Datatilsynet (Norway) - 20/01772

From GDPRhub
Revision as of 12:52, 23 January 2023 by Kk (talk | contribs) (changed order of sentences in the Facts to make it chronological; added two sentences in the Holding about the storage of data after 1 October 2018 and Article 17 GDPR)
Datatilsynet - 20/01772
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(1) GDPR
Article 6(3) GDPR
Article 9(2)(d) GDPR
Article 9(2)(g) GDPR
Article 12(1) GDPR
Article 14(1)(d) GDPR
Article 14(2)(f) GDPR
Article 14(5)(c) GDPR
Article 17(1)(d) GDPR
Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started: 28.02.2020
Decided: 09.01.2023
Published: 16.01.2023
Fine: n/a
Parties: Church of Norway - Den norske kirke
National Case Number/Name: 20/01772
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Norwegian DPA Datatilsynet (in NO)
Norwegian DPA Datatilsynet (press release) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA reprimanded the Church of Norway for unlawfully collecting information on members' newborns after their legal basis for such processing had expired, and for failing to provide sufficient information as per Articles 14(1)(d), 14(2)(f) and 12(1) GDPR.

English Summary

Facts

The Church of Norway (the controller) used information about new births from the National Population Register disclosed on the basis of national law, including sensitive data. If at least one parent was an existing member of the Church, the controller was allowed to register newborns (as 'affiliated persons') in their member register and, on the same condition, they also had permission as per the national population regulations to receive automatic notifications on newborns. This permission expired on 1 October 2018, and on 1 January 2021 the other relevant regulations were replaced.

The controller, however, still continued to receive the automatic notifications until 14 November 2018. At this point, they still considered that the minors registered during the period 1 October to 14 November were correctly registered as per the (now expired) Norwegian Church law, and did not delete the data.

On 28 February 2020 the Norwegian Humanist Association and lawfirm Bull & Co lodged a complaint with the Norwegian DPA on behalf of eight data subjects, claiming that the controller had unlawfully collected information on the data subjects' newborns, also failing to inform them about this processing. Consequently, the DPA launched an investigation.

Only when the controller realised that the correct end date was 1 October, it initiated an erasure process, but due to a claimed technical error, this was not effectuated until 18 August 2020. The controller informed the DPA that the personal data on affiliated persons would be deleted when the legal basis for this processing expired on 1 January 2021. On 22 January 2021, it informed that the personal data of 108 880 data subjects were deleted. On the topic of information to the data subjects, the controller claimed that it could rely on the exemption in Article 14(5)(c) GDPR and noted that it still provided some information through the main privacy notice for the Church, as well as on local websites.

Holding

The DPA held that the controller violated Article 6(1) GDPR by processing personal data on members' newborns between 1 October and 14 November 2018, and continued to store the personal data without a valid legal basis. The DPA noted that, in line with Article 17(1)(d) GDPR, the controller was obliged to delete data processed unlawfully, unless the exception of Article 17(3) GDPR (fulfillment of a task in public interest) applied. The DPA held that the controller did not full the requirements of performing a task in the public interest as the special regulations ceased to apply to the controller after 1 October 2018. Therefore, the controller had stored the data illegally before deletion in 2021. The DPA also held that the controller violated Articles 14(1)(d), 14(2)(f) and 12(1) GDPR by not providing the data subjects easily available information about the collection of automatic birth notifications from the National Population Register.

In addition, the DPA noted that the controller could not rely on the exemption in Article 14(5)(c) GDPR, because the collection of automatic birth notifications was not expressly provided by the relevant national law (the former Norwegian Church law).

Comment

By initial contributor: Interestingly, the DPA does not impose a fine in this case, despite the processing of special category personal data as per Article 9 GDPR. They comment in the press release that the reason for not opting for a stricter reaction is that the case has "some mitigating factors", without specifying these further. The DPA also does not address or make any comments regarding the complainants claims that the Church violated Articles 24, 33 and 35 GDPR, nor finds a violation of Article 5(1)(a) GDPR, which is a bit surprising considering the violations they did find.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

THE NORWEGIAN CHURCH

Postbox 799 Centrum Excluded from the public:
0106 OSLO Official § 13, cf. Personal Data Act § 24 first paragraph

                                                  2nd period






Your reference Our reference Date

                        20/01772-19 09.01.2023



Decision on reprimand - Processing of minors' information in Den
Norwegian Church



1 Introduction

We refer to our notice of a decision to reprimand the Church of Norway by the Council of Churches

(hereinafter "DNK") dated 23 June 2021, and DNK's comments to the notice of 1 July 2021.

