Datatilsynet (Norway) - 18/04147

From GDPRhub
Revision as of 11:35, 18 November 2023 by Riealeksandra (talk | contribs)
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 17(1)(a) GDPR
Article 17(1)(d) GDPR
Article 25(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.02.2020
Published: 02.03.2020
Fine: 1,000,000 NOK
Parties: Public Roads Administration (Statens vegvesen)
National Case Number/Name: 18/04147
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA initially notified the Public Roads Administration of a NOK 4 million fine for failing to delete toll road crossing logs, thus violating Article 5(1) GDPR, Article 17(1)(a), Article 17(1)(d) and Article 25(1), cf. Article 5(1)(c), Article 5(1)(d), Article 5(1)(e) and Article 5(1)(f). The controller, however, contested the decision, leading the DPA to reassess the case and subsequently reduce the fine to NOK 1 million (approximately €98,000 in June 2021).

English Summary

Facts

A data subject lodged a complaint against the Norwegian Public Roads Administration (the controller) for failing to delete toll road crossing logs, which included personal data related to the car tag number, location and time of crossing. The data subject demonstrated that the controller still (at the time of the complaint) stored personal data about their place of residence dating back to 2008 and 2010.

The controller may legally store personal data related to toll road crossings for accounting purposes, but once that purpose has been fulfilled (storage for 5 years as per Norwegian accounting rules), the personal data must be deleted in line with Article 17(1) GDPR. However, the system used for keeping this data lacked deletion functionality, and the DPA found that the controller had neither assessed nor implemented the technical and organisational measures required by the GDPR.

The Norwegian DPA's investigation revealed a complex situation of several involved parties and confusion around roles and responsibilities. The DPA, however, reasoned that the Norwegian Public Roads Administration was the controller for the personal data concerned.

Other parties involved were toll operators and a software supplier. The involved parties had argued amongst themselves about who was to blame for the violations of the GDPR, with letters dating back to May 2017. The controller claimed it could not delete the personal data in question since the software system (where the toll road crossing logs were kept) lacked deletion functionality.

Holding

As the DPA had reasoned that the Norwegian Public Roads Administration was the controller and thus ultimately responsible for the processing of the personal data, the decision was made against them and not the other parties involved.

The Norwegian DPA instructed the controller to delete, without undue delay, the personal data in the toll road crossing logs for which the purpose of storage has been fulfilled. For the violations described above, the DPA gave notice of its intention to fine the controller NOK 4 million for violating Article 5(1) GDPR, Article 17(1)(a), Article 17(1)(d) and Article 25(1), cf. Article 5(1)(c), Article 5(1)(d), Article 5(1)(e) and Article 5(1)(f).

However, the controller contested the decision, leading the DPA to reassess the case and subsequently reduce the fine to NOK 1 million (approximately €98,000 in June 2021).

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

ADVOKATFIRMAET FØYEN TORKILDSEN AS, PO Box 7086 St. Olavs Plass, 0130 OSLO

Our reference: 20/02194-7 KBK

Date: 07.06.2021

Decision on order and infringement fee

1. Introduction

We refer to the complaint of 10 December 2018 (18/4147–1), the Norwegian Data Protection Authority's notice of decision on order and infringement fee of 25 February 2020 and Føyen Torkildsen's feedback on the notice of decision of 23 March 2020. The case has also been submitted to Q-Free and the complainant. These have given their views, which are attached to the case. In addition, the complainant has subsequently pointed out that the same situation complained of in relation to Fjellinjen is also relevant for Vegfinans (see letter of 4 September 2020) and Ferde (see letter of 31 March 2021). Reference is also made to other correspondence in the case. The case relating to Vegfinans and Ferde is not covered by the decision, but is attached to the case to make it clear that this does not only apply in relation to Fjellinjen.

Føyen Torkildsen (FT) represents the Norwegian Public Roads Administration (Statens vegvesen, SVV) in this case.

The case concerns failure to delete passing information in the toll ring. We explain the case in more detail below, under point 3, but specify at the outset that our decision only applies to transit data that appears in the invoice section. The individual passage through the toll ring is, as informed to the Norwegian Data Protection Authority, deleted in accordance with current regulations. This has an impact on the basis for imposing an infringement fee.

