Datatilsynet (Norway) - 21/00872

From GDPRhub

Revision as of 16:18, 1 June 2022

Datatilsynet - 21/00872
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(f) GDPR; Article 6(1) GDPR; Article 6(3) GDPR; The Labour and Welfare Administration Act § 7
Type: Investigation
Outcome: Violation Found
Started: 17.02.2021
Decided: 23.05.2022
Published: 24.05.2022
Fine: 5000000 NOK
Parties: NAV (the Norwegian Labour and Welfare Administration)
National Case Number/Name: 21/00872
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO); Datatilsynet (press release) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA intends to fine the Labour and Welfare Administration €486,700 for publishing the CVs and confidential personal data of up to 1.8 million data subjects online without a legal basis, in breach of Articles 6(1) and 6(3) GDPR and, as a consequence, Article 5(1)(a) GDPR, as well as Article 5(1)(f) GDPR.

English Summary

Facts

In February 2021, the Norwegian Labour and Welfare Administration (NAV) notified the Norwegian DPA (Datatilsynet) of a personal data breach: it had published jobseekers' CVs without a legal basis. The DPA had also received 18 complaints from data subjects about the incident.

NAV, the controller, has since 2001 operated online solutions that make job applicants' CVs available to logged-in employers. In February 2019, it launched a new online tool in which job applicants could voluntarily register their CVs. By default, however, the employers' candidate search in this tool also exposed the CVs of all jobseekers under NAV follow-up, including those who had not given consent. In addition, the controller had required data subjects to publish their CV in order to receive certain social services and benefits.

In 2020, a data subject contacted NAV's Data Protection Officer about the processing, and the controller consequently launched an internal review. It concluded that it had lacked a legal basis under Article 6(1) GDPR for publishing the CVs, going back as far as 2001. The controller had considered legal bases in the national laws that apply to it, but found that these could not be relied upon for this particular processing. The controller also realised that it likewise lacked a legal basis for requiring data subjects to publish their CV in this way as a condition for receiving certain social services and benefits.

The CVs contained the data subjects' name, place of residence, date of birth, telephone number, e-mail address, education, work and other relevant experience, courses, driving licences, access to vehicles, various approvals and certifications, languages, stated competencies and job wishes. This information is subject to a statutory duty of confidentiality under the national rules applicable to the controller (§ 7 of the NAV Act).

The controller informed the DPA that 535,900 CVs were part of the 2019 system, and estimated the maximum number of affected data subjects across all solutions at 1.8 million. When the controller realised the breach, it notified the DPA and attempted to inform every affected data subject personally by e-mail or letter, as well as via its website.

Holding

The DPA held that the controller had violated Article 6(1) and Article 6(3) GDPR, and therefore also Article 5(1)(a) GDPR, by publishing the CVs online without a legal basis. Further, because the controller is subject to a national rule stipulating that the information in the CVs is confidential, the DPA held that it had also violated Article 5(1)(f) GDPR.

Consequently, the DPA has notified NAV of its intention to impose a fine of NOK 5,000,000 (approx. €486,700). NAV has three weeks to comment on the notice.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

THE LABOUR AND WELFARE ADMINISTRATION
PO Box 5 St Olavs Plass
0130 OSLO

Your reference: AV29358
Our reference: 21/00872-7
Date: 23.05.2022



Notification of decision on infringement fine - NAV - Publication of CVs on arbeidplassen.no


The Norwegian Data Protection Authority refers to the personal data breach notification (hereinafter "the breach notification") submitted on 17.02.21, the follow-up notification of 23.04.21, the final notification of 17.11.21, our request for additional documentation of 23.02.22, the submission of documentation on 02.03.22, and contact with the data protection officer of the Norwegian Labour and Welfare Administration (NAV) during the processing of the case.

We have also received 18 complaints from private individuals affected by the incident described in the breach notification. The processing of this case is consequently both a follow-up of the breach notification, including the subsequent additional notifications, and of these complaints, which are dealt with together.


1. Notification of decision on infringement fine
We hereby give notice that, pursuant to Article 58(2)(i) GDPR, cf. Article 83 GDPR and § 26 of the Personal Data Act, we will make the following decision on an infringement fine:

      The Norwegian Labour and Welfare Administration (NAV) is ordered to pay an infringement fine of NOK 5,000,000 - five million kroner - to the Treasury for violation of Article 5(1)(a) GDPR and Article 6(1) GDPR, cf. Article 6(3), as a result of processing personal data without a legal basis, and for violation of Article 5(1)(f) GDPR, as a result of personal data having been processed in a manner that did not ensure adequate security of the personal data.

2. Background of the case
Since 2001, NAV has had digital solutions for making jobseekers' CVs available to logged-in employers. In February 2019, NAV launched a new solution for publishing CVs on arbeidsplassen.nav.no (hereinafter "Arbeidsplassen"). On Arbeidsplassen, jobseekers can voluntarily register their CV on the basis of consent. However, in the "candidate search" that employers use, NAV also published by default the CVs of all jobseekers under follow-up from NAV. The incident concerns the making available of CVs that was not based on consent.