In the comments, DNK apologized for the breaches of the data protection regulation and the Data Protection Authority's

notified decision on reprimand for information. In the notes, DNK further writes that
the organization will ensure compliance with the privacy requirements that were explained in
The Norwegian Data Protection Authority's letter pointing out the duty of 1 July 2021. The Norwegian Data Protection Authority received comments
from the Human-Ethical Association (hereinafter "HEF") on behalf of the complainants on 7 September 2021.


2. Notice of decision on reprimand


The Norwegian Data Protection Authority hereby adopts a decision to reprimand the Church of Norway by the Council of Churches,
818 066 872, for:


    • Violation of the personal protection regulation article 6 no. 1, by obtaining birth notifications for
        members' children from the Population Register from 1 October to 14 November 2018, and by
        continue to store the personal data that was collected through

        the birth certificates, without a valid legal basis.
    • Breach of the Personal Data Protection Regulation article 14 no. 1 letter d and no. 2 letter f, cf.
        article 12 no. 1, by not providing easily accessible information to the registered about

        the collection of birth notices for members' children from the National Register of Citizens.

Our authority for issuing a reprimand is the Personal Protection Regulation article 58 no. 2 letter b.


3. Background of the case



Postal address: Office address: Telephone: Org. no: Homepage: 1
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no
0105 OSLO 0191 OSLO The complaint from the Human-Ethical Association dated 28 February 2020

On 28 February 2020, the Norwegian Data Protection Authority received a complaint about the treatment of minors
personal data in The Norwegian Church at the Church Council (hereafter DNK) from Human-Ethical
Forbund (hereafter HEF) and Bull & Co Advokatfirma on behalf of eight registered persons.


It appeared from the complaint that the complainants reacted to the fact that they or their children were still listed as
belonging to the Church of Norway, despite the fact that the state church system was abolished and new
the National Register Act had entered into force. This also applied to a child born after 1 October 2018,
when the authority for access to confidential information from the National Register had ceased.


The complainants wrote that the registration had taken place without their knowledge, and despite the fact that they or
their guardians never did anything active in terms of registration, baptism or church
confirmation. In the complaint, it was also pointed out that certain registered users had tried to opt out
several times, without success. Common for the complainants is that they experienced not being informed about what
that happened to their and their children's personal data.

In the complaint, it was stated that the Church of Norway violates the principle of openness i

the personal protection regulation article 5 no. 1 letter a and the information requirements in article 14.
Furthermore, it was stated that DNK violates the data minimization principle in Article 5 no. 1 letter c
by storing personal data about the dependents until they are 18 years old.

Based on the complaint, the Norwegian Data Protection Authority sent a demand for an explanation to DNK on 12 August 2020, and new
requirements for further explanations on 16 December 2020 and 21 April 2021.


Explanations from DNK in letters dated 2 September 2020, 22 January 2021 and 11 May 2021

DNK responded to the Data Protection Authority's request for explanations on 2 September 2020, 22 January 2021 and 11
May 2021.


In the reply of 2 September 2020, it was stated that DNK processed personal data about
minors belonging to the purpose of fulfilling their duties in the now repealed Church Act §
3. In addition, relatives counted together with DNK's members in the calculation basis for the state's
grants to faith and belief communities in accordance with the Church Act and the Act on Faith Communities and
ymist another. Both the Church Act and the Act on Faithful Communities and a lot of other things became 1 January 2021
replaced with the new Religious Communities Act.


DNK pointed out that their membership registration had a legal basis in the Personal Data Protection Regulation
article 6 no. 1 letters c and e, and that the supplementary legal basis according to article 6 no. 3 was
Church Act § 3 no. 10 and provisions in the related regulations on the Church of Norway
member register. DNK stated that the obligation to register only ceased at the age of 18, and that
personal data could therefore not be deleted earlier. For processing special categories

of personal data, it was stated that the Personal Protection Regulation article 9. no. 2 letter d and
g was fulfilled.


1FOR-2016-04-12-1205



                                                                                                2DNK further stated that DNK was exempt from the obligation to provide information in the Personal Protection Ordinance i
subject to the exception in Article 14 no. 5 letter c. It is nevertheless granted to varying degrees
information at national and regional level through privacy statements at kirken.no or
local websites, as well as through baptism invitations that are sent out. In the report dated 11 May
In 2021, DNK presented documentation of the information that was available to them
registered in the period from 20 July to 1 October 2018.


According to DNK, the reason why not all statements from the complainants have been implemented may be wrong
from the local congregation.

DNK further informed that the delivery of birth notifications from the National Register of Citizens did not stop
up 1 October 2018, when the authority for access to confidential information from
The population register ceased. DNK had an ongoing appeal pending at the Tax Agency

regarding rights to national register information, and was informed by EVRY
Information services that it was recommended not to make changes before this appeal was
settled. The Church Council was eventually brought to the fore that this was an incorrect assessment, and
delivery of birth notifications stopped on 14 November 2018.

