Datatilsynet (Norway) - 20/02172

From GDPRhub
Datatilsynet - DT-20/02172
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 04.01.2021
Published: 06.01.2021
Fine: 100000 NOK
Parties: Lindstrand Trading AS
National Case Number/Name: DT-20/02172
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynets (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) fined Lindstrand Trading AS NOK 100,000 (€9,700) for subjecting the complainant to multiple credit ratings without a legal basis under Article 6(1)(f) GDPR. The DPA also requires that the company implement internal controls of their credit rating process as per Article 24 GDPR.

English Summary

Facts

The general manager of Lindstrand Trading AS conducted multiple credit ratings of the complainant and her sole proprietorship, despite having no customer relationship or any other affiliation with the company. The DPA noted that the general manager used the credit rating tool for personal purposes, completely outside of the company's area of business. Consequently, Lindstrand Trading did not have a legal basis for such processing as per Article 6(1)(f) GDPR.

Dispute

Did Lindstrand Trading AS have legal grounds for processing the personal data of the complainant for credit scoring, as per Article 6(1)(f) GDPR? And did they have sufficient internal controls for the use of credit scoring in their business?

Holding

No, Lindstrand Trading AS did not have legal grounds for processing the personal data of the complainant for credit scoring, as per Article 6(1)(f) GDPR. For this offense, the company was fined NOK 100,000.

They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24 GDPR. For this offense, the company is required to establish corresponding internal controls and, within four weeks after the expiry of the appeal period, submit a written confirmation and actual documentation of the internal controls, to the DPA.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 ADVOKATFIRMAET ECKHOFF FOSMARK & CO DA
 PO Box 2624 Solli
 0203 OSLO

 Marius Vernan

 Excluded from public: Offl. § 13 cf. fvl. § 13 (1) no. 1

 Their reference:
 Our reference: 20/02172-4
 Date: 03.12.2020



Decisions on orders and infringement fines - Credit assessments without legal basis -
Lindstrand Trading AS (formerly DSD Pharma AS)

1. Introduction


We refer to our notification of decision of 11 August 2020. We received Lindstrand Trading AS
("Lindstrand Trading")'s comments on the notice via associate attorney Marius Vernan on 10
September 2020. Our remarks on those comments follow below.


2. Decision on order

The Data Inspectorate adopts the following order:


    1. Pursuant to Article 58 (2), letter i of the Privacy Ordinance,
        LINDSTRAND TRADING AS (formerly DSD PHARMA NORGE AS), org. no. 913 169 581,
        is ordered to pay an infringement fee to the Treasury of NOK 100,000 for having four times
        obtained a credit assessment without a legal basis, cf. the Privacy Ordinance
        Article 6 (1) (f).


    2. Pursuant to the Privacy Ordinance art. 58 No. 2 letter d,
        LINDSTRAND TRADING AS is ordered to establish internal control over credit assessment, cf.
        Article 24 of the Privacy Regulation, as it was missing at the time of the inspection.

Our legal basis for issuing orders is Article 58 (2) of the Privacy Ordinance.


The deadline for implementing the orders is stated in section 7 of the decision.


3. Details of the facts of the case

In your reply of 10 September 2020, you confirm that Ketil Lindstrand, the owner of Lindstrand
Trading, has completed the four credit assessments of ("the complainant"),
her sole proprietorship, and off, but deny that this
has occurred in violation of the Privacy Ordinance.

Postal address: PO Box 458 Sentrum, 0105 OSLO
Office address: Tollbugt 3
Telephone: 22 39 69 00
Fax: 22 42 23 50
Org.nr: 974 761 467
Website: www.datatilsynet.no

You confirm that the credit assessments were carried out in connection with
                                                                                          , but
state that Lindstrand Trading had a legal basis for the four credit assessments that were
carried out in that context.


In the event that you did not have a legal basis for the credit assessments, you state that
the infringement fee is disproportionately high in relation to the company's financial
situation.

We also refer to our account of the proceedings in the notification of decision section 2.


4. More about the requirements of the Personal Data Act

    4.1. Legal basis for obtaining credit information

Obtaining credit information on individuals and sole proprietorships ("the registered")
constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and
the Personal Data Act § 1.


Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a
legal basis.

When a company is to obtain credit information about the data subject without consent being
available, and without the credit rating being strictly necessary to perform an agreement with the
data subject, Article 6 (1) (f) is the most relevant legal basis.

Article 6 (1) (f) requires that the collection of credit information is "necessary" to
safeguard a "legitimate interest" which, after a balancing of interests, outweighs the consideration
of the individual's privacy.

The legitimate interest must be legal, clearly defined in advance, real and objectively justified
in the business. Which interests meet this depends on an assessment in which, among other things,
what benefits the company obtains from the processing, how important the interest is for
the business, and whether the processing has a public interest or safeguards non-profit interests
which benefit many, are relevant factors.

Furthermore, the processing in question must be "necessary" for purposes related to the legitimate
interests. That is, the business must consider whether it can achieve the purpose in a way that
better safeguards privacy. One must therefore choose the processing that is least invasive.

Then the business must carry out a balancing of interests to decide whether the individual's
privacy outweighs the business' legitimate interest. What type of information
it is relevant to process, for example whether the collection of the relevant information can
be perceived as offensive, and what expectations the individual has for the processing of
the personal data, are relevant factors in the balancing of interests.

The now repealed Personal Data Regulations § 4-3 [1] contained an additional condition that
credit information could only be obtained if the business had a "factual need" for the
credit information.


Section 4-3 of the regulations is continued in accordance with the regulations on transitional rules on the processing of
personal data § 4. [2]

However, the Privacy Ordinance does not provide national room for maneuver for special regulation of
obtaining credit information. We therefore believe that the requirement for "objective need" does not constitute an
additional condition to Article 6 (1) (f).

However, the assessment of whether the business has a "factual need" pursuant to section 4-3 of the regulations is closely
connected with the assessment pursuant to Article 6, paragraph 1, letter f. We therefore believe that earlier
administrative practice regarding the requirement of objective need is still relevant when assessing Article
6 No. 1 letter f.

    4.2. About the duty of internal control


According to Article 24 of the Privacy Ordinance, all companies are obliged to be able to prove that they
process personal data in accordance with the law. If it stands in a reasonable relation to
the processing activities, the company shall implement appropriate guidelines for the protection of
personal information.


Credit rating is an intrusive processing of personal data and constitutes a large
encroachment on individuals' right to privacy. Businesses must therefore be able to document
their internal routines or processes, so-called internal control, which meet the requirement of objectivity
for credit rating.


The routines must describe when and how credit information is to be obtained and how access to it
shall be provided, and shall ensure that credit assessments are not obtained without the requirement of objective need being
fulfilled. Furthermore, the company must have routines for handling deviations.


5. The Data Inspectorate's assessment

    5.1. Internal control


Lindstrand Trading has not commented on our notice of an order to establish
internal control.
We therefore maintain our conclusion to order the company to establish internal control
for credit assessments, and refer to our assessment in section 5.1 of the notice.


[1] Personal Information Regulations of 15 December 2000 no. 1265.
[2] Transitional rules on the processing of personal data of 15 June 2018 no. 877.


    5.2. Legal basis for obtaining credit information

The relevant basis for processing for Lindstrand Trading's acquisition of
credit information on the complainant and is Article 6 (1) of the Privacy Regulation
letter f. The question is whether the company had a legal basis in Article 6 no. 1 letter f
when the general manager obtained credit information about the complainant



Lindstrand Trading's comments

In their comments on the notice of decision, Lindstrand Trading stated that the company had a
legitimate interest in credit rating the complainant. You justify this on the grounds that











In support of Lindstrand Trading having had a legitimate interest in the credit assessments, reference is made
to the Privacy Board's decision PVN-2010-04. In this decision, the tribunal considered
whether a lawyer on behalf of his client fulfilled the requirement of "factual need" in
the Personal Data Regulations § 4-3.