2. Comments from Føyen Torkildsen on the notice

In a letter of 23 March 2020, FT points out that the parties (SVV, Q-Free and the Norwegian Data Protection Authority) proceed from different understandings of the facts, which should be cleared up. The claim that deletion functionality is lacking does not apply to ordinary pass information. According to the statement from FT, ordinary pass information has been subject to deletion rules and deletion functionality since CS-Norge's data solution was put into use. FT points out that the shortcoming at issue here concerns the invoice part of CS-Norge, and is less extensive.

3. The Norwegian Data Protection Authority's assessment of the comments

The Norwegian Data Protection Authority will take into account that the decision shall only include personal data in the invoice part of CS-Norge. It is noted that the part of CS-Norge which includes the pass information has been deleted in accordance with existing regulations. It is also only the personal information in the invoice section that is required to be kept according to the Bookkeeping Act.

Postal address: Postbox 458 Sentrum, 0105 OSLO. Office address: Tollbugt 3. Telephone: 22 39 69 00. Fax: 22 42 23 50. Company No: 974 761 467. Website: www.datatilsynet.no

The Norwegian Data Protection Authority agrees that it has long been planned to phase out CS-Norge. Reference is made here to several meetings between, among others, SVV, Q-Free and the Norwegian Data Protection Authority. However, this does not release SVV from responsibility for rectifying the situation.

What is required to be kept according to the Bookkeeping Act was explained by the Personal Protection Board in PVN-2020-09 Processing of pass data in AutoPass, where it says:

"In 2011, the Privacy Board dealt with two cases concerning the question of how long transit data could be kept at the toll company before the information had to be deleted. PVN-2010-07 concerned a complaint about the Norwegian Data Protection Authority's order to the toll company E18 Vestfold AS to delete transit data for prepaid account holders. PVN-2010-08 concerned a complaint against the Norwegian Data Protection Authority's decision to order Fjellinjen AS to delete transit data in the case of arrears-based invoicing. In the first case (which concerned pass-through data for holders who had an advance-based account), the Norwegian Data Protection Authority had issued an order that pass-through data should be deleted within one month of pass-through. In the other case (which concerned arrears-based invoicing, as in our case), the Norwegian Data Protection Authority had issued an order to delete transit data within five months. In both cases, an opinion was obtained from the Directorate of Taxes which concluded that the data controller was obliged to store pass data for ten years in accordance with the Bookkeeping Act, cf. Bookkeeping Act section 13 second paragraph, cf. first paragraph nos. 2 and 3. The Privacy Board agreed with the Tax Directorate's interpretation of the Bookkeeping Act and came to the conclusion that there was a statutory duty to store transit data for ten years (up until 1 February 2014 the law required storage for ten years) and that the toll companies in both cases had grounds for processing in the Personal Data Act 2000 § 8 first sentence, second alternative.

According to the decisions explained above, the documentation obligation under the Bookkeeping Act has not changed, apart from the fact that the storage period for the information has been reduced from ten to five years. The Personal Data Act 2000 has been repealed and replaced by the Personal Data Act 2018, but the basis for processing in Article 6 no. 1 letter c (necessary to fulfill a legal obligation) represents a continuation of a corresponding provision in the Personal Data Act 2000 § 8 letter b. There are also no other provisions in the personal data protection regulation, which requires a different assessment of this today.

The tribunal then assumes that the Bookkeeping Act requires the storage of passenger data for five years after the end of the financial year and that the Personal Protection Regulation Article 6 No. 1 letter c gives Ferde AS and the Norwegian Public Roads Administration a processing basis for storing the information during this time. During this period, the data subject cannot demand that the information be deleted, cf. article 17 no. 3 letter b.

On behalf of SVV, FT requests that the Norwegian Data Protection Authority specify the decision on orders so that it is clear what needs to be changed. At the same time they ask the Norwegian Data Protection Authority to specify which orders must be addressed directly to Q-Free in order for them to have the desired effect, as SVV does not have the ability to carry out the deletion required by the Norwegian Data Protection Authority.

We refer here to our assessment of processing responsibility (see section 9.1 below), where it is concluded that SVV has the main responsibility, and that other players, such as Q-Free here, must be considered data processors. The Norwegian Data Protection Authority therefore concludes that SVV is the correct addressee in this context.

