From GDPRhub

Datatilsynet (Norway) - 20/04401-11
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1) GDPR
Article 24 GDPR
Personopplysningsforskriften § 4-3
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.12.2021
Published: 07.01.2022
Fine: 200.000 NOK
Parties: Elektro & Automasjon Systemer AS
National Case Number/Name: 20/04401-11
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rose

The Norwegian DPA (Datatilsynet) imposed a fine of 200,000 NOK on Elektro & Automasjon Systemer AS for failing to implement appropriate technical and organisational measures to prevent unlawful processing (Article 24 GDPR) and, as a consequence, for conducting a credit check on an individual by mistake and without a legal basis (Article 6(1) GDPR).

English Summary

Facts

A company had conducted a credit check on one of the owners of another company. There was no existing collaboration or customer/vendor relationship between the companies. After finding out about the credit check, the data subject lodged a complaint with the Norwegian DPA. The company explained that the credit check had happened by mistake and that it had been caused by its lack of familiarity with the system it used for requesting credit reports.

Holding

First, the Norwegian DPA held that the controller had not implemented appropriate technical and organisational measures to prevent unlawful processing, in violation of Article 24 GDPR. Even though the controller had internal procedures in place regarding its processing of personal data in general, none of these were specifically aimed at conducting credit checks. The DPA held that any company that uses a credit report tool has an obligation to familiarise themselves with the tool and the legal framework to prevent errors from happening. Second, the DPA held that the controller lacked legal basis for the processing, in violation of Article 6(1) GDPR.

As a result of the above infringements, the DPA imposed a fine of 200 000 NOK. When determining the size of the fine, the DPA highlighted that credit reports usually contain information about an individual's financial situation, such as information about salary and debt, which especially deserves a high level of protection. As mitigating factors, however, the DPA noted that the breach had only affected one data subject for a short duration.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

EAS / ELEKTRO & AUTOMASJON SYSTEMER AS
Åshaugveien 62
3170 SEM

Exempt from public disclosure: Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.

Your reference: (none)    Our reference: 20/04401-11    Date: 13.12.2021

Decision on order and infringement fine - Complaint about credit rating without objective need - EAS / Elektro & Automasjon Systemer AS


1. Introduction

We refer to our notice of a decision on an order and infringement fine dated 17 June 2021. We also refer to your comments on the notice, dated 15 July 2021. These comments are dealt with in sections 7.1 and 8.3 of this decision.


2. Decision on order and infringement fine

    1. Pursuant to Article 58(2)(i) GDPR, EAS / Elektro & Automasjon Systemer AS, org.nr. 991 800 492, is ordered to pay an infringement fine of NOK 200,000 to the Treasury for having obtained credit information without a legal basis, cf. Article 6(1)(f) GDPR.

    2. Pursuant to Article 58(2)(d) GDPR, EAS / Elektro & Automasjon Systemer AS is ordered to improve its internal control and routines for credit assessments, cf. Article 24 GDPR.




3. Details of the facts of the case

On 18 November 2020, we received a complaint from [name redacted] (hereinafter "the complainant") that EAS / Elektro & Automasjon Systemer AS had carried out a credit assessment of him. The complainant was informed on 6 October 2020 that a credit assessment had been carried out.

The complainant states that he has had no cooperation, customer relationship or other affiliation with your business. He had no expectation of being credit-rated by the company and experiences the incident as unnecessary "grafsing" (snooping) in his personal finances.

[Letterhead: Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org.nr: 974 761 467. Website: www.datatilsynet.no]

In your response to our request for a statement, you confirm that the complainant is neither a customer of yours nor has any other direct relationship with EAS / Elektro & Automasjon Systemer AS. You describe that you use Bisnode as a tool for credit checks of companies that are customers, suppliers and companies in the same industry. The credit check of the complainant must have occurred by mistake, due to a lack of knowledge of the Bisnode system.

You further describe that you annually review the accounts of other players in the industry in order to assess your own performance. The complainant is co-owner of a company in the same industry as EAS / Elektro & Automasjon Systemer AS. In the course of looking at that company's accounts, the complainant's name was clicked in the list of shareholders. You explain that the general manager expected that this would give an overview of ownership interests, as it does in the systems at proff.no and purehelp.no.

You point out that neither the company nor the general manager has any private interest in obtaining credit information about the complainant. The information obtained in Bisnode was not printed or stored in any way in the business, and it was assumed that the search had been interrupted. You also point out that this is the first time such a credit check of a private individual has been performed by EAS / Elektro & Automasjon Systemer AS.

In the statement, you write that you have been in contact with Bisnode to have the credit assessment tool explained after receiving the Data Protection Authority's request for a statement. You state that you have routines for the processing of personal data in the business, but that these routines do not mention credit rating. Furthermore, you write that this case must be dealt with internally and that the routines must be reviewed for any changes or clarifications.

The Norwegian Data Protection Authority sent a notice of a decision on an order and infringement fine on 17 June 2021. EAS / Elektro & Automasjon Systemer AS submitted comments on this notice on 20 July 2021. The comments are dealt with in sections 7.1 and 8.3 of this decision.



4. Controllership

Whoever determines the purposes and means of a processing of personal data is the controller, cf. Article 4(7) GDPR. The controller is responsible for ensuring that the processing of personal data takes place in accordance with the basic principles of the GDPR and must be able to demonstrate this, cf. Article 5(2) GDPR.

A company is responsible for the processing of personal data performed by an employee when the processing has taken place in the course of the company's activities.[1] It is EAS / Elektro & Automasjon Systemer AS which has an agreement with Bisnode and which, in our opinion, has determined the purposes and means of the credit assessments.

The controller has a duty to implement appropriate technical and organisational measures to ensure and demonstrate that processing takes place in accordance with the GDPR, cf. Article 24.

According to Article 24, the assessment of appropriate measures shall take into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of data subjects. The measures shall be reviewed and updated where necessary.

On this basis, the Data Protection Authority considers EAS / Elektro & Automasjon Systemer AS to be the controller, cf. Article 4(7) GDPR, for the credit check carried out on the complainant.

[1] EDPB Guidelines 07/2020 on the concept of controller and processor in the GDPR, p. 10.


5. Legal basis for obtaining credit information

5.1. In particular on the legal basis for obtaining credit information

Obtaining and storing credit information about individuals and sole proprietorships constitutes processing of personal data, cf. Article 4(2) GDPR and § 1 of the Act of 15 June 2018 no. 38 on the processing of personal data (the Personal Data Act).

Article 6(1) GDPR requires that all processing of personal data has a legal basis. Where a business obtains credit information about a data subject without consent, and the credit rating is not strictly necessary for the performance of a contract with the data subject, Article 6(1)(f) is the most relevant legal basis.

Under the old Personal Data Act of 2000, there was an additional requirement that the business must have an "objective need" to obtain credit information. This follows from § 4-3 of the Personal Data Regulations, which under the transitional rules has been continued as applicable law.[2]

The new Credit Information Act[3] also continues the requirement of an "objective need" for the disclosure of credit information. The new Act has been passed but has not yet entered into force. However, the GDPR does not leave national room for manoeuvre to specifically regulate individual recipients' processing of credit information. The new Credit Information Act therefore has only the credit information agencies as its subjects, and not the individual businesses that order credit information.

The consequence of this is that "objective need" is not directly an additional condition for the individual business that obtains credit information. Its collection is thus regulated by Article 6(1)(f) GDPR. Assessments of whether a business has an "objective need" under § 4-3 of the Personal Data Regulations are, however, closely related to the assessment under Article 6(1)(f). Previous practice relating to "objective need" is therefore still relevant when assessing "legitimate interest" as a legal basis.

[2] Transitional rules on the processing of personal data (FOR-2018-06-15-877).
[3] Act on the processing of information in credit information activities (LOV-2019-12-20-109).


5.2. Article 6(1)(f) GDPR - "legitimate interest"

Article 6(1)(f) requires that the collection of credit information is "necessary" to pursue a "legitimate interest" which, after a balancing of interests, outweighs the individual's interest in privacy.

The legitimate interest must be lawful, clearly defined in advance, real and objectively justified in the business. Recital 47 GDPR states that, in assessing whether an interest is legitimate, account should be taken, among other things, of the data subject's reasonable expectations based on the relationship with the controller. Weight should also be given to whether, at the time of collection, it was foreseeable for the data subject that the information would be processed for the purpose in question.

Which interests meet this requirement depends on an overall assessment of, among other things, the benefits the company achieves through the processing, how important the interest is for the company, and whether the processing serves a public interest or safeguards non-profit interests that benefit the wider public, see the Article 29 Working Party's opinion.[4]

Furthermore, the processing of personal data in question must be necessary for these interests. That is, the business must consider whether it can achieve the purpose in a way that better safeguards privacy; it must choose the least intrusive form of processing.

The business must then carry out a balancing of interests to determine whether the individual's privacy interests outweigh the business's legitimate interest. The type of information involved is a relevant factor, e.g. whether the information is particularly worthy of protection and whether the person has an expectation of being left alone with regard to it. It is also relevant to consider what disadvantages the processing imposes on the person, whether the processing is perceived as intrusive, whether it is likely to create fear or unrest, and what measures the company has implemented to reduce the privacy impact.

5.3. Relevant practice relating to § 4-3 of the Personal Data Regulations - "objective need"

According to § 4-3 of the Personal Data Regulations, credit information may only be obtained when a business has an "objective need" for the information, for example in connection with a purchase on credit. As a general rule, there must be an element of credit. This will typically be the case when the business is to extend credit to a customer and needs to see whether he or she is creditworthy.

[4] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, pages 24 and 25.

The Privacy Appeals Board has elaborated on the additional condition of objective need in several cases, including PVN-2006-03 KLP, PVN-2010-05 Credit rating and PVN-2017-02 Bertram Bil. In the latter case, the Board referred to the following statement from PVN-2006-03 KLP:

        The purpose of a credit rating is normally to determine whether a potential customer is creditworthy, and thus whether the company wishes to enter into an agreement with that person. This means that when credit information is requested, the requirement of objective need will be met when the customer is to use the credit information in its assessment of credit risk, for example in connection with a loan commitment or an agreement on ongoing services invoiced in arrears, typically a mobile phone subscription, a subscription for satellite television etc.

The Board also referred to the statement in PVN-2010-05 Credit rating that the opposite of "objective need" is "curiosity and a voyeuristic mentality".


6. On the duty to implement appropriate technical and organisational measures

Pursuant to Article 24 GDPR, the controller shall implement appropriate technical and organisational measures to ensure and demonstrate that processing is carried out in accordance with the Personal Data Act and the GDPR.

Where proportionate in relation to the processing activities, the company must implement appropriate data protection policies.

Credit rating is an intrusive form of processing of personal data and constitutes a significant interference with individuals' right to privacy. Companies that carry out credit assessments must therefore document internal routines or processes (internal control) that satisfy the requirement of objective need in credit assessment. The routines must describe when and how credit information may be obtained and how access is to be granted. The routines must ensure that credit information is not obtained unless the requirement of objective need is met.

7. The Norwegian Data Protection Authority's assessment

7.1. The duty of internal control and the principle of accountability

It appears from the statement that EAS / Elektro & Automasjon Systemer AS had routines for the processing of personal data, but that these did not include routines for conducting credit assessments. We assume that EAS / Elektro & Automasjon Systemer AS did not have routines for credit assessments at the relevant time.

In the statement, you explain that the general manager's lack of understanding of the credit assessment tool was the reason the credit assessment in question was carried out.

You point out that you use Bisnode for credit checks of companies that are customers, suppliers and companies in the same industry. Even if you do not normally want to obtain credit information about individuals, having access to a credit rating tool means that you must be aware of the regulations and of the functions in Bisnode that obtain credit information on natural persons and sole proprietorships.

The lack of awareness of the regulations, the company's access to credit assessment services, and the fact that a breach of the regulations has occurred in this case indicate that EAS / Elektro & Automasjon Systemer AS should be ordered to establish internal control for credit ratings. In our opinion, the establishment of routines may have a preventive effect against unlawful credit assessments being carried out in the future.

In its comments on the Data Protection Authority's notice, EAS / Elektro & Automasjon Systemer AS has enclosed revised routines for the processing of personal data with a new "Routine 8: Routine for credit assessment, cf. Article 24 GDPR". The routine contains a reproduction of Article 24 GDPR and a brief description of who may carry out credit assessments and in which cases credit assessments may be carried out.

The Data Protection Authority considers it positive that a clear demarcation has been made of who may conduct credit assessments. Nevertheless, the routines should refer to the legal basis the business has for credit assessments in the event that individuals and sole proprietorships are credit rated. The routine should be linked more closely to the rules and assessments that must be made under the data protection regulations. It is important to be aware that the data protection rules apply to credit assessments of sole proprietorships, as this information is closely linked to information about the finances of the private individual who owns the enterprise.

EAS / Elektro & Automasjon Systemer AS should in its routines emphasise Article 6(1)(f) as the relevant legal basis for its business, and provide for organisational measures that ensure that the requirements of the GDPR are met before credit information about private individuals and sole proprietorships is obtained.

The Norwegian Data Protection Authority has the competence to order the controller to bring processing operations into compliance with the provisions of the GDPR, cf. Article 58(2)(d) GDPR. This is the background for the order to improve the credit rating procedures.

EAS / Elektro & Automasjon Systemer AS must improve its routines to ensure that credit rating only occurs when the conditions of the GDPR are met.

7.2. Legal basis for obtaining credit information

The question is whether EAS / Elektro & Automasjon Systemer AS had a valid legal basis under Article 6(1)(f) when it obtained credit information about the complainant.

The first condition that must be met for the processing to be lawful is that EAS / Elektro & Automasjon Systemer AS had a "legitimate interest" in obtaining the information.

EAS / Elektro & Automasjon Systemer AS writes in its statement that the complainant is correct in pointing out that he is neither a customer nor has any other direct relationship with the business. Furthermore, you write that this was done by mistake, as you wanted to obtain information about ownership interests in a company in which the complainant is a part-owner. Regardless of whether it was done on purpose or not, EAS / Elektro & Automasjon Systemer AS has obtained credit information about an individual without any kind of customer relationship, supplier relationship or other affiliation with the business. The parties agree that the credit rating should not have been carried out. The complainant had no expectation that EAS / Elektro & Automasjon Systemer AS would process his credit information, and it was also not foreseeable that the business would obtain the information.

Our assessment is that the requirement of "legitimate interest" in Article 6(1)(f) GDPR is not fulfilled.

We do not consider it appropriate to assess the requirement of "necessity", as our assessment is that the company did not have a legitimate interest in carrying out the credit assessment.

The third condition in Article 6(1)(f) is the specific balancing of interests between the company's interest in processing the personal data and the data subject's privacy interests.

Credit information is a type of personal data that is particularly worthy of protection. A credit rating is the result of compiling personal data from many different sources, and shows a score that indicates the probability that a person will pay a claim. A credit rating will also show details about an individual's personal finances, including any payment remarks, voluntary liens and debt ratio. This is private information which individuals expect not to be obtained by businesses unless objectively justified by their relationship with them. Private individuals should therefore enjoy special protection against the obtaining of credit information.

The complainant's right to privacy weighs heavily in the processing of this type of personal data. The business had no need to obtain credit information about the complainant, and a collection of credit information on the basis of curiosity would not satisfy the balancing of interests in Article 6(1)(f).

The conclusion is therefore that EAS / Elektro & Automasjon Systemer AS did not have a legal basis under Article 6(1)(f) to process credit information about the complainant, as communicated to the complainant on 6 October 2020.



8. Infringement fine

8.1. General information about infringement fines

Infringement fines are a tool to ensure effective compliance with and enforcement of the data protection rules. We consider it necessary to respond to the infringement, and hereby impose an infringement fine, cf. Article 83 GDPR.

In accordance with the Supreme Court's practice (cf. Rt. 2012 p. 1556), we assume that infringement fines are to be regarded as punishment under Article 6 of the European Convention on Human Rights. A clear preponderance of probability for the infringement is therefore required in order to impose a fine.

In this context, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, which addresses a committed violation of a statute, regulation or individual decision, and which is considered punishment under the European Convention on Human Rights (ECHR).

8.2. Assessment of whether an infringement fine is to be imposed

When assessing whether a fine is to be imposed, and when determining its amount, the Data Protection Authority shall take into account the elements in Article 83(2)(a) to (k) GDPR. The Data Protection Authority may impose infringement fines following a discretionary overall assessment, but the listed elements provide guidance for the exercise of that discretion by highlighting factors on which particular emphasis should be placed.

We assess the relevant factors in turn below.

a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them,

The principle of lawfulness in Article 5(1) GDPR and the requirement of a legal basis in Article 6 are among the basic requirements that must be met when a business processes personal data.

As explained above, credit information is a type of personal data that is particularly worthy of protection and which private individuals expect not to be obtained by businesses unless objectively justified by their relationship with them. The complainant had no relationship with the business that made it foreseeable that you would process credit information about him. The infringement is therefore serious, and this indicates that an infringement fine should be imposed.

In a mitigating direction, an unlawful credit rating will not be an infringement of long duration. In this case, EAS / Elektro & Automasjon Systemer AS states that you believed the search had been interrupted and that you have not stored credit information about the complainant in the business. However, the damage occurred at the moment the personal credit information was obtained and processed by someone without a legal basis.

b) the intentional or negligent character of the infringement,

You describe that the credit assessment must have been performed by mistake, as the general manager expected to get information about ownership interests in the company of which the complainant is a part-owner when he clicked on the complainant's name in the list of shareholders. Furthermore, it appears from the statement that neither the general manager personally nor EAS / Elektro & Automasjon Systemer AS had any interest in gaining access to the complainant's credit information. There are no grounds for concluding that the credit rating was made intentionally.

However, it must be possible to assume that the general manager of a company has knowledge of the key features of the credit rating tool the company uses. The Data Protection Authority finds that the company, through its general manager, has shown negligence in obtaining credit information about the complainant.


c) any action taken by the controller or processor to mitigate the damage suffered by data subjects,

The statement refers to the fact that the general manager assumed that the search had been interrupted and that no credit information about the complainant was stored in the business. This therefore does not weigh in an aggravating direction.

d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32,

In an aggravating direction, we emphasise that the infringement was committed by the general manager of the business, as the GDPR presupposes that compliance with the rules is anchored in particular in the management of an enterprise, cf. Article 5(2).

Furthermore, we emphasise in an aggravating direction that EAS / Elektro & Automasjon Systemer AS had a lack of awareness of the regulations, and that the company had neither technical nor organisational measures in the form of routines to ensure compliance with the regulations, nor the necessary knowledge of the credit rating tool the company uses.

e) any relevant previous infringements by the controller or processor,

The Data Protection Authority is not aware of any previous infringements.

f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement,

The company apologises for the incident and has shown willingness to contribute to clarifying the case and to learn from the incident by handling the case in its deviation system and reviewing and adjusting its routines for the processing of personal data. This therefore does not weigh in an aggravating direction.


g) the categories of personal data affected by the infringement,

Special categories of personal data (sensitive personal data) are not affected by the infringement in our case. However, information on salary, debt and creditworthiness is information that has a special need for protection due to its private nature. This pulls in an aggravating direction.


h) in what way the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the data controller or data processor has notified the infringement,

We were notified of the breach by the complainant. The company did not itself report the infringement. This can in some cases pull in an aggravating direction, but the Data Inspectorate has not emphasized this in a particularly aggravating direction in this case, as there is no specific evidence that EAS / Elektro & Automasjon Systemer AS should have behaved differently towards the Norwegian Data Protection Authority in this case.


(i) if the measures referred to in Article 58(2) have previously been taken against the data controller or data processor concerned with respect to the same subject matter, whether those measures are complied with,

We do not know of any measures having previously been taken against the company with regard to the same subject matter. This therefore does not pull in an aggravating direction.


(j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42,


We do not find this aspect relevant.


k) and any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement,

The Data Inspectorate cannot see that EAS / Elektro & Automasjon Systemer AS has achieved any benefits as a result of the violation, and we do not emphasize this aspect in an aggravating direction.

Based on the assessment above, the Data Inspectorate concludes that an infringement fee should be imposed. The next question is the size of the fee.

8.3. Assessment of the size of the fee

When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in the question of whether a fee should be imposed. We therefore refer to the assessments of the severity of the case above. The infringement fee must be effective, be in reasonable proportion to the violation and act as a deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in each individual case.

The fee should be set so high that it also has an effect beyond the specific case, while at the same time the amount of the fee must be in reasonable proportion to the infringement and the business, cf. Article 83(1).

The Privacy Regulation facilitates a higher level of fines than that which applied under the Personal Data Act of 2000, and it follows from Article 83(1) of the Regulation that infringement fines shall be determined specifically so that in each individual case they are effective, in reasonable proportion to the violation and act as a deterrent. The main purpose of infringement fines is prevention, i.e. the risk of being charged a fee must act as a deterrent and thereby contribute to increased compliance with the regulations. [5]

Skullerud et al. (2019), page 347, states:

        Preventive considerations dictate that the fee for a violation must be set so high that it is actually perceived as an evil by the offender. This means that the offender's financial ability should be important in the measurement, so that the fee is higher the stronger the carrying capacity of the offender. […] When assessing the financial carrying capacity of a company, it may be relevant to look at the company's total global annual turnover in the previous financial year, cf. Article 83(4) and (5).


And further:

        The consideration of ensuring an individual assessment in each individual case indicates that regulators should avoid establishing standardized fee rates. This applies even where national law allows for standardized rates, cf. the Public Administration Act § 43.


The fee must therefore be measured specifically in each case, and have a deterrent effect on the individual business.

Article 83(5) of the Privacy Regulation sets a higher maximum amount for fees when the case concerns violations of the basic principles for the processing of personal data in accordance with Articles 5 and 6 of the Privacy Regulation.

In our case, EAS / Elektro & Automasjon Systemer AS lacked a legal basis for processing when obtaining credit information on the complainant (principle of legality). In addition, the company lacked technical and organizational measures for compliance with the privacy regulations (principle of accountability). Lack of knowledge about the credit rating tool and of guidelines for when a credit assessment can be carried out has facilitated that the credit rating was conducted illegally. This pulls in an aggravating direction.

In an aggravating direction, we place particular emphasis on the fact that the credit assessment was initiated by the company's general manager, and that the company's management lacked knowledge of how the credit assessment tool should be used to avoid performing illegal credit assessments of private individuals.

[5] Skullerud et al. (2019).

The fee must be set so high that it is effective and achieves a sufficient deterrent effect. In measuring the size of the fee, we therefore also place emphasis on the company's finances. EAS / Elektro & Automasjon Systemer AS' comments on the size of the notified fee are therefore significant for the measurement.


EAS / Elektro & Automasjon Systemer AS has made several comments on the company's finances related to the continually changing situation as a result of the Covid-19 pandemic. EAS / Elektro og Automasjon Systemer AS states that the company has carried out layoffs in the last year to adapt to a situation with few orders. At the time of the comments, 7 employees in the company have been laid off, corresponding to 24% of the workforce. You point out that in light of this, the fee should be significantly reduced.


The notified fee of NOK 250,000 was measured according to the latest available accounting figures, from 2019, at the time of the notice. In 2019, EAS / Elektro & Automasjon Systemer AS had registered operating revenues of NOK 34,630,000.

EAS / Elektro & Automasjon Systemer AS has submitted accounting figures for 2020 and preliminary accounting figures for periods 1-4 of 2021. In 2020, the business had a turnover of NOK 33,095,228. This amounts to approx. 95% of the turnover for 2019. In periods 1-4 of 2021, the business had operating revenues of NOK 9,526,603. For the same period in 2020, the business had operating revenues of NOK 11,425,258. Operating revenues for periods 1-4 of 2021 amount to approx. 83% of operating revenues for the same period in 2020.

Based on the financial situation the company is in as a result of the corona pandemic, our assessment is that a lower fee could have the preventive and deterrent effect that Article 83 presupposes.

After taking into account the seriousness of the violations and EAS / Elektro & Automasjon Systemer AS' comments, the Data Inspectorate sets the final fee at NOK 200,000. We have thus reduced the notified fee of NOK 250,000 by approx. 20%, corresponding to EAS / Elektro & Automasjon Systemer AS' fall in turnover between 2019 and periods 1-4 of 2021.


We remind you that violations of Article 6 of the Privacy Regulation can lead to sanctions in the form of infringement fines of up to EUR 20 million, see Article 83(5)(a) of the Privacy Regulation. This corresponds to approx. NOK 214,000,000. The fee imposed in this case is thus at the very bottom of the range the regulation prescribes for such breaches.






9. Right of appeal and further proceedings
You can appeal the decision. Any appeal must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Board for appeal processing.

If you do not appeal the order for an infringement fee, the deadline for fulfillment is 4 weeks after the expiry of the appeal period, cf. the Personal Data Act § 27.


The deadline for implementing point 2 of the order on written routines (internal control) is 4 weeks after expiry of the time limit for appeal. If you do not appeal order point 2, you must within this deadline send us a written confirmation, as well as documentation, that the order for internal control has been completed.

10. Publicity, transparency and duty of confidentiality

We inform you that all the documents are in principle public, cf. § 3 of the Public Access to Information Act. If you believe there is a basis for exempting all or part of the document from public access, we ask you to justify this.


The Data Inspectorate has a duty of confidentiality about who has complained to us and about the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13. As a party to the case, you may nevertheless be made aware of such information by the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1. You also have the right of access to the case documents, cf. the Public Administration Act § 18.


We point out that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority about the complainant's identity, personal circumstances and other identifying information, and that you may only use this information to the extent necessary to safeguard your interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that violation of this duty of confidentiality can be punished according to the Penal Code § 209.


If you have questions about the case, you can contact Ida Småge Breidablikk by phone 22 39 69 70.


With best regards



Jørgen Skorstad
department director, law

Ida Småge Breidablikk
senior legal adviser

The document is electronically approved and therefore has no handwritten signatures



Copy to:



