Datatilsynet (Norway) - 19/02450
From GDPRhub
| Datatilsynet (Norway) - 19/02450 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1) GDPR Article 5(1)(b) GDPR Article 5(2) GDPR Article 6 GDPR Article 6(1)(f) GDPR Article 12(1) GDPR Article 12(1) GDPR Article 12(2) GDPR Article 12(4) GDPR Article 13(1)(d) GDPR Article 24 GDPR Article 57(1)(b) GDPR Article 57(2) GDPR Article 70(1) GDPR Forvaltningsloven (Norwegian Public Administration Act) § 2(b), cf. (a) |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 13.08.2019 |
| Decided: | 24.03.2020 |
| Published: | |
| Fine: | None |
| Parties: | The Norwegian DPA Datatilsynet |
| National Case Number/Name: | 19/02450 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Excempt from public, shared by data subject on LinkedIn (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
A data subject lodged a complaint against the Norwegian DPA alleging several GDPR violations. A third party was appointed to handle the case, since the DPA itself cannot handle complaints filed against it. The appointed representative held that the DPA violated Article 13 GDPR for failing to specify the legitimate interests for processing personal data on their website.
English Summary
Facts
A data subject lodged a complaint against the Norwegian DPA for several GDPR violations related to their website (https://www.datatilsynet.no). Since the DPA is disqualified from managing complaints lodged against them, the Ministry of Local Government and Regional Development, administratively superior to the DPA, appointed an external party to assess the complaint and make a decision.
First, the data subject claimed that the DPA violates Article 6 GDPR because they base all processing activities relating to website visits on Article 6(1)(f), when the second paragraph of Article 6(1) states that this lawful basis does not apply to processing carried out by public authorities in the performance of their tasks. The data subject opined that since the DPA is a public authority and operating their website happens as part of their tasks, they could not rely on this lawful basis. In addition, the data subject claims that even if the DPA could base certain processing activities on this lawful basis, the interests claimed are not necessary for the processing in question, for example claiming that storing keyword searches are not necessary to operate the website.
The DPA responds that they have assessed several possible lawful bases for processing of personal data in relation to their website, for example Article 6(1)(e) and Article 6(1)(a). However, they felt that (e) was not appropriate and that (a) was only partly appropriate. Thus, they concluded that Article 6(1)(f) was the correct lawful basis. As for the complaint from the data subject, they refer to the legal preparatory works related to the GDPR, where the Ministry of Justice and Public Security assumes that the exception referred to in the second paragraph of Article 6(1) only refers to the processing of personal data related to the exercise of the public authorities' tasks. The DPA also refers to the French DPA's use of this lawful basis for several of their processing activities and purposes.
Second, the data subject claimed that the DPA violates Article 13(1)(d) because the website privacy notice fails to specify which legitimate interests as per Article 6(1)(f) the DPA claims for the processing of the website feedback function and storing comments on their blog, contrary to the Article 29 Group's recommendations. The DPA admits that this information is missing, due to a mistake, but that it was corrected a long time ago.
Third, the data subject claimed that the DPA violates Article 5(1)(b) for not stating specific enough purposes, and thus also violating Article 5(2). The DPA disagreed and referred to their privacy notice, and to their internal controls system information security, privacy and data protection, as regards the accountability principle.
Fourth, the data subject claimed that the DPA violates Article 57(2) for not allowing data subjects to lodge complaints electronically and for making it unnecessary difficult to find information about how to lodge a complaint. The DPA disagreed and referred to the various ways this information was made available on their website. They agreed, however, that the current setup of lodging complaints was too cumbersome and not user friendly. They had been working on an online solution and expected this to be done during the Spring of 2020.
Fifth, the data subject claimed that the DPA violates Article 77 when requiring data subjects to contact the controller for a complaint, before lodging one with the DPA. The DPA justified this with the dramatic increase in number of cases over the last years and their experience with seeing many cases being resolved when the data subject contacts the controller directly. They admitted, however, that there could be necessary to soften the language, and therefore changed the word "must" to "should".
