in when assessing the gravity of the
infringements.


In respect of the number of affected data subjects, most of the violations affected four
individuals in Norway(i.e.,the complainants). However, someviolations (i.e.,theinfringement
of the transparency and lawfulness obligations) have affected virtually all of the about 700 000
SATS members.


Having considered the above, and taking into account all of the aforementioned aggravating
and mitigating elements in their complexity, Datatilsynet considers the infringements to be
moderately grave. This factor should be weighed accordingly in the present case.


    7.2. Intentional or Negligent Character of the Infringements (Art. 83(2)(b))

In respect of the criterion at Article 83(2)(b), the EDPB found that:


        “In general, “intent” includes both knowledge and wilfulness in relation to the
        characteristics of an offence, whereas “unintentional” means that there was no
        intention to cause the infringement although the controller/processor breached the duty
        of care which is required in the law.”160


Further to our inquiry, we see no evidence of an intentional infringement on the part of SATS.
However, in our view, the infringements arose due to negligence on the part of SATS, insofar
as the company failed to implement and follow appropriate measures to respond timely and
properlyto data subjects’ requests, and to ensure – and be able to demonstrate – full compliance

with storage limitation, lawfulness and transparency requirements, thus disregarding its duty of
care.161However, further to our inquiry, SATS seems to have taken some measures to improve
its routines and state of compliance (see section 7.3 below).


It bears emphasizing that several staff members of SATS, including SATS’ Customer Service
Manager, have been involved in handling the above data subjects’ requests, and that SATS’
management is ultimately responsible for ensuring SATS’ compliance with the GDPR. SATS
has itself stated that the CEO has a responsibility for GDPR compliance.    162Therefore, it may


160Article 29 Data Protection Working Party, Guidelines on the application and setting of administrative fines for
the purposes of the Regulation 2016/679 (WP 253, Adopted on 3 October 2017), p. 12. These guidelines have
been endorsed by the EDPB. See EDPB, Endorsement 1/2018 (adopted on 25 May 2018).
161See Article 5(4) and 24 GDPR.
162 Generelle vilkår for medlemskap i SATS – SATS (attached to Complaint No 4) (stating:

“Databehandlingsansvarlig for opplysningene er SATS v/CEO.”).



                                                                                               35be concluded that several staff members of SATS have acted negligentlyin connection with the
establishment and implementation of adequate compliance measures, as they disregarded their
                                                                                     163
duty of care to ensure compliance with several legal obligations under the GDPR.

Overall, this factor should be weighed moderately against SATS in the present case.


In its written representations, SATS claimed that the negligence identified by Datatilsynet
should be weighed neither against nor in favor of SATS. Datatilsynet disagrees with this view,
and considers that the identified negligence should be weighed against SATS, albeit

moderately. This is because SATS acted negligently over a prolonged period of time, despite
thefact that several datasubjects promptedSATS to bringits processinginto compliance.Thus,
the infringements are not due to a minor negligence, which occurred over a limited period of

time. As a result, this degree of negligence should be given some weight for fining purposes.
In this respect, the EDPB noted that “[d]epending on the circumstances of the case, the
supervisory authority may also attach weight to the degree of negligence. At best, negligence
could be regarded as neutral” (emphasis added).   164


    7.3. Action Taken by the Controller to Mitigate the Damage Suffered by Data
         Subjects (Art. 83(2)(c))

                                                                                                165
SATS has taken several remedial actions, at least with respect to most of the infringements.
For example, after Datatilsynet’s inquiry, SATS has deleted the personal data of Complainant
                                                  166
No 2, Complainant No 3 and Complainant No 4.          SATS has also updat167its internal routines
with the aim of ensuring a timelier handling of data subjects’ requests.     Further, SATS noted
that it will consider amending Section 5.2 of its general terms and conditions.  168All in all, this
goes to the credit of SATS and should be weighed in favor of the company in the present case.


