Datatilsynet (Norway) - 21/00872
|Datatilsynet - 21/00872|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 6(3) GDPR
The Labour and Welfare Administration Act § 7
|Parties:||NAV (the Norwegian Labour and Welfare Administration)|
|National Case Number/Name:||21/00872|
|European Case Law Identifier:||n/a|
|Original Language(s):||Norwegian |
|Original Source:||Datatilsynet (in NO) |
Datatilsynet (press release) (in NO)
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA fined the Labour and Welfare Administration €486,700 for publishing CVs and confidential personal data of 1,8 million data subject online without a legal basis, in breach of Articles 6(1), (3) and Article 5(1)(a), and 5(1)(f) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
In February 2021, the Norwegian Labour and Welfare Administration (NAV) notified the Norwegian DPA Datatilsynet about a personal data breach where they had published CVs without a legal basis. The DPA had also received 18 complaints from data subjects regarding the incident.
NAV, the controller, has since 2001 had online solutions for making job applicants' CVs available for logged-in employers. In February 2019, they launched a new online tool where job applicants could voluntarily register their CVs. The controller, however, also made these available to employers through a candidate search, by default, including CVs where the data subjects had not given their consent. In addition, the controller had required data subjects to publish their CV to receive certain social services and benefits.
In 2020, a data subject contacted NAV's Data Protection Officer about the processing and, consequently, the controller launched an internal review. They concluded that they lacked a legal basis as per Article 6(1) GDPR for publishing the CVs, as far back as 2001. The controller had assessed legal bases in national laws pertaining to them, but found that these could not be relied upon for this particular situation. The controller now also realised that they did not either have a legal basis for requiring data subjects to publish their CV like this to receive certain social services and benefits.
The CVs contained information about data subjects' name, place of residence, date of birth, telephone number, e-mail address, education, work and other relevant experience, courses, driver's licenses, access to vehicles, various approvals and certifications, language, stated competencies and job wishes. This information is subject to confidentiality as per national regulations applicable to the controller.
The controller informed the DPA that 535,900 CVs was part of the 2019 system and they estimated that the maximum number of affected data subjects was 1,8 million. When the controller realized the breach, they notified the DPA and tried to inform every affected data subject personally by email or letter, as well as via their website.
Holding[edit | edit source]
The DPA held that the controller had violated Article 6(1) GDPR and Article 6(3) GDPR, thus also Article 5(1)(a) GDPR, for lack of legal basis for publishing CVs online. Further, as the controller is subject to a national regulation stipulating that the information in the CVs is confidential, the DPA held that they had violated Article 5(1)(f) GDPR.
For these violations, the DPA fined NAV (the controller) €486,700 (NOK 5,000,000).
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
THE LABOR AND WELFARE AUTHORITY PO Box 354 8601 MO I RANA Their reference Our reference Date AV29358 21 / 00872-11 21.06.2022 Decision on infringement fee - Publication of CV on arbeidplassen.no - NAV The Data Inspectorate refers to previous correspondence and contact in connection with notification of breaches on personal data security (hereinafter non-conformance report) submitted 17.02.21, latest ours notification of decision on infringement fee dated 23.05.22 and their response to notification of decision dated 08.06.22. 1. Decision on infringement fines Pursuant to the Privacy Ordinance art. 58 no. 2 letter i, cf. art. 83 and § 26 of the Personal Data Act, the following decisions are made on infringement fines: The Norwegian Labor and Welfare Administration (NAV) is fined 5,000,000 - five million - kroner to the Treasury for violation of the Privacy Ordinance species. 5 no. 1 letter a and the Privacy Ordinance art. 6 no. 1, cf. no. 3, as a result of processing of personal data without legal basis, and for violation of the Privacy Ordinance art. 5 No. 1 letter f, as a result of that personal data has been processed in a way that has not been adequately secured security of personal data. 2. Background of the case Since 2001, NAV has had digital solutions for making jobseekers' CVs available logged in employers. In February 2019, NAV launched a new solution for publishing CVs at the workplace.nav.no (hereinafter «the workplace»). In the workplace, volunteers can Job seekers register their resume based on consent. However, NAV also has in The "candidate search" that employers use, by default published CVs from all jobseekers under follow-up from NAV. The incident is related to the making available of CVs that were not based on consent. Following an inquiry to the privacy representative in NAV from a registered jobseeker in the autumn of 2020, NAV conducted a new review of the legal basis for publishing CVs. After the review, NAV concluded that the publication lacked a legal basis the Privacy Ordinance art. 6 No. 1. Further investigations concluded that the publication Postal address: Office address: Telephone: Org.nr: Homepage: PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1 0105 OSLO 0191 OSLO, lacked a legal basis back to 2001. NAV's assessment is that sharing a CV without consent in self-service solutions require a supplementary legal basis in national law, and that the provisions in the NAV Act and the Labor Market Act, which regulate employment services, do not authorize such an arrangement treatment. The CVs contain information about