Reference is also made to the feedback from FT section 2.1 last paragraph where it is stated:

"It is emphasized that transit information is not included in invoices to the extent that the Norwegian Data Protection Authority seems to assume. The problem that transit information is included on the invoice and thus has not been deleted applies to a limited proportion of the total amount of invoices. The fact that transit information has been deleted in the system, with the exception of what is included on the invoice, has a privacy consequence. The deletion means that passes will not be searchable in the same way. After deletion in the transaction register, the passage information will only appear in PDF format. It therefore takes a lot to use the information on the invoices to say something about the individual's movement pattern or to compile a "complete movement pattern".

However, this does not change the fact that SVV had not deleted the information. The fact that the information now only appears in PDF format is of no significant importance, as these can be made available for further use with the help of simple software. Further storage of this information will not be compatible with the requirements for deletion pursuant to Article 17 of the Personal Data Protection Regulation.

In the reply from FT of 23 March 2020, section 4.2 states the following:

"As can be seen from the facts of the case, the establishment of functionality for the deletion itself must be carried out by Q-Free. SVV cannot carry out the deletion itself. As can be seen, SVV has tried to demand deletion from Q-Free since March 2018. There has been disagreement regarding risks linked to new functionality, accounting and tax technical matters, methodology and payment for the deletion. Q-Free's obligation to delete has its basis in, among other things, clause 9 of the contract, cf. appendix 1 clause 4.5, and appendix 1 Customer's Table of Requirements - requirement G 34, as well as Appendix 2 point 4.2.2, point 2.3.6 and point 4.2.1. The Norwegian Public Roads Administration is of the opinion that, in accordance with the requirements set out in the agreement, the relevant deletion functionality should already have been present in the solution. Q-Free claims that the requirements for deletion that were discussed from March 2018 are new requirements. This is not correct – these are requirements that also follow from the old Personal Data Act, and which Q-Free was contractually obliged to comply with when designing the solution. SVV states that the negotiations with Q-Free in this context mean that there is no "unjustified delay" on SVV's part.

SVV cannot be held responsible for a data processor not complying with the data controller over time. Necessary measures for deleting the information in question should have been present in the solution from the beginning - and should in any case have been introduced by the data processor without undue delay when the requirement was clarified in March 2018. Q-Free should have started immediately development of new deletion functionality. Disagreement as to whether the necessary deletion functionality was covered by the original contract or not (and thus triggered the right to payment for the data processor), should have been resolved after the deletion.

As stated in point 2 above, a number of pieces of information have already been deleted during the follow-up of the case. SVV takes the matter seriously, and is working to have the remaining information deleted in accordance with Article 17 a).

According to the plan, CS Norway should have been replaced by a new system solution in the summer of 2019. This has been postponed to 15 January 2021.

In summary, SVV does not dispute that information must be deleted, but states that the lack of complete deletion at the present time is due to circumstances beyond SVV's control, and which SVV has done its utmost to get under control."

It is the Norwegian Data Protection Authority's assessment that an internal disagreement between the parties in a contractual relationship should not come at the expense of the data subjects' rights.

FT has pointed out in its response that Article 25 on built-in privacy should not be applied in this case. Reference was made here to the provision's wording, which states that in the assessment of whether and how built-in privacy protection is to be implemented, "...take into account the technical development, implementation costs, the nature, scope, purpose and context of the processing, as well as the risks of varying probability- and degree of severity for natural persons' rights and freedoms that the processing entails...".

The Norwegian Data Protection Authority has reassessed the provision's application, and finds that as the system is being phased out, it would not be prudent to add large implementation costs to such a system.

The Norwegian Data Protection Authority therefore finds that Article 25 should not be applied in this case.

Secondly, the Norwegian Data Protection Authority has made an assessment of Article 17 no. 1 letter c), and finds that it cannot proceed with this, as it is also not referred to in the application of orders and infringement fees.

The Norwegian Data Protection Authority has also taken into account the FT's comments about the company Deutsche Wohnen SE, in that these have been omitted from the decision letter.

The FT's comments on the notified orders have also been taken into account, which has meant that the infringement fee has been adjusted down.

4. Which regulations are to be applied - questions about choice of law

The new Personal Data Act (Personal Data Act 2018), which in § 1 incorporates the EU's privacy regulation into Norwegian law, entered into force on 20 July 2018. The Act repealed Act of 14.04.2000 No. 31 on the processing of personal data (the Personal Data Act 2000) and the rules in the Personal Data Regulations of 15.12.2000 No. 1265 on the processing of personal data (the Personal Data Regulations 2000). Due to the course of events in the case, it is necessary to decide whether the case should be assessed according to the Personal Data Act 2018 or the Personal Data Act 2000.