    7.4. Degree of responsibility of the controller taking into account technical and
         organisational measures implemented pursuant to Articles 25 and 32 GDPR

         (Art. 83(2)(d))

The criterion at Article 83(2)(d) is not applicable in the present case, as the infringements
contestedinthecaseathanddonot concerntechnicalandorganisationalmeasuresimplemented

pursuant to Articles 25 and 32 GDPR.







163
164See HR-2021-797-A, and Section 46 of the Public Administration Act (‘forvaltningsloven’).
   EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 1.0, Adopted
on 12 May 2022, para. 57.
165However, some instances of non-compliance are yet to be remedied, for instance by responding to the access
request of Complainant No 1, and by updating the privacy policy and general terms of terms of service.
166See SATS’ letter to Datatilsynet dated 28 April 2022.
167Ibid.
168Ibid.



                                                                                                36    7.5. Relevant Previous Infringements by the Controller (Art. 83(2)(e))


The criterion at Article 83(2)(e) is not applicable in the present case, as SATS has not been
sanctioned for similar or otherwise “relevant” infringements in the past.


In its written representations, SATS argued that the absence of previous infringements should
be considered a mitigating factor.  169 This argument should be rejected. In this regard, it suffices

to note that, under EU/EEA law, it is well established that the absence of any previous
infringement is a normal circumstance, which should not be taken into account as a mitigating
factor.170 Moreover, the EDPB has specifically noted that “[t]he absence of any previous

infringements, […] cannot be considered a mitigating factor, as compliance with the GDPR is
the norm. If there are no previous infringements, this factor can be regarded as neutral.”      171


    7.6. Degree of Cooperation with the Supervisory Authority (Art. 83(2)(f))

SATS has responded to Datatilsynet’srequests forinformation,         172althoughit demandedseveral
                      173
deadline extensions,      and SATS’ cooperation did not go beyond what was required by law.
Thus, in our view, this factor should be weighed neither in favor nor against SATS. As noted
by the EDPB with respect to Article 83(2)(f) GDPR: “it would not be appropriate to give
                                                                        174
additional regard to cooperation that i175lready required by law”.          This was not disputed by
SATS in its written representations.


    7.7. Categories of Personal Data Affected by the Infringements (Art. 83(2)(g))

In light of the circumstances of the present case, the infringements committed by SATS do not

appear to affect anyspecial categories ofpersonal data(within themeaningofArticle9GDPR).
However, some of them did affect information subject to a greater degree of sensitivity on the
part of the individuals affected, such as data on their alleged wrongdoing. This element should

be weighed moderately against SATS in the present case.

In its written representations, SATS argued that the factor in Article 83(2)(g) GDPR should be
                       176
weighed in its favor.     The company claimed that the present case only affects “trivial data”,
and that the information on “alleged wrongdoing” was deleted in accordance with SATS’


169
170See SATS’ letter to Datatilsynet dated 31 October 2022, p. 7.
   See e.g. Joined Cases T-305/94, T-306/94, T-307/94, T-313/94, T-314/94, T-315/94,T-316/94, T-318/94, T-
325/94, T-328/94, T-329/94 and T-335/94, LVM v Commission, para. 1163; Case T-8/89, DSM v Commission,
para. 317.
171EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 1.0, Adopted
on 12 May 2022, para. 94.
172See the Factual Background above.
173See email from SATS’ Nordic Head of Legal & Compliance to Datatilsynet dated 27 October 2021; email from
Brækhus Advokatfirma to Datatilsynet dated 31 March 2022; email from Brækhus Advokatfirma to Datatilsynet

174ed 19 April 2022; email from Advokatfirmaet Wiersholm to Datatilsynet dated 28 September 2022.
   Article 29 Data Protection Working Party, Guidelines on the application and setting of administrative fines for
the purposes of the Regulation 2016/679 (WP 253, Adopted on 3 October 2017), p. 14.
175Cf. SATS’ letter to Datatilsynet dated 31 October 2022.
176Ibid, p. 7.



