Datatilsynet (Norway) - 18/04147: Difference between revisions

From GDPRhub
mNo edit summary
(3 intermediate revisions by 2 users not shown)
Line 68: Line 68:
}}
}}


The Norwegian DPA notified the Public Roads Administration of a NOK 4,000,000 (about €396,000) fine for not deleting toll road crossings logs, thus likely violating [[Article 5 GDPR#1|Article 5(1) GDPR]], [[Article 17 GDPR#1a|Article 17(1)(a)]], [[Article 17 GDPR#1d|Article 17(1)(d)]] and [[Article 25 GDPR#1|Article 25(1)]], cf. [[Article 5 GDPR#1c|Article 5(1)(c)]], [[Article 5 GDPR#1d|Article 5(1)(d)]], [[Article 5 GDPR#1e|Article 5(1)(e)]] and [[Article 5 GDPR#1f|Article 5(1)(f)]].
The Norwegian DPA fined the Public Roads Administration about €396,000 (NOK 4,000,000) for not deleting toll road crossings logs, thus likely violating [[Article 5 GDPR#1|Article 5(1) GDPR]], [[Article 17 GDPR#1a|Article 17(1)(a)]], [[Article 17 GDPR#1d|Article 17(1)(d)]] and [[Article 25 GDPR#1|Article 25(1)]], cf. [[Article 5 GDPR#1c|Article 5(1)(c)]], [[Article 5 GDPR#1d|Article 5(1)(d)]], [[Article 5 GDPR#1e|Article 5(1)(e)]] and [[Article 5 GDPR#1f|Article 5(1)(f)]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A data subject lodged a complaint against the Norwegian Public Roads Administration (the defendant) for not deleting toll road crossings logs, which included personal data related to the car tag number, location and time of crossing. The complainant demonstrated that the defendant still (at the time of the complaint) stored personal data about his place of residence dating back to 2008 and 2010.
A data subject lodged a complaint against the Norwegian Public Roads Administration (the controller) for not deleting toll road crossings logs, which included personal data related to the car tag number, location and time of crossing. The data subject demonstrated that the controller still (at the time of the complaint) stored personal data about their place of residence dating back to 2008 and 2010.


The defendant may legally store personal data related to toll road crossings for accounting purposes, but when the purposes have been fulfilled (storage for 5 years as per Norwegian accounting rules), the personal data must be deleted in line with [[Article 17 GDPR#1|Article 17(1) GDPR]]. However, the system used for keeping logs of toll road crossings, lacked deletion functionality and the DPA found that the defendant had not assessed, nor implemented, technical and organisational measures as required by the GDPR.
The controller may legally store personal data related to toll road crossings for accounting purposes, but when the purposes have been fulfilled (storage for 5 years as per Norwegian accounting rules), the personal data must be deleted in line with [[Article 17 GDPR#1|Article 17(1) GDPR]]. However, the system used for keeping this data, lacked deletion functionality and the DPA found that the controller had not assessed, nor implemented, technical and organisational measures as required by the GDPR.


The Norwegian DPA's investigation revealed a complex situation of several involved parties and confusion around roles and responsibilities. The DPA, however, reasoned that the defendant was the Controller for the personal data in focus of the investigation.  
The Norwegian DPA's investigation revealed a complex situation of several involved parties and confusion around roles and responsibilities. The DPA, however, reasoned that the Norwegian Public Roads Administration was the controller for the personal data concerned.  


Other parties involved were toll operators and a software supplier. The involved parties had argued amongst themselves who were to blame for the GDPR violations, with letters dating back to May 2017. The defendant claimed they could not delete the personal data in question since the software system (where the toll road crossings logs were kept) lacked deletion functionality. As the DPA had reasoned that the defendant was the controller and thus ultimately responsible for the processing of the personal data, the decision was made against them and not the other parties involved.
Other parties involved were toll operators and a software supplier. The involved parties had argued amongst themselves who were to blame for the violations of the GDPR, with letters dating back to May 2017. The controller claimed they could not delete the personal data in question since the software system (where the toll road crossings logs were kept) lacked deletion functionality.  


=== Holding ===
=== Holding ===
The Norwegian DPA instructed the Public Roads Administration to, without undue delay, delete the personal data related to the toll road crossings logs where the purpose for storing has been fulfilled, including for the complainant.
As the DPA had reasoned that the Norwegian Public Roads Administration was the controller and thus ultimately responsible for the processing of the personal data, the decision was made against them and not the other parties involved. The Norwegian DPA instructed the controller to, without undue delay, delete the personal data related to the toll road crossings logs where the purpose for storing has been fulfilled. For the violations described above, the DPA held that they intend to fine the defendant NOK 4,000,000 (about €396,000) for violating [[Article 5 GDPR#1|Article 5(1) GDPR]], [[Article 17 GDPR#1a|Article 17(1)(a)]], [[Article 17 GDPR#1d|Article 17(1)(d)]] and [[Article 25 GDPR#1|Article 25(1)]], cf. [[Article 5 GDPR#1c|Article 5(1)(c)]], [[Article 5 GDPR#1d|Article 5(1)(d)]], [[Article 5 GDPR#1e|Article 5(1)(e)]] and [[Article 5 GDPR#1f|Article 5(1)(f)]].
 
For the violations described above the DPA held that they intend to fine the defendant NOK 4,000,000 (about €396,000) for violating [[Article 5 GDPR#1|Article 5(1) GDPR]], [[Article 17 GDPR#1a|Article 17(1)(a)]], [[Article 17 GDPR#1d|Article 17(1)(d)]] and [[Article 25 GDPR#1|Article 25(1)]], cf. [[Article 5 GDPR#1c|Article 5(1)(c)]], [[Article 5 GDPR#1d|Article 5(1)(d)]], [[Article 5 GDPR#1e|Article 5(1)(e)]] and [[Article 5 GDPR#1f|Article 5(1)(f)]].


== Comment ==
== Comment ==
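Review bot: The revised lead sentence and the revised Holding paragraph now disagree: the lead says the DPA "fined" the Public Roads Administration, while the Holding still says the DPA "intend to fine" it, which is what the earlier wording "notified ... of a NOK 4,000,000 ... fine" expressed. Suggest keeping "notified ... of" in the lead, or changing the Holding if the fine has since been imposed. In the same Holding paragraph the last sentence still reads "fine the defendant" although every other occurrence in this revision was changed to "the controller"; use one term throughout.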

Revision as of 15:19, 26 January 2022

Datatilsynet (Norway) - 18/04147
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 17(1)(a) GDPR
Article 17(1)(d) GDPR
Article 25(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.02.2020
Published: 02.03.2020
Fine: 4,000,000 NOK
Parties: Public Roads Administration (Statens vegvesen)
National Case Number/Name: 18/04147
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined the Public Roads Administration about €396,000 (NOK 4,000,000) for not deleting toll road crossing logs, thus likely violating Article 5(1) GDPR, Article 17(1)(a), Article 17(1)(d) and Article 25(1), cf. Article 5(1)(c), Article 5(1)(d), Article 5(1)(e) and Article 5(1)(f).

English Summary

Facts

A data subject lodged a complaint against the Norwegian Public Roads Administration (the controller) for not deleting toll road crossing logs, which included personal data related to the car tag number, location and time of crossing. The data subject demonstrated that the controller still (at the time of the complaint) stored personal data about their place of residence dating back to 2008 and 2010.

The controller may legally store personal data related to toll road crossings for accounting purposes, but when the purposes have been fulfilled (storage for 5 years as per Norwegian accounting rules), the personal data must be deleted in line with Article 17(1) GDPR. However, the system used for keeping this data lacked deletion functionality, and the DPA found that the controller had neither assessed nor implemented technical and organisational measures as required by the GDPR.

The Norwegian DPA's investigation revealed a complex situation of several involved parties and confusion around roles and responsibilities. The DPA, however, reasoned that the Norwegian Public Roads Administration was the controller for the personal data concerned.

Other parties involved were toll operators and a software supplier. The involved parties had argued amongst themselves about who was to blame for the violations of the GDPR, with letters dating back to May 2017. The controller claimed they could not delete the personal data in question since the software system (where the toll road crossing logs were kept) lacked deletion functionality.

Holding

As the DPA had reasoned that the Norwegian Public Roads Administration was the controller and thus ultimately responsible for the processing of the personal data, the decision was made against them and not the other parties involved. The Norwegian DPA instructed the controller to delete, without undue delay, the personal data related to the toll road crossing logs where the purpose for storing has been fulfilled. For the violations described above, the DPA held that it intends to fine the defendant NOK 4,000,000 (about €396,000) for violating Article 5(1) GDPR, Article 17(1)(a), Article 17(1)(d) and Article 25(1), cf. Article 5(1)(c), Article 5(1)(d), Article 5(1)(e) and Article 5(1)(f).

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Notification of infringement fee to the Norwegian Public Roads Administration

The Norwegian Data Protection Authority has notified the Norwegian Public Roads Administration of an order and infringement fee of NOK 4 million. The case concerns failure to delete passage information in the toll ring.

The Norwegian Public Roads Administration has not deleted passage information such as chip number, location and time of passage in its database. In the original system for storing passes in the toll ring, it was not possible to delete pass information.

- The Norwegian Public Roads Administration has processed personal data illegally. The delete function has been missing, and there is an enormous amount of information that has not been necessary to store, says director Bjørn Erik Thon.

Unnecessary registrations

In the assessment, special emphasis was placed on the fact that the system had not considered built-in privacy, such as automatic deletion.

- Then it is serious that the system was not set up according to the privacy regulations. People should be able to travel without unnecessary registrations, says Thon.

An infringement fee of NOK 4 million is the highest the Norwegian Data Protection Authority has so far notified in accordance with the new regulations (GDPR).

Working on a new database

In notification of orders, the Norwegian Data Protection Authority asks the Norwegian Public Roads Administration to delete personal data, such as chip number, location and time of passage, which are stored beyond the time the Norwegian Public Roads Administration can legally store this personal data. The reason is that such personal information is no longer necessary for the purpose for which it was originally collected or processed.

The Norwegian Public Roads Administration is currently working to rectify the deficiencies, and will introduce a new database where the functionality to delete data is present.

Download: Notification of decision on order and infringement fee (pdf)

Contact person: Janne Stang Dahl, communications director

Published: 02.03.2020