We have come to the conclusion that the Personal Data Act of 2018 must be applied in the case. Thus, the provisions in the Personal Data Protection Regulation also apply, cf. § 1 of the Act. This applies to all sides of the case, including those relating to the imposition of an infringement fee, cf. also the Personal Data Act § 26 second paragraph and § 33.

This case concerns breaches of the regulations that occurred at a time prior to the entry into force of the Personal Data Act 2018. However, the breaches of the regulations have been continuous and have persisted over time. In other words, the events in question have stretched over a longer period.

The Personal Data Act 2018 § 33 first paragraph lays down a special transitional rule on infringement fees which reads as follows:

"The rules on the processing of personal data that applied at the time of the action shall be used as a basis when a decision is made on an infringement fee. The legislation at the time of the decision must nevertheless be applied when this leads to a more favorable result for the person responsible."

When a decision is made on an infringement fee, the question of choice of law must therefore be assessed based on what must be considered the time of the act. The Norwegian Data Protection Authority's assessment is that the time of the act in this case is stretched out in time: the unlawful act(s) began before 20 July 2018, but there has been, and will continue to be, a constant and continuous breach of the regulations until the controller ensures that the processing activities comply with the requirements of the regulations. It thus follows from § 33 of the Personal Data Act that this case must be assessed in accordance with the Personal Data Act 2018. This is also in accordance with ECHR Article 7, which refers respectively to "the time of the act" and "the time when [the act] was committed".

We also refer to the preparatory work for the Personal Data Act 2018 (Prop. 56 LS (2017-2018) page 196), where the ministry, among other things, states the following on issues of choice of law between the Personal Data Act 2000 and the Personal Data Act 2018:

"The starting point will be that decisions at the Data Protection Authority and the Personal Data Protection Board will have to be made on the basis of the material rules in force at any given time."

The same follows from the Privacy Appeals Board's practice in cases that do not concern infringement fees and which were submitted to the board before the new law, but which are dealt with under the new law. See for example PVN-2018-005 and PVN-2018-006.

Against this background, we consider it clear that cases concerning ongoing or persistent breaches of the rules must be assessed in accordance with the Personal Data Act 2018 and the Personal Data Protection Regulation.

After this, the Norwegian Data Protection Authority finds that it wants to adjust the infringement fee to NOK 1,000,000.

5. The breach of the law

The failure to delete passing information in the toll ring involves conditions that constitute a breach of the Personal Protection Regulation article 5 no. 1 and article 17 no. 1. This applies to:

• Storage of transit information (the invoice part) beyond the time that the Norwegian Public Roads Administration can legally store this is a breach of the Personal Protection Regulation article 5 no. 1 letter a) and article 17 no. 1 letter a) and d).

6. Decision on order and infringement fee

6.1 Decision on order - art. 58 no. 2 letter d)

1) The Norwegian Public Roads Administration must, without undue delay, delete personal data about chip number, location and time of passage (invoice part) that is stored beyond the time the business can legally store this personal data, as the personal data is no longer necessary for the purpose for which it was collected or processed, cf. the personal protection regulation article 17 no. 1 letter a) and d), cf. article 5 no. 1 letter a), c), d), e) and f).

2) The Norwegian Public Roads Administration must, without undue delay, delete personal data that is stored about complaints beyond the time the business can legally keep them, cf. the Personal Protection Regulation article 17 no. 1 letter a), cf. article 5 no. 1 letter a) and c).

Decisions on orders are explained in more detail under section 9.2.

6.2 Decision on infringement fee - article 58 no. 2 letter i)

Pursuant to the Personal Data Act § 26 second paragraph, the Norwegian Data Protection Authority may impose infringement fees on public authorities and bodies according to the rules in the Personal Protection Regulation article 58 no. 2 letter i), cf. article 83 no. 7.

• The Norwegian Public Roads Administration is ordered, in accordance with the Personal Data Act § 26, second paragraph, cf. the Personal Protection Ordinance, Article 83, to pay an infringement fee to the Treasury of NOK 1,000,000 - one million - for not having deleted passing information about tag number, location and passing time that is stored beyond the time SVV can legally keep these, cf. article 17 no. 1 letter a) and d), cf. article 5 no. 1 letter a),

Decisions on infringement fees are explained in more detail under section 6.3.

