Datatilsynet (Norway) - 20/03046

From GDPRhub
Datatilsynet (Norway) - 20/03046
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 32 GDPR
Article 33(1) GDPR
Article 33(5) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 06.12.2021
Published: 09.12.2021
Fine: 5000000 NOK
Parties: Trumf
National Case Number/Name: 20/03046
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined the company Trumf €500,185 (NOK 5,000,000) for failing to report and document repeated data breaches where people could register other people's bank account numbers to get access to their detailed purchase history.

English Summary[edit | edit source]

Facts[edit | edit source]

"Trumf" is a customer loyalty program owned and run by the company with the same name (the controller). Users can register their Trumf card at various stores, gas stations, airlines and other Trumf partners to collect bonus points, which can then be used to purchase goods or be withdrawn as cash.

In 2016, it was discovered that people could register other people's bank account numbers to get access to their detailed purchase history. At the time, the Norwegian DPA (Datatilsynet) instructed the controller to mitigate this security risk. The controller confirmed that this would be dealt with promptly by implementing a verification mechanism which would solve the problem.

However, in 2020, the DPA, through various news stories, became aware that the security issue was still unresolved. The controller explained that it had been too challenging to resolve it and, further, that they did not report these breaches because they thought they did not have to. Consequently, they did not adhere to Article 33(5) GDPR, nor Article 33(1).

Holding[edit | edit source]

The Norwegian DPA held that Trumf had breached Article 33(1) for failing to notify them of repeated personal data breaches, Article 33(5) for failing to document these breaches, and Article 32 for failing to implement sufficient technical and organizational measures. For these violations, the DPA fined the controller €500,185 (NOK 5,000,000).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

WIKBORG REINADVOKATFIRMAAS
PO Box 1513 Vika



0117 OSLO


Gry Hvidsten





Their reference Our reference Date
105879-564 20 / 03046-17 06/22 / 22.2022



Decision on infringement fine - Trumf AS


1 Introduction
We refer to our notification of a decision on infringement fines on 6 December 2021, as well as a response to
the forecast from Trump December 22, 2021.


2. Decision on order and infringement fine
The Data Inspectorate has today made the following decision:


Pursuant to the Privacy Ordinance, Article 58 no. 2 letter i, TRUMF AS org.nr.
976 912 047 an infringement fee to the Treasury of NOK 5,000,000 for:



             To have breached its obligations under the Privacy Regulation Article 33 (1) and
                Article 33 (5)


             To have breached its obligations to implement appropriate measures in accordance with
                Article 32 of the Privacy Regulation


3. Details of the facts of the case
Trumf AS ("Trump") is a benefit program that offers private individuals to save bonuses on purchases in

NorgesGruppen's grocery stores and at a number of external Trump partners. Members of
the benefit program can register a bank account number so that a bonus is saved
the transactions they perform with bank cards linked to the bank account. The Trump member will
then get access to detailed information about purchases made in the stores associated with Trump,
                   1
with certain exceptions. Information about where you shopped, when you shopped, and what you shopped
will be available to the Trump member by logging in to Trump's website.




1 Apotek 1 anonymises some of the purchases made with them.

Postal address: Office address: Telephone: Org.nr: Website:
PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO, On 1 March 2016, a meeting was held between Trump and the Norwegian Data Protection Authority. The meeting was initiated by
The Data Inspectorate on the basis of a tip to our guidance service in February 2016. This tip consisted of a
person had tried to enter their own account number on their own Trump membership. This was

however, not possible because an unknown person had already registered his account number.
The person in question had not received information that his account number was registered with Trump.

Based on the content of the tip received, as well as the meeting of 1 March 2016, the Data Inspectorate chose to initiate
letter check to Trump to investigate whether their processing of personal data was in line with
the requirements of the Personal Data Act with regulations.


On April 21, 2016, Trump wrote, among other things, that they were aware that members can enter incorrectly
account number of a third party. Trump, however, pointed out that they had implemented solutions with
intended to prevent such behavior; if a payment card associated with a registered bank account is used, it says
"Trump registered" in the display on the payment terminal, in addition to the fact that the receipt states that Trump
bonus is registered in connection with the purchase. By the way, Trump wrote that to post some other people

their bank account information would constitute a breach of contract.

The Data Inspectorate chose on 17 July 2016 to notify a decision on an order against Trump, which consisted of:

     Order to provide routines for obtaining and checking the consent of all those they process

        information about,

     Order to immediately stop processing of account number and other personal data such as
        Trump has no treatment basis for,


     Order to establish routines to secure information to the registered when Trump collects or
        otherwise process information from anyone other than the member of Trump,

     Order to prepare and adequately document risk assessment, acceptance criteria and measures
        as part of its information security work.


These orders were largely related to the fact that Trump lacked a verification solution such as
ensured that Trump members only registered their own bank account, and not others. Below we gave
the following remark in the notice of decision:

        In the Data Inspectorate's opinion, Trump must ensure that the connection between the two is authenticated
        Trump membership and account holder, so it is not possible to process
                                                                                                     2
        account number on trumf.no, unless the account holder and Trump member are the same person.

On 15 August 2016, Trump responded to the notification of the decision. In this answer it appeared, among other things, that
Trump had considered various alternative ways to verify the identity of bank accounts and
the member of Trump is the same, and found a method to ensure such verification
                        It appeared from the answer that it was somewhat uncertain when this solution would be

implemented, but according to information, this was to be done during the autumn of 2016. Trump

2 Letter from the Norwegian Data Protection Authority, 17 July 2016, «Notification of decision - processing of personal data when registering
account number on trumf.no », page 7.
                                                                                                         2, wrote that this solution would be faster than other alternatives, and that this was the best way to
perform verification on.

The Data Inspectorate decided, in light of Trump's response to the notification of the decision, to close the case. The Data Inspectorate noted

in a letter dated 5 December 2016, among other things, that there was a need for a strong authentication (two-factor) for that
Trump must be confident that the correct person agrees to register the account number in Trump.
The Data Inspectorate noted that the use of Bank ID or security code sent by SMS seemed to be the best
the suggestions for a strong authentication, partly because the mobile number and social security number will be able to
verified in as data is uploaded to this database.

In 2020, the Norwegian Data Protection Authority, through the media and through contact with the privacy ombudsman in Trump, became aware

that it was still possible to enter other people's bank account numbers in Trump's customer program and that
no verification mechanism had been implemented. On this basis, the Data Inspectorate sent Trump
a requirement for a statement on 2 October 2020.

In Trump's statement of 9 November 2020, they write that since 2016, they have worked purposefully to
address the situation, but that it has been challenging to realize a service for verification of

ownership of bank accounts.
                                          Trump must have continuously investigated other possibilities to get
access to a verification service.

On 8 March 2021, the Data Inspectorate asked a number of follow-up questions, including one we wanted
update on the work of finding a verification service, as well as further insight into why Trump
had not sent any reports of breaches of personal data security in cases where Trump had

received information about error registrations.

On April 20, 2021, Trump replied that they would have access to a verification service. The verification solution
means that the member must identify himself with BankID.






When asked why incidents of incorrect registrations have not been reported to the Norwegian Data Protection Authority, he replied
Trump, among other things, that the typical situation is that the account holder wants to change a registration as
the person is already familiar with. Furthermore, Trump points out that there is often a close relationship between
the account holder and the Trump member, including family members or other financial communities.

Trump further mentions that they have not received inquiries where there is a suspicion of wrongdoing
registrations with dishonest intentions. They also note that in June 2020 they contacted the Authority in
in connection with the question of the duty to notify. Their privacy representative must, in dialogue with the Authority, have provided
expression that Trump was not of the opinion that this was a reportable breach
personal data security, and said she was available if further dialogue on the subject was
necessary.