DNK then assessed that the children who were registered through birth notifications in the period 1.
October to 14 November 2018 was correctly registered in accordance with § 3 of the Norwegian Church Act, and therefore let

these entries remain.

The date 1 October 2018 gradually became a known date for the changes in access to
population register information. Therefore DNK wanted the automatic registration of those belonging to
the membership register should correspond to this date. DNK therefore ordered a deletion of
the personal details of the children who were registered through birth notifications in the period 1.

October–14. November 2018 in September 2019. Procedure for the deletion job was carried out and
approved in the member register's test environment, but due to an error it was not carried out accurately
same procedure in the member register's production environment. Something smaller was therefore deleted
data in the production environment. Thus, the relatives were born in the period 1 October–14. November
2018 still in the membership register. This information was later deleted on 18 August
2020.


In the statement of 2 September, DNK informed that personal information about relatives would
be deleted upon the termination of the Church Act's automatic affiliation scheme for children in Den norske
church on 1 January 2021, unless the parents registered the child in DNK and DNK thus got a
other legal basis for the processing of your personal data. In the statement of 22.
January 2021, it was informed that of the 109,663 members who were registered in
member register before the turn of the year, the personal information of 108,880 was deleted by DNK.


New complaints in HEF's letter to the Norwegian Data Protection Authority dated 30 September 2020 and 22 February 2021.

HEF has made comments to the reports the Norwegian Data Protection Authority has received from DNK, and has in
in this connection extended the complaint on behalf of the registered.





                                                                                                3HEF states that the transfer of confidential population register information after 1 October
2018, as well as the continued processing of this personal data, was illegal.

Furthermore, it is stated that DNK has not implemented sufficient technical or organizational measures
according to the personal data protection regulation article 24, and that the transfer of confidentiality
population register information after 1 October 2018 was not documented and reported to
The Danish Data Protection Authority's personal protection regulation article 33. It was further stated that DNK did not have

carried out a DPIA in accordance with Article 35 of the Personal Data Protection Regulation.

The Norwegian Data Protection Authority's notice, comments from NDK and comments from HEF

The Norwegian Data Protection Authority announced a decision to reprimand DNK on 23 June 2021 for breach of
the personal protection regulation article 6 no. 1 letter a and article 14 no. 1 letter d and no. 2
letter f, cf. article 12 no. 1.


In its comments to the notice of 1 July 2021, DNK took note of the Danish Data Protection Authority's assessments
and apologized for the violations.

In its comments on the notice of 7 September 2021, HEF asked the Norwegian Data Protection Authority to reconsider its
notify concussion regarding the issue of data minimization, process all complaints
together and in all cases reconsider their notified sanction of reprimand.


4. Legal background

The Personal Data Protection Regulation and processing responsibility

The Personal Data Act implements the Personal Data Protection Regulation in Norwegian law, and entered into force

20 July 2018.

It follows from the personal protection regulation article 4 no. 7 that the data controller is the
which determines the purpose of the processing of personal data and the means to be used
used.

Principles for processing personal data and legal basis


The basic principles for processing personal data follow
the personal protection regulation article 5 no. 1. Here it follows, among other things, that:

    • Personal data must be processed in a legal, fair and transparent manner, cf. letter a.
    • The personal data processed must be adequate, relevant and limited to that

        which is necessary for the purposes for which they are processed, cf. letter c.
    • The personal information must not be stored for longer periods than is necessary
        the purposes for which they are processed, cf. letter e.

The data controller must be able to demonstrate that the privacy price norms are complied with, cf.
Article 5 No. 2.




                                                                                                4 All processing of personal data must have a legal basis according to the Personal Protection Ordinance
Article 6 No. 1 to be legal. Legal grounds for the processing can be:

    • The registered person has consented to the processing of personal data for one or more
        specific purposes, cf. letter a.

    • The processing is necessary to fulfill a legal obligation incumbent upon it
        data controller, cf. letter c.
    • The processing is necessary to carry out a task in the public interest or
        exercise public authority to which the data controller is required, cf. letter e.
    • The processing is necessary for purposes related to the legitimate interests which
        is pursued by the controller or a third party, unless it is registered

        interests or fundamental rights and freedoms take precedence and require protection of
        personal data, especially if the registered person is a child, cf. letter f.

The grounds for processing under Article 6 no. 1 letter c and e shall follow Norwegian law, cf.
article 6 no. 3.

For special categories of personal data, such as personal data about religion, health

or sexual orientation, the starting point is that such treatment is prohibited, unless some of
the exceptions in the regulation's article 9 no. 2 apply. Information about family relationships can
for example infer information about sexual orientation. This requirement is in addition to
the requirement for processing grounds according to Article 6.

Children have the right to special protection of their personal data and privacy, cf.

point no. 38 of the Personal Protection Ordinance.