7. The facts of the case

The case was initiated by a complaint from a private person, who pointed out that Fjellinjen stored pass information that was older than five years. Passage information includes all passes that vehicles make through the toll ring, including information about the vehicle's tag number (linked to the registration number), location and time of passage. In its response to the complaint, Fjellinjen stated that the company was obliged to store passage data for five years in accordance with the accounting rules. The complainant has shown in the complaint that pass data is stored which is older than five years, and that Fjellinjen has also registered and stored information about the complainant's place of residence back to 2008 and 2010. The complainant has requested that this information be deleted.

The system where personal information about vehicles passing the toll booth and associated invoices is stored is called CS Norge. SVV and Fjellinjen have entered into an agreement on joint processing responsibility for the processing of personal data that takes place in this system. SVV and Fjellinjen have also agreed to exchange personal data in the system between them. Similar agreements have been concluded between SVV and the other toll companies.

SVV has ordered all toll companies in Norway to use this system, which is supplied by QFree ASA. SVV is the system owner and responsible for the application's functionality. It is SVV that determines the purpose of the processing and the means for the processing, cf. the data protection regulation article 4 no. 7. SVV has drawn up a specification for changing the system, so that the retention requirements in the data protection regulation were to be met. SVV sent the assignment order to Q-Free on 22 March 2018. In a letter dated 12 April 2019 to SVV, Fjellinjen stated that there is no functionality that allows Fjellinjen to perform deletion on the specified customer.

In a letter of 23 May 2019 to SVV, Fjellinjen states that Fjellinjen cannot "implement the changes that are system-technically necessary to carry out in CS Norway. Even if SVV, like Fjellinjen, has so-called "shared processing responsibility", the system ownership is indisputably SVV via an agreement with QFree as.

Fjellinjen has contacted Q-Free, where it is stated that the relationship is known to SVV. Q-Free has drawn up proposed solutions and over the past six months has been urging SVV on the occasion of the case and most recently before Easter."

Fjellinjen further states in the same letter to SVV:

"Fjellinjen takes into account that Q-Free, as the supplier of the basic system for AutoPass, has an independent responsibility to comply with the GDPR. This cannot, however, be a reason why SVV, as the system manager, fails to request changes that are necessary for the Toll Companies to be able to safeguard the legislation vis-à-vis the customer as for their own company".

In its reply to Fjellinjen of 31 May 2019, SVV states that SVV "already submitted a task order to Q-Free on 23 March 2018 to have data deleted. After the order, discussions and disagreements have, among other things, arisen between the parties, where the Norwegian Public Roads Administration believes that Q-Free has essentially contributed to the delays in the process of putting in place a deletion function that takes care of the requirements under the privacy regulations in the best possible way." It goes on to say that it would be "incorrect to portray it as if Q-Free has been pressing on for six months, while the Norwegian Public Roads Administration has "failed" to implement the changes that are necessary for regulatory compliance. The deletion process with Q-Free is large and complicated. It is based on an extensive set of agreements and complicated technical conditions."

In a letter of 24 June 2019, Q-Free gives feedback to SVV, where the company points out that SVV gives incorrect information in its letter of 31 May 2019:

"In May 2017, Q-Free initiates discussions with SVV about GDPR. SVV postpones the discussion until the summer to keep the focus on the planned implementation of the new MinSide & IF adapter.

In August 2017, SVV hires Eva Jarbekk to write a report on new privacy rules that QFree should have access to. We will never get that. In January 2018, Q-Free points out in a steering group meeting with SVV that we have not been given access to Jarbekk's report. We ask that GDPR become a fixed agenda item in future steering group meetings.

In March 2018, there will be a task order from SVV to Q-Free to delete personal data that SVV is not authorized to store according to the new GDPR rules (requirement for "one-off deletion"). According to Q-Free, SVV's order requires technical changes to the system, but SVV refutes this despite Q-Free documenting its view in a 25-page memo shared with SVV in May 2018.

In May 2018, SVV asks Q-Free to sign a new data processing agreement where Q-Free must confirm that CS Norge meets all the requirements of the GDPR. This is rejected by Q-Free on the basis that a formal change order has not been issued by SVV with planned measures to close deviations that enable CS Norge to fulfill the GDPR requirements.

