Datatilsynet (Norway) - 20/02225: Difference between revisions

From GDPRhub
(Updated with DPA decision)
Line 20: Line 20:
|Date_Published=
|Date_Published=
|Year=
|Year=
|Fine=300000
|Fine=100000
|Currency=NOK
|Currency=NOK


Line 50: Line 50:
|Initial_Contributor=n/a
|Initial_Contributor=n/a
|
|
}}
|GDPR_Article_4=Article 5(1)(a) GDPR}}


Datatilsynet held that a credit rating of the complainant, initiated by the company Aquateknikk, did not satisfy the requirements under Article 6(1)(f) GDPR. In addition, the company was required to evaluate and improve their internal guidelines for initiating credit ratings, pursuant to Article 24 GDPR.  
The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (~€9,700) for subjecting the complainant to a credit rating without a legal basis under Article 6(1)(f) and 5(1)(a) GDPR. The DPA also requires that the company implement internal controls of their credit rating process as per Article 24.  


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The company Aquateknikk AS credit rated the complainant without any connection between the company and the complainant. According to the complainant, this was done due to the fact that the complainant operates a competing business. Aquateknikk stated that the credit rating of the complainant was a mistake, as the intended target of the credit rating was the complainant's business.
The company Aquateknikk AS credit rated an individual and his business, despite having no customer relationship or any other affiliation with either. According to the complainant, the credit rating was conducted because he operates a competing business.  


Datatilsynet decided to issue a request for the logs of the company's credit rating history to Bisnode, the company issuing the credit ratings. In the logs it was clear that both the complainant and the complainant's company was credit rated by Aquateknikk.  
Aquateknikk stated that the credit rating of the complainant personally was a mistake, as the intended target of the credit rating was the complainant's business. However, the DPA found from their credit rating logs from Bisnode, the credit rating bureau, that Aquateknikk had credit rated the complainant's company first and then the complainant personally, "indicating that the action was intentional". The DPA commented that they don't believe Aquateknikk's explanation and noted that the credit rating seems to have been conducted due to "nosiness".


=== Dispute ===
===Dispute===
The issue at hand was whether Aquateknikk had a legitimate interest in rating the credit worthiness of the complainant, pursuant to Article 6(1)(f) GDPR.
Did Aquateknikk have legal grounds for processing the personal data of the complainant for a credit rating, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit ratings in their business?


=== Holding ===
===Holding===
Datatilsynet held that Aquateknikk did not have a legitimate interest in rating the credit worthiness of the complainant. In particular, Datatilsynet highlighted that there were no prior existing relationship between the company and the complainant. On the contrary, the complainant operated a competing business. As such, the complainant could also not have any reasonable expectations that the company would process his personal credit rating.
No, Aquateknikk did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f). For this offense, the company was fined NOK 100,000.  


In addition to a breach of Article 6(1)(f) GDPR, the lack of organisational measures pursuant to Article 5(2) GDPR was weighted when concluding on the size of the fine.  
They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and submit a written confirmation and actual documentation of the internal controls, to the DPA.


== Comment ==
==Comment==
The controller was fined on the basis of breaches to Articles 6(1)(f) and 5(2) GDPR.  
The company was initially notified of a NOK 300,000 fine. Due to the COVID-19 pandemic, however, the company argued that their financial situation had worsened and such a major fine would be very detrimental and, possibly, lead to bankruptcy. After reviewing the preliminary 2020 financial results of the company, the DPA reduced the fine to NOK 100,000, stating that this would be sufficiently "effective, proportionate and dissuasive" as per Article 83(1).  


While it was not done in this particular case, Norwegian implementation of the GDPR also allows for fining controllers based on breaches of Article 24, unlike the GDPR cf. personopplysningsloven § 26. Personopplysningsloven § 26 refers to Article 83(4) GDPR.  
In addition to a breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was weighted when concluding on the size of the fine.  


== Further Resources ==
While it was not done in this particular case, Norwegian implementation of the GDPR also allows for fining controllers based on breaches of Article 24, unlike the GDPR cf. personopplysningsloven § 26. Personopplysningsloven § 26 refers to Article 83(4).
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==Further Resources==
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-gebyr-aquateknikk/
 
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/aquateknikk-as-far-gebyr/
 
==English Machine Translation of the Decision==
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.


<pre>
<pre>
 
https://www.datatilsynet.no/contentassets/c5f433a97050467497810b9e891d5b83/vedtak-om-palegg-og-overtredelsesgebyr---aquateknikk-as.pdf
</pre>
</pre>
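
Review bot: The added template line "|GDPR_Article_4=Article 5(1)(a) GDPR}}" and the new opening summary cite Article 5(1)(a), but the Relevant Law list rendered for this revision shows only Article 5(2), Article 6(1)(f) and Article 24, and the new Comment text refers to Article 5(2) rather than 5(1)(a). Suggest confirming which Article 5 provision the decision relies on, then making the infobox, the summary and the Comment agree, and checking that the new parameter is placed so that it renders. In the same Comment paragraph, "weighted" should read "weighed".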

Revision as of 07:28, 22 January 2021

Datatilsynet - 20/02291
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 100000 NOK
Parties: n/a
National Case Number/Name: 20/02291
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (~€9,700) for subjecting the complainant to a credit rating without a legal basis under Article 6(1)(f) and 5(1)(a) GDPR. The DPA also requires that the company implement internal controls of their credit rating process as per Article 24.

English Summary

Facts

The company Aquateknikk AS credit rated an individual and his business, despite having no customer relationship or any other affiliation with either. According to the complainant, the credit rating was conducted because he operates a competing business.

Aquateknikk stated that the credit rating of the complainant personally was a mistake, as the intended target of the credit rating was the complainant's business. However, the DPA found from their credit rating logs from Bisnode, the credit rating bureau, that Aquateknikk had credit rated the complainant's company first and then the complainant personally, "indicating that the action was intentional". The DPA commented that they don't believe Aquateknikk's explanation and noted that the credit rating seems to have been conducted due to "nosiness".

Dispute

Did Aquateknikk have legal grounds for processing the personal data of the complainant for a credit rating, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit ratings in their business?

Holding

No, Aquateknikk did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f). For this offense, the company was fined NOK 100,000.

They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and to submit written confirmation and the actual documentation of those controls to the DPA.

Comment

The company was initially notified of a NOK 300,000 fine. Due to the COVID-19 pandemic, however, the company argued that their financial situation had worsened and such a major fine would be very detrimental and, possibly, lead to bankruptcy. After reviewing the preliminary 2020 financial results of the company, the DPA reduced the fine to NOK 100,000, stating that this would be sufficiently "effective, proportionate and dissuasive" as per Article 83(1).

In addition to a breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was weighed when concluding on the size of the fine.

While it was not done in this particular case, the Norwegian implementation of the GDPR, unlike the GDPR itself, also allows controllers to be fined for breaches of Article 24 (cf. personopplysningsloven § 26). Personopplysningsloven § 26 refers to Article 83(4).

Further Resources

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-gebyr-aquateknikk/

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/aquateknikk-as-far-gebyr/

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

https://www.datatilsynet.no/contentassets/c5f433a97050467497810b9e891d5b83/vedtak-om-palegg-og-overtredelsesgebyr---aquateknikk-as.pdf