                                                                                                          3, With the introduction of the Privacy Ordinance in 2018, Trump implemented a digital solution so that
members could request access and access the personal information on trumf.no. The solution was
launched to fulfill the right of access members have under the regulations.


The member could choose which information, which level of detail and which period he wanted
access by selecting from a list of information categories. Detailed purchase history was one of these
the options. There was only access to details about the member who was logged in, so that in a common
membership, members will only see details about their own purchases.

Trump states in an e-mail on November 30, 2021 that the user panel with the self-service solution for access
was considered best practice at the time it was introduced. Trump points out that the functionality was shown

to the Norwegian Data Protection Authority in a meeting in the summer of 2018, and that the authority gave a positive feedback. Before the digital
the solution was launched, the right of access was handled by Trump customer service.

In April 2020, a detailed purchase history was made available to members through a separate button
digital "receipt" from the purchase history on trumf.no. The solution was launched as it should be
easier for members to verify the bonus calculation, as there may be different bonus rates

different product groups / goods. On the digital receipt, the member can see the items per purchase and associated
bonus calculation for the individual item. It is only possible to access the details for that member
which is logged in, so that in a joint membership, members will only see details about their own purchases.

In the comments to the notification, Trump writes that the Data Inspectorate's assessment is taken into account. It appears
further that Trump does not fully agree with the Data Inspectorate's assessment of breaches of the Privacy Ordinance
Article 32, but that the notified fee is accepted.


4. The requirements of the regulations

4.1. Responsible for processing
Article 4 (7) of the Privacy Regulation defines "data controller" as:

        […] A natural or legal person, a public authority, an institution or any other person

        body which alone or together with others determines the purpose of the treatment of
        personal information and what funds are to be used; when the purpose of and the means of
        the treatment is provided for in Union law or in the national law of the Member States, it may
        persons responsible for processing, or the special criteria for appointing the person in question, are determined in
        Union law or in the national law of the Member States,


4.2. Internal control and information security
The basic principles for the processing of personal data follow from the Privacy Ordinance
Article 5 No. 1. In accordance with the principle of integrity and confidentiality, personal data shall
processed in a manner that ensures adequate security of personal data, cf. Article 5 (1)
letter f.

This means, among other things, that appropriate technical or organizational measures must be implemented to protect

against unauthorized or illegal treatment, and against unintentional loss, destruction or alteration. It
persons responsible for processing must be able to demonstrate that the principles of privacy are complied with, cf. Article 5 (2).

                                                                                                           4, As the person responsible for processing, you have a duty to implement appropriate technical and organic measures
to ensure and demonstrate that the processing of personal data is in accordance with
the Privacy Ordinance, cf. Article 24. It is also obligatory to have built-in privacy and

privacy by default in all systems and services that process
personal data, cf. Article 25.

The requirements for personal data security are further regulated in Article 32
treatment managers have a duty to implement appropriate technical and organizational measures for
to achieve a level of safety that is appropriate in terms of risk.Depending on what is
suitable, this applies to, among other things:


        a) pseudonymisation and encryption of personal data,
        b) ability to ensure lasting confidentiality, integrity, availability and robustness in
        treatment systems and services,
        c) ability to restore the availability and access to personal information in a timely manner if

        a physical or technical event occurs,
        d) a process for regular testing, analysis and assessment of how effective the treatment is
        technical and organizational security measures are.

In assessing the appropriate level of safety, special consideration shall be given to the risks involved
with the treatment, in particular as a result of accidental or unlawful destruction, loss, alteration,

or unauthorized disclosure of or access to personal data, cf.
Article 32 (2) of the Privacy Regulation.

4.3. Notification of breach of personal data security
Article 33 of the Privacy Ordinance stipulates that the data controller is in principle obliged to
report "breaches of personal data security" to the Norwegian Data Protection Authority.


"Violation of personal data security" is defined in Article 4 (12) of the Privacy Regulation as:

        […] A breach of security leading to accidental or unlawful destruction, loss, alteration,
        illegal dissemination of or access to personal data that has been transferred, stored or otherwise
        way treated,


It must be reported without undue delay, and no later than 72 hours after the person responsible for treatment has received it
knowledge of the fracture, unless the fracture is unlikely to pose a physical risk
rights and freedoms of persons.

Article 33 (5) states that "the controller shall document any breach
personal data security […]. This documentation should enable
the supervisory authority to verify compliance with this Article '.


Skullerud et al. (updated version of the commentary to the Privacy Ordinance, hereinafter referred to as
as the "commentary") writes the following about this obligation:


                                                                                                          5, Irrespective of whether there is a duty to notify the supervisory authorities or not, it is obliged
    data controllers to document any breach of information security, including those
    actual conditions, potential consequences and what damage mitigation measures may have been
    implemented. It must also be documented which assessments are the basis for the business

    may have failed to report the breach of security to the supervisory authority


5. The Danish Data Protection Agency's assessment

5.1. Responsible for processing
It does not appear disputed that it is Trump who is responsible for processing, as they decide

"The purpose […] and the means to be used", cf. Article 4 (7), in relation to
the treatment activities performed in the context of the Trump benefit program.

5.2. Today's solution for verifying customers
The Data Inspectorate assumes that Trump's current solution, as described in letters of 20 April 2021 and 3.
June 2021, ensures that Trump members can only register bank accounts that belong to themselves. This

the verification solution means that all new members must verify that they are the owner of
the bank account they wish to register before a new membership is created.

Existing members will need to verify that they are the holder of the bank account they have registered on
Trump when the member logs in to his member account.

If such verification is not carried out, the person in question will immediately lose access to functions

such as access to purchase history and detailed receipts. The member will then be given a deadline before the account
deleted. Trump is working to get all customers verified. On that occasion, a meeting was held between
The Data Inspectorate and Trump 20 June 2022.

On 15 December 2021, Trump submitted a report of a breach of personal data security. The new
the technical solution meant that access to historical transactions and receipts was reactivated, but
this then included any historical transactions from payment cards that had been rejected and not

verified by the customer. Trump removed the possibility of access to historical transactions for members
with rejected account number, and further describes in the message that a solution will be developed so that
members with rejected bank accounts only gain access to transactions carried out with verified
bank cards, transactions completed after the bank account has been verified, as well as transactions completed
with Trump Visa and Trump cards. At the meeting on 20 June, we understood that this solution was in place.


5.3. Violation of personal data security - Article 4, point 12
Article 33 (1) states that in the event of a "breach of personal data security", it shall:
responsible for treatment, without undue delay and no later than 72 hours after becoming aware of it, report
the breach to the supervisory authorities. However, this is not necessary if the breach is likely not
will pose a risk to the rights and freedoms of natural persons.






                                                                                                         6, The duty to report may arise in cases where the breach of security entails a treatment that is illegal,
but also if it results in an treatment that is unintentional, regardless of whether the treatment is
illegal. The duty to report also includes incidents that constitute pure accidents. 3


Trump writes in their statement that they have regularly received information about cases where Trump
members register other people's bank account on their own Trump membership.

The first question is whether there is a «breach of personal data security», cf.
Article 33, cf. Article 4 (12), when Trump members register bank accounts that do not belong to them

itself and in this way gain access to personal information about shopping trips performed by the account holder.

Trump writes in their statement that they are of the opinion that this does not constitute a notifiable violation of
personal data security, as defined in Article 4 (12) of the Privacy Regulation.

First, Trump points out that the experience from customer service inquiries is that most people are affected

is aware of the registration. Secondly, that there is typically an economic community, usually one
family or housing association, between the Trump member and the account holder. Third, no one should have
contacted customer service and stated that access to purchase history has been perceived as a problem.