Information requirements

Anyone who has their personal data processed has the right to information about several matters. When
the personal information has been obtained from someone other than the registered person, it follows
Article 14 of the Personal Data Protection Regulation states that, among other things, one must be informed about the identity and

the contact details of the data controller and their possible privacy representative,
the purposes for which the information is processed, the processing basis, the affected categories of
personal data, the period for storing the data, the source of the data
from and the right to request deletion of personal data, cf. article 14 nos. 1 and 2. If
the processing is based on Article 6 no. 1 letter f, the entitled persons must also be informed
the interests pursued by the controller or a third party, cf. article 14 no.
2.


The controller must take appropriate measures to provide the information that is required
according to Article 14 in a concise, open, understandable and easily accessible way, and in a clear and
single language, cf. Article 12 no. 1.

The information must be provided within a reasonable time after the personal information has been collected, but
at the latest within one month, cf. article 14 no. 3, letter a.




                                                                                                 5 According to article 14 no. 5, this article does not apply if:

    • The registered person already has the information, cf. letter a.
    • It turns out to be impossible to provide said information or it will involve a
        disproportionate effort, cf. letter b.

    • The collection is expressly stipulated in Union law or the national law of the member states
        to which the data controller is subject, and which contains suitable measures to
        protect the data subject's legitimate interests.

Deletion of personal data


Article 17 gives the data subject in many cases a right to have their personal data deleted,
and the data controller also has a duty to delete the personal data on its own
initiative if certain conditions are met. According to Article 17 no. 1 letter d, this applies among
otherwise if the personal data has been processed illegally.

Article 17 nos. 1 and 2 do not apply if the processing is necessary to fulfill
a legal obligation or to perform a task in the public interest or practice

public authority to which the controller is responsible, cf. Article 17 no. 3 letter b.

The affiliation scheme for children in the Church of Norway

The Church Act's automatic affiliation scheme for children in the Church of Norway was repealed by
the entry into force of the new Religious Communities Act on 1 January 2021. The new Religious Communities Act
replaced both the Church Act and the Act on Faithful Communities and many other things. In the draft law, Prop

130 L (2018-2019) p. 141, it follows:

        "Since the law no longer provides rules that children automatically belong to the Church of Norway, then
        unless one or both parents are members, there will not be a statutory requirement that
        relatives must be included in the register, cf. also the notes to the individual provisions in
        § 17 of the bill."


Before the new Religious Communities Act came into force on 1 January 2021, it followed from the Church Act section 3 no. 2
that children are considered to belong to the Church of Norway if one of the parents is a member.

Children who were considered to belong to the Church of Norway became members of this when they were baptized.
If the child turned 18 without being baptised, the person was no longer considered to belong
under the Church of Norway, cf. § 3 no. 5.


Persons who were considered to belong to or were members of the Church of Norway were registered in
The Norwegian Church's central membership register, cf. § 3 no. 10. Rules on the keeping of the register were given
by the Church Meeting, and the Church Council is responsible for processing the central membership register, cf.
regulation on the Church of Norway's membership register § 4.

Collection of information about members' children from the national register




                                                                                                 6Previously, DNK has received digital birth notifications directly from the National Register of Citizens. Connected to
the member information registered on parents, DNK could thus lead relatives into the church's
membership register based on this information.

In the National Register Act, which entered into force on 1 October 2017, information about kinship is subject
obligation of confidentiality, cf. the National Register Act § 9-1, and can only be disclosed to public and private parties

businesses that are authorized by law to obtain this information, cf. § 10-2.
DNK was authorized to receive the birth notifications in the transition scheme in the National Register Act
§ 13-1 until 1 October 2018, but after this has no such legal authority.

5. The Norwegian Data Protection Authority's assessment

5.1. Limitation in the Norwegian Data Protection Authority's assessments


The Personal Data Act implements the Personal Data Protection Regulation in Norwegian law, and entered into force
20 July 2018. The Norwegian Data Protection Authority has limited our investigations in this case to processing of
personal data that has taken place after the Personal Data Protection Regulation entered into force.

5.2. Processing of birth notifications collected from the Population Register from 1 October to 14
    November 2018 – Article 6


The collection of birth notifications from the National Register of Citizens from 1 October to 14 November 2018

DNK has informed in its reports that the deliveries of birth notices from the National Register of Citizens
did not stop on 1 October 2018, but continued until 14 November 2018.


Any processing of personal data requires a legal basis according to Article 6 No. 1 in order to
be legal, including the collection of personal data.

The Norwegian Data Protection Authority is thus assessing whether DNK had a legal basis for the collection of
birth notices from the Population Register from 1 October to 14 November 2018.

In our demand for an explanation of 16 December 2020, the Norwegian Data Protection Authority asked DNK to explain which

legal basis in the personal protection regulation article 6 no. 1 DNK had to collect
the personal information about members' children through birth notifications from the National Register of Citizens i
the period 1 October to 14 November 2018.