Postal address: PO Box 458 Sentrum, 0105 OSLO | Office address: Trelastgata 3, 0191 OSLO | Telephone: 22 39 69 00 | Org.nr: 974 761 467 | Website: www.datatilsynet.no

Following an inquiry to NAV's data protection officer from a registered jobseeker in the autumn of 2020, NAV conducted a new review of the legal basis for publishing CVs. After the review, NAV concluded that the publication lacked a legal basis under Article 6(1) GDPR. Further investigations concluded that the publication had lacked a legal basis as far back as 2001. NAV's assessment is that sharing a CV without consent in self-service solutions requires a supplementary legal basis in national law, and that the provisions of the NAV Act and the Labour Market Act that regulate employment services do not authorise such processing.

The CVs contain information about the data subjects such as name, place of residence, date of birth, telephone number, e-mail address, education, work experience and other experience, courses, driving licences, access to vehicles, approvals (certifications and the like), languages, stated competencies and job wishes. NAV's CV solution is partly based on free-text fields, and special categories of personal data may therefore also be entered by users.

The solutions have also made it possible to generate candidate lists based on employers' searches.


In an additional notification dated 23.04.21, NAV states that the information in the CVs is subject to a duty of confidentiality pursuant to § 7 of the NAV Act, and that the exception in that provision for employment services does not apply.

NAV has stated that 535,900 CVs are covered by the solution from 2019, and estimates that the maximum number of persons affected in previous solutions is 1.8 million. We understand that all enterprises registered in the Aa register (the Employer and Employee Register) have in principle been able to obtain access to Arbeidsplassen.

Employers' access to all CVs of jobseekers under follow-up was closed on 17.02.21, and employers and temporary employment agencies were told to delete any downloaded or stored information. Those who were, or had been, registered in the solution from 2019 have been notified of the incident in person, or notification has been attempted. NAV created a separate page on nav.no and placed a notification banner on the registration pages for CVs and the candidate search. NAV has assessed that the risk for those registered in the solutions before 2019 does not require that they be notified. Decisions made on an incorrect basis as a result of the breach are to be reversed back to 2016; for decisions made before 2016, NAV will provide general information about the error and about what users must do to obtain a new assessment of previous decisions.

3. Legal background

3.1 Choice of law
The GDPR was incorporated into Norwegian law through a new Personal Data Act, which entered into force in 2018. The Act also repealed the Personal Data Act (2000) and the rules in the Personal Data Regulations (2000).





The processing of CVs without a legal basis dates back to 2001, before the entry into force of the Personal Data Act (2018), but has also persisted in the time since, until February 2021. It must therefore be decided whether the case is to be assessed under the Personal Data Act (2018) or the Personal Data Act (2000).

There is a special transitional rule on infringement fines in § 33 first paragraph of the Personal Data Act (2018), which reads:

      The rules on the processing of personal data that applied at the time of the act shall form the basis when a decision on an infringement fine is made. The legislation in force at the time of the decision shall nevertheless be applied when this leads to a more favourable result for the controller.

The question of choice of law must therefore be assessed on the basis of what is considered the time of the act.

The breach in question arose before the entry into force of the new rules on 20.07.2018, but persisted until the processing of personal data was brought into conformity with the rules - in this case until employers' access to the CVs was closed on 17.02.21. Since the act in this case continued over time, including after the entry into force of the Personal Data Act (2018), it follows from § 33 of the Personal Data Act (2018) that the case shall be assessed under the Personal Data Act (2018).


We also refer to the preparatory works for the Personal Data Act (2018) (Prop. 56 LS (2017-2018) page 196), where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018):

      The starting point will be that decisions of the Norwegian Data Protection Authority and the Privacy Appeals Board must be made on the basis of the substantive rules in force at any given time.

The same follows from the Privacy Appeals Board's practice in cases that were brought before the Board before the new Act came into force but were decided after its entry into force; see for example PVN-2018-05 and PVN-2018-06.

On this basis, it is in our assessment clear that the case must be assessed under the Personal Data Act (2018) and the GDPR.


3.2 The basic principles for the processing of personal data
The basic principles for the processing of personal data are set out in Article 5(1)(a)-(f) GDPR.

It follows from letter (a) that personal data shall be processed "lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')", and from letter (f) that they shall be processed "in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')". The controller is responsible for ensuring that the principles are complied with, cf. Article 5(2).





3.3 Requirements for a legal basis
The processing of personal data is lawful only if at least one of the legal bases in Article 6(1)(a)-(f) GDPR applies. Processing based on Article 6(1)(c) or (e) also requires a supplementary legal basis in Union law or national law.

3.4 In particular on the imposition of infringement fines
According to Article 58(2)(i) GDPR, cf. § 26 second paragraph of the Personal Data Act, the Norwegian Data Protection Authority may impose an infringement fine on public authorities in accordance with the rules in Article 83 GDPR in the event of a breach of the rules.

