Difference between revisions of "Datatilsynet (Norway) - 20/02319"

From GDPRhub
Revision as of 11:55, 20 February 2022

Datatilsynet (Norway) - 20/02319
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(b) GDPR
Article 12(1) GDPR
Article 12(3) GDPR
Article 13(1)(c) GDPR
Article 13(2)(b) GDPR
Article 21(3) GDPR
Article 21(4) GDPR
Type: Complaint
Outcome: Upheld
Started: 17.04.2020
Decided: 11.11.2021
Published:
Fine: None
Parties: Komplett Bank ASA
National Case Number/Name: 20/02319
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: Datatilsynet (in EN)
Initial Contributor: Tore Anderson

The Norwegian DPA held that Article 6(1)(b) GDPR «Necessary for the performance of a contract» cannot be used as a lawful basis for direct marketing purposes when direct marketing is not the main subject-matter of the contract in question.

English Summary

Facts

A data subject received direct marketing by e-mail from the controller Komplett Bank ASA despite having previously objected to such processing pursuant to Article 21(3) GDPR.

The controller's privacy statement and on-line customer portal suggested the lawful basis used for the direct marketing was «Consent» pursuant to Article 6(1)(a) GDPR. The data subject had at no point given consent for processing of his personal information for direct marketing purposes.

Communication between the data subject and the controller's data privacy officer eventually revealed that the controller was using another lawful basis for this processing, specifically «Necessary for the performance of a contract» pursuant to Article 6(1)(b) GDPR.

The contract in question regarded a credit card service bundled with a non-optional customer benefit / loyalty program. While the customer benefit program part of the contract did contain a clause stating the controller would send direct marketing to its customers, the data subject considered that such marketing activity could not be considered objectively necessary for the performance of the contract.

The responses from the controller's data privacy officer to the data subject's requests for information did on multiple occasions exceed the maximum time limit of 30 days pursuant to Article 12(3) GDPR.

Holding

The DPA held that Komplett Bank ASA had:

  • violated Article 6(1) GDPR by processing personal data for direct marketing purposes without a lawful basis. The DPA held that the main subject-matter of the contract was the issuance of a credit card, not direct marketing, and that the controller's use of Article 6(1)(b) GDPR «Necessary for the performance of a contract» was unlawful.
  • violated Articles 12(1) and 13(1) GDPR by providing misleading information about the lawful basis used for processing of personal data for direct marketing purposes.
  • violated Article 12(3) GDPR by exceeding the time limit for responding to the data subject's requests for information.
  • violated Articles 13(2) and 21(4) GDPR by not making the data subject aware of his right to object to the processing of his personal data for direct marketing purposes.
  • violated Article 21(3) GDPR by not respecting the data subject's prior objection to direct marketing.

For the above violations, the DPA issued Komplett Bank ASA a Compliance Order and Reprimand.

The Decision

Datatilsynet


KOMPLETT BANK ASA
Postboks 448
1327 LYSAKER


Our reference: 20/02319-8
Date: 11.11.2021


FINAL DECISION – COMPLIANCE ORDER AND REPRIMAND

We refer to our advance notification of 16 December 2020 and previous correspondence. We also refer to the answer to the advance notification from Komplett Bank ASA (Komplett Bank) of 22 January 2021 and to the e-mail with additional comments from the complainant of 10 January 2021.

    1. Compliance Order and Reprimand

The Norwegian Data Protection Authority issues the following decision to Komplett Bank:

    1. Komplett Bank ASA must implement measures to ensure that requests from data subjects that constitute objections against direct marketing pursuant to Article 21(3) GDPR lead to the personal data in question no longer being processed for such purposes.

    2. Komplett Bank ASA must implement measures to ensure that requests from data subjects under Articles 15–22 GDPR are answered within the time limits set forth in Article 12(3) GDPR.

    3. Collectively, for having processed personal data in breach of Articles 6(1), 12(1) and (3), 13(1) and (2), 21(3) and (4) GDPR, Komplett Bank ASA is given a reprimand.

We are competent to issue corrective measures pursuant to Article 58(2) GDPR.

    2. Case Background

The complainant states that he has been a customer of Komplett Bank since 2016. He argues that his personal data has been processed unlawfully, as he has received direct marketing by e-mail without having the possibility to opt out from this upon registration of his e-mail address.

The complainant further states that he, after having received the first e-mail containing direct marketing in September 2018, contacted Komplett Bank to object to this use of his personal data. Still, he again received an e-mail containing direct marketing in November 2019.