                                                                                                     37                                                                                                177
internal routines, and was thus not affected by the infringements identified by Datatilsynet.
This argument should be rejected. In this respect, it suffices to note that SATS kept its
correspondence from 2019 with Complainant No 2 and Complainant No 3—which includes
detailed information on their alleged misbehavior that led to their temporary ban from SATS’
                            178
gyms—at least until 2021.       This is despite the fact that, as outlined above, SATS’ retention
policy provides that “If the customer relationship is terminated due to improper behavior from
the member, name, date of birth and picture shall be kept for 60 months. Further, the member

inquestionshallbemarkedas‘excluded’.Therest of179datashallbedeleted,includedpossible
reports on the behavior” (emphasis added).       Therefore, contrary to what SATS argued in its
writtenrepresentations,theinformationon“allegedwrongdoing”wasnotdeletedinaccordance
with SATS’ routines and is thus affected by the relevant infringements identified by

Datatilsynet.

    7.8. Manner in Which the Infringements Became Known to the Supervisory
         Authority (Art. 83(2)(h))


SATS’ infringements in the present case became known to Datatilsynet as a result of several
complaints submitted over a period of four years. This factor should be weighed against SATS.


Initswrittenrepresentations,SATSarguedthatthisfactorshouldnotbeweighedagainstSATS,
as this would amount to a violation of the principle against self-incrimination.   180Datatilsynet
acknowledges that SATS was not required to report the infringements to us out of its own
motion, and that the mere fact that a controller did not spontaneously report an infringement to

Datatilsynet is not an aggravating factor. However, the negligent conduct of the controller
before the relevant infringement(s) became known to the supervisory authority—which
ultimately triggered the involvement of the authority in the case—“may also be considered by
                                                               181
the supervisory authority to merit a more serious penalty”.        In this case, the infringements
were brought to the attention of Datatilsynet by several data subjects, after and due to the fact
that SATS failed to remedy the identified instances of non-compliance, despite the fact that
these data subjects have previously attempted to prompt SATS to comply. Thus, the

infringements were brought to the attention of Datatilsynet as a result of SATS’ failure to
properly address the legitimate claims that various data subjects brought to its attention over
the course of four years. This is the element that should be weighed against SATS in this case,
and not the fact that it did not report the infringements to Datatilsynet of its own motion.







177Ibid.
178Excerpts from this correspondence were included by SATS in its replies to Datatilsynet dated 1 December
2021.
179In its correspondence with Complainant No 3 SATS also stated that such “rest of the data” would be deleted
within 30 days. See email from kundeservice@sats.no to Complainant No 3 dated 11 October 2019 (attached to
SATS’ letter to Datatilsynet dated 1 December 2021).
180See SATS’s letter to Datatilsynet dated 31 October 2022, p. 7.
181See Article 29 Data Protection Working Party, Guidelines on the application and setting of administrative fines
for the purposes of the Regulation 2016/679 (WP 253, Adopted on 3 October 2017), p. 15.




                                                                                                38    7.9. Compliance with Corrective Measures Previously Ordered Against the

         Controller with Regard to the Same Subject-Matter (Art. 83(2)(i))

The criterion at Article 83(2)(i) is not applicable in this case, as no measures referred to in
Article 58(2) GDPR have previously been ordered against SATS by Datatilsynet.


In its written representations, SATS argued that this factor should be weighted in favor of the
company.  182 This argument should be rejected. First, the wording of Article 83(2)(i) GDPR
makes clear that this factor applies only “where measures referred to in Article 58(2) have
previously been ordered against the controller”,   183 and no such measures have been ordered

against SATS in the past. Secondly, the use of corrective measures is typically linked to the
identification of an infringement and, as noted above (see Section 7.5), the absence of previous
infringements—and hence of previous corrective measures—is a normal circumstance, which
should not be taken into account as a mitigating factor.


    7.10.       Adherence to Approved Codes of Conduct or Certification Mechanisms
         (Art. 83(2)(j))

The criterion at Article 83(2)(j) is not applicable in this case, as SATS does not appear to adhere

to any approved codes of conduct pursuant to Article 40 GDPR or approved certification
mechanisms pursuant to Article 42 GDPR.