At the end of May 2018, Q-Free distributes a new note to SVV that maps areas in CS Norway that potentially require changes in connection with the introduction of GDPR. This is the result of a longer GAP investigation by Q-Free and which is used as a basis for further discussions with SVV.

On 28 June 2018, Q-Free shares a technical solution proposal with SVV which takes into account the aspects that have emerged after extensive discussions between the parties and which basically terminates SVV's assignment order and the requirement for "one-off deletion".

On 29 August 2018, Q-Free sends a letter to SVV's data protection representative in which we, as a data processor, inform the controller of known deviations in relation to the new Personal Data Act/GDPR. Immediate feedback from SVV is that the matter will be handled further by the project manager for CS Norway in SVV. On 19 September 2018, after a reminder from Q-Free on 12 September 2018, Q-Free receives an email from SVV's data protection representative in which it refers to ongoing talks about a data processor agreement and is informed that the case has been forwarded to the section for user financing and that further follow-up will happen via them.

In early September 2018, an invoice proposal with, among other things, 200 hours for GDPR work submitted to SVV. This is rejected because the use of hours on GDPR has not been formally clarified.

Towards Christmas 2018, a series of meetings will be held between Q-Free and SVV, where lawyers are also involved, to clarify who will cover the costs of GDPR adaptations. The parties do not agree.

In December 2018, SVV again creates a task order where the requirement for "one-off deletion" is maintained.

In January 2019, Q-Free proposes to split the costs 50/50 in order to move forward. SVV accepts this proposal later that month. SVV also accepts that deleting data requires a change in the functionality of CS Norway. A change order on deletion is established by SVV so that Q-Free can finally finalize a formal solution proposal.

In the period February-April 2019, a number of working meetings will be held between the parties. SVV requires that certain issues be discussed with SVV's auditor. This work takes time because the auditor must confer with the Tax Directorate and others along the way. The solution description cannot be finalized until the auditor's feedback has been implemented, but final feedback from the auditor will not arrive until April.

On 12 April 2019, Q-Free distributes a proposed solution after clarifications with SVV's auditor. The agreed process was that SVV should approve the technical solution proposal, and that Q-Free should then make a formal offer based on this. After Easter, Q-Free has repeatedly urged SVV for feedback, including in steering group meetings. We are still waiting, over 2 months after the proposal was sent.”

On 8 June 2019, a meeting was held between SVV and the Data Protection Authority, where SVV informed the Data Protection Authority about the process of deleting personal data in CS Norway. SVV has subsequently informed the Data Protection Authority on an ongoing basis about developments in the case. In parallel with SVV's work to improve privacy in current system solutions, SVV is also working to establish new system solutions in the toll area.

The complainant has not yet had his claim for deletion effected.

8. The rules in the Personal Data Protection Regulation

Article 5 of the Data Protection Regulation expresses the core of the data protection law. Violation of the principles in art. 5 may in itself lead to the imposition of sanctions. It follows, for example, from Art. 83 No. 5 that violations of Art. 5 are among the offenses that can result in the highest fines. The maximum amount is 20,000,000 euros, currently about NOK 200 million, for data controllers or data processors who are not companies, cf. also § 26 second paragraph of the Personal Data Act.

9. The Norwegian Data Protection Authority's rationale for making decisions

9.1 Processing responsibility

SVV and Fjellinjen have joint processing responsibility for the processing of personal data mentioned above. According to the Personal Protection Regulation Article 26 No. 1, two or more data controllers shall be joint data controllers when they jointly determine the purpose and means of the processing. It is also a requirement that they determine their respective responsibilities for complying with the obligations in the regulation. This must be done in an open manner.

It is the authorities that determine the purpose of the toll stations, and thus also the purpose of the processing of personal data that takes place in that connection. Fjellinjen has little influence on this. Likewise, it is SVV that is the system owner, and it is SVV that enters into the contract with the supplier about which system is to be used. It is thus SVV that decides which "means" are to be used, cf. Article 4(7) GDPR. Fjellinjen has had no direct influence on the matters raised in this notice.