The complainant has been in contact with the Data Protection Officer of Komplett Bank on several occasions, and has documented that, on some of the occasions, more than one month elapsed before his requests were answered.

Based on information available online and provided in the initial e-mail correspondence with the Data Protection Officer, the complainant was of the understanding that the legal basis for Komplett Bank’s processing of his personal data was consent. When the complainant expressed this understanding in an e-mail, the Data Protection Officer wrote in response that the legal basis was not consent, but rather necessity for the performance of a contract pursuant to Article 6(1)(b) GDPR. Later, in an e-mail from the Data Protection Officer of 26 June 2020, the legal basis for processing was reported to be Article 6(1)(f) GDPR for the purpose of marketing the bank’s products within the same product category towards customers, and Article 6(1)(b) GDPR for the purpose of marketing in relation to the customer benefit program for Komplett Bank Mastercard.

From the documentation we have received from the complainant, there does not seem to be a designated opt out possibility for marketing from Komplett Bank. Conversely, under the tab called ‘My Consents’, there is a possibility to ‘approve’ digital marketing via e-mail and SMS.

In a letter of 18 June 2020, Komplett Bank answered questions from the Norwegian Data Protection Authority regarding the case. Also in this letter, the legal basis for the processing of personal data relevant to the case is stated to be Articles 6(1)(f) and (b) for the two above-mentioned purposes. Routines for handling access requests and the balancing of interests assessment pursuant to Article 6(1)(f) were attached.

In the letter, you write that customers who wish to opt out from direct marketing can do so by changing their consents when logged into the bank’s online banking service, or by contacting customer service.

The routines for handling requests for access to personal data, attached in the letter from Komplett Bank, state that a weekly meeting is held to go through access requests. Access requests are said to be answered within one month. Further, it is stated that in some cases the time limit can be extended. Which cases qualify for an extension is not specified.

In an e-mail with additional comments from the complainant of 10 January 2021, he raises questions on compliance with Article 15(3) of the Marketing Practices Act:

    ‘Article 15(3) of the Marketing Practices Act and Article 15(2) ePrivacy both set a condition that the customer must be given a possibility to object against such marketing when the electronic address is gathered. In other words, it will not be sufficient to give access to object at a later stage, e.g., on a “My Page”, as this does not fulfil the condition of simultaneousness.’

These are questions for which the Consumer Agency is competent authority (see Section 3.1 below).

In Komplett Bank’s answer to the advance notification of 22 January 2021, you have given your comments to the assessment by the Norwegian Data Protection Authority. We have implemented the comments in our assessment (see Section 4 below).

    3. Legal Background

Personal data shall be processed in a lawful, fair and transparent manner pursuant to Article 5(1)(a) GDPR, cf. Article 1 of the Personal Data Act.

Pursuant to Article 5(2) GDPR, the controller has an independent responsibility to comply with, and must be able to demonstrate compliance with, the principles relating to processing of personal data in Article 5(1) (the accountability principle).

        3.1. Lawful processing of personal data

The Norwegian Data Protection Authority is not the competent authority for issues specifically regulated by the Marketing Practices Act. Pursuant to Article 15(3) of the Marketing Practices Act, consent is required in some situations. However, consent is not required for direct marketing via e-mail in existing customer relationships, on certain conditions. The Consumer Agency is the competent authority for supervising companies’ compliance with the provision. Nonetheless, companies must still ensure that the processing of personal data is also in compliance with the GDPR.

To be lawful, the processing of personal data must have a basis in one of the alternatives in Article 6(1)(a)–(f) GDPR.

If a contract with the data subject is to be used as basis for the processing of personal data, the processing must be necessary for the performance of the contract to be lawful, cf. Article 6(1)(b) GDPR. The European Data Protection Board (EDPB) has stated that the processing must be objectively necessary. This means that the controller should be able to demonstrate how the main subject-matter of the specific contract with the data subject cannot be performed if the specific processing of the personal data in question does not occur.[1] The fact that a processing of personal data is written into the contractual terms is neither sufficient nor necessary for Article 6(1)(b) GDPR to be applicable.

Pursuant to Article 6(1)(f) GDPR, processing of personal data can be lawful if based on a balancing of interests. The processing must be necessary for the purposes of the legitimate interests pursued by the controller, which can be pursued unless the interests or fundamental rights and freedoms of the data subject override these interests. This basis for processing has three elements: the controller must have a legitimate interest, the processing must be necessary to achieve the legitimate purpose, and a balancing of this interest against the data subject’s interests, such as the right to privacy, must be done in the specific case.