DNK replied in the statement of 22 January 2021 that it was not DNK's intention to collect the
relevant confidential personal information in violation of the law. It was nevertheless considered that
DNK had a legal basis to continue to store the personal data on the persons concerned

through birth notifications from the National Register of Citizens from 1 October to 14 November 2018 in their
membership register pursuant to Article 6 no. 1 letters c and e.

For the processing of personal data with a legal basis in Article 6 no. 1 letters c and e,
it is required that the basis for the processing is laid down in national law, cf. Article 6 no. 3 DNK




                                                                                               7 has shown that the supplementary legal basis for storing the personal information about them
relatives received through birth notifications from the National Register of Citizens from 1 October to 14 November
2018 in DNK's membership register, was § 3 no. 10 of the Church Act cf. § 3 no. 5.

The Norwegian Data Protection Authority first assesses whether the basis for collection of the data belongs to them
birth notifications from 1 October to 14 November 2018 were stipulated in national law, cf. Article 6
No. 3.


It follows from recital 45 that a special statutory provision is not required for each individual
treatment. A law may be sufficient as a basis for several processing activities. The
the legal basis can further specify the regulation's general conditions for legal processing
of personal data.

As mentioned in point 5.2, the church has been authorized to register members in their

member register, cf. § 3 no. 10 cf. § 3 no. 5. It further followed from § 10 of the regulation on Den
church's membership register that DNK obliged to keep the membership register up to date on the basis of
information from the National Map Agency's cadastral register, the central population register and the Unit Register.

The collection and use of population register information is, however, specially regulated in
the National Register Act which entered into force on 1 October 2017. According to section 1-2, the purpose of the act is to contribute
so that the information in the National Register can be used for official and public tasks

administration, research, statistics and to look after basic societal needs. After this one
the Act, information about kinship is subject to a duty of confidentiality, cf. the National Register Act § 9-1, and
can therefore only be disclosed to public and private enterprises that are authorized by law to
obtain this information, cf. § 10-2.

Section 3 of the Church Act said nothing about the disclosure of confidential information about kinship from

Folkeregisteret, and did not give authority as mentioned in the Folkeregister Act § 10-2 first paragraph. DNA
also had no other legal authority for the disclosure of confidential information from
The National Register.

However, DNK had permission to release the birth notices through a decision dated 18
June 2001 according to the old National Register Act, and was thus entitled to receive
the birth notices through the transition scheme in the National Register Act § 13-1 first sentence

until it lapsed a year after the law came into force. The People's Register Act entered into force on 1 October
2017, and the right to receive birth notifications therefore ceased on 1 October 2018.

If the party had applied within this year for "equivalent disclosure of information", it applied
access until the register authority has made a decision in the matter, cf. the National Register Act §
13-1 second sentence. Based on the correspondence between DNK, the Ministry of Finance and
The Norwegian Tax Administration, in the view of the Norwegian Data Protection Authority, it was clarified no later than 19 September 2018 that DNK

did not have an application for processing for "equivalent disclosure" of information to
processing, as DNK's current case did not include access to those subject to confidentiality
the information about kinship. DNK's permission to receive confidential information about
kinship therefore did not apply from 1 October 2018.





                                                                                                  8 That later misunderstandings arose through DNK's communication with EVRY, and that
as a result of this, it was decided that the collection of birth notices from the National Register of Citizens would not
should be stopped, does not change the conclusion that the collection of birth notifications was in
contrary to the National Register Act. We further point out that it is DNK as the data controller
was responsible for ensuring and demonstrating that the processing of personal data takes place in line with
the rules in the personal protection regulation, cf. article 5 no. 2 and article 24 no. 1. We show for the sake of order
also due to the fact that it followed from point 3.1 of the current agreement between DNK and EVRY:


        "Access to the Services is dependent on permission from SKD (competent
        population registration authority). The customer is himself responsible for managing such an application.
        The customer is responsible for processing Data in accordance with applicable laws and
        regulations.”

As DNK's collection of the relatives' birth notifications from 1 October to 14 November

2018 was contrary to the National Register Act, was not the basis for the collection of the relatives
birth notices from the National Register of Citizens stipulated in national law, cf. article 6 no. 3.

It is thus clear that this collection was not "necessary to fulfill a legal
obligation incumbent on the controller, or "necessary to carry out a task
in the public interest', cf. article 6 no. 1 letters c and e.


The Norwegian Data Protection Authority clarifies for the record that unlawful collection of personal data does not
will not be able to constitute a "legitimate interest" for the data controller, cf. Article 6
No. letter f.

DNK thus had no legal basis in Article 6 for the collection of birth notices
from the National Register of Citizens from 1 October to 14 November 2018, and the relevant processing of

personal data was illegal.