Holding
The General Director's replacement ("GDR") held the following:
1) The DPA had not violated Article 6(1)(f). The GDR agreed with the DPA that there are no other lawful bases for the processing of personal data in relation to their website. The GDR referred to Recital 47 GDPR and that the DPA's tasks as per Article 57(1)(b) falls outside of the exception referred to in the second paragraph of Article 6(1). Finally, the GDR considers the necessity requirement to be fulfilled since the GDPR itself outlines the needs for information, cf. Article 57(1)(b).
2) The DPA violated Article 13(1)(d) because they failed to specify the legitimate interests claimed for the processing of the website feedback function and storing comments on their blog. As this was already recified by the DPA, the GDR only sufficed by stating his criticism in this regard.
3) The DPA had not violated Article 5(1)(b) or Article 5(2), cf. Article 24. The GDR notes that the DPA states 12 different purposes for processing personal data in their website privacy notice. To properly assess this allegation, the GDR would have to do a relatively comprehensive review of each purpose. Since the complaint does not specify exactly why the purposes are not explicit enough and does not specify any particular negative consequences for the data subject, the GDR does not find any violations in this regard.
4) The DPA had not violated Article 57(2) as the GDR found the information about how to lodge a complaint to the DPA, as sufficient, and because he does not interpret the Article to require electronic submissions of complaints.
5) The DPA violated Article 77 in requiring data subjects to first contact the controller directly and provide documentation relating to their complaint, to the DPA. The GDR assumes that the DPA will take necessary measures to correct these violations.
Comment
The GDR makes a rather interesting comment in his decision: "(...) the processing only uses the IP address as the only identifiable element and will, in practice, be perceived as "anonymous" personal data only available to a few people. In this instance, I view the risk (...) as so minimal that the legitimate interest (...) undoubtably [outweighs the rights and freedoms of data subjects]".
Further Resources
The data subject has shared the original complaint here.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Decision in a case concerning the Data Inspectorate's processing of personal data, etc. 1 Introduction On 13 August 2019, the Danish Data Protection Agency received an undated complaint from Milo5 Novovi € (hereinafter complaints). The complaint concerned the Data Inspectorate's processing of personal data in connection with the website www.datatilsynet.no. The Data Inspectorate was sued, and the Data Inspectorate's direct year was thus incompetent to process the case. The Ministry of Local Government and Modernization appointed therefore Professor Dr. Juris Dag Wiese Schartum at the Center for Forensic Informatics, UiO as set directly with the task of making a decision in the case. To prepare the case, Schartum has become assisted by two employees in the Norwegian Data Protection Authority who were not involved in the design of and content in www.datatilsynet.no. These caseworkers have performed tasks at the request of set directly clean. In a letter dated 20 December 2019, the Norwegian Data Protection Authority was asked to provide answers to questions such as settedirekt ren had formulated on the basis of the complaint, with a response deadline of 20 January 2020. This The deadline was for practical reasons later set at 27 January 2020. The Norwegian Data Protection Authority gave its response in letter of 27 January 2020. The reply was accompanied by ten appendices with various types of documentation such as substantiated the Data Inspectorate's view of the case. Notification of a decision was sent to the Norwegian Data Protection Authority on 24 February 2020, with a deadline of 20 March 2020. I The feedback on the notification from the Norwegian Data Protection Authority, dated 20 March 2020, provided the Authority with information on how they have reformulated the text regarding the current complaint to the Danish Data Protection Agency in line with Article 77 of the Privacy Regulation, cf. point E in the notice of decision. Set directly clean found after this reason to clarify the said point in the decision. Otherwise, the Data Inspectorate had none notes to the notice. The complaint was submitted in August 2019, and the case processing has taken more than half a year The long case processing time is largely due to extra time spent in connection with appointment of settedirekt r. Below, I will assess the various complaints in the case as they appear in the claim statement dated 20 December 2019. I also refer to the mentioned requirement for an account what applies the legal basis in the case and sees no need for the agent this here. 2. On the right of appeal Registered persons have the right to appeal to a supervisory authority, cf. the Privacy Ordinance Article 77 no. 1. In this case, the supervisory authority is the Norwegian Data Protection Authority. The right of appeal after the aforesaid provision presupposes that the complaint concerns the processing of personal data about complaints (the registered). The right to appeal in this case has not been disputed. It has nevertheless been rt noted that the complainants have not indicated that any concrete treatment has taken place personal information about complaints themselves. B de Datatilsynet and settedirekt ren have, however, added due to the fact that complainants