        3.2. Retroactive change of legal basis for the processing

A controller that has used one basis for their processing of personal data, cannot at a later stage go back and base an already executed processing on a different basis. If the basis that the processing originally was based on turns out to be invalid, the processing that has taken place will be unlawful. The reasoning behind this is that the controller must make the assessment at the outset of processing, and that the data subject should be able to trust that the information given about the basis for processing is correct.[2]

        3.3. The data subject’s right to object

The data subject shall at any time have the right to object to processing of personal data concerning him or her that is based on Article 6(1)(f) GDPR. The same applies to personal data processed for the direct marketing purposes, regardless of what the basis for processing is, cf. Article 21(2) GDPR. When the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes, cf. Article 21(3) GDPR.

        3.4. The data subject’s right to information

            3.4.1. Right to information about the legal basis for processing, purpose of the processing and the right to object

A person whose personal data is processed has the right to information about several circumstances. The information shall be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language, cf. Article 5(1)(a) and Article 12(1) GDPR. This can for instance be done through a privacy statement.

When personal data is collected from the data subject, the controller shall inform, inter alia, of the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, cf. Article 13(1)(c) GDPR. If the processing is based on point (f) of Article 6(1), the data subject shall also be informed of the legitimate interests pursued. This information shall be given at the time when the personal data are obtained.

The controller should seek to avoid confusion regarding which legal basis they apply for processing of personal data. The data subject can, e.g., get the impression that they are consenting to a specific processing, while the processing in reality is based on contract pursuant to Article 6(1)(b) GDPR.[3]

At the latest at the time of the first communication with the data subject, he or she shall be explicitly informed of the right to object in Article 21(1) and (2) GDPR. The information shall be presented clearly and separately from any other information, cf. Article 21(4) GDPR.

            3.4.2. Time limits for answering data subject requests

If the data subject asks for the fulfilment of a right pursuant to Articles 15–22 GDPR, the controller shall give an answer without undue delay and in any event within one month of receipt of the request, cf. Article 12(3) GDPR. The answer shall contain information on action taken on the request. Where necessary, taking into account the complexity and number of the requests, the time limit can be extended by two further months. If so, the data subject shall be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.

    4. The Norwegian Data Protection Authority’s assessment

        4.1. Lawful processing of personal data

Komplett Bank writes in the letter of 18 June 2020 that direct marketing towards customers is a processing of personal data that is based on a balancing of interests pursuant to Article 6(1)(f) GDPR.

Komplett Bank has attached the evaluation on balancing of interests that is made regarding the processing of personal data for the purposes of direct marketing towards customers of the bank’s products within the same product category. The Norwegian Data Protection Authority is of the view that the balancing of interests provides a basis for lawful processing of personal data for this purpose pursuant to Article 6(1)(f) GDPR.

Further, you write that the processing of personal data in connection to the customer benefit program for Komplett Bank Mastercard is based on contract pursuant to Article 6(1)(b) GDPR. You write that you see it as a contractual obligation to inform participants in the benefit program about campaigns and other related benefits. The membership terms for the customer benefit program, dated 18 September 2015, point 1.1, state that Komplett Bank undertakes to inform the customers periodically about earning possibilities and possibilities to withdraw bonus points.

As mentioned, one can only use Article 6(1)(b) as legal basis for processing if the main subject-matter of the specific contract with the data subject cannot be performed if the specific processing of the personal data in question does not occur. To identify the main subject-matter, one should look at the nature of the service provided, the contract’s purpose and essential elements. Especially, one should consider how the service is promoted or advertised to the data subject, since this can shed light on what were the mutual perspectives and expectations of the parties, as well as which reasonable expectations the customers can have regarding how their personal data will be processed.[4]

This case primarily regards a credit card service. Taking into account how Komplett Bank advertises the credit card on their own website, it seems that the essential elements that can be expected by the customer are a charge-free and contactless credit card with up to 50 days of interest-free credit, bonus point acquirement and insurances.[5] Therefore, we assume this is the main subject-matter of the service.

In other words, it does not seem like sending out offers from Komplett Bank and from the bank’s collaborating partners is part of the main subject-matter of the service, even if this is written in the membership terms for Komplett Bank’s customer benefit program, point 1.1.