The Data Inspectorate cannot see that these objections are relevant as to whether there is a «violation of

personal data security 'pursuant to Article 4 (12).

If a Trump member registers another person's bank account, Trump will process
personal information to the account holder, in an unintentional manner. Trump will make personal information about
available to a Trump member, without this being Trump's intention. Trump himself has shown
that the registration of others' bank accounts constitutes a breach of contract and in violation of the guidelines for

membership in Trump. Such registration, and consequently the processing of personal data associated
with this, there will therefore be a «breach of security leading to unintentional […] access to
personal data […] », cf. Article 4 (12).

Trump's objections appear more relevant in the assessment of how great a risk the breach is
the personal data security may entail for the registered person (account holder). One such

However, risk balancing is not included in the definition of what constitutes a breach
personal data security, but is only relevant when assessing whether the matter is notifiable
Article 33 (1). See our assessment in section 5.5.

On this basis, we have concluded that the cases where one Trump member registers another
person's bank account on their own membership then this will constitute a «breach of

personal data security ", cf. Article 4 (12).

Trump receives, according to his own estimates based on their experiences from 2021, information about
such events around 950 times a year.




3 Commentary, in their comments on Article 33 (1).
                                                                                                           7, the Norwegian Data Protection Authority understands that the 950 inquiries have been estimated on the basis of parts of 2021, and that
there may be some uncertainty associated with these numbers. However, Trump himself writes that they consider these
the figures to be representative of previous years. Furthermore, these figures are estimated on the basis of

experience gained after Trump introduced his latest information measure, in the form of the first three
the letters of the Trump member appear on the receipt after a purchase (this measure was implemented in
end of 2020). Consequently, to a greater extent than before, it will be possible for account holders to take directly
contact Trump members whose names they recognize to have the registration removed. This will
be able to reduce the number of account holders who must contact Trump directly to get the registration
repealed, compared to previous years. Although it can not be completely ruled out, at least it is not

indications that more people will make contact in 2021 than in previous years.

If we take into account the experiences from 2021, Trump will receive an average of around 79 inquiries
incorrect registration in the month. To illustrate the scope, this will amount to over 3,000 inquiries
information on incorrect registrations in the time period from June 2018 (when the Personal Data Act came into force)
to October 2021. If instead the starting point is the time period June 2018 to July 2020 (then

The privacy ombudsman contacted the Norwegian Data Protection Authority to announce, among other things, that they believe that these
the events are not subject to notification, and we also received information about the situation through the media)
Trump received just under 2,000 inquiries about such incorrect registrations.

There is some uncertainty associated with the estimated figures, and possibly how the information measure works
the receipt has affected this. Based on what Trump has explained, it can in any case be assumed that

Trump has received inquiries to a significant extent.

The main rule is that all breaches of personal data security must be reported to the Norwegian Data Protection Authority. The
there is an exemption from the duty to notify if «the breach is unlikely to entail a risk of physical
rights and freedoms of persons ", cf. Article 33 no. 1. We assess whether the events are exempt from
the reporting obligation in section 5.5, but first we assess whether Trump has complied with its obligation to

document the breaches of personal data security in accordance with Article 33 (5).

5.4. Article 33 (5)
Trump has informed that categorization of final inquiries has not been done before
recently. Trump has only presented to the Norwegian Data Protection Authority a rough categorization based on an analysis of
inquiries processed in 2021.


If it is assumed that the number of inquiries from 2021 is also representative for previous years, as added
due to Trump, this means that Trump has received over 2,000 inquiries about incorrect registrations of
bank accounts from June 2018 (when the Personal Data Act came into force) to the end of 2020 (around when they
began to categorize their inquiries). This is only an estimate, but the numbers show that there has been one
significant amount of such inquiries that are not categorized or otherwise documented.


Accordingly, Trump does not have documentation showing «[…] the actual circumstances surrounding the said breach,
the effects of it and what measures have been taken to remedy it ", cf. Article 33 (5), for a number of
breach of personal data security.


4 Letter from Wikborg Rein on behalf of Trump, «Reply to new demand for statement - Processing of personal data by
registration of account number via Trump », 20 April 2021, page 2.

                                                                                                             8, This documentation obligation exists regardless of whether the breach
the security of personal data entails a risk to the rights and freedoms of natural persons, and it is

therefore no condition that the breach is notifiable under Article 33 (1).

On this basis, the Data Inspectorate concludes that Trump has breached its obligation to document
the breaches of personal data security that occurred from 18 June 2018 to the end of 2020, cf.
Article 33 (5).


However, the Norwegian Data Protection Authority has chosen not to problematize the overall categorization of
events in 2021 meet the requirements of Article 33 (5).

The next question that the Data Inspectorate will consider is whether Trump has breached its obligation under Article 33 no.
1 by not reporting the breaches of personal data security to the Norwegian Data Protection Authority.


5.5. Article 33, paragraph 1
5.5.1. Risk to the rights and freedoms of natural persons
As concluded above, the cases where a Trump member registers another person will
bank account on their own membership constitute a «breach of personal data security», cf. article
4 No. 12.


If the breach of personal data security «is unlikely to pose a risk to physical
persons' rights and freedoms ", cf. Article 33 no. 1, it is not necessary to report it to the Norwegian Data Protection Authority.

It is the person responsible for treatment who must be able to substantiate that there is no risk associated with the fracture
on personal data security. This emerges, among other things, from preamble 85:


        As soon as the person in charge of treatment becomes aware that a breach has occurred
        personal data security, the person in question should report the said breach to the supervisory authority
        without undue delay and if possible no later than 72 hours after becoming aware of it, unless
        the person in question in accordance with the principle of liability can demonstrate that the said violation of
        personal data security is unlikely to pose a risk to natural persons
        rights and freedoms. (own emphasis)


Consequently, it is Trump who must point to circumstances that indicate that the breach is unlikely to result in one
risk to the rights and freedoms of natural persons. The wording of Article 33 (1) also indicates this,
since what is to be probable is that there is no risk.

The question is thus whether Trump can substantiate that all the cases mentioned above where Trump-

members have registered other people's bank account on their own Trump membership,
"Is unlikely to pose a risk to the rights and freedoms of natural persons", cf. Article 33
no 1.

In the guide to the Article 29 group on breaches of personal data security, last revised in February
2018, it is stated that, among other things, emphasis will be placed on «the nature of the personal data». It must be taken in


5 Guidelines on Personal data breach notification under Regulation 2016/679, page 25.
                                                                                                           9, consideration of whether the breach of personal data security may result in damage or other negatives
consequences. If the breach may have consequences for particularly vulnerable individuals, this must also be included
the assessment. 6


In general, the Data Inspectorate is of the opinion that the breach of personal data security in itself constitutes
an invasion of the privacy of the person who has had his account number registered with Trump without knowledge and will.
The shopping history is made available to unauthorized persons and Trump processes personal information
if unsuspecting registered to a greater extent than intended. In addition to this, there is a
potential for abuse. The security hole can, among other things, be used to identify people living on

secret address; if you have the account number of a person living at a secret address, and
If you register this on your Trump membership, you will receive information about where and when the person trades.
This information can give clear indications of which areas the person is staying in, or
otherwise where the person lives. That it can take as short a time as from a person has shopped for
a Trump member receives information about when, where and what he or she has done, contributes to increase
this risk. Failure to verify account holders can therefore have consequences for the very vulnerable

persons.

There may also be a significant potential for abuse in cases where the account holder and Trump
the member has a family or financial relationship. What you buy can reveal private matters. For
For example, the shopping pattern can reveal diets and eating habits, buying pregnancy tests or buying
contraceptives. Nor can it be ruled out that a person's trading history may reveal

religious or similar conditions, for example that one deviates from religious or other norms established in
family or friends, for example by buying alcohol or certain types of meat. When buying, among
other, gluten-free products, the shopping history will also be able to reveal the account holder's allergies.