9.2 Order on implementation of measures

9.2.1 Unlawful storage of passage data in the toll ring

SVV may only lawfully process personal data from passages through the toll ring when there is a legal basis for the processing, cf. Article 6 GDPR. If the processing of personal data is unlawful, the personal data must be deleted, cf. Article 17(1)(d). As a starting point, personal data from passages through the toll ring is stored as the basis for invoicing, and has its legal basis in Article 6(1)(b). The invoicing basis is then to be deleted once the customer has paid. However, section 13 of the Bookkeeping Act requires that primary documentation be retained for up to 5 years after the end of the accounting year. Passage data stored in the toll system beyond this period must be deleted without undue delay, cf. Article 17(1).

Secondly, it can be established that there is a breach of Article 17(1)(a) if personal data from passages through the toll ring is retained for longer than the Bookkeeping Act requires. In that case, the storage of the data no longer satisfies the necessity requirement in the provision, and the data must be deleted.

9.2.2 Unlawful storage of passage data about the complainant

The case was initiated on the basis of a complaint from a person who is to be regarded as a "data subject" within the meaning of the Regulation. The fact that the personal data about the person concerned was not deleted is incompatible with the fundamental rights the complainant has under Article 17(1)(a), (c) and (d) GDPR, cf. Article 5(1)(a).

9.3 The Norwegian Data Protection Authority's assessment of the decision on an infringement fee

The power to impose infringement fees is provided as a means of ensuring effective compliance with and enforcement of the Personal Data Act. Under domestic law, an infringement fee is not regarded as a criminal penalty but as an administrative sanction. However, it must be assumed that an infringement fee is to be regarded as a penalty under Article 6 of the European Convention on Human Rights (ECHR), in line with the Supreme Court's case law, cf. Rt. 2012 p. 1556 with further references.

The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probability of a breach of the law is required before a fee can be imposed. The case, and the question of whether to impose an infringement fee, has been assessed against this standard of proof.

Reference is made in this context to Chapter IX of the Public Administration Act on "Administrative sanctions". An administrative sanction is a negative reaction that can be imposed by an administrative body, which is directed at a committed violation of a statute, regulation or individual decision, and which is regarded as a penalty under the European Convention on Human Rights (ECHR).

For enterprises, the assessment of liability is special. Section 46(1) of the Public Administration Act states:

"When it is stipulated in law that an administrative sanction can be imposed on an enterprise, the sanction can be imposed even if no individual has proven guilty".

In Prop. 62 L (2015-2016), page 199, the following is stated about section 46: "The wording that 'no individual has proven guilty' is taken from the provision on corporate penalties in section 27, first paragraph, of the Penal Code and is to be understood in the same way. Liability is therefore, as a starting point, objective".

As mentioned above, Article 83 provides that the imposition of an infringement fee rests on a discretionary overall assessment, but lays down guidelines for that discretion by highlighting elements that must be given particular weight, since the fee imposed in each individual case must be effective, proportionate and dissuasive.

We have placed particular emphasis on the following points in our assessment:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them,

SVV and the toll companies have introduced a new system solution for collecting charges for passages through the toll ring. According to SVV, the new system is designed so that passage history can be deleted in a way that satisfies the requirements of the GDPR. The problem relates to the old system solution, which lacked such functionality. Passage data is not deleted in that system, and this goes far back in time. The complainant has documented (appendix 1) that information going back to 2011 is registered in the system.

Fjellinjen's privacy policy states that for vehicles with an agreement, personal data is registered in line with the terms of the agreement, while vehicles without an agreement are registered with a video image of the vehicle's registration number. In addition, it turned out that residential addresses from 2008 and 2010 were registered in the system. This indicates that the system contains personal data that it is not lawful to process, cf. Article 5(1)(a), Article 6 and Article 17(1)(a) and (d).

As the Norwegian Data Protection Authority sees it, it is not lawful, and there is therefore no legal basis under Article 6, to process passage data beyond what the bookkeeping rules require. The scope is significant, and the practice has persisted for a long time. Passage data is not a special category of personal data, cf. Article 9, but is perceived by many as worthy of protection, since such data can reveal an individual's movement pattern. For someone who uses the car daily, the movement pattern could be almost complete.

It is disturbing that the toll system has existed for almost 20 years without the missing deletion functionality being discovered. This indicates a lack of focus on the rights of data subjects and a lack of testing of the system.

b) whether the infringement was committed intentionally or negligently

SVV has been aware of this missing functionality for a long time, and, as the Norwegian Data Protection Authority sees it, has not taken sufficient measures to remedy it. The defect has existed in the system solution from the start. This has therefore also been a breach of the provisions of the old Personal Data Act (2000); the requirement that the registration of passage data must have a legal basis also followed from section 8 of that Act.