    7.11.       Any Other Aggravating or Mitigating Factor (Art. 83(2)(k))


Datatilsynet has not identified any other aggravating or mitigating factors in the present case.
In this regard, it should be noted that, as outlined above, most of the complaints concern data
subjects’ requests and policies that predate the Covid-19 pandemic. Thus, the latter does not

appear to have had any significant impact on the infringements. Moreover, the reduction of
SATS’ turnover due to the Covid-19 pandemic should not be considered a mitigating factor
under Article 83(2)(k) GDPR.    184This should be weighed neither against nor in favor of SATS
in the present case.


In its written representations, SATS argued that some of the infringements concern facts that
occurred in 2018 and 2019, shortly after the entryinto force of the GDPR, and that this element
should be weighed in SATS’ favor.    185 We find this argument untenable. It suffices to reiterate
that: (1) SATS has not responded to the access request of Complainant No 1 to this date, and it

deleted the data of Complainants No 2 and No 3 onlyafter the opening of Datatilsynet’s inquiry
in 2021, with the result that most of the violations identified by Datatilsynet were still ongoing
in 2021; and (2) Datatilsynet’s assessment of the lawfulness and transparency of SATS’
processing has primarily focused on documents and policies that were still applicable in 2021

when we opened our inquiry. Furthermore, there were approximately two years between the

182See SATS’ letter to Datatilsynet dated 31 October 2022, p. 8.
183See Article 83(2)(i) GDPR.
184EDPB, Decision 01/2022 on the dispute arisen on the draft decision of the French Supervisory Authority
regarding Accor SA under Article 65(1)(a) GDPR, adopted on 15 June 2022, para. 72.
185
   See SATS’ letter to Datatilsynet dated 31 October 2022, p. 8.



                                                                                                39                                         186                                                          187
entry into force of the GDPR in 2016         and the moment in which it started to apply in 2018.
Therefore, companieshad at least two yearsto adapt to thenewrules, andEuropeansupervisory
authoritieshave repeatedlystatedthat therewould beno “grace period”after theGDPR became
                     188
applicable in 2018.

Moreover, SATS argued that the length of the administrative proceedings is a factor that

Datatilsynet should consider under Article 83(2)(k) GDPR, in particular to reduce the amount
of the fine. In support of this argument, SATS noted that one of the complaints was submitted
to Datatilsynet in 2018, and referred to several cases in which the Norwegian Privacy Appeals

Board (“Personvernnemda”) reduced a fine imposed by Datatilsynet due to an excessive
duration of the case handling which—according to Personvernnemda—resulted in a violation
ofArticle6(1)oftheEuropeanConventiononHumanrights (ECHR).                    189InDatatilsynet’s view,

this argument should be rejected for the following reasons.

First, Personvernnemda has made clear that the duration of the administrative proceedings

concerning the handling of a complaint should be calculated from the first request for
information that Datatilsynet sent to the relevant controller,        190  and not from the moment
Datatilsynet received the complaint.    191 This appears to be meant to follow the case law on the

reasonable duration of criminal proceedings of the European Court of Human Rights
(“ECtHR”), which found that the starting-point of the period to be taken into consideration is
when the person affected by the investigation became aware of the charges against them or

when they were substantially affected by the measures taken in the context of the investigation
or proceedings.  192 In the present case, it is apparent that Datatilsynet first sent a request for
information about Complaint No 1 to SATS on 23 March 2022                193 and notified SATS of its

intention to issue an administrative fine on 26 September 2022. In other words, approximately
six months elapsed before Datatilsynet notified SATS of its intention to issue an administrative
fine. As for Complaints No 2, No 3 and No 4, it took Datatilsynet respectively approximately
       194            195
1 year,    11 months      and 6 months to notifySATS of its intentionto imposeanadministrative





186See Art. 99(1) GDPR.
187See Art. 99(2) GDPR and § 32 personopplysningsloven.
188See e.g.: <https://www.theparliamentmagazine.eu/news/article/gdpr-no-period-of-grace-following-entry-into-
force>; <https://www.natlawreview.com/article/happy-gdpr-day>.
189See SATS’ letter to Datatilsynet dated 31 October 2022, p. 8.
190See PVN-2021-03 (stating (in Norwegian): “Nemnda legger for sin vurdering til grunn at forberedelsene med