That Trump has not been directly notified by account holders who have been exposed to such abuse is
not crucial. Trump must not have concrete and unquestionable knowledge that the risk actually has
materialized. If Trump fails to show that it «probably will not pose a risk

[…] », Cf. Article 33 no. 1, the breach of personal data security shall be reported.

However, Trump has referred to a number of general risk mitigation measures that they have implemented. The
seems to be of the opinion that these measures entail a potential risk associated with
the error detection is eliminated, or sufficiently reduced. When using a bank card associated with one
registered bank account, information about the Trump registration will appear on the bank terminal and

the receipt. In November 2020, Trump added further information to the receipt, by the first three
the letters in the first name of the Trump member appear on the receipt.




6 Ibid.
7 Routines for risk assessment page 4, appendix 5 To a letter from Wikborg Rein on behalf of Trump, «Reply to request for
statement - processing of personal data when registering account numbers via Trump », of 9 November 2020.
                                                                                                          10, the Norwegian Data Protection Authority agrees that information measures implemented by Trump can reduce time one
account holder remains unaware of the registration. However, Trump will have already dealt
personal information about this person to a greater extent than what they would have done if
the bank account was not registered. This applies regardless of whether it is assumed that the account holder

immediately receive the information about the registration on its first shopping trip after being registered by a
Trump member. The member who incorrectly registered the bank account of someone else will soon be able to have
received information about the data subject's shopping trip: as noted in the statement to Trump, it will be able to take
as short a time as from the bank card is used for information about the shopping trip becomes available for
the member.

It is also not a given that the account holder will be made aware of the registration through

The customer service receives a number of inquiries after the account holder has become
note of incorrect registrations, as a result of the information measures, does not say anything about the number
customers / account holders who have not discovered the incorrect registration through these information measures.
Trump will never receive information about those customers who do not see that it says "Trump registered"
the payment screen, or who otherwise does not try to register their own bank account on their own
membership.


In continuation of this, as Trump himself notes in his statement, it happens that account holders
turn to customer service because they are trying to register their own bank account on their own
membership, but is then informed that the bank account has already been registered (such inquiries
estimates Trump to be over 200 a year). Consequently, these persons have not received information about
the registration via the information measures described by Trump. This is suitable to illustrate how
people will be able to shop without noticing the information. At the same time, of course, it can not

excluded that these persons had not yet shopped in a store connected to Trump, after that
The Trump member registered their account. Incidentally, this has the presumption against it, since it is a
large number who each year make contact after trying to register their bank account and then discovered that
it is already registered. It seems unlikely that all of them have tried to register for Trump before
his first shopping trip.

Trump has further pointed out how registering someone else's account number represents a breach

the terms of the agreement that the Trump member enters into with Trump, and that it is specified to the member that they
only need to register accounts that belong to themselves. From May 2018 required registration of account number
also a two-factor confirmation from the member, by sending an SMS code to the member's registered
mobile phone number.

Such circumstances may reduce a possible erroneous assumption by Trump members that it is acceptable

to register other people's bank account if e.g. is a familial connection between them.
However, such measures have no real impact on the cases where the Trump member registers someone
others' bank account deliberately in violation of the terms of the agreement, since Trump does not have one
verification mechanism. These measures are also not suitable for preventing unconscious misregistrations,
if the member believes that they are registering their own account number, such measures will not be effective. For
otherwise, the constant inquiries to customer service (estimated to be 950 each year) illustrate that these
the measures are not sufficient to eliminate the risk of incorrect registrations.




                                                                                                          11, The Data Inspectorate believes on this background that there are conditions in one's shopping history (including what one
trades where you trade and when you trade) which indicates that there will be an associated risk
the cases where a third party has access to such personal information, this despite Trump's measures.
This applies regardless of whether this third party is a family member or similar.


As a clear starting point, the Data Inspectorate therefore believes that such matters should be reported in accordance with the article
33 no. 1, with the exception of those cases where reference can be made to specific circumstances of the breach that cause that
the duty to notify nevertheless does not occur.

Trump has, as noted above, concluded that none of the inquiries they have received
notice that there have been incorrect registrations, has indicated a sufficient degree of risk of

actualize the duty to report in Article 33. Trump has given only an overall description of the various
the inquiries they have received, and placed them in different groupings based on experiences from the beginning
of 2021. They note in their statement that the assessment has some uncertainty due to varying
quality and scope of information from the dialogue with the person who directs the inquiry to customer service and
The Trump member who has the account registered. As commented above, Trump has not presented anything
documentation related to the breaches of personal data security that occurred before 2021, and they

writes that the categorization of completed inquiries has not been done until recently.

The Norwegian Data Protection Authority will review these types of cases in the following and comment on any risks associated
with them, before concluding on which breaches of personal data security are
Trump can prove that there is no risk.





























                                                                                                           12,13,14,15, Conclusion on the risk assessment pursuant to Article 33 (1)


As noted above, the Norwegian Data Protection Authority has concluded that there is a potential for abuse in that
Trump members can register other people's account number. If Trump gets to know about such
breaches of personal data security, these shall in principle be reported to the Norwegian Data Protection Authority in accordance
with Article 33 (1).


If the breaches are not reported, Trump must be able to show that the specific breaches
personal data security «is unlikely to pose a risk to natural persons
rights and freedoms ", cf. Article 33 (1) and (4).

Trump has on an overall and general basis referred to conditions in the various inquiries as they
believes that there is no risk to the rights and freedoms of natural persons. The description of the
different types of cases are, as mentioned, general and they contain a number of ambiguities.


The Data Inspectorate is otherwise reluctant to review a specific risk assessment, as this will
be a discretionary exercise. We therefore choose to deal with the cases where we believe it is clear
that Trump can not prove that there is no risk to the rights of natural persons and
freedoms. This applies to those cases where the account holder was not aware that the account was registered on a
Trump member, before the person received information about this via, for example, the receipt or because
the person has tried to register their own bank account on their own membership.


In such cases, the account holder will not be able to do anything to cancel the registration, as
the person - until the person receives such information - will not have any knowledge of the registration.
The account holder will also not be able to adapt where he or she trades, to avoid that
the trading history is made available to a third party. Trump must be able to point to clear concrete
evidence that means that there is still probably no risk in such cases. As

reviewed above, we do not share Trump's view that a family connection or a financial one
community between the Trump member and the account holder itself makes it probable that it does not exist
risk to the account holder. The Norwegian Data Protection Authority can not rule out further investigations, in particular
case, may reveal that there is still no such risk, but Trump has not implemented this in
relation to each individual breach of personal data security.

The Danish Data Protection Agency concludes that Trump has not substantiated that breach

personal data security, in the form of Trump members registering other people's bank account,


                                                                                                         16, "is unlikely to pose a risk to the rights and freedoms of natural persons", cf. Article 33
No. 1, in those cases where the account holder is not familiar with the registration from the beginning.

The question thus becomes how many breaches of personal data security have such a character.

The following is stated in Trump's letter of 9 November 2020:

        According to customer service, the majority of those who go there and ask
        assistance in deleting one's account number from another's membership, even being aware of that
        the account has been registered to another person, typically a close family member. The most common
        the explanation received from the person contacting customer service is that he wants
        change related to marital breakdown or similar. Only a small minority of inquiries to

        customer service applies to people who say they themselves have not been aware of the registration. This
        applies to less than 15 people per month - on an annual basis about 0.0001% of the membership.
        These people state to customer service that they have become aware of the registration, when they have
        tried to register as a new member, or when they have seen the receipt that there is one
        Trump registration on the account that they do not know. This just shows that
        the information measures work. [our emphasis].

