SVV has been in ongoing dialogue with the Norwegian Data Protection Authority since April 2019 about putting functionality in place in the old system so that passage data is deleted. This work has taken time, and as the attached documentation shows, the parties clearly disagree about who was responsible for the delay. This cannot, however, be given much weight, as SVV should have ensured that this functionality was in place from the start.

We consider it beyond doubt that SVV has known of the need to establish organisational and technical measures in the system. By not taking the necessary steps, SVV has acted with gross negligence.

We find that there is a clear preponderance of probability that SVV has violated Articles 5 and 17 GDPR.

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects

SVV is working together with Q-Free to put functionality in place in the old system solution so that deletion can be carried out.

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32

The GDPR has introduced a considerably higher degree of responsibility for the controller, cf. the accountability principle in Article 5(2). SVV has not ensured that the old system solution had the necessary functionality. It can therefore be stated that SVV has acted in a reprehensible manner by failing to ensure that the solution complied with the GDPR.

e) any relevant previous infringements by the controller or processor

No previous violations can be ascertained.

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects

Since spring 2019, the Norwegian Data Protection Authority has been kept informed about the work to put new functionality in place in the old solution.

g) the categories of personal data affected by the breach

The personal data registered is passage data from the toll ring. In addition, the information necessary to issue an invoice has been registered.

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

The Norwegian Data Protection Authority became aware of the infringement through the request the complainant made to Fjellinjen in autumn 2018.

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures

No measures have previously been taken against SVV with regard to the same subject matter.

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42

This point is not relevant to the case.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

The Norwegian Data Protection Authority has not established that SVV has gained any financial benefit, or avoided losses, directly or indirectly, as a result of the infringement. Nor can anything be identified in mitigation.

Nor has the Norwegian Data Protection Authority taken SVV's financial capacity into account.

9.4 Summary and conclusion

In assessing whether an infringement fee should be imposed, the Norwegian Data Protection Authority attaches particular importance to the fact that the infringements have significantly violated fundamental principles protected by the Regulation, cf. Article 5(1), Article 6 and Article 17 GDPR.

The Norwegian Data Protection Authority attaches particular importance to the fact that SVV has for a long time processed personal data without a legal basis. The Authority considers this serious. Citizens have a clear and legitimate interest in their personal data not being processed unlawfully. General deterrence, and the consideration that the rules should have effect and work as intended, therefore speak strongly in favour of reacting with an instrument such as an infringement fee.

The Norwegian Data Protection Authority cannot see that the other elements highlighted by the law apply to any significant extent, in either an aggravating or a mitigating direction.

The Norwegian Data Protection Authority's conclusion is that an infringement fee should be imposed.

9.5 Amount of the fee

When determining the amount of the fee, the same elements as in the assessment of whether a fee should be imposed are to be given particular weight. The circumstances the Norwegian Data Protection Authority has pointed out above call for a fee of a certain size. The fee should be set high enough that it also has an effect beyond the specific case. At the same time, the size of the fee must be reasonably proportionate to the infringement and to the undertaking.

We have attached particular weight to the fact that SVV did not establish, in the old system solution, functionality that enabled compliance with the GDPR. We have also taken into account the general expectation citizens are entitled to have that state bodies follow the rules laid down for them, and in particular those rules that give individuals rights intended to protect them.

We consider the signalling effect of this case, and the general preventive considerations, to be clear. It should be a wake-up call for SVV about how it manages personal data about those who pass through the toll ring.

The infringement covers only passage data included in the invoicing part of the system, and not passage data in general.

After an overall assessment of the case, in which we have taken into account the input provided by SVV, we have concluded that an infringement fee of NOK 1,000,000 is appropriate.

10. Right to appeal

You may appeal the decision. Any appeal must be sent to us within three weeks of receipt of this letter, cf. sections 28 and 29 of the Public Administration Act. If we uphold our decision, we will forward the case to the Privacy Appeals Board for consideration of the appeal, cf. section 22 of the Personal Data Act.

With best regards

Bjørn Erik Thon director

Knut Brede Kaspersen, director of legal affairs

The document has been approved electronically and therefore bears no handwritten signatures.

Copy to:

Statens vegvesen (Norwegian Public Roads Administration)