the registered persons such as name, place of residence, date of birth, telephone number, e-mail address, education, work experience and other experience, courses, driver's licenses, access to vehicles, approvals (certifications and the like), language, stated competencies and job wishes. NAV's CV solution is partly based on free text fields and special categories personal information may therefore also be entered by users. The solutions have also provided the opportunity for generating candidate lists based on employers' search. In an additional report dated 23.04.21, it is stated that the information that appears in the CVs is subject to a duty of confidentiality pursuant to section 7 of the Norwegian Labor and Welfare Administration Act, and that the exception in this provision that applies for employment services does not apply. NAV has stated that 535,900 CVs are covered by the solution from 2019, and estimates that it maximum number affected in previous solutions is 1.8 million. We understand it so that everyone companies that are registered in the Aa register have initially had the opportunity to access the workplace. Employers' access to all CVs for jobseekers during follow-up was closed on 17.2.21, and employers and temporary employment agencies were told to delete any downloaded or stored information. Those who were, or had been, registered in the solution from 2019 have been notified the incident, or attempted notification, in person. NAV created a separate page on nav.no and established notification banner on the registration pages for CV and candidate search. NAV has assessed that the risk for those registered in the solutions before 2019 does not require notification of these. Decisions made incorrect basis based on the deviation shall be reversed back to 2016, and for decisions made before In 2016, NAV will provide general information about the error, and what users must do to get a new one assessment of previously made decisions. 3. Legal background 3.1 Choice of law The Privacy Ordinance was incorporated into Norwegian law through a new Personal Data Act, which entered into force in 2018. The Act also repealed the Personal Data Act (2000) and the rules in the Personal Data Regulations (2000). Processing of CVs without a legal basis dates back to 2001, before the entry into force of the Personal Data Act 2018, but has also persisted in the time since, until February 2021. It must therefore decide whether the case is to be assessed in accordance with the Personal Data Act (2018) or the Personal Data Act (2000). The Personal Data Act (2018) § 33 first paragraph contains a special transitional rule infringement fine, which reads: 2, The rules on the processing of personal data that applied to the time of action, shall be used as a basis when a decision is made infringement fine. The legislation at the time of the decision shall nevertheless used when this leads to a more favorable result for the person responsible. The question of choice of law must therefore be assessed on the basis of what is considered the time of action. The relevant deviation arose before the entry into force of new regulations on 20.07.2018, but persisted until the processing of personal data was brought in accordance with the regulations - in this the case until employers' access to the CVs was closed on 17.02.21. Eventually the time of action in this case persisted over time, and in the time after the effective date of the Personal Data Act (2018), it follows from the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with the Personal Data Act (2018). We also refer to the preparatory work for the Personal Data Act (2018) (Prop. 56 LS (2017-2018) page 196), where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018): The starting point will be that decisions by the Data Inspectorate and the Privacy Board will had to be made on the basis of the material rules in force at any given time. The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and PVN-2018-06. On the basis of this, it is in our assessment clear that the case must be assessed accordingly the Personal Data Act (2018) and the Privacy Ordinance. 3.2. The basic principles for the processing of personal data The basic principles for the processing of personal data are set out in the Privacy Ordinance art. 5 No. 1 letter a-f. It follows from letter a that personal data shall be processed in a “legal, fair and open manner with regard to the data subject ("legality, fairness and transparency") ", and" in a manner which ensures adequate security of personal data, including protection against unauthorized or illegal treatment and against unintentional loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality") ", cf. letter f. treatment managers who are responsible for ensuring that the principles are complied with, cf. art. 5 No. 2. 3.3 Requirements for legal basis The processing of personal data is only legal if at least one of the legal bases in the regulation art. 6 No. 1 letter a-f applies. Treatments based on species. 6 no. 1 letter c and e also requires a supplementary legal basis in Union law or National dish. 3.4 In particular on the imposition of infringement fines 3, According to the Regulation art. 58 no. 2 letter i, cf. the Personal Data Act § 26 second paragraph, the Data Inspectorate may impose an infringement fine on public authorities in accordance with the rules in Regulation Art. 83 in the event of a breach of the regulations. Infringement fee is to be regarded as a penalty under the European human rights convention art. 6. A clear preponderance of probabilities is therefore required for offenses to be able to charge a fee. In HR-2021-797-A, the Supreme Court ruled that strict liability for the imposition of corporate penalties is not compatible with the concept of punishment in the European Convention on Human Rights, as it is interpreted by the European Court of Human Rights. This means that a 1rav is set up that the person who has acted on behalf of the company has shown general negligence. The conditions for the imposition of a fee are set out in the ordinance art. 83. The provision provides in basically an instruction that the imposition of an infringement fee is based on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting factors such as special weight shall be given. With regard to the size of the fee, Art. 83 Nos. 4 and 5 maximum rates for the fee size depending on which provisions of the Regulation have been violated. The same the factors which, when assessing whether a fee is to be imposed, shall be given special weight also the measurement. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the amount of the fee must be in a reasonable proportion to the infringement and the business, cf. art. 83 No. 1. 4. The Danish Data Protection Agency's assessment 4.1 The debt claim The Norwegian Data Protection Authority has assumed that NAV, through the Director of Labor and Welfare, has acted negligent, cf. HR-2021-797-A, cf. the regulation art. 5 no. 2, and that the claim for guilt is thus fulfilled (cf. section 3.4 above). 4.2 Legal basis for processing personal data (basis for processing) NAV has stated that art. 6 no. 1 letter e, which applies to the exercise of public authority, has been considered the most relevant treatment basis. Processing of personal data on this basis requires a supplementary legal basis in Union law or national law, cf. art. 6 no. 3. No other treatment basis is considered relevant by NAV. NAV has concluded that there is a legal basis for making all jobseekers' CVs available for employers is missing because the regulations governing employment services, including the Labor Market Act § 10 and the NAV Act § 4, do not authorize such treatment. NAV has obtained an external legal assessment from the law firm Wiersholm, which agrees with NAV's assessment. The provisions of the Labor Market Act and the NAV Act that apply 1 The Ministry of Justice and Emergency Preparedness' briefing of 12 May 2021, sent in a letter dated 02.06.21 from Kommunal- and the Ministry of Modernization. 4, employment service requires an active link between the jobseeker and the employer, which the self-service solution in the workplace and those in previous solutions, do not satisfy. NAV is closest to interpreting the regulations that regulate NAV's own tasks, and we add on the basis of the assessment NAV has made of its legal basis for employment services. Based from this we come to the conclusion that NAV has violated the requirement for a legal basis for processing personal data in the regulation art. 6 No. 1, cf. No. 3. Processing of personal data without legal basis according to art. 6 No. 1 is also not in compliance with the basic requirement of the Privacy Ordinance art. 5 No. 1 letter a. 4.3 Information security The information contained in the CVs is confidential in accordance with the Norwegian Labor and Welfare Administration Act § 7. NAV has itself assumed that the relevant publication of personal data is in conflict with this duty of confidentiality. NAV has concluded that the exception in the provision as applies to employment services does not apply, based on the assessment of what requirements are set for employment services, cf. section 4.1. We have used NAV's assessment as a basis, and we have come to the conclusion that the breach of the statutory obligation the duty of confidentiality will also constitute a breach of the principle of confidentiality the Privacy Ordinance art. 5 No. 1 letter f. 4.3 Imposition of infringement fines The Data Inspectorate has come to the conclusion that NAV has violated the Privacy Ordinance art. 6 No. 1, cf. No. 3. I In addition, we have come to the conclusion that both the Privacy Ordinance art. 5 No. 1 letter a and Regulation Art. 5 No. 1 letter f has been violated. There are thus several offenses that can provide a basis for the imposition of infringement fines. The incident has largely taken place before the Personal Data Act and the Privacy Ordinance enters into force in 2018. The Danish Data Protection Agency could also impose earlier infringement fee, cf. the Personal Data Act (2000) § 46, but the amount was then limited to up to 10 times the National Insurance basic amount (currently approx. 1,060,000 NOK). However, we refer to the discussion under section 3.1, and assumes that the fee will be measured according to new regulations. There is thus a basis for imposing on NAV an infringement fee of up to 20,000,000 euros (p.t. about. NOK 200,000,000), cf. Article 83 no. 5 of the Regulation. We will nevertheless see to it that the deviation in has also been ongoing during the period when previous privacy regulations applied. The regulation art. 83 no. 2 sets out factors that must be taken into account in the decision on whether an infringement fee is to be imposed as well as the amount of the infringement fee. Under follows our assessment of the factors we consider relevant in the assessment of whether infringement fines must be imposed; (a) the nature, gravity and duration of the infringement, taking into account it; the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and the extent of the damage they have suffered, 5, NAV has violated basic requirements for the processing of personal data - the requirement for legal basis in art. 6 no. 1 and the principles in art. 5 No. 1 letter a and f. The making available of CVs in the workplace or similar solutions has been going on for approx. 