It is not necessary for the Norwegian Data Protection Authority to decide on the exact number of violations
The personal data security that Trump cannot prove does not pose a risk to physical
rights and freedoms of persons. It is sufficient to state that Trump has regularly, at least 15 times in
an average month, received such inquiries.

5.5.2. Knowledge of the breach of personal data security

In the assessment, we have only taken as our starting point the inquiries about which Trump has received information
through its customer service. Consequently, there is no doubt that Trump has repeatedly exceeded 72-
the time limit, as set out in Article 33 (1).

5.5.3. Conclusion on breach of personal data security
The Data Inspectorate has demonstrated how cases where a Trump member registers others' account numbers constitute
a "breach of personal data security", cf. Article 4 (12).




                                                                                                          17, The starting point is that the supervisory authorities must report breaches of personal data security in
pursuant to Article 33 no. 1. The Norwegian Data Protection Authority has concluded that Trump, in a number of cases, cannot
prove that there is no risk to the rights and freedoms of natural persons, cf. Article 33

The content of the notification must be drafted in accordance with Article 33 (3).

The Norwegian Data Protection Authority has not received any reports of breaches of personal data security from Trump. We
therefore concludes that Trump has repeatedly breached its obligation under Article 33 (1) to
send Datatilsynet notifications of breaches of personal data security.


Our conclusion does not imply that Trump may have sent one message for each event. Article
The 29-group describes the possibility of giving collective messages in cases where there are repeated ones
breach of personal data security with similar content and procedure:

    Strictly speaking, each individual breach is a reportable incident. However, to avoid being overly
    burdensome, the controller may be able to submit a “bundled” notification representing all these

    breaches, provided that they concern the same type of personal data breached in the same way,
    over a relatively short space of time. If a series of breaches take place that concern different types
    of personal data, breached in different ways, then notification should proceed in the normal way,
    with each breach being reported in accordance with Article 33. 8

5.6. Safety of treatment - Article 32

Article 32 establishes an obligation for Trump to implement appropriate technical and organizational measures for
to ensure a level of safety appropriate to the risk. What constitutes suitable technical and
organizational measures depend on «[…] the technical development, the implementation costs and
the nature, scope, purpose and context of the treatment in which it is performed, as well as the risks of varying
probability and severity of natural persons' rights and freedoms […] ».


Trump does not dispute his obligations under Article 32, but writes that the residual risk for individuals
rights and freedoms are at an acceptable level in the light of their already implemented measures.

The question that the Data Inspectorate must decide on is whether Trump has implemented «suitable technical and
organizational measures to achieve a level of safety that is appropriate with regard to the risk […] », cf.
article 32 no. 1. We will take as our starting point the level of security that existed before the verification solution became

implemented.

Trump has for a long time regularly received inquiries that incorrect registrations occur, in the form that
Trump members register other people's bank accounts on their own membership. This means that
Trump receives clear information about constant cases of «unauthorized disclosure of or access to
personal data […] », cf. Article 32 (2) and breaches of« […] confidentiality […] in

their treatment systems and services, cf. Article 32 (1) (b).

As we discussed above, there may be a clear risk to the rights of natural persons and
freedoms by giving a third party access to personal data on trading history (including place of trading,
what one has traded and when one has traded). This will be able to reveal in-depth private matters, and



8 Guidelines on Personal data breach notification under Regulation 2016/679, page 16.
                                                                                                           18, will in any case be experienced as uncomfortable. This risk is anyone who has not already registered
his account number in Trump, exposed to.

This risk assessment must take into account the probability of possible events that may have

occurred without Trump having gained specific knowledge of them, as well as possible future consequences.
Trump can not on this occasion cite a lack of concrete knowledge about, for example, that persons
at a secret address have been disclosed, or that third parties have used the information available to them
to find out if the account holders are at home or on holiday, for example.

Trump has taken certain risk mitigation measures, including that it says "Trump registered" in
the payment display and that information about the Trump membership appears on the receipt. In later

time, Trump has supplemented with additional information on the receipt, in the form of the first three letters
to the Trump member appears. It is also necessary to use your mobile phone to register one
Bank account.

The Data Inspectorate believes that these measures are not sufficient to achieve a required level of security
pursuant to Article 32.


As mentioned above, the repeated inquiries show which the account holder first receives information about
the registration at the time when the account holder himself tries to register his account on his own
membership, that the information measures are not sufficiently effective. Furthermore, even if the account holder
getting information about the registration after a while via such information measures will a potential harm
could have already occurred.


Trump has given their members access to information about the place of trading and shopping history, despite
that Trump has lacked a verification solution. Furthermore, Trump has had concrete knowledge that it constantly
incorrect registrations were made, in violation of their membership terms. This creates a clear call
to respond.

This risk could have been significantly reduced through technical and organizational measures.


If Trump had removed or significantly reduced the information about the place of trading, trading time and what
that were traded, the account holders would no longer be exposed to the relevant risk.
The implementation costs associated with limiting the amount of information available to a
Trump membership is likely to be limited.

The Data Inspectorate understands that such information may be popular among Trump members, and that å

limiting such information (overview of the time of shopping, place of shopping and what was purchased) will reduce
insight into details about the basis for bonus earning. However, the Trump solution will still work in
in line with its primary purpose. Trump himself noted in his letter of 21 April 2016, that Trump is a
loyalty program where members receive a calculated bonus based on purchase history, and the purpose of registering
bank account number is to simplify the collection of bonus basis. This purpose will still be able to
persecuted, even by measures that significantly limit the amount of information available to the Trump
the member, as long as Trump can not verify that the member has registered his own account.


Trump has previously stated that they believe that the information about the trading history is being made

                                                                                                         19, available to the Trump member ensures a privacy-friendly solution, in that the user has easy
access to their own personal information. Trump therefore appears to be of the opinion that a measure, in
form of reducing information on trade history, is not suitable to implement as a result of such

cons.

The Norwegian Data Protection Authority does not agree that this is a privacy-friendly solution, in light of the circumstances of the case. The
Article 12 (2) presupposes that the controller is not obliged to submit
to enable the data subject to exercise his rights under Articles 15 to 22 if
data controllers are not able to identify the data subject. The solution to Trump, given that they

has not been able to verify that the member registers his own account, is consequently not one
privacy-friendly solution, but poses a risk to the rights and freedoms of natural persons.

In other respects, the "scope of the treatment" must be taken into account in the assessment of appropriate technical and
organizational measures. Trump's loyalty program has around 2.395 million members, of which
            has registered a bank account. The figures indicate that more than a dozen people have registered

bank accounts in the solution, without Trump knowing if the account numbers belong to the Trump members they are
registered on.

Trump also states how they have «continuously followed up other possibilities for access to one
verification service ». 9





                                            However, as we have pointed out above, experience shows
Trump's customer service that this did not prevent misregistrations.












The Norwegian Data Protection Authority believes that there are clearly suitable measures that would significantly reduce precisely those risks
as Trump himself identifies. Trump himself is aware of similar measures, as they were mentioned in 2016
the ability to reduce the amount of information available to Trump members.


Trump writes in the comments that they do not agree with the Data Inspectorate's assessments of breaches
Article 32 of the Privacy Regulation as some of the measures were implemented when it was not
available any verification solution in the market. The Data Inspectorate, on the other hand, is of the opinion that when it happened
clear that Trump could not soon implement a verification solution should Trump have reduced the risk


9 Letter from Wikborg Rein, on behalf of Trump, «Reply to request for statement - processing of personal data by
registration of account number via Trump », 9 November 2020.
                                                                                                            20, so that Trump members could gain access to the personal information of others, for example by removing,
or significantly reduce, the information about the place of trade, time and information about what was traded for
the members, until they became clear that they did not disclose personal information about the account holder to

second.