In Komplett Bank’s answer to the advance notification of 22 January 2021, you write:

    ‘As the Norwegian Data Protection Authority points out, the main subject-matter of the customer benefit program is credit, earning of bonus points and insurance. When we send newsletters and campaigns to customers to motivate use of the credit card and promote the benefits of the benefit program, it will necessarily also include our collaborator’s services, that is, insurance partners or stores where bonus points can be earned. This is all the same marketing of Komplett Bank’s own service, that is, our service in giving out bonus points and negotiating for good terms with our collaborators.’

We agree with Komplett Bank’s remark in that marketing of collaborators’ services is all the same marketing of Komplett Bank’s own service in this context. However, we cannot see that marketing of the service is the main subject-matter of the contract. Use of the credit card, with its benefits, bonus point acquirement and insurances, can be executed without processing personal data for direct marketing purposes. It is therefore the Norwegian Data Protection Authority’s assessment that the processing of personal data for marketing purposes on Komplett Bank’s or other parties’ behalf is not objectively necessary for the performance of a contract to which the data subject is a party.

Further, in Komplett Bank’s answer to the advance notification of 22 January 2021, you write:

    ‘As an illustration that it can be relevant to use alternative (b) instead of alternative (f), we can point to former legal sources. In the travaux preparatoires of the former Personal Data Act Article 26 (the right to opt out from direct marketing) it was expressed that it can be ‘hard and unnatural to separate objective information connected to the contractual relationship and marketing of closely related products.’ Further, Article 7-7 of the former Norwegian Regulation on Data Protection made an exception for the duty to give notice for processing of customer data as part of administration and execution of the contractual obligations. This shows that it is not unnatural, considering the legal sources, to deem processing of personal data relating to marketing in existing customer relationships as ‘necessary for the performance of a contract’ and therefore with legal basis in Article 6(1)(b) GDPR’.

It is the responsibility of the controller to follow applicable data protection rules. The new Personal Data Act and the GDPR have been applicable in Norway since 20 July 2018. In the EU, the GDPR has been applicable since 25 May 2018. Article 26 of the former Personal Data Act was set aside in 2009.[6] This case regards processing executed in the period after these dates. Former legal sources may carry limited weight in this regard.

The processing of personal data for marketing purposes on Komplett Bank’s or other parties’ behalf was not necessary for the performance of the contract. Therefore, Article 6(1)(b) GDPR cannot provide legal basis for the processing.

The processing in question was executed without a legal basis in Article 6(1) GDPR. This constitutes a breach of Article 6(1) GDPR.

In Komplett Bank’s answer to the advance notification of 22 January 2021, you have also written that you assume that our compliance order only regards the processing that relates to the case and not the activities of the bank in general. This is a correct interpretation. We have narrowed the wording in the compliance order for clarification. The requirement of having a valid legal basis, however, applies generally to all processing of personal data executed by a controller.

        4.2. Retroactive change of legal basis for the processing

It is not possible to retroactively “change” to another legal basis after having commenced with the processing, e.g., because the original legal basis did not cover the processing after all.[7] Any change in the legal basis for processing shall in any event be informed to the data subjects pursuant to the duty to inform in Articles 12–14 GDPR.

The Norwegian Data Protection Authority is of the understanding that the same legal basis had been used for the processing activities in question from start to end, and that there is no kind of retroactive “change” of legal basis, e.g., from consent to contract. The fact that the complainant may have been of the understanding that this is the case, may on the other hand suggest that Komplett Bank has provided insufficient information (see Section 4.4 below).

Komplett Bank writes, in your answer to the advance notification of 22 January 2021, that you are willing to change the legal basis for processing of personal data for marketing of the customer benefit program:

    ‘The Norwegian Data Protection Authority recognises that Komplett Bank has legal basis in Article 6(1)(f) GDPR for the processing of personal data concerning the marketing towards customers of the bank’s own products within the same product category.
    Conversely, the Norwegian Data Protection Authority finds that Komplett Bank does not have legal basis in Article 6(1)(b) for processing of personal data in relation to the marketing of the customer benefit program. The Norwegian Data Protection Authority’s conclusion is that this in the future will have to be based on another legal basis, for instance a legitimate interest, if the requirements are fulfilled.

    We take note of this. In the future, we will base our marketing of the customer benefit program on Article 6(1)(f) GDPR.’