20 years, and a very large number of registered persons are affected, cf. section 2 above. The purpose of the treatment has been to make users' information available, and the treatment has been used as a condition of receiving or retaining services and benefits from NAV, to persons who are under follow-up. Some of these may have received a decision to stop in benefits for not having fulfilled the condition. b) whether the infringement was committed intentionally or negligently, The offense has occurred because NAV did not detect, over the years the workplace and the like solutions have been in use, that national law does not authorize the publication of CVs in self-service solutions, see section 4.1. above. The requirement for an active link between the jobseeker and the employer in the case of employment services, it appears from the preparatory work for regulations that NAV itself manages. The Norwegian Data Protection Authority finds that NAV, through the Director of Labor and Welfare, has acted negligently, cf. 2021-797-A, cf. the regulation art. 5 No. 2. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects, Employers' access to CVs is closed. The users who were covered by the discrepancy in the new one the solution from 2019 has been announced. Information about deviations in previous solutions is given in general form on nav.no. NAV has done a manual review back to 2016 to uncover and reverse any invalid management decisions. d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32, Not relevant in this case. e) any relevant previous violations committed by the data controller or the data processor, There are no previous violations that are considered relevant to this case. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it, NAV reported to the supervisory authority after it was ascertained from the publication of CVs did not have a legal basis, and has subsequently submitted updates on measures and been available in the case processing process. g) the categories of personal data affected by the infringement, The CVs contain information such as name, place of residence, date of birth, contact information, education, work experience and other experience, courses, driving licenses, access to vehicles, approvals (certifications and the like), language, stated competencies and job requirements. NAV's CV solution is partly based on free text fields, and special categories of personal information, 6, for example health information or information about ethnicity, may therefore also be entered by users. We have no definite evidence that special categories have been added personal data, and for that reason we have not emphasized this in an aggravating direction. The information is subject to a duty of confidentiality pursuant to section 7 of the Norwegian Labor and Welfare Administration Act. h) in what way the supervisory authority became aware of the infringement, in particular if and if so the extent to which the data controller or data processor has notified the infringement, NAV submitted a report of a breach of personal data security on 17.02.21. (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data controller with respect to the same subject matter, that mentioned measures are complied with, No measures have previously been taken against NAV with regard to same subject matter. (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 and Not relevant to the case. k) any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement NAV is in a special position of power vis-à-vis the users, who have limited opportunities to influence NAV's use of personal data, especially in cases where the use is linked to services and services the individual depends on. 4.4 Overall assessment The Data Inspectorate views NAV's follow-up of the discrepancy positively, both towards the registered and supervisory authority. It is nevertheless very serious that an authority such as NAV lacks a legal basis for one long-term and intrusive processing of personal data against such a large number registered. NAV's processing of users' personal data is largely based on statutory treatment basis. NAV therefore has a special responsibility to ensure that the legal basis is adequate for the treatment that is done. Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that NAV should be imposed infringement fine. 5. Measurement of the fee In assessing the size of the fee, we have emphasized that NAV has violated the basics and principal provisions of the Privacy Regulation. NAV has made available confidential information for a very long time about a large number of people, without treatment basis, and set this availability as a condition for receiving services and benefits. 7, We have also placed considerable emphasis on the balance of power in the relationship between NAV and the individual users, who have been incorrectly informed that registration in the solution has been a condition for be registered as a jobseeker, and thus to receive benefits from NAV. As the person responsible for processing, NAV is responsible for ensuring that treatments performed are legal, and the deviation is due to a misinterpretation of NAV's own regulations. mitigating direction, we have seen to it that NAV itself reported the deviation to us when it became clear that the treatment lacked a legal basis, and that the discrepancy has been followed up in a good way. We add also emphasis on the fact that the illegal treatment for a significant part has taken place in the period then the Personal Data Act (2000) applied. After a total assessment of the above factors, and look at the severity of the infringement and the legislation's requirement that the imposition of infringement fines in each individual case should be effective, proportionate and dissuasive, we have come to that one violation fee of 5,000,000 - five million - kroner is considered correct. 6. Right of appeal This decision can be appealed within three weeks after you have received this letter, cf. Sections 28 and 29 of the Public Administration Act. Any complaint is sent to the Danish Data Protection Agency. If we do not take as a result of the complaint, the case will be sent to the Privacy Board for complaint processing, cf. the Personal Data Act § 22. If you have any questions, you can contact the case officer. With best regards Janne Stang Dahl acting director Kristin Karlsen Lindberg legal adviser The document is electronically approved and therefore has no handwritten signatures