Continued storage of personal data collected through birth notifications from
The population register from 1 October to 14 November 2018

Although it was eventually clarified from DNK's side that the transfer of birth notifications from
The population register from 1 October to 14 November 2018 was not in line with the Population Register Act,

DNK considered that the children who were registered through birth notifications in the period from 1 October to
14 November 2018 was correctly registered in accordance with § 3 of the Church Act, and let these
the entries remain.

All processing of personal data, including storage, requires a legal basis in the article
6 No. 1 to be legal.


Furthermore, the starting point is that the controller is obliged to delete personal data
without unjustified stay if they have been processed illegally, cf. Article 17 no. 1 letter d.
The Danish Data Protection Authority has concluded above the collection of birth notifications from
The population register from 1 October to 14 November 2018 was in breach of the Population Register Act, and that





                                                                                                 9 it did not have a legal basis in the personal protection regulation article 6. The relevant
the processing of personal data was thus illegal.

However, it follows from Article 17 no. 3 letter b that Article 17 no. 1 does not apply if
the processing is necessary to fulfill a legal obligation or to perform a task i

public interest or exercising public authority as the data controller
imposed. This provision refers to the processing of personal data that has a legal basis
basis in Article 6 no. 1 letters c and e.

The Danish Data Protection Authority is therefore assessing whether DNK had a legal basis in the Personal Data Protection Regulation
article 6 no. 1 for further storage of the personal data collected through

birth notices from the Population Register from 1 October to 14 November 2018.

DNK has shown that you had a legal basis in Article 6 no. 1 letters c and e to store
the personal information about the relatives received through birth notifications from the National Register of Citizens
from 1 October to 14 November 2018 in their membership register.

For the processing of personal data with a legal basis in Article 6 no. 1 letters c and e,

it is required that the basis for the processing is laid down in national law, cf. Article 6 No. 3 DNK
has, as mentioned, stated that the supplementary legal basis for storing the personal data
about the relatives received through birth notifications from the National Register of Citizens from 1 October to 14
November 2018 in their membership register, the Church Act was § 3 no. 10 cf. § 3 no. 5.

The Danish Data Protection Authority first assesses whether the basis for the storage of personal data about them

relatives collected from birth notifications from the Population Register 1 October to 14 November 2018
was laid down in national law, cf. Article 6 no. 3.

It follows from recital 45, as mentioned, that no special statutory provision is required for each
simple treatment. A law may be sufficient as a basis for several processing activities.
The legal basis can further specify the regulation's general conditions for legality

processing of personal data.

It follows from Section 3 of the Norwegian Church Act that DNK must register members in their membership register.
However, the collection of the relevant birth notifications was in breach of the National Register Act §
10-2. It also follows from the National Register Regulations Section 10-2-1 that confidential information
must not be used for purposes other than those for which permission has been granted. DNK did not have permission from

The tax authorities to use the confidential information, and continued storage of the information
was thus also in breach of the National Register Regulations § 10-2-1. The People's Register Act and
associated regulations are a special regulation for population register information, and will follow
The Norwegian Data Protection Authority's assessment here takes precedence over the older church law in the event of a conflict. We
points out, however, for the record, that neither the Church Act nor related regulations required DNK
to obtain the relevant birth notifications from the National Register of Citizens.





2FOR-2017-07-14-1201



                                                                                                10 Due to continued storage of the confidential national register information collected through
birth notices were in breach of the national register regulations, was not the basis for continuation
storage of the personal data from the illegally obtained birth certificates from
The population register laid down in national law, cf. article 6 no. 3.

DNK thus had no legal basis for the continued storage of personal data from
birth notices collected from the Population Register from 1 October to 14 November 2018, and the

the current processing of personal data was illegal.

5.3. Information to the registered about the processing of personal data - article 14

HEF has stated that DNK breached the information requirements in Article 5 of the Personal Data Protection Regulation
letter a and articles 12-14 related to the processing of personal data about relatives.


In our demand for an explanation of 12 August 2020, we asked DNK to explain how DNK has
fulfilled the information requirements in Article 14 where children's personal data have been registered
based on population register information until this scheme ceased on 1 October 2018.

In the statement of 2 September 2020, DNK stated that DNK was covered by the exception in
the personal protection regulation article 14 no. 5 letter c. However, it is indicated that it is nevertheless
carried out some information measures, including through privacy statements on

kirken.no and articles on the website.

It follows from the personal protection regulation article 14 no. 5 letter c that article 14 no. 1-4 may not
application if "collection or disclosure is expressly provided for in Union law or
the national law of the Member States to which the data controller is subject, and which
contains suitable measures to protect the data subject's legitimate interests".