191te på å avgjøre denne saken startet med tilsynets krav om redegjørelse”).
   It should stressed the filing of a complaint does not invariably and automatically lead to the opening of an
investigation.
192ECtHR, Mamič v. Slovenia (no. 2), App. No. 75778/01, judgment of 27 July 2006, paras. 23-24; ECtHR, Liblik
and Others v. Estonia, App. Nos. 173/15 and 5 others, judgment of 28 May 2019, para. 94.
193See the Factual Background above.
194As noted in the Factual Background, the first request for information regarding Complaint No 2 was sent on 7
September 2021 and Datatilsynet notified its intention to issue an administrative fine against SATS on 26

195tember 2022.
   As noted in the Factual Background, the first request for information regarding Complaint No 3 was sent on 5
October 2021 and Datatilsynet notified its intention to issue an administrative fine against SATS on 26 September
2022.



                                                                                                      40fine.196Moreover, approximately four months elapsed between the date in which Datatilsynet
                                                                                                   197
notifiedSATSofitsintentiontoissueanadministrativefineandthedateofthefinal decision.
Thus, the duration of the administrative proceedings was overall shorter than that of those cases
reviewed by Personvernnemda—which SATS referred to in its written representations—which
                                              198
all lasted considerably more than one year.

Secondly, when determining whether the duration of the proceedings has been reasonable, due

regard must be had to factors such as the complexity of the case, the applicant’s conduct and
the conduct of the relevant authorities.  199 With respect to the first factor, the present case is
relatively complex, given that the violations contested to SATS concern several provisions of

the GDPR, and several complaints were handled jointly. Moreover, the procedure set out in
Articles 56(1) and 60 applies to the present case, which entails additional procedural steps
(compared to the cases reviewed by Personvernnemda and cited by SATS) and requires

cooperation with foreign authorities. This adds to the complexity of the case.

As for the applicant’s conduct, SATS contributed to the prolongation of the proceedings by

asking for an extens200 of the procedural deadlines set by Datatilsynet essentially at each stage
oftheproceedings.      Intotal,SATShasaskedfor—andhasbeengranted—deadlineextensions
for a time period of approximately two months.


As for the conduct of the relevant authorities, Datatilsynet has made efforts aimed at higher
procedural efficiency, for example by handling the complaints jointly in a single procedure,

rather than opening several parallel inquiries. Moreover, it sh201d be noted that Datatilsynet is
currently confronted with an exceptional backlog of cases,        and the ECtHR has found that in
similar circumstances some delays in the proceedings are not unjustified.        202For instance, in

Buchholz v. Germany, the ECtHR came to the conclusion that the duration of the proceedings
was not unreasonable also because it found that it could not “overlook the fact that the delays
[…] occurred at a time of transition marked by a significant increase in the volume of
            203
litigation”.

Thirdly, it should be noted that the ECtHR has almost never found that proceedings lasting less

thantwo yearsviolated Article6(1) ECHR dueto theirexcessiveduration. Intheoverwhelming
majority of cases where the Court found a violation of Article 6(1) the proceedings had lasted


196
   As noted in the Factual Backgound, the first request for information regarding Complaint No 4 was sent on 23
March 2022 and Datatilsynet notified its intention to issue an administrative fine against SATS on 26 September
2022.
197See Datatilsynet’s letter to SATS dated 26 September 2022.
198Cf. PVN-2021-16; PVN-2021-03; PVN-2021-09.
199ECtHR, Liblik and Others v. Estonia, App. Nos. 173/15 and 5 others, judgment of 28 May 2019, para. 91.
200See email from SATS’ Nordic Head of Legal & Compliance to Datatilsynet dated 27 October 2021; email from
Brækhus Advokatfirma to Datatilsynet dated 31 March 2022; email from Brækhus Advokatfirma to Datatilsynet
dated 19 April 2022; email from Advokatfirmaet Wiersholm to Datatilsynet dated 28 September 2022.
201
   The number of cases to be handled by Datatilsynet has been growing exponentially since 2018. Cf.
202atilsynet’s Annual Reports <https://www.datatilsynet.no/om-datatilsynet/arsmeldinger/>.
   ECtHR, Buchholz v. Germany, judgment of 6 May 1981; ECtHR, Zimmermann and Steiner v. Switzerland,
judgment of 13 July 1983; ECtHR, Foti and others v. Italy, judgment of 10 December 1982.
203ECtHR, Buchholz v. Germany, judgment of 6 May 1981, para. 63.