Further, you write:

    ‘For the sake of good order, we would like to bring attention to the fact that we have intended no substantial difference between basing one type of marketing on Article 6(1)(f) GDPR, and the other on Article 6(1)(b) GDPR. For both processing activities, we have found the requirements in Article 15(3) of the Marketing Practices Act to be fulfilled – meaning there is an existing customer relationship, and the marketing relates to our own services corresponding to the one that the customer relationship is built on. Whether alternative (b) or (f) is used as legal basis will then not make a difference to the processing of personal data.

    […]

    Distinguishing between alternative (b) or (f) for direct marketing in existing customer relationships is still mostly of theoretical interest. It does not affect the extent or the way in which we send newsletters or marketing, and it does not affect the customers’ privacy rights, including the right to reserve oneself against marketing. When we now will follow the decision of the Norwegian Data Protection Authority, and clarify that our legal basis is Article 6(1)(f) GDPR, cf. Article 15(3) of the Marketing Practices Act, this implies no difference in practice. Our potential reference to a wrong legal basis therefore has not had any negative effects for the data subjects.’

We recognise that you have considered the marketing activity in question to be in line with the requirements in Article 15(3). As mentioned, we do not have competence to examine the statement. These requirements come in addition to your duties pursuant to data protection rules. In other words, compliance with the Marketing Practices Act does not remedy breaches of the Personal Data Act.

We also recognise that if Komplett Bank had used a different legal basis for the processing from the outset, it may not have had any impact on how the processing was executed. This does not, however, necessarily mean that the reference to an inapplicable legal basis has not had negative effects for the data subjects. Furthermore, it does not make the already executed processing lawful pursuant to data protection rules.

All processing of personal data must follow the principles of ‘lawfulness, fairness and transparency’ pursuant to Article 5(1)(a) GDPR. The principle of transparency entails that the legal basis for the processing should be transparent to the data subject from the outset. A retroactive change from one legal basis to another after the processing has started, leads to a lack of predictability for the data subjects. The controller is required to disclose the legal basis upon collection of the personal data, and must therefore have correctly identified in advance of collection what the applicable lawful basis is.[8]

The processing in question can therefore in the future be based on Article 6(1)(f) GDPR, provided that the requirements set out in that provision are fulfilled. There is, however, no room for a retroactive change to this legal basis for processing of personal data that was initially based on Article 6(1)(b).

The change of legal basis cannot remedy the inapplicability of the specified legal basis for the processing already executed.

        4.3. The data subject’s right to object

The complainant has provided documentation that he, in an e-mail to the Data Protection Officer of Komplett Bank of 27 September 2018, asked you to stop sending him direct marketing. The wording he used connected to direct marketing via e-mail was: ‘Further, I ask for a guarantee that this will not repeat itself.’

The Norwegian Data Protection Authority considers this an objection pursuant to Article 21 GDPR. Upon an objection to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes, cf. Article 21(3) GDPR. The complainant still received new direct marketing from Komplett Bank after the request.

The continued processing of personal data for direct marketing purposes after the complainant’s objection to the Data Protection Officer of Komplett Bank, constitutes a breach of Article 21(3) GDPR.

        4.4. The data subject’s right to information

Documentation provided by the complainant shows that there evidently is no designated opt out possibility for marketing from Komplett Bank in the online banking service. On the contrary, under the tab called ‘My Consents’, there is a possibility to ‘approve’ digital marketing via e-mail and SMS. According to the complainant, this box was pre-ticked with the answer ‘yes’ to marketing via e-mail. If this is the alternative you have referred to as a simple possibility to opt out from direct marketing from Komplett Bank, it does not provide information in a transparent and easily accessible form. Firstly, the information indicates that the legal basis for the processing is consent. Secondly, the information can be understood in a way in which there is only a possibility to limit direct marketing from Komplett Bank that is sent electronically.

In the membership terms for the customer benefit program, dated 18 September 2015, the processing of personal data is also connected with the notion of ‘consent’, see point 4. The Norwegian Data Protection Authority assumes that these membership terms were applicable at the time of the events of the present case, and that the Personal Data Act of 2018 therefore is applicable.

A request for consent that is implemented into a longer text with different contractual terms is not a valid consent pursuant to Article 6(1)(a) GDPR.[9] Komplett Bank does not in reality seem to have been of this conviction either. Conversely, Komplett Bank has informed us that the legal basis for this processing has been evaluated under Article 6(1)(b). Nonetheless, the membership terms give misleading information, as they indicate that the legal basis for the processing is consent pursuant to Article 6(1)(a) GDPR. Komplett Bank has not given the data subjects information about using Article 6(1)(b) GDPR as legal basis for processing of personal data.