have used the Data Inspectorate's website with the consequence that personal information about complaints have been processed. In the view of the direct director, the complaint could not have been rejected as unjustified without it being in any case stated that no personal data on complaints had been processed. The principle of legality, fairness and justice, cf. Article 5 (1) (a) of the Privacy Regulation, indicates that the supervisory authority should actually process complaints even if it is not clear which ones personal data processed about the complainant. This assumes that it is it is probable that personal data about the person in question has been processed. Alleged violation of Article 6 of the Privacy Regulation Complainants state that the Data Inspectorate bases all processing activities related to website visits the basis for consideration of interests in accordance with the Privacy Ordinance, Article 6, paragraph 1, letter 1 f. He believes that the Data Inspectorate can not legally process personal data after this the basis for treatment in this context because the Privacy Regulation Article 6 (1) the second paragraph stipulates that no. 1 letter may be applied to treatment performed by public authorities as part of the performance of their tasks. As the Data Inspectorate is one public authority and the operation of the website takes place as part of the performance of the Authority's tasks, considers the complainants that the processing of personal data on this basis of processing is illegal. Even if the Data Inspectorate had been able to base the processing on the processing basis balancing of interests in some cases, complainants claim that the interests mentioned in the Data Inspectorate's privacy statement does not meet the requirements related to legitimate interests. This because it in the complainant's view there is no logical way to justify that it is necessary to treat them the relevant personal data for the relevant interests; for example, storage is not off s keord n necessary for the website to work. The Data Inspectorate's response states that several possible processing bases for personal data in connection with the websites has been considered. This specifically applies to a possible basis in Article 6, paragraph 1, letter e (statement in the public interest or in public authority) and Article 6 (1) (a), after which the data subject's consent is given basis for treatment. The Data Inspectorate argues that the alternative in letter e is not applicable and that the alternative in letter a only partially fits. The Danish Data Protection Agency has therefore intended that Article 6, paragraph 1, is the only option which is fully applicable to it the processing of personal data that takes place in connection with the use of www.datatilsynet.no. To the objection that the alternative in Article 6 No. 1 letter fikke can be used by public authorities, the Data Inspectorate responds by referring to a statement from the Ministry of Justice and Emergency Preparedness and Prop. 56 LS (2017-2018) section 6.3.1. Here the ministry writes, among other things: As the exception from Article 6, paragraph 1, letter fbare addresses public authorities and their tasks, the Ministry [...] assumes that the exception as a starting point only applies to the processing of personal data in connection with the exercise of public authority. They further write that the scope of the exemption from the application of Article 6 (1) (f) to the public authorities m: fasin clarification through practice. The Danish Data Protection Agency also states that the French Data Protection Agency, Commission N ationale des Informations et des Libertes (CNIL), states Article 6 (1) (f) as the legal basis for processing personal data in connection with a number of their own processing activities and form of treatment l. My assessment I agree with the Data Inspectorate's justification that no other basis for processing in Article 6 no. 1 than the alternative in letter f may be useful as a basis for treatment of personal information in connection with the use of www.datatilsynet.no. The crucial question is whether the exception in letter f second paragraph nevertheless means that this basis for treatment is inapplicable to a public authority such as the Norwegian Data Protection Authority. The wording of the exception applies to public authorities as part of the performance of their tasks (highlighted here). The question is whether tasks should be understood as tasks as authority or also m understand as other tasks a public authority has. In Article 6, paragraph 1 letter e is perform a task and exercise public authority used as alternatives. This may be an argument that tasks in the letter f must be understood as something more than that applies to the exercise of authority. However, it is important to note the premise / justification for the exception as it comes for expression in the preamble, section 47: As it is up to the legislature by law to determine the legal basis for public authorities' processing of personal data should be mentioned in court basis does not apply to treatment performed by public authorities in connection with with the performance of the tasks assigned to them. In my opinion, this statement is only an implicit reference authority in the strict sense. In any case, I mean a task that is performed independently of individual case processing or otherwise authority exercise at the Norwegian Data Protection Authority, and which has the form of supporting one of the central tasks of the supervisory authorities under Article 57 (1) of the Privacy Regulation letter bom promote