The Norwegian Data Protection Authority first assesses whether DNK's collection of birth notifications from the National Register of Citizens was
expressly provided for by the national law of the Member States in which the data controller is
subject to, and which contain suitable measures to protect the data subject's legitimate interests,
cf. article 14 no. 5 letter c.

With the wording "expressly", it is clear that something more than just the foundation is required here

for the processing is stipulated in the national law of the Member State in which the data controller is
subject to, as follows from Article 6 No. 3. For Article 6 No. 3, a special
statutory provision for each individual treatment, cf. paragraph 45. A law may be sufficient
as a basis according to article 6 no. 3 for several processing activities that are based on a legal
obligation incumbent on the controller, or if the processing is necessary
to carry out a task in the public interest or exercise public authority.


Article 29 Data Protection Working Party, the predecessor of the Personal Protection Council (EDPB), has i
Guidelines on transparency under Regulation 2016/679 stated that the exceptions in Article 14 b







                                                                                                11 3
"should, as a general rule, be interpreted and applied narrowly." Furthermore, it is specifically stated
about the exception in article 14 no. 5 letter c in point 66:

        "Such a law must directly address the data controller and the obtaining or disclosure
        in question should be mandatory upon the data controller. Accordingly, the data

        controller must be able to demonstrate how the law in question applies to them and
        requires them to either obtain or disclose the personal data in question.”

Such an interpretation, where the relevant collection or disclosure of the personal data
must follow directly from national law and be mandatory for the data controller, harmonizes
also with the principle of transparency in Article 5 no. 1 letter a. The principle applies in particular

"further information to ensure fair and open treatment for the affected individuals
persons as well as their right to obtain confirmation of and be informed about the personal data
which applies to those who are processed", cf. paragraph 39. If the data subject can foresee
from national law that a collection of your personal data takes place, that is the starting point
not necessary to ensure fair and open processing that the data controller
informs the data subject about the processing. However, such predictability presupposes that
the collection in question follows directly from national law and is mandated by it

data controller.

It is clear that DNK's general duty to register minor relatives was express
laid down in national law in the Church Act § 3. The specific collection of birth notices for
However, members' children from the National Register did not follow § 3 of the Church Act. The collection
of birth notices for members' children from the National Register of Citizens was thus not express

laid down in section 3 of the Church Act, and the exception in article 14 no. 5 letter c thus did not apply
application based on this provision.

The current collection of birth notifications for members' children from the National Register of Citizens
nor did it expressly comply with the National Register of Citizens Act or associated regulations.


Of the current regulation on the Church of Norway's membership register § 10 on up-to-date information, given in
in accordance with § 3 of the Church Act, it followed, however, that on the basis of information from the person who
is registered, the central and local data controller is obliged to keep the membership register up to date.
The central data controller is also obliged to keep the membership register up to date on the basis of
information from the National Map Agency's cadastral register, the central population register and the Unit Register.


The Norwegian Data Protection Authority is therefore considering whether the collection of birth notifications for members' children from
The folk register expressly followed the regulations on the Church of Norway's member register § 10.

According to Store norske lexikon, À jour is a French expression that is most often used in the meaning
"updated", and the Norwegian Data Protection Authority considers that this is also the natural understanding of the wording.


That DNK should keep the membership register up-to-date based on information from the National Register of Citizens,
dictates, according to the Danish Data Protection Authority's assessment, that existing members and related information must


3 Point 57



                                                                                                 12 is kept up-to-date on the basis of population register information, for example related to changes
in names, contact details or deaths. The provision did not expressly state that it
birth notifications for members' children are collected from the National Register of Citizens, and the provision can
nor is it understood that DNK had a duty to collect birth notifications from
The National Register.


The Norwegian Data Protection Authority thus considers that the collection of birth notifications for members' children from
The population register did not expressly comply with regulations on the Church of Norway's membership register §
10.

The exception in Article 14 no. 5 letter c therefore did not apply to DNK's collection

of birth notifications for members' children from the National Register of Citizens.

The Norwegian Data Protection Authority then assesses whether DNK met the information requirements in Article 14 regarding
the collection of birth notices for members' children from the National Register of Citizens.

It follows from article 14 no. 1 letter d that the data controller must give the data subject
information about "the affected categories of personal data" that are processed. It follows

also of article 14 no. 2 letter f that the data controller must give the data subject
information about "from which source the personal data originates", which is necessary to
ensure fair and open treatment for the data subject.