In light of the above, we conclude that Trump has not implemented «suitable technical and
organizational measures to achieve a level of safety that is appropriate with regard to the risk […] », cf.
Article 32 (1).


The Data Inspectorate concludes that Trump has breached its obligation under Article 32.

In 2016, as mentioned, Trump noted the possibility of implementing a risk reduction measure, in
expecting that they could ensure an adequate degree of verification. Trump asked for guidance on this
the point.


        [F] or to alleviate the risk that purchase history can be used to find out where third parties actually are
        has resided, Trump will, until the relationship account owner - account number is verified, be able to hide
        the place name of the store in the shopping history, as described in point 3 below. This solution
        is complete and can be implemented immediately. The solution will, however, mean reduced transparency for
        the vast majority of members, who then lose a built-in privacy measure on trumf.no.
        Trump asks for the Data Inspectorate's guidance on whether the measure should be implemented. 10


However, the Data Inspectorate did not respond to this request for guidance in 2016.

That Trump sought guidance, and consequently considered the possibility of a specific risk mitigation measure, gets
a certain significance in the assessment of the severity of the breach. We address this further below
point 6.2.


In other respects, the responsibility according to Article 32 is placed with the person responsible for processing, which also follows from
the principle of liability, cf. Article 5 no. 2. This point is also emphasized in the commentary.
The fact that guidance was sought from the Norwegian Data Protection Authority therefore does not change the position that Trump has broken his
obligation under Article 32. This is particularly the case in light of the fact that new regulations have been implemented in
meanwhile, which must be considered to particularly actualize a new, independent, assessment on Trump's part.


Furthermore, it must be noted that Trump also had certain information measures implemented in 2016. The Data Inspectorate was
even then, which is clearly stated for Trump in the notification of the decision of 17 June 2016, of that opinion
that such information measures did not sufficiently reduce the risk of incorrect registrations and that one
verification solution was necessary to ensure adequate information security. Then
the verification solution still did not become available, Trump had a clear call to investigate

alternative risk reduction measures. Lack of guidance from the Data Inspectorate on this point must be seen in light
that the audit was of the opinion that Trump would secure a verification solution soon.

As mentioned above, we have concluded that Trump has violated Article 32, but we do not impose Trump



10 Letter from Wikborg Rein on behalf of Trump, «Reply to notification of decision - Registration of account number on Trumf.no», 15.
August 2016.
                                                                                                           21, an order to implement such organizational and / or technical measures, as Trump now has
implemented a verification solution.

Infringement fee

6.1. General information about infringement fines
Violation fees are a tool to ensure effective compliance and enforcement of
the personal data regulations. We believe it is necessary to react to the violation, and warn with
this imposition of infringement fines, cf. the Privacy Ordinance Article 83. In accordance with
The Supreme Court's case law (cf. Rt. 2012 page 1556) we assume that the infringement fee is to be regarded as
punishment under Article 6 of the European Convention on Human Rights
overriding probability of an offense in order to impose a fee.


In this context, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. With a
administrative sanction means a negative reaction that can be imposed by an administrative body, which corrects
against a committed violation of law, regulation or individual decision, and which is considered a punishment
according to the European Convention on Human Rights (ECHR).


6.2. Assessment of whether an infringement fee is to be imposed
When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account
the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Data Inspectorate may impose
infringement fee after a discretionary overall assessment, but the listed factors add up
guidelines on the exercise of discretion by highlighting factors that are to be given special weight.

We will here assess the relevant factors on an ongoing basis.


        a) the nature, severity and duration of the infringement, taking into account it
        the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and
        the extent of the damage they have suffered

The Norwegian Data Protection Authority is of the opinion that the degree of seriousness justifies the imposition of an infringement fine. Trump
currently has around 2.4 million members. All members have had the opportunity to register

account numbers on their memberships, without Trump having verified that the account numbers belong to the members they
is connected to. This weakness has been open in Trump's systems for many years. Trump has not only
have been aware that there is a risk of incorrect registrations in their solution, but have also had concrete
knowledge that this risk is constantly materializing.

The background of the case sharpens the severity. In 2016, the Danish Data Protection Agency made it clear that we were looking seriously

the situation, and emphasized to Trump how important it was to ensure verification, as we were off
the perception that lack of verification opened up for misuse of the solution. This led to
The Norwegian Data Protection Authority announced a decision aimed at Trump, which among other things meant that they had to stop processing
of account numbers and other personal information for which Trump had no basis for processing
(The Data Inspectorate believed that Trump lacked a basis for treatment in cases where the Trump member registered
someone else's account number, in light of missing verification mechanism).


The Data Inspectorate nevertheless chose not to make a final decision in the case as Trump gave a supplement
information on how they, among other things, would soon implement a solution that would

                                                                                                        22, ensure that Trump members only had the opportunity to register their own bank account numbers. Trump was
however, already in the winter of 2016/2017 aware that it was not possible to use.
That Trump violated his duty to report under such circumstances must be characterized as serious.


The extent of violations of Article 33 no. 1 is challenging for the Data Inspectorate to determine. Based on
the estimates given by Trump, they have received a significant number of inquiries about incorrect registrations, which
The Data Inspectorate believes that Trump should have reported in accordance with Article 33 no. 1. At the same time, the Data Inspectorate is cautious
with placing too much emphasis on the large number of breaches of personal data security, as it
there is some uncertainty about the numbers. We are particularly reluctant to emphasize the lack
messages related to the breaches of personal data security that Trump received after June 2020. On
at this time, Trump's privacy representative contacted the Data Inspectorate, and provided information that they did not

assessed cases of incorrect registrations as notifiable violations.

The key for the Data Inspectorate is that Trump has had repeated breaches of personal data security such as
has not been reported to the Data Inspectorate, despite the fact that Trump was aware of the Data Inspectorate's opinion on
that failure to verify account numbers entails a risk to the account holders' rights and
freedoms.


With regard to Article 33 (5), it is important that companies document their breaches
personal data security. Such documentation is not only intended to ensure that the Data Inspectorate can
assess whether the data controller complies with its obligations in relation to Article 33, but will
also be useful for the data controller's work to ensure an adequate degree of security. 11
That Trump has not provided such documentation is in itself a breach, at the same time as it has done so
more difficult for the Data Inspectorate to investigate Trump's compliance with Article 33 No. 1.


The Norwegian Data Protection Authority understands that the assessment made in accordance with Article 33, No. 1, concerns the risk to them
the data subject's rights and freedoms, are discretionary and that this can be challenging in the specific
case. However, the obligation to document breaches under Article 33 (5) is clear and lacks
discretionary assessments.

Trump has put forward some arguments as to why they believe that cases of misregistration do not

represents a "breach of personal data security", which we reviewed above. These were in
reality only relevant in the risk assessment pursuant to Article 33 (1), and did not appear to be relevant
for the assessment of whether such erroneous registrations in themselves meet the definition in Article 4 (12)
it is clear to the Norwegian Data Protection Authority that such incidents are «breaches of personal data security».

The breach of Article 33 no. 5 must also be seen in the light of the communication between Trump and the Norwegian Data Protection Authority in

2016, when it became clear to Trump that they would not be able to implement a verification solution, as first
described to the Norwegian Data Protection Authority. That documentation and grouping of the incorrect registrations first, apparently,
was implemented in 2021, we consider, in these circumstances, to be serious. The Danish Data Protection Agency has also chosen
not to problematize whether the overall descriptions and groupings given by the 2021 cases are
sufficient to comply with Article 33 (5).