the public's knowledge of risks, rules, guarantees and rights (...), Falls outside the exceptions mentioned in Article 6, paragraph 1, letter f, second paragraph. The premise m however, the information provided by the Norwegian Data Protection Authority is not so arranged and formulated that it gives a definite and authoritative expression of the duties and rights of the user www.datatilsynet.no has or can have. S led will e.g. a service on the websites as direct 3 offers support for the application of law and discretion in specific cases could come under mentioned exemption provision. However, I do not consider that www.datatilsynet.no has one facility or content, and I therefore believe the exception does not apply. The application of Article 6 (1) (f) as a basis for treatment requires that there is a preponderance of interests in favor of legitimate interests stated by the data controller, cf. the wording is at the front of the provision. The legitimate interests must also do so necessary a na the form l that justifies the treatment. In the Data Inspectorate's privacy statement, the Authority states: The legitimate interest [as justifies the processing of personal data] is to improve and further develop information p our websites. This interest is in accordance with the legal obligation of the Data Inspectorate pursuant to Article 57 (1) (b) to promote public awareness of risks, rules, guarantees and rights (...). The rationale is all about promoting privacy using information services on the Data Inspectorate's website. The processing of personal data what happens has only the user's IP address as an identifying element and will in practice be experienced as anonymous information that is only available to a few people. I consider in this the case that the risk of violating the data subjects' fundamental rights and freedoms is so minimal that the legitimate interest in spreading knowledge about rules and rights etc. about privacy undoubtedly must weigh heaviest. It is clear that the Data Inspectorate can promote the public's knowledge of risks, rules, guarantees and rights (...) in other ways than by having a website. The website is then also only one of the measures that the Data Inspectorate uses to inform about the privacy regulations. However, the website is especially important because it is always available, allowing for constant updating the information and has a usage capacity that is independent of available human resources. Although the service is very important, it still can not be seen as n necessary in the strictest sense of the word, ie in the sense only possible means. The Data Inspectorate's website and the processing of personal data the service entails, m however, it is considered necessary to have an information service that is in proportion to the need for information created by the privacy policy. I consider in other words n the requirement of necessity in Article 6 (1) (f) as satisfied. Overall, I have therefore come to the conclusion that the Data Inspectorate has a valid basis for processing in Article 6 (1) (f) of the Privacy Regulation for the processing of personal data which takes place in connection with the website www.datatilsynet.no. 4. Alleged violation of Article 13 of the Privacy Regulation Complainants allege that the Data Inspectorate has violated the requirement in the Privacy Ordinance, Article 13, No. 1 letter d about information to the data subject. The reason for this is that the Data Inspectorate p the website has not provided specific information on which legitimate interest under Article 6 no. 1 letter f which forms the basis for the processing of personal data in the following contexts: • the feedback function Did you find what you were looking for? 4 • when saving comments on the Privacy Blog Where the Data Inspectorate states the legitimate interests on which a processing is based, it is nevertheless not provided information on the result of the balance of interests. Complainants state that this is in conflict with the recommendation of the Article 29 Working Party. The Norwegian Data Protection Authority admits that this information has not been explicitly provided in the event of an incursion. The states that the privacy statement stated that the processing of information in connection to the feedback function was based on a legitimate interest in accordance with Article 6 (1) letter f. However, it was not stated what specific legitimate interest was involved about. Nor in connection with the comment function on the Privacy Blog was it given information on the specific legitimate interest. The Data Inspectorate points out that the legitimate interest associated with the Privacy Blog is to add facilitate that readers can express their opinion on and discuss the blog posts and that this is common practice for bloggers. They therefore assume that this has hardly created uncertainty among readers. In a In summary, the Data Inspectorate states in its response that to the extent that this can be described as a breach, the breach has not posed a real risk to the data subjects' rights and freedoms. They also remind that the relationship has long since been rectified. My assessment If a data controller bases the processing of personal data on p Article 6 (1) (f) of the Privacy Regulation on legitimate interest, and the collection of information takes place directly from the registered person, the data controller must always state which one legitimate interest in question. It is not sufficient that it is stated that the person in charge of treatment considers to have a legitimate interest; it must also be stated which or what legitimate