                                                                                                   41four/five years or more.  204This is further supported by legal literature on the ECHR case law
on this subject matter, whichnoteshow“a total durationofupto 2 yearsperlevel ofjurisdiction
                                                                 205
in non-complex cases is generally regarded as reasonable”.          For example, an 206estigation
which lasted one year and eight months was not considered unreasonably long.

Having regard to the above, the duration of the proceedings against SATS has not been

unreasonable.

    7.12.       Conclusion with Regard to Whether to Impose an Administrative Fine


Having had due regard to the factors under Article 83(2), the infringements that have been
identified warrant the imposition of an administrative fine in the circumstances of this case.


Despite the relative limited number of individuals affected by some of the infringements (i.e.,
the infringements connected to the rights of access and erasure) and the remedial actions taken
by SATS, the reoccurrence of similar instances of non-compliance over an extensive period of

time and SATS’ approach towards the interpretation of its storage limitation, transparency and
lawfulness obligations under the GDPR are indicative of systemic compliance flaws within the
company, which—if not remedied—could result in important consequences for data subjects.

In Datatilsynet’s view, the imposition of an administrative fine is therefore warranted to
produce a genuine deterrent effect, and dissuade SATS—as well as companies in general—
from committing similar infringements in the future. Indeed, enforcement efforts must generate
                                                                                          207
sufficient pressure to make non-compliance economically unattractive in practice.            This is
particularly salient with regard to the kinds of infringements contested in the present case, as
most of the administrative fines issued so far by European supervisory authorities concern the
principles relating to processing of personal data; lawfulness of processing; valid consent; and
                                               208
transparency and rights of the data subjects.

In its written representations, SATS claimed that the imposition of an administrative fine would

be at odds with Datatilsynet’s administrative practice regarding corrective measures, and hence
with the principle of equal treatment. SATS claims that the imposition of a reprimand would
be a more suitable measure in the present circumstances. In this respect, SATS referred to a
prior case in which Datatilsynet imposed a reprimand against a company that failed to comply
                                                                209
with some of its transparency obligations under the GDPR.          The latter case is, however, not


204Cf. European Commission for the Efficiency of Justice (CEPEJ), Length of court proceedings in the member
states of the Council of Europe based on the case law of the European Court of Human Rights (Council of Europe,
2018), pp. 112-122 <https://rm.coe.int/cepej-2018-26-en-rapport-calvez-regis-en-length-of-court-proceedings-
e/16808ffc7b>.
205
   See Henzelin and Rordorf, ‘When Does the Length of Criminal Proceedings Become Unreasonable According
206the European Court of Human Rights?’ 5(1) (2014) New Journal of European Criminal Law 79-109, p. 93.
207ECtHR, Idalov v. Russia, App. No. 5826/03, judgment of 22 May 2012, paras. 190-191.
   See Opinion of Advocate General Geelhoed in Case C-304/02, Commission v. France, delivered on 29 April
2004, para. 39.
208EDPB, Contribution of the EDPB to the evaluation of the GDPR under Article 97, Adopted on 18 February
2020, pp. 33-34.
209See SATS’ letter to Datatilsynet dated 31 October 2022, p. 9 (referring to Reprimand and Compliance Order -
Mowi ASA, Doc. No 21/03656-12).



                                                                                                  42comparable with the present one, as it concerns only: (1) a failure to respond to a single access
request on time due to the fact that such request ended up in the spam folder of the company’s
email inbox, a matter that was eventually amicably settled; and (2) a delayed provision of all of
the information in Article 14 GDPR (which—contrary to Article 13—does not require that

information be provided at the time of the processing, but within a month), which was
eventually considered satisfactory by the relevant complainant.


At present, Datatilsynet has not handled other cases which may be deemed largely comparable
to the present one. However, it should be emphasised that Datatilsynet has issued fines against
other controllers too, including in circumstances where theyhad violated onlysome of the legal
requirements violated by SATS and where such violations affected a single data subject.       210


    7.13.       Calculation of the Amount of the Administrative Fine

Having had due regard to the factors under Article 83(1) and (2), we find an administrative fine

of NOK 10 000 000 (ten million) to be appropriate in the circumstances of this case. This is for
the reasons outlined below. In this respect, it should be noted that the setting of a fine is not an
arithmetically precise exercise,   211 and supervisory authorities have a certain margin of
discretion in this respect.212 Nonetheless, they should indicate the factors that influenced the
                                                  213
exercise of their discretion when setting a fine.

In terms of the requirement under Article 83(1) to ensure that the imposition of the fine in the
circumstances of this case is effective, proportionate and dissuasive, the financial position of

SATS must be taken into account. The financial position of SATS is also relevant to determine
the maximum fine applicable in the present case.

                                                                                      214
In 2021, SATS’ total annual turnover appears to be of NOK 3 247 million.                  Thus, the
maximum fine applicable in the present case is EUR 20 000 000 (i.e., around
NOK 200 000 000), as the latter amount is higher than 4% of the company’s total annual
turnover, and Article 83(5) provides that infringements of Articles 5, 6, 12, 15 and 17 GDPR

shall be subject to “administrative fines up to 20 000 000 EUR, or in the case of an undertaking,
up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is
higher” (emphasis added).


Having considered the above, a fine of NOK 10 000 000 (ten million) seems appropriate, as it
represents approximately 5% of the maximum applicable fine and sits within the lower end of
the spectrum of possible fines. Therefore, such a fine is commensurate with the seriousness of



210See e.g. Case 20/01874, Basaren Drift AS; Case 20/02220, Flisleggingsfirma AS; Case 20/02375, Ultra-
Technology AS.
211See, inter alia, Case T-425/18, Altice Europe NV v Commission, para. 362; Case T-11/06, Romana Tabacchi v
Commission, para. 266.
212See, inter alia, Case T-192/06, Caffaro Srl v Commission, para. 38.
213EDPB, Decision 01/2022 on the dispute arisen on the draft decision of the French Supervisory Authority
regarding Accor SA under Article 65(1)(a) GDPR, adopted on 15 June 2022, para. 75.
214See SATS Annual Report 2021, available at <https://satsgroup.com/wp-content/uploads/2022/03/SATS-ASA-
Annual-Report-2021.pdf>.




                                                                                                  43the infringements for which it is imposed, taking into account all of the aggravating and
mitigating factors outlined above (see sections 7.1-7.12 above).


Suchafinewouldrepresentapproximately0.3%ofSATS’annualturnoverfor2021.Therefore,
it would have some significance to the company relative to its revenue—which is essential to
ensure its dissuasive effect—without being disproportionate relative to the company’s financial

position and the infringements viewed as a whole.

The amount of the fine set out above takes into account that SATS’ total annual turnover for

2021 decreased by 8% compared to 2020, primarily due to club closures and visit restrictions
becauseoftheCovid-19 pandemic.       215Whilethis is not amitigatingfactor,Datatilsynet believes
that the fine should be slightly adjusted in view of the difficult economic context in which the

company is operating due to the pandemic.

For the sake of clarity, it should be noted that Datatilsynet has calculated the above fine on the
basis of all of the infringements viewed as a whole, and has not cumulated separate fines for

each of the individual infringements identified. In any event, given that all of the provisions
violated by SATS may be fined up to 20 000 000 EUR, the total amount of the administrative
fine has not exceed the amount specified for the gravest infringement, as demanded by Article

83(3) GDPR.