The defendant's lawyer had credit-rated his client's counterparty in a dispute, and the client
disagreed that there was a factual need for credit assessments. The tribunal points in its assessment to
the party constellations in the case, and that the lawyer's client had a claim that was approaching
its limitation period. On the basis of this, the tribunal assessed the case so that it did not appear unnatural
for the defendant's attorney's client to consider civil action. The tribunal then concluded that
the requirement of objective need was met. The decision was made in accordance with the Personal Data Act of 2000
and the Personal Data Regulations § 4-3.


The Data Inspectorate's assessment

Article 6 (1) (f) of the Privacy Regulation reads as follows:

        the processing is necessary for purposes related to the legitimate interests
        pursued by the data controller or a third party, unless the data subject's
        interests or fundamental rights and freedoms take precedence and require protection
        of personal data, especially if the data subject is a child

Recital 47 of the Privacy Ordinance states that in the assessment of "the legitimate
interests of a data controller", among other things, the data subject's
expectations based on the relationship between the data controller and the data subject must be taken into account. It
must also be emphasized whether it was foreseeable for the data subject at the time of collection that
the information would be processed for the purpose in question.

The legitimate interest must be legal, clearly defined in advance, real and objectively justified
in business.

It follows from Article 5 (1) (a) of the Privacy Regulation (principle of legality) and
the requirement of a legal basis in Article 6 that it is the data controller who is
the subject of the obligation in the regulation, and who must meet the requirements of the regulation before processing of
personal information starts.

It follows from the wording of Article 6, paragraph 1, letter f and recital 47 that what constitutes a
legitimate interest shall be assessed on the basis of the business of the data controller. This
also follows from the Article 29 Working Party's guidance on "legitimate interest" as a legal
basis for processing personal data. [4]

Lindstrand Trading AS is the data controller for the collection of credit information about
the complainant. Lindstrand Trading operates, according to
the Brønnøysund Register Centre, a business with "import and sale in e-commerce, with cosmetic
goods, sporting goods and electronics."

Lindstrand Trading has referred to PVN-2010-04 as support that the company had a
legitimate interest in carrying out the contested credit assessments in our case.

Section 4-3 of the Personal Data Regulations' requirement for a "factual need" for obtaining
credit ratings is no longer a direct additional condition for the individual
business that collects credit information. We refer to our account of this in our
notice of decision section 3.1.

However, assessments of whether a business has an "objective need" under
section 4-3 of the Personal Data Regulations are closely related
to the assessment pursuant to Article 6, No. 1, letter f. Previous practice from the Privacy Board
related to "objective need" is therefore still relevant when assessing "legitimate interest" in
Article 6 (1) (f) of the Privacy Regulation.

PVN-2010-04 confirms that the assessment of whether the data controller has a "legitimate
interest" shall be based on the business of the data controller. In that case, the tribunal's
assessment of "factual need" is tied to the data controller's practice of law,
to the fact that the credit assessment of a counterparty took place within this business, and in connection
with an assignment the data controller had for a client. This was the background for
the tribunal's conclusion that the lawyer fulfilled the requirement of "factual need".

On the contrary, the general manager in our case has used Lindstrand Trading's credit assessment tool
for personal purposes completely outside the company's business area.

[3] «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019).
[4] Article 29 Working Party Opinion 06/2014 on the concept of legitimate interests of the data controller under
Article 7 of Directive 95/46/EC, WP217, p. 24.

Neither the complainant personally, her sole proprietorship or have had any relationship with
or contact with Lindstrand Trading, and they had no expectation that the business would
obtain their credit information. It was not foreseeable for the complainant at
the time of collection that Lindstrand Trading would process their credit information.

Lindstrand Trading has obtained credit information about two individuals without any kind of
customer relationship or contact or other affiliation with their business. The legitimate
interest must be objectively justified in the business, and in our case Ketil Lindstrand has
obtained credit information for personal use for a purpose completely outside Lindstrand
Trading's business area.

On the basis of this, we maintain our assessment that the requirement of "legitimate interest" in
Article 6 (1) (f) of the Privacy Regulation is not complied with in the case.


We therefore uphold our conclusion that Lindstrand Trading had no legal basis
in the Privacy Regulation Article 6 No. 1 letter f for the four credit assessments in total
of the complainant, her sole proprietorship, and

We also refer to our assessment of the legal basis in the notice, section 5.2.