interests are at stake. The reason for the obligation to provide specific information is that the basis for processing in Article 6, paragraph 1 letter f differs from the other treatment bases in that the provision is very broadly worded: It is not only the person responsible for the treatment, but also a third party, interests that can be included in the assessment of whether there is a legitimate interest. The basis for processing Article 6, paragraph 1, letter also applies in particular in that the provision refers to a broad balance of interests between the legitimate interests on the one hand, and the the interests of data subjects and fundamental rights and freedoms on the other hand. The various grounds for treatment in Article 6, paragraph 1, are in principle equal, ie they are no prioritization between them. For a treatment manager, it can be easier argue for a legitimate interest, cf. Article 6 (1) in letter f, than for example obtain an informed consent from the data subject, cf. Article 6 no. 1 letter a. Article 6 no. l gives the data controller full access to argue that his own, possibly third parties, interests are so significant and weighty that the treatment of personal information can be obtained without obtaining consent or referring to others specific treatment bases. 5 The wide right to process personal data as provided for in Article 6 (1) (1), makes it especially important to provide adequate information to registered persons. Registered can then have a basis for assessing whether the stated specific legitimate interests, as well as the balance between them, is durable or not. I agree with the Norwegian Data Protection Authority that Article 6 no. 1 letter f on legitimate interest is the only one applicable treatment basis for the mentioned feedback and comment functions, cf. also the discussion in point 3 above. In this case, the use of legitimate interest is as treatment basis thus not only an easy solution, but the only possible solution. A very special aspect of the relevant processing of personal data is that it takes place for promote personal data protection. In other words, it is about legitimate interests such as primarily gives positive effects for personal data protection, because the Data Inspectorate will be better able to see their tasks as specified in the Privacy Ordinance (see in particular Article 57 (1) (b) of the Privacy Ordinance on the task of promoting knowledge about personal data protection). At the same time, the treatment takes place in a way that to a very small degree creates a risk of violations by the data subjects. B the feedback and comment functions can moreover, it is said to support freedom of expression - albeit in a simple way. I find it clear that the Data Inspectorate should have provided information about the specific legitimate interests who justified the feedback and comment functions, but finds this lack difficult can be said to have had a significant negative impact on the protection of the users of the services (registered persons). It is not claimed that the missing information has been damaged some kind. The relationship is focused on and no longer has current interest. I therefore find that it only is the basis for direct criticism of the Norwegian Data Protection Authority for the period when information about specific legitimate interests were not given, and I note that Article 13 (1) (d) the time was broken. 5. Alleged violation of Article 5 of the Privacy Regulation Complaints state at an overall level that the Data Inspectorate, through its online services, is violating with some of the principles set out in the Privacy Ordinance Article 5 No. 1. Complaints believes that the principle of form limitation is violated by the form lene specified in the privacy statement is not specific enough. Furthermore, complaints to the Danish Data Protection Agency, as a consequence of the above, has also violated the principle of liability in Article 5 (2). In its response, the Data Inspectorate disagrees that the terms of reference are not precise enough and refers to privacy statement. When it comes to compliance with the principle of accountability, shows The Norwegian Data Protection Authority's management system for information security and privacy, version 3.0. My assessment At this point, the complaint is of a very general nature. The Data Inspectorate's privacy statement describes in detailed ways twelve common types of processing of personal data such as The Data Inspectorate is responsible for. For each of these, information is given about form l. In the very In most cases this is done by using the term form l, while in some cases in the site is given a description of what the information will be used for. 6 Form ls statements have significance for several other legal issues l. For that I know the treatment of this case should be able to take a position on the question of whether the formal statements are sufficient specific, it would require a relatively comprehensive discussion of each form l. Complainants have only given general statements about the lack of specific formalities, and as far as I can understand is not complaining about any particular situation that has had negative consequences for him. I therefore finds no reason to go into more detail about each of the many formal statements in the privacy statement is sufficiently specific or not. The requirement for a specific form statement will vary depending on the risk of privacy breaches. Such risk in connection with www.datatilsynet.no_er, as far as I can First, review the end very low. As far as I can tell, there are no clues claim that the statements of form in the Data Inspectorate's privacy statement are not very specific. Overall, I do not find grounds to conclude that there is a breach of the principle on the limitation of formalities in Article 5 (1) (b) of the Privacy Regulation or the principle of liability in Article 5 (2), cf. Article 24. 6. Alleged violation of Articles 57 and 77 of the Privacy Regulation My assessment - Article 57 (2) of the Privacy Regulation Complainants claim that the Data Inspectorate makes it unnecessarily difficult for the registered complaints to be submitted matters to them. Information on how to proceed with a complaint is, in the complainant's view, not easy available, either by primary or secondary navigation on the website. The Data Inspectorate disagrees in this and refers to the different ways in which this information is made available. The right to appeal arises from information that becomes available via the search function on the site. Here is the information if you are applying for a complaint or appeal to The Data Inspectorate (on the other hand, not by so-called right of appeal, for example). Alternatively, the user can follow the path Contact us How to complain to the Norwegian Data Protection Authority. Information about the right of appeal appears also directly if someone outside the Data Inspectorate's website searches Google for the Data Inspectorate complaint or the like. The information about the right of appeal states that users can submit a formal complain to the Norwegian Data Protection Authority if they have experienced something they believe is a breach of the privacy regulations. It would obviously be possible for the Data Inspectorate to expose the information on the right of appeal better than is the case today on www.datatilsynet.no. On the other hand, the information is good available via general search functions, both within the website and via general websites. After this, I can not find support for the complainants' claim of lack of availability. Furthermore, the complainants maintain that the Norwegian Data Protection Authority does not make it possible for the registered applicants complain electronically, but require them to send a complaint in physical format by post. This means complaints is a violation of the Privacy Regulation Article 57 No. 2, which states that each the supervisory authority shall facilitate the submission of complaints as mentioned in no. 1 letter fved with the help of measures such as a complaint form that can also be filled in electronically, without exclusion other means of communication. 7 To this point in the complaint, the Data Inspectorate replies that complaints often have a content that requires that the shipment is satisfactorily protected. The audit has not yet developed its own secure digital solution for filing a complaint, and they admit that the current procedure is cumbersome and small user friendly. However, a new digital solution is under construction and is expected to be completed by 2020. The Data Inspectorate reminds that complaints are not infrequently containing sensitive information character. Ordinary e-mail is therefore not a sufficiently secure procedure for filing of complaint. Only in special cases where complainants can encrypt their communication, will the Data Inspectorate therefore could receive complaint by email. The main rule is that the complaint must be sent by letter to The Data Inspectorate's mailbox address. If anyone has objections to the way the Data Inspectorate processes personal information, they can also contact the Authority's privacy representative, who in turn can provide advice and guidance on complaints. The Data Inspectorate's privacy statement contains more information information about this. The provision in Article 57 (2) to which the complainants refer stipulates that the supervisory authorities shall facilitate the filing of complaints [...] by means of measures such as a complaint form as can also be filled in electronically (...). The key here is the duty to facilitate submission of complaint. Facilitation using a form that can also be filled in electronically (digitally) is here is an example of how such an arrangement can take place. The Privacy Ordinance only sets requirements for the use of electronic aids and standardized routines etc. in the communication between the various authorities, see e.g. Article 60 (12), (61), (6) and (6) and Article 64 (4) and (5) responsible for processing and registered, become electronic routines etc. either maintained as permitted or as an example of how communication can take place. The provision of Article 57 (2) on The Data Inspectorate's arrangements for filing complaints must be seen in this wider context. In my opinion, the provision can neither be seen as a duty to have digital routines for filing a complaint or obligation for such digital routines to contain forms. The eGovernment Regulations (efvf.) 'regulate the use of electronic by public administrative bodies means of communication, including communication with citizens. According to these rules it is up to the executive body itself to decide whether they want to facilitate electronically communication and whether specific procedures should be used as such communication is used, cf. $ 3 first paragraph. The Danish Data Protection Agency can thus determine this a specific form, a special address, etc. must be used. These Norwegian, national regulations does not contravene the provision of Article 57 (2) of the Privacy Regulation and supplements hence the Regulation. After this, I come to the conclusion that the Data Inspectorate's requirement that an appeal should as a general rule be submitted as letter mail does not contravene the Privacy Ordinance Article 57 No. 2. This understanding harmonizes with the requirements of the eGovernment Regulations. Admittedly, it gives p g end the digitalisation of society a clear expectation of the use of digital aids. B de 1 Regulation 25 June 2004 No. 988. 8 The Privacy Ordinance and the eGovernment Regulations facilitate such digitization. In addition, Article 57 (2) of the Privacy Regulation is understood to be a non-electronic order means of communication in any case shall be retained, cf. the wording without exclusion other means of communication. It must always be possible to lodge a complaint by letter, even after that electronic routines become available. My assessment - Article 77 (I) of the Privacy Regulation Article 77 (1) of the Privacy Ordinance gives registered persons the right to appeal to the supervisory authority if they believe that the processing of personal data about them is contrary to Regulation. Complainants believe it is contrary to the Privacy Ordinance Article 77 n r The Norwegian Data Protection Authority requires that the registered persons contact the company responsible for processing before they complain to the supervisory authority. In the information on the website www.datatilsynet.no about submitting a complaint to the Data Inspectorate it says, among other things: To ensure efficient case processing, you must contact the company beforehand you complain to us. Often the case will be able to be seen even then. We demand that you attach relevant correspondence with the company and any other documentation. We demand a concrete description of what the breach is about ut p. In the continuation of this information, it is determined which information and which documentation The Data Inspectorate must have before they process the appeal. In its response to the complaint, the Data Inspectorate justifies the scheme of referring complainants to a closer contact with the person in charge of treatment with the dramatic increase in the number of cases in recent years rene. The number of cases in 2017, the year before the Privacy Ordinance came into force, was approx. 1800. This kte to approx. 3010 cases in 2019. The Data Inspectorate's experience is that many cases will be resolved if registered persons make direct contact with the data controller. The audit has also looked into what the English and French data protection authorities require for their appeal proceedings and believes that these inspections make similar demands as the Norwegian. In a concluding comment in The Data Inspectorate's response to the complaint, the Authority admits that there may be a need to soften the requirements for complaints. They state that it has been decided to change the text referred to above from m you contact the company until you should contact the company (highlighted here). The processing and decision of appeals is regarded as individual case processing and individual decisions, cf. Public Administration Act $ 2 letter b, cf. letter a. To the extent that it does not conflict with requirements the case processing in the ordinance, m appeal proceedings according to the privacy ordinance Article 77 shall take place in accordance with the detailed provisions of individual decisions in the Public Administration Act and be in line with administrative law principles. For assessment of complaint procedures in cases concerning the data subjects' rights (Articles 15 -22), it is also relevant withdraw the provisions of Article 12, paragraphs 1, 2 and 4. In other cases where registered complaints applies to Article 12, paragraph 1. 9 Article 12 (4) of the Privacy Ordinance imposes requirements on the person responsible for processing in situations where the latter completely or partially refuses to comply with the data subject's request use of rights. In such situations, the data controller must provide information such as explains why the request cannot be complied with. If the data subject chooses a on appeal such a refusal in accordance with Article 77 No. 1, it is this justification Datatilsynet m assess the durability of. The communication between the data controller and the data subject shall be open and easily understood, cf. Article 12 (1). The same provision requires written communication or communication in another way. To be understandable and easily accessible as the provision requires, the communication must be documented so that the data subject can relate to one concrete and clarified justification for refusing to use the right. There must be one documented communication between the data controller and the data subject. This the documentation will be the primary basis for the appeal proceedings. If so documentation does not exist because the data controller has not complied with the requirement in Article 12, No. 4, m The Danish Data Protection Agency shall require the data controller to send to the Authority a written basis for refusing to comply with the data subject's request. A duty of assessment and activity in complaints for the person responsible for processing, as mentioned above, is a well-founded scheme: It is the person in charge of treatment who in most cases has best knowledge of current rules and practices. This is a consequence of the principle of responsibility in Article 5 (2) The provision means that the person responsible for processing must familiarize himself with his obligations under the Regulation. Participation from the person responsible for treatment to inform Appeals also mean that the duty is imposed on a file that the Data Inspectorate can grant in court binding on leg, cf. article 5 8 no. 1 letter a. I have therefore come to the conclusion that the Data Inspectorate cannot demand that the data subject himself provide information appeals relating to Articles 15 to 22. In such cases, the Data Inspectorate can only demand from the complainant that the person in question identifies the person responsible for processing and what the complaint concerns. The duty to inform the case is mainly on the person responsible for processing. This division of responsibilities m appear in the information about the appeal proceedings. The Danish Data Protection Agency may request that the complainant provides relevant information in its case, but can not request this in a way that can give the impression of the further case processing is dependent on this happening. In the case of complaints from registered persons in matters not relating to rights and Article 15 -22, the starting point is probably the opposite of what is mentioned above. In such cases do not come the provisions of Article 12 (2) and (4) shall apply. The starting point is then that the Data Inspectorate can organize the case investigation in ways that provide appropriate and sound information of the case. It can not be ruled out that in such cases it may be justifiable to impose registered persons who complain about a duty to% inform the case, in a similar way as the Data Inspectorate today requires. In light of the principle of justice, cf. the Privacy Ordinance, Article 5 no. In letter a, it is reason to be careful about imposing on complainants the duty to contribute to the case investigation, at least as a fixed, standardized requirement. The reason is primarily that the privacy regulations are so special 10 comprehensive and complex and therefore demanding to understand and apply. A treatment manager will typically have better conditions for complying with these regulations, either by themselves or by with the help of lawyers or other advisers. Standard routines that, in particular, add complaints contributing to the enlightenment of the case will therefore easily run counter to the principle of justice. Placement of duty on the presumed inferior party in a dispute may also mean that the registered becomes more skeptical of using their right of appeal. In summary, I mean the current requirements for registered persons who complain to the Norwegian Data Protection Authority, in in the event of a complaint regarding rights and articles 15 - 22, is not in accordance with Article 77 (1) of the Privacy Regulation, cf. Article 5 (1) (a). Also in other cases In my opinion, it is doubtful whether the current complaints system fully satisfies the requirements that follows from the said provisions. 7. Decision Following this, the Data Inspectorate's Directorate sets the basis for making the following decisions: A. Not a violation of Article 6 of the Privacy Regulation The Norwegian Data Protection Authority has a valid basis for processing in accordance with Article 6 of the Privacy Ordinance No. 1 letter f for the processing of personal data that takes place in connection with www .datatilsynet.no. B. Violation of Article 13 of the Privacy Regulation The Data Inspectorate's failure to state the specific legitimate interests such as The reasoned feedback and comment functions on www.datatilsynet.no involve a violation of the Privacy Regulation Article 13 No. 1 letter d. The relationship is directed at, no longer has a current interest and can not be seen to have had a significant negative impact on the freedoms and rights of data subjects. There is therefore no basis for further follow-up. C. Not a violation of Article 5 of the Privacy Regulation There is no basis for concluding that there is a breach of the principle of Article 5 (1) (b) or (b) of the Privacy Regulation the principle of liability in Article 5 (2), cf. Article 24. D. No violation of Article 57 of the Privacy Regulation I) The Data Inspectorate's information on the right of appeal is considered satisfactory, cf. Article 57 (2) of the Privacy Regulation. II) The Data Inspectorate's requirement that a complaint as a general rule must be submitted as a letter post is not in breach of Article 57 (2) of the Privacy Regulation. E. Violation of Article 77 of the Privacy Regulation In appeals concerning the rights in Articles 15 - 22, the Data Inspectorate may not provide as which is to process the complaint that the registered person must first inform the case by contacting the data controller. Such a condition would constitute a breach of 11 Article 77 of the Privacy Ordinance. The Norwegian Data Protection Authority may not provide information on the right of appeal in a way that gives the impression that it is the data subject himself, and not the one those responsible for processing, who have the primary responsibility for informing cases concerning rende Article 15-22. In other types of appeals that registrants promote, the Data Inspectorate may require that complainants inform the case to the extent required by the Public Administration Act 17 and p far the requirement of participation does not conflict with the Privacy Ordinance Article 5 (1) (a) on fair treatment. I assume that the Data Inspectorate takes adequate measures to ensure compliance with point E i the decision. Right of appeal The Data Inspectorate can appeal the decision. Any complaint must be sent to the undersigned within three weeks after this letter has been received, cf. the Public Administration Act 28 and 29. If I. If the decision is upheld, I will forward the case to the Privacy Board for processing complaints. Sincerely, <'4.caa 12