In its written representations, SATS claimed that the amount of the fine indicated above is

disproportionately high and it would not be in line w216 the existing administrative practice
acrosstheEU/EEA regardingadministrativefines.            Inthis respect, wereiteratethat thesetting
of a fine is not an arithmetically precise exercise, 217and supervisory authorities have a certain
margin of discretion in this respect. 218In any event, the cherry-picked selection of cases listed

in SATS’ written representations in support of its claim—none of which is entirely analogous
to the present one—only focuses on the numeric value of the fines imposed, but does not show
how each of the amounts relate to the economic size of the recipient of the fine.    219 The size of

the undertaking concerned is one of the key elements that should be taken into accou220in the
calculation of the amount of the fine in order to ensure its dissuasive nature.         Taking into
consideration the resources of the undertaking in question is indeed justified by the impact
sought on the undertaking concerned, in order to ensure that the fine has sufficient deterrent




215Ibid.
216See SATS’ letter to Datatilsynet dated 31 October 2022, p. 10.
217See, inter alia, Case T-425/18, Altice Europe NV v Commission, para. 362; Case T-11/06, Romana Tabacchi v
Commission, para. 266. See too EDPB, Decision 01/2022 on the dispute arisen on the draft decision of the French

218ervisory Authority regarding Accor SA under Article 65(1)(a) GDPR, adopted on 15 June 2022, para. 74.
   See, inter alia, Case T-192/06, Caffaro Srl v Commission, para. 38. See too EDPB, Decision 01/2022 on the
dispute arisen onthe draft decisionofthe FrenchSupervisoryAuthorityregarding Accor SA under Article 65(1)(a)
GDPR, adopted on 15 June 2022, para. 74.
219Cf. SATS’ letter to Datatilsynet dated 31 October 2022, p. 10.
220EDPB, Decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding
WhatsApp Ireland under Article 65(1)(a) GDPR, paras. 405-412; EDPB, Decision 01/2022 on the dispute arisen
on the draft decision of the French Supervisory Authority regarding Accor SA under Article 65(1)(a) GDPR,
adopted on 15 June 2022, para. 76.



                                                                                                  44effect, given that the fine must not be negligible in the light, particularly, of its financial
capacity.221


Having regard to the above, a fine equal to 0.3% of SATS’ annual turnover for 2021 is in line
with fines issued in partially similar cases, including cases reviewed by Personvernnemda. In
this respect, it suffices to note that in a case concerning violations of Articles 6(1) and 13 that

Personvernnemda did not consider too serious, Personvernnemda deemed a fine e222l to 0.9%
of the annual turnover of the preceding financial year to be adequate.           Further, in a case
concerningaseriousviolationofArticle6(1),Personvernnemdaconsideredafineequalto7.9%
of the annual turnover of the preceding financial year to be “not too high”.   223In this respect, it

should be emphasized that SATS’ infringements concern more provisions of the GDPR and
affected more individuals compared to the latter two cases.

    8. Right of Appeal


As this decision has beenadoptedpursuant to Article56 andChapterVIIGDPR, pursuant toArticle
22(2) of the Norwegian Data Protection Act, the present decision may not be appealed before
Personvernnemda. However, the present decision may be challenged before Oslo District Court

(“Oslo tingrett”) in accordance with Article 78(1) GDPR, Article 224of the Norwegian Data
Protection Act and Article 4-4(4) of the Norwegian Dispute Act.

Kind regards


Line Coll
Data Protection Commissioner



                                                                       Luca Tosoni
                                                                       Specialist Director


This letter has electronic approval and is therefore not signed

 Copy to: Complainants; ADVOKATFIRMAET WIERSHOLM AS









221
   Case C-408/12 P, YKK and Others v Commission, para 85; Case C-413/08 P, Lafarge v European Commission,
para.104andthecaselawcitedtherein.SeetooEDPB,Decision01/2022onthedisputearisenonthedraftdecision
of the French Supervisory Authority regarding Accor SA under Article 65(1)(a) GDPR, adopted on 15 June 2022,
para. 76.
222See PVN-2021-13.
223See PVN-2020-21.
224Act of 17 June 2005 no. 90 relating to mediation and procedure in civil disputes (Lov om mekling og rettergang
i sivile tvister (tvisteloven)).




                                                                                                 45