As noted, the Data Inspectorate has also concluded that Trump violated its obligation under Article 32,

as a result of Trump not implementing appropriate measures when they became aware that one

11 Commentary in relation to Article 33 (5).
                                                                                                           23, verification solution could not be implemented in the short term. However, Trump described the possibility of
limit some of the amount of information that became available to Trump members back in 2016.
Trump asked the Data Inspectorate for guidance regarding the measure, but the Data Inspectorate did not answer this
the request. We take this into account in our assessment of the severity. At the same time, we must emphasize

that the liability under Article 32 is placed with the controller, and Trump had any
reason to carry out a new independent assessment, especially in light of the new privacy regulations
came into force after they sought guidance from the Norwegian Data Protection Authority. Furthermore, the Data Inspectorate did not have a strong
encouragement to provide such guidance or comment on the subject as Trump provided information that they
would implement a verification solution soon.

In addition, it must be emphasized, as above, that the Data Inspectorate in 2016 announced that Trump had to prepare and

adequately document risk assessment, acceptance criteria and measures as part of its
information security work. The Danish Data Protection Agency wrote the following about this point, under the heading
"Information security and internal control":

        As the situation is today, the solution on trumf.no means that it can easily happen unauthorized
        processing of account numbers, location data and shopping history for household members and

        persons who are not members of Trump. In the Data Inspectorate's opinion, Trump must provide one
        authentication of the link between Trump membership and account holder, so it is not
        possible to process account numbers on trumf.no, unless the account holder and Trumf-
        member is the same person. Knowledge of who is the account holder is also one
        prerequisite for obtaining and checking that there is valid consent from the data subject.

This statement made visible to Trump how the security level, as a result of lack

verification solution, was not sufficient. Further measures were necessary, in addition to the Data Inspectorate
believed that the basis for treatment had to be secured. As previously noted, the reason why the Data Inspectorate was not
followed up this warning, among other things, that Trump wrote that they would secure a verification solution.
measures, as identified above, were not implemented when it became clear that Trump would still not be able to get
implemented a verification solution must be considered reprehensible.

        b) whether the infringement was committed intentionally or negligently,


The fact that Trump members register others' account numbers on their membership is not intentional by Trump,
on the contrary, such registration is contrary to Trump's contract terms. However, it is clear that it has been
intention of Trump not to report these incidents to the Data Inspectorate. Trump also made a conscious choice
about not implementing measures that reduced the risk of abuse that existed due to
missing verification mechanism. We consider the infringements in relation to Article 33, paragraphs 1 and 32

consequently to be intentional, by the management of the business. This pulls in an aggravating direction.

        c) any measures taken by the data controller or data processor to limit
        the damage suffered by the data subjects.

The Article 29 Working Party's Guidelines on Infringement Fees state, inter alia, the following
the point:




                                                                                                          24, This provision acts as an assessment of the degree of responsibility of the controller after the
        infringement has occurred. It may cover cases where the controller / processor has clearly not
        taken a reckless / negligent approach but where they have done all they can to correct their
                                                               12
        actions when they became aware of the infringement.

The Article 29 Working Party gives an example of such a case:

        […] Timely action taken by the data controller / processor to stop the infringement from
        continuing or expanding to a level or phase which would have had a far more serious impact

        than it did.

Trump has implemented information measures that are intended to make account holders aware of their
bank account is registered on a Trump membership, and consequently increase the chance of detecting incorrect registration.
Furthermore, in 2018 they introduced two-factor authentication via SMS to the member's registered
The fact that Trump has taken such measures is an argument against infringement fines. Trump

did not, however, implement measures to reduce the information available to their members, i
in case there should be incorrect registrations - as Trump knew occurred many times a year. Such
information restriction could reduce the damage to the data subjects. Like what happened
commented above, we take into account the fact that Trump sought guidance from the Norwegian Data Protection Authority on measures
to be implemented.


        (d) the degree of responsibility of the controller or processor, taking into account those
        technical and organizational measures they have implemented in accordance with Articles 25 and 32

Trump has breached its obligation under Article 32 due to a lack of appropriate technical and
organizational measures to achieve a level of security that is appropriate in light of the risk. This therefore speaks for itself
imposition of infringement fines.


        e) any relevant previous violations committed by the data controller or
        the data processor

We have not identified any previously relevant violations, and this relationship therefore does not speak for itself
imposition of infringement fines.


        f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
        possible negative effects of it

Trump has collaborated with the Norwegian Data Protection Authority, and answered the questions that were asked. This is, however
Trump ordered to do.The Article 29 Working Party notes on this occasion the following:


        […] It would not be appropriate to give additional regard to cooperation that is already
        required by law for example, the entity is in any case required to allow the supervisory
        authority access to premises for audits / inspections.



12 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679,
pages 12 to 13.
                                                                                                          25, That Trump has given complementary answers to the Data Inspectorate's requirements for statements is not a mitigating
circumstance in itself.


However, Trump's privacy ombudsman, in connection with the media reports, contacted
The Data Inspectorate to inquire about the Authority's further process, as well as to inform the parent of the measures
Trump had implemented. This pulls in a somewhat mitigating direction, in isolation.

By the way, it already became clear in the winter of 2016/2017 that Trump would not be able to implement
the verification solution that Trump envisioned the Data Inspectorate when we closed the case in 2016. Trump did not

the Authority some information on this. If the Data Inspectorate had received information that the challenge with
verification would not still be resolved we could have considered the possibility of, for example, imposing
Trump to limit the amount of personal information that became available to the Trump member. Trump was
required to provide us with such information, in light of the fact that the lack of verification mechanism led to repeated
cases of notifiable breaches of personal data security. The degree of cooperation with
On this basis, the supervisory authorities have not been considered as a mitigating circumstance in particular

importance.

        g) the categories of personal data affected by the infringement

The Article 29 group's supervisor points out that the assessment under letter g is, among other things, related to whether
dissemination of personal data may cause harm or inconvenience to the data subjects. We are showing

to previous comments about the potential for abuse that exists as a result of Trump members
can get information about purchase history etc. to other people.

        (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in
        the extent to which the data controller or data processor has notified
        the infringement


In 2020, the Data Inspectorate was informed, via media coverage and contact with the Privacy Ombudsman, that
the verification solution was not implemented in line with Trump's progress plan from 2016. On
At the time when the privacy ombudsman contacted the Danish Data Protection Agency, it was obvious that the media would
further describe how Trump had not implemented a verification solution. Despite this
the contact from the privacy representative must be emphasized as a mitigating circumstance under letter h.


        (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
        data controller or data processor with respect to the same subject matter that that mentioned
        measures are complied with

In 2016, the Data Inspectorate announced a decision on an order against Trump. However, this did not result in a final

decisions, and related to old regulations. For this reason, we never used the expertise as
is stated in Article 58 (2). This factor is therefore not relevant when assessing whether
infringement fines must be imposed.

        (j) compliance with approved standards of conduct in accordance with Article 40 or approved
        certification mechanisms in accordance with Article 42


13 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, page 14.
                                                                                                         26, We do not find this moment relevant.


        k) any other aggravating or mitigating factor in the case, e.g. economic benefits such as
        has been obtained, or losses that have been avoided, directly or indirectly, as a result of the infringement

In its practice, the Privacy Board has stated that long case processing time shall constitute a mitigating factor
circumstance. In PVN-2021-03, the Privacy Board emphasizes that the facts of the case became essentially
clarified in May 2019, while it took over a year before the audit notified the order and infringement fee. In PVN-

2021-09, the Privacy Board also emphasized the long case processing time at the audit. In that case
It had been six months since the audit received a report of a breach of personal data security
a statement was requested. After receiving the report, it took approx. four months before notice
decision was sent, and then ten months from the notice was sent until the decision was made. After
the company complained, it took another three months before the case was received by the Privacy Board.
The Supreme Court has otherwise in its practice assumed that only in the case of total inactivity of around one year is considered
                                                                                           14
processing time to violate the European Convention on Human Rights.

This case was initiated by the Data Inspectorate sending Trump a request for a statement. This requirement
statement was sent on October 2, 2020. Trump, through their representative, asked for an extended deadline to
answer the Data Inspectorate's questions. This request was granted. The Norwegian Data Protection Authority received the report
Trump November 9, 2020. A new request for a statement was sent to Trump on March 8, 2021. March 23

In 2021, Trump was granted a postponed deadline to respond to the statement. On April 20, 2021 received
The Data Inspectorate Trump's new statement. On 3 June 2021, the Norwegian Data Protection Authority received further information from
Trump, of which Trump informed that the implementation of their verification solution went as
planned. The factual circumstances of the case were consequently only, in essence, clarified in June 2021, cf.
PVN-2021-03.


The Norwegian Data Protection Authority believes that the progress of the case and the case processing time in general should not constitute one
mitigating circumstance in this case. The longest inactivity has been around 5 months, from
the factual circumstances of the case were essentially clarified until notification of the decision. The significance of the case
and scope means that 5 months is not an unacceptably long time. Furthermore, 6 months have passed
Trump gave his comments until this decision is made. Nor can this be considered to be
unacceptable.


Based on the assessment above, the Danish Data Protection Agency concludes that an infringement fee should be imposed. The next
the question is the size of the fee.

6.3. Assessment of the size of the fee
When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in

the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case
above. The violation fee must be effective, be in a reasonable proportion to the violation and work
deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in
each case.




14 HR-2016-225-S, section 32.
                                                                                                           27, The fee should be set so high that it also has an effect beyond the specific case, at the same time as the fee
size must be in a reasonable proportion to the infringement and the activity, cf. Article 83 no. 1.

The Privacy Ordinance facilitates a higher level of fines than that which applied thereafter

the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that an infringement fee
shall be determined concretely so that in each individual case it is effective, is in a reasonable relation to
the violation and acts as a deterrent. The main purpose of the infringement fee is contraception, ie that
the risk of being charged a fee shall have a deterrent effect and thereby contribute to increased compliance with
the regulations.

The commentary, in relation to Article 83, states:


        Contraceptive considerations dictate that the fee for a violation must be set so high that it is in fact
        perceived as an evil by the offender. This means that the offender's financial capacity should
        have significance in the measurement, so that the fee becomes higher the stronger the carrying capacity of the offender
        hair. […] When assessing the financial viability of an enterprise, it may be relevant to look at
        the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5.


And further:

        The consideration of ensuring an individual assessment in each individual case dictates that the supervisory authorities
        should avoid establishing standardized fee rates. This applies even if national law allows for it
        standardized rates, cf. the Public Administration Act § 43.


The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business.

It has been concluded that Trump has breached its obligations under Article 32, Article 33 (1) and
Article 33, paragraph 5. Trump did not send reports of violations to regulators
personal data security and did not otherwise implement appropriate security measures, despite the fact that
it was clear - based on the circumstances of the case - that the Data Inspectorate was very clear on the need
to verify account holders. The Data Inspectorate was clear on this need, among other things, due to

the abuse potential that lay in making account holder information available to Trump members.

Pursuant to Article 83 (4), an infringement fine of up to EUR 10 000 000 or, where
is an "undertaking" ("undertaking" in English) of up to 2% of the total global
annual turnover in the previous financial year, where the highest amount is used. In Advocate 150
note the following:


        If an undertaking is charged an infringement fee, an undertaking for these purposes should be understood as one
        undertakings within the meaning of Articles 101 and 102 of the TEU.

The European Court of Justice has, inter alia in C-231/11 P - C-233/11, given the following remarks related to
the understanding of "enterprise", but then in a different legal context:


        The authors of the Treaties chose to use the concept of an undertaking to designate the
        perpetrator of an infringement of competition law, who is liable to be punished pursuant to

                                                                                                           28, Articles 81 EC and 82 EC, and not other concepts such as the concept of a company or firm or
        of a legal person, used, inter alia, in Article 48 EC (see, to that effect, Case

        C-501/11 P Schindler Holding and Others v Commission [2013] ECR, paragraph 102).

        The Court of Justice has consistently held that the concept of an undertaking covers any entity
        engaged in an economic activity, regardless of the legal status of the entity or the way in which
        it is financed. That concept must be understood as covering an economic unit, even if, from a

        legal perspective, that unit is made up of a number of natural or legal persons (see, inter alia,
        Joined Cases C-628/10 P and C-141/11 P Alliance One International and Standard
        Commercial Tobacco v Commission [2012] ECR, paragraph 42 and the case-law cited).

In «The EU General Data Protection Regulation, GDPR, ACommentary», pages 1187-1188, it is given
the following comment to Article 83:


        Articles 101 and 102 TFEU do not themselves contain any definition of the concept of
        'undertaking'. Consequently, the reference in recital 150 should be understood as a reference to
        the whole body of jurisprudence concerning the definition of an 'undertaking' under the TFEU.


        In this respect, the case law of the EU courts in the area of competition law has defined an
        undertaking as an economic unit, which may comprise several natural or legal persons or
        'which may be formed by the parent company and all involved subsidiaries', together referred to
        as a 'single economic entity'. Moreover, under this case law, each person forming part of a
        single economic entity may be held liable for an infringement of EU competition law committed
        by that economic entity.15


According to Proff, NorgesGruppen ForbrukerserviceAS is the only shareholder in Trump. NorgesGruppen
ForbrukerserviceAS is owned by NorgesGruppenASA. On this basis, we assume that Trump
AS and NorgesGruppenASA are part of the same «enterprise», cf. Article 83 no. 4, and the turnover of
NorgesGruppenASA must be taken into account when determining the infringement fee.


The annual result for NorgesGruppenASA, for 2020, shows a turnover of NOK 101.56 billion, a
increase from NOK 90.5 billion in 2019. 16

The fee must be set so high that it is effective and achieves a sufficient deterrent effect. Out from
the company's high turnover, as well as the serious violations of the Privacy Ordinance in the case, we have

concluded that an infringement fee of NOK 5,000,000 is considered correct. The amount is approx. 0.005 percent
of the company's turnover in the previous financial year.

The infringement fee is consequently at the very bottom of what the Privacy Ordinance Article 83 no.
3 gives the Norwegian Data Protection Authority competence to impose.


7. Right of appeal and further proceedings

15 THE EU GENERAL DATAPROTECTION REGULATION (GDPR), ACommentary, edited by Kuner, Bygrave and
Docksey, 2020.
16 https://www.dn.no/handel/norgesgruppen/kiwi/meny/rekordar-for-koronavinneren-norgesgruppen-over-100-milliarder-i-
turnover / 2-1-986439 and https://www.norgesgruppen.no/globalassets/finansiell-informasjon/rapporter/2020/ars-og-
barekraftsrapport-2020.pdf.
                                                                                                         29, You can appeal the decision. Any complaint must be sent to us within three weeks after this letter is
received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will send the case
on to the Privacy Board for complaint handling.


If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after
the expiry of the appeal period, cf. the Personal Data Act § 27.

8. Publicity
We will inform you that all the documents are in principle public, cf. the Public Access to Information Act § 3.
If you believe there are grounds for exempting all or part of the document from public access, please
we you to justify this.



If you have questions about the case, you can contact Ida Småge Breidablikk on telephone 22 39 69
70.





With best regards


Jørgen Skorstad
department director, law

                                                                   Ida Småge Breidablikk
                                                                   senior legal adviser

The document is electronically approved and therefore has no handwritten signatures