Furthermore, it follows from Article 12 No. 1 that the data controller must take appropriate measures for
to present information to the data subject as mentioned in Article 14 in a "concise, open,

comprehensible and easily accessible manner and in clear and simple language'. Article 29 Data Protection
The Working Party has stated the following in its Guidelines on transparency under Regulation 2016/679
on the requirement that the information be provided in an "easily accessible manner":

        "The "easily accessible" element means that the data subject should not have to seek
        out the information; it should be immediately apparent to them where and how this

        information can be accessed, for example by providing it directly to them, by linking
        them to it, by clearly signposting it or as an answer to a natural language question (for
        example in an online layered privacy statement/ notice, in FAQs, by way of contextual
        pop-ups which activate when a data subject fills in an online form, or in an interactive
        digital context through a chatbot interface, etc."4


The provisions must also be seen in connection with the transparency principle in Article 5 no. 1 letter
a, as well as paragraph 39, where it follows:

        "The principle of transparency requires that all information and communication in connection with
        processing of said personal data is easily accessible and easy to understand, and that
        the language used is clear and simple. The principle applies in particular to information to them

        registered about the identity of the data controller and the purposes of
        the processing as well as additional information to ensure fair and open processing


4 Point 11



                                                                                                13 for the affected natural persons as well as their right to receive confirmation of and be informed
        about the personal data concerning them, which is processed"

In its statement of 11 May 2021, DNK has explained and submitted documentation for
what information was given to the registered about the collection of birth notifications for

members' children from the National Register of Citizens in the period from 20 July to 1 October 2018.

From the documentation, it appears that DNK did not inform those registered in the current one
the privacy statement from 2017 that birth notifications from the National Register of Citizens are processed,
or otherwise that information is obtained from other than the registered person that members
have children. The population register was not mentioned in the privacy policy.


From the other documentation DNK has presented, the Norwegian Data Protection Authority can only see that the collection
of birth notifications for members' children from the National Register of Citizens is mentioned in two contexts.
The first is the Church Council's circular no. 2 of 3 September 2018 and circular no. 3 of 28.
September 2018 to the parish offices, the ecclesiastical joint council offices, the parish offices and
the diocesan offices. These were available to the general public at https://kirken.no/rundskriv
and https://kirken.no/nb-NO/om-kirken/for-medarbeidere/rundskriv-fra-kirkeradet/. The other

is the article "Adoption and belonging" of 23 October 2017, which was available at
https://kirken.no/nb-NO/om-kirken/medlemskap/om-medlemskapet/adopsjon-og-tilhorighet/,
and was available with a link from the About membership and Affiliation and membership pages.

The relevant circulars from the Church Council were aimed at the church's subordinate bodies, and the one in question
the article on adoption and belonging only appears to be relevant to a very small group

registered – those who have adopted a child. It was not intuitive or clear to the registrants that
they had to seek out these parts of kirken.no to find information about the treatment of theirs
personal data, and these sources of information did not ensure an open and fair
treatment. The Norwegian Data Protection Authority finds it clear that neither the circulars nor the article on adoption
and affiliation met the requirements that the information should be "easily accessible" to them
registered.


The Norwegian Data Protection Authority thus finds that DNK has not provided information about the collection of
birth notices for members' children from the Folkeregisteret in line with the requirements in article 12 no.
1. DNK has thus not given the registered person "readily accessible" information about "those affected
the categories of personal data" that are processed or "from which source
the personal information originates from", cf. article 14 no. 1 letter d and no. 2 letter f, cf.

Article 12 No. 1.

6. About reprimand, right of appeal and further proceedings

A reprimand is an administrative reaction with the purpose of highlighting criticism of those mentioned
the violations of the rules. The imposition of a reprimand may be emphasized at a later date

assessment of the imposition of an infringement fee if a corresponding breach occurs
the regulations cf. the personal data protection regulation art. 83 no. 2 letter i.


5https://kirken.no/globalassets/kirken.no/personvernerklaering_2017.pdf



                                                                                                14DNK can appeal against the decision on reprimand. Any complaint must be sent to us within three
weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we
If our decision is upheld, we will forward the case to the Personal Protection Board for complaint processing.

7. Publicity, transparency and confidentiality


We would like to inform you that all documents are basically public, cf.
Public Relations Act § 3. If you believe there are grounds for exempting all or part of
the document from public inspection, we ask you to give reasons for this.

The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us, and about the complainant's personal information
relationship. The duty of confidentiality follows, among other things, from the Personal Information Act § 24 and
Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such

information from the Norwegian Data Protection Authority, cf. the Administration Act § 13 b first paragraph no. 1. You also have the right
for inspection of the case's documents, cf. section 18 of the Public Administration Act.

We draw your attention to the fact that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority
the complainant's identity, personal circumstances and other identifying information, and that you only
can use this information to the extent necessary to safeguard its interests
theirs in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that

breach of this duty of confidentiality can be punished according to Section 209 of the Criminal Code.


With best regards



Jørgen Skorstad
department director
                                                                    Anders Sæve Obrestad
                                                                    senior legal advisor

The document is electronically approved and therefore has no handwritten signatures



Copy to: BULL & CO ADVOKATFIRMA AS















                                                                                                15