Datatilsynet (Norway) - 18/04147
|Relevant Law:||Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 5(1)(d) GDPR, Article 5(1)(e) GDPR, Article 5(1)(f) GDPR, Article 6(1) GDPR, Article 17(1)(a) GDPR, Article 17(1)(d) GDPR, Article 25(1) GDPR|
|Parties:||Public Roads Administration (Statens vegvesen)|
|National Case Number/Name:||18/04147|
|European Case Law Identifier:||n/a|
|Original Language(s):||Norwegian|
|Original Source:||Datatilsynet (in NO)|
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA initially notified the Public Roads Administration of a NOK 4 million fine for failing to delete toll road crossing logs, thus violating Article 5(1) GDPR, Article 17(1)(a), Article 17(1)(d) and Article 25(1), cf. Article 5(1)(c), Article 5(1)(d), Article 5(1)(e) and Article 5(1)(f). The controller, however, contested the decision, leading the DPA to reassess the case and subsequently reduce the fine to NOK 1 million (approximately €98,000 in June 2021).
English Summary
Facts
A data subject lodged a complaint against the Norwegian Public Roads Administration (the controller) for failing to delete toll road crossing logs, which included personal data related to the car tag number, location and time of crossing. The data subject demonstrated that the controller still (at the time of the complaint) stored personal data about their place of residence dating back to 2008 and 2010.
The controller may legally store personal data related to toll road crossings for accounting purposes, but when the purposes have been fulfilled (storage for 5 years as per Norwegian accounting rules), the personal data must be deleted in line with Article 17(1) GDPR. However, the system used for keeping this data lacked deletion functionality, and the DPA found that the controller had neither assessed nor implemented technical and organisational measures as required by the GDPR.
The Norwegian DPA's investigation revealed a complex situation involving several parties and confusion around roles and responsibilities. The DPA, however, reasoned that the Norwegian Public Roads Administration was the controller for the personal data concerned.
Other parties involved were toll operators and a software supplier. The involved parties had argued amongst themselves about who was to blame for the violations of the GDPR, with letters dating back to May 2017. The controller claimed they could not delete the personal data in question since the software system (where the toll road crossing logs were kept) lacked deletion functionality.
Holding
As the DPA had reasoned that the Norwegian Public Roads Administration was the controller and thus ultimately responsible for the processing of the personal data, the decision was made against them and not the other parties involved.
The Norwegian DPA instructed the controller to delete, without undue delay, the personal data in the toll road crossing logs where the purpose for storing it has been fulfilled. For the violations described above, the DPA held that it intended to fine the controller NOK 4 million for violating Article 5(1) GDPR, Article 17(1)(a), Article 17(1)(d) and Article 25(1), cf. Article 5(1)(c), Article 5(1)(d), Article 5(1)(e) and Article 5(1)(f).
However, the controller contested the decision, leading the DPA to reassess the case and subsequently reduce the fine to NOK 1 million (approximately €98,000 in June 2021).
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.