Taken together, the information provided can lead a person whose personal data is processed to believe that the legal basis is consent.

The documentation provided by the complainant on correspondence with the Data Protection Officer of Komplett Bank also shows that he was given insufficient information about which legal basis is used for which processing activity, even if this was corrected at a later stage.

The Norwegian Data Protection Authority further cannot see that Komplett Bank made the complainant aware of his right to object to the processing of his personal data for direct marketing purposes, pursuant to Article 21(4) GDPR.

On this background, the Norwegian Data Protection Authority finds that there is a breach of Articles 13(1), 12(1) and 21(4) GDPR.

In the answer to the advance notification of 22 January 2021, Komplett Bank states that you have implemented measures to correct the wording in your communication, by clarifying that the legal basis is Article 6(1)(f). You also state that measures have been implemented to make sure that the data subjects are made explicitly aware that they have the right to object at the latest at the time of the first communication.

            4.4.1. Time limits for answering data subject requests

We cannot see that Komplett Bank has given the complainant information on actions taken due to his requests without undue delay, and in any event within one month of receipt of the request. We also cannot see that Komplett Bank has given the complainant information about the delay, and the reasons for the delay, within one month. Several times, the complainant has experienced that more than one month has passed without receiving either a final or a temporary answer to his requests. Furthermore, we cannot see that Komplett Bank’s routines for handling access requests from data subjects state that the time limits in Article 12(3) GDPR are to be followed.

In the answer to the advance notification of 22 January 2021, Komplett Bank explains that the time limits were exceeded in this case due to a lack of capacity and a backlog at the customer service. In the first instance, the delay was only a couple of days after the one-month limit. Thereafter, you explain that some time was spent investigating the complainant’s additional questions and comments to your answers.

Article 12(3) states that where necessary, taking into account the complexity and number of the requests, the time limit can be extended by two further months. In any case, the data subject shall be informed of the extension within one month of receipt of the request, together with the reasons for the delay. This requirement needs to be incorporated into your routines for handling access requests from data subjects, to ensure compliance also in cases where exceeding the one-month time limit is permitted.

We find that there is a breach of Article 12(3) GDPR.

    5. Judicial review

As we have informed earlier, this is a cross-border case. We have cooperated with other concerned supervisory authorities in the case handling. As mentioned, the Norwegian Data Protection Authority has, as lead supervisory authority in the case, a duty to hear all concerned supervisory authorities before a final decision is made.

In cross-border cases, the Norwegian Privacy Appeals Board does not have competence to review the Norwegian Data Protection Authority’s decisions, cf. Article 22(2) second sentence of the Personal Data Act.

The decision can be challenged before the courts. Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, cf. Article 78(1) GDPR. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established, cf. Article 78(1) GDPR. Court proceedings against the Norwegian Data Protection Authority shall be brought before Oslo District Court.[10]

    6. Access to documents

The Norwegian Data Protection Authority has a duty of secrecy regarding the complainant’s identity, cf. Article 24 of the Personal Data Act and Article 13 of the Public Administration Act. As a party to the case, you have the right to such information, cf. Article 13(b)(1)(1) Public Administration Act. You also have the right to access the documents in this case, cf. Article 18 of the Public Administration Act.

We also wish to inform you that all documents are generally subject to freedom of information requests, cf. Article 3 of the Norwegian Freedom of Information Act. If you are of the opinion that the document or parts of the document are exempt from public access, we ask you to give reasons for this.


Kind regards


Tobias Judin
Head of International


Guro Fiskvik Åsbø
Legal Adviser


This letter has electronic approval and is therefore not signed


Copy to: Complainant

[1] EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, para. 30.
[2] EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, para. 17.
[3] EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, para. 20.
[4] EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, para. 33.
[5] https://www.komplettbank.no/kredittkort/.
[6] By the Marketing Practices Act.
[7] See EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, para. 34 and EDPB Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.1, para. 123.
[8] EDPB Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.1, para. 123.
[9] See especially Article 7(2) GDPR and EDPB Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.1, para. 71.
[10] Article 4-4(4) of the Act of 17 June 2005 no. 90 relating to mediation and procedure in civil disputes, cf. Article 25 of the Personal Data Act.