An infringement fine is to be regarded as a penalty under Article 6 of the European Convention on Human Rights. A clear preponderance of probability is therefore required before an infringement can give rise to a fine.


In HR-2021-797-A, the Supreme Court ruled that strict liability for the imposition of corporate penalties is not compatible with the concept of punishment in the European Convention on Human Rights as interpreted by the European Court of Human Rights. This means that it is a requirement that the person who acted on behalf of the enterprise showed ordinary negligence.[1]

The conditions for imposing a fine are set out in Article 83 GDPR. The provision indicates in principle that the imposition of an infringement fine rests on a discretionary overall assessment, but lays down guidelines for the exercise of that discretion by highlighting factors that are to be given particular weight.

With regard to the size of the fine, Article 83(4) and (5) set maximum amounts depending on which provisions of the Regulation have been violated. The factors that are to be given particular weight when assessing whether a fine is to be imposed also apply to the measurement of the fine. The fine should be set high enough that it also has an effect beyond the specific case, while the amount must at the same time be reasonably proportionate to the infringement and the undertaking, cf. Article 83(1).


4. The Norwegian Data Protection Authority's assessment

4.1 The requirement of culpability
The Norwegian Data Protection Authority assumes that NAV, through the Director of Labour and Welfare, has acted negligently, cf. HR-2021-797-A, cf. Article 5(2) GDPR, and that the requirement of culpability is thus fulfilled (cf. section 3.4 above).

4.2 Legal basis for processing personal data (basis for processing)
NAV has stated that Article 6(1)(e), which applies to the exercise of official authority, has been considered the most relevant basis for processing. Processing of personal data on this basis requires a supplementary legal basis in Union law or national law, cf. Article 6(3). No other basis for processing is considered relevant by NAV.

[1] The Ministry of Justice and Public Security's briefing of 12 May 2021, sent in a letter dated 02.06.21 from the Ministry of Local Government and Modernisation.

NAV has concluded that a legal basis for making all jobseekers' CVs available to employers is lacking, because the rules governing employment services, including § 10 of the Labour Market Act and § 4 of the NAV Act, do not authorise such processing. NAV has obtained an external legal assessment from the law firm Wiersholm, which agrees with NAV's assessment. The provisions of the Labour Market Act and the NAV Act that apply to employment services require an active link between the jobseeker and the employer, which the self-service solution on Arbeidsplassen, and those in previous solutions, do not satisfy.

NAV is best placed to interpret the rules that regulate NAV's own tasks, and we rely on the assessment NAV has made of its legal basis for employment services. On this basis we conclude that NAV has violated the requirement of a legal basis for processing personal data in Article 6(1) GDPR, cf. Article 6(3).

Processing of personal data without a legal basis under Article 6(1) is also not in compliance with the basic requirement in Article 5(1)(a) GDPR.

4.3 Information security
The information contained in the CVs is confidential under § 7 of the NAV Act. NAV has itself assumed that the publication of personal data in question conflicts with this confidentiality provision. NAV has concluded that the exception in the provision for employment services does not apply, based on its assessment of what requirements are set for employment services, cf. section 4.1.

We have relied on NAV's assessment, and we have concluded that the breach of the statutory duty of confidentiality also constitutes a breach of the principle of confidentiality in Article 5(1)(f) GDPR.

4.3 Imposition of infringement fines
The Norwegian Data Protection Authority has concluded that NAV has violated Article 6(1) GDPR, cf. Article 6(3). In addition, we have concluded that both Article 5(1)(a) and Article 5(1)(f) GDPR have been violated. There are thus several infringements that can provide a basis for imposing an infringement fine.

The incident largely took place before the Personal Data Act and the GDPR entered into force in 2018. The Norwegian Data Protection Authority could also impose infringement fines previously, cf. § 46 of the Personal Data Act (2000), but the amount was then limited to a maximum of 10 times the National Insurance basic amount (currently approx. NOK 1,060,000). However, we refer to the discussion in section 3.1 and assume that the fine is to be measured according to the new rules.

There is thus a basis for imposing on NAV an infringement fine of up to EUR 20,000,000 (at present approx. NOK 200,000,000), cf. Article 83(5) GDPR. We will nevertheless take into account that the breach was also ongoing during the period when the previous data protection rules applied.





Article 83(2) GDPR sets out factors that must be taken into account in deciding whether an infringement fine is to be imposed, as well as its amount. Below follows our assessment of the factors we consider relevant in assessing whether an infringement fine must be imposed:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them,
NAV has violated basic requirements for the processing of personal data - the requirement of a legal basis in Article 6(1) and the principles in Article 5(1)(a) and (f).

The availability of CVs on Arbeidsplassen and similar solutions has been going on for approx. 20 years, and a very large number of data subjects are affected, cf. section 2 above.


The purpose of the processing has been to make users' information available, and the processing has been used as a condition for persons under follow-up