6. Infringement fee


    6.1. General information about infringement fines

Infringement fees are a tool to ensure effective compliance and enforcement of
the personal data regulations. We believe it is necessary to respond to the violations with
infringement fine, cf. Article 83 of the Privacy Regulation.


In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that
infringement fines are to be regarded as penalties under the European Convention on Human Rights
Article 6. Therefore, a clear preponderance of probabilities for offenses is required in order to be able to impose
a fee. The case and the question of imposing an infringement fee have been considered
on the basis of this evidentiary requirement.


In this context, reference is made to Chapter IX of the Public Administration Act on administrative
sanctions. By an administrative sanction is meant a negative reaction that can be imposed by an
administrative body, which addresses a committed violation of law, regulation or individual
decision, and which is considered a punishment under the European Convention on Human Rights
(ECHR).

For companies, the assessment of guilt is distinctive. Section 46, first paragraph, of the Public Administration Act states:


        When it is stipulated by law that an administrative sanction may be imposed on an enterprise,
        the sanction can be imposed even if no individual has shown guilt.

In Prop. 62 L (2015-2016) page 199 it is stated about § 46:

        The wording that 'no individual has shown guilt' is taken from the section on
        corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. Responsibility
        is therefore basically objective.


    6.2. Assessment of whether an infringement fee is to be imposed

Lindstrand Trading has commented on the size of the notified fee. Our
assessment is that these remarks do not change our assessment that a fee should be charged for
the violation, and we refer to our assessment of this in section 6.2 of the notice.


    6.3. Assessment of the size of the fee

Lindstrand Trading's comments


Lindstrand Trading has stated that the notified fee of NOK 100,000 has been set too high, and
has in this connection referred to several decisions from the Privacy Board, as well as factors for
determination of infringement fines pursuant to the Personal Data Act of 2000 § 46 with preparatory work.

In conclusion, you state that the fee will affect the company's finances disproportionately
hard, and write that there are no funds in the company to cover a possible infringement fee.

You have also attached a printout from proff.no with accounting figures from the company.

You refer in the comments to several decisions from the Privacy Board, and note that the fees
in these cases are set lower than in our case and that the data controllers in the cases had better
finances than Lindstrand Trading. The cases you refer to have been processed under
the Personal Data Act of 2000. Our assessment is that these cases do not govern our
assessment of the amount of the fee in this case under the Privacy Ordinance Article 83.

The Data Inspectorate's assessment

The Privacy Ordinance facilitates a higher level of fines than that which applied under
the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that
infringement fines shall be determined specifically so that in each individual case they are effective, are
in a reasonable proportion to the violation and act as a deterrent. The main purpose of
infringement fines is prevention, i.e. the risk of being charged a fee must work as a
deterrent and thereby contribute to increased compliance with the regulations. [5]


By Skullerud et al. (2019), page 347, it appears:

        Preventive considerations dictate that the fee for a violation must be set so high that this
        is actually perceived as an evil by the offender. This means that the offender's
        financial ability should be important in the measurement, so that the fee is higher the
        stronger the carrying capacity of the offender. […] When assessing the financial carrying capacity of a
        company, it may be relevant to look at the company's total global annual turnover in the
        previous financial year, cf. art. 83 Nos. 4 and 5.

[5] «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019).

And further:

        The consideration of ensuring an individual assessment in each individual case indicates that
        Regulators should avoid establishing standardized fee rates. This applies

        even if national law allows for standardized rates, cf. the Public Administration Act § 43.

The fee must therefore be measured specifically in each case, and have a deterrent effect on the individual
the business.

When assessing whether a fee should be charged and when measuring it, the Data Inspectorate shall take into account
the elements of the Privacy Regulation Article 83 (2) (a) to (k). The Norwegian Data Protection Authority may impose
an infringement fee after a discretionary overall assessment, but the listed factors
lay down guidelines for the exercise of discretion by highlighting aspects that are to be given special
weight.

Obtaining credit information about an individual or sole proprietorship without
basis for processing constitutes a violation of the basic principle of legality in
Article 5 (1) (a) of the Privacy Ordinance

very private character, which the data subject has a high expectation of not obtaining
unless it is objectively justified in their relationship with a data controller. This is
weighty factors that argue for a fee of a certain size.

In our case, Lindstrand Trading has illegally obtained credit ratings a total of four times. This
we emphasize in an aggravating direction.


The violations in our case are also committed by the general manager, who in the case shows little knowledge
about the requirements of the Privacy Ordinance that must be met in order to obtain
credit information. We emphasize this in an aggravating direction, as
the Privacy Ordinance presupposes a strong anchoring in the data controller's
management, cf. the principle of accountability in Article 5 (2).


We also place aggravating emphasis on the fact that the business, according to the information, did not have in place
technical or organizational measures in the form of written routines to ensure compliance with
the regulations, cf. Article 24 of the Privacy Regulation.

We also refer to our assessment of the seriousness of the infringement in the notification section 6.2, and maintain
this assessment.


The serious circumstances we have pointed out above and in our notice of decision justify a fee of
a certain size. Preventive considerations dictate that the fee for a violation must be set so high that
this is actually perceived as an evil by the offender. This means that the offender's
economic ability should be important when measuring, so that the fee is higher the stronger
the carrying capacity of the offender.

At the same time, the company's finances are only one of several factors that the supervisory authority can place
emphasis on in the determination of infringement fines under the Privacy Regulation Article 83. The
financial situation is not in itself sufficient to avoid an infringement fee from the
supervisory authority, and must be seen in relation to the seriousness of the infringement.

In the case, you have argued that there are no funds in the company to cover a fee, and you
have attached accounting figures from proff.no which show that the company has not had turnover in
financial years 2018 and 2019.

In our calculation of the notified fee of NOK 100,000, we have already taken into account
the business's financial situation. We remind you that violations of the Privacy Regulation
Article 6 may lead to sanctions in the form of infringement fines of up to EUR 20 million, see
the Privacy Ordinance, Article 83, No. 5, letter a. This corresponds to NOK 214,000,000. [7]
The fee imposed in this case is thus at the very bottom of what the regulation
prescribes for such breaches of regulations.

The accounting figures show that Lindstrand Trading is registered with a share capital of 800,000
NOK. Lindstrand Trading also runs the online store DSD de Luxe, which sells beauty
and wellness products. It appears from the online store's website that it is in operation, that it sells a
large selection of goods, and that it currently has a stock sale. Our assessment is that the company's high
share capital, and the fact that there is operation in the company's online store, suggest that Lindstrand Trading can
bear an infringement fee.


On the basis of the serious violations in the case, and after taking into account the business's
financial situation, we maintain our assessment that the infringement fee is set at
100,000 kroner.


We also refer to our justification for the calculation of the fee in the notice, sections 6.2 and 6.3.

7. Right of appeal and further proceedings


You can appeal the decision. Any appeal must be sent to us within three weeks after this
letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will
forward the case to the Privacy Board for appeal processing.


If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after
the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act.





[6] «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019).
[7] Calculated on 2 December, acc. information at norges-bank.no/tema/Statistikk/Valutakurser
[8] https://www.dsddeluxe.no/ (last visited 20.11.20).

The deadline for implementing the order section 2 on internal control is 4 weeks after the expiry of the appeal deadline.
If you do not appeal the order point 2, you must within this deadline send us a
written confirmation, as well as documentation, that the order for internal control has been implemented.

8. Transparency and publicity

You have the right to access the case documents, cf. the Public Administration Act § 18. We also inform you
that all documents are in principle public, cf. the Public Access to Information Act § 3. If
you believe that there is a basis for exempting all or part of the document from public access,
we ask you to justify this.

If you have questions about the case, you can contact Ole Martin Moe on telephone 22 39
69 59 or e-mail omm@datatilsynet.no.





With best regards


Jørgen Skorstad

department director, law
                                                                 Ole Martin Moe
                                                                 legal adviser

The document is electronically approved and therefore has no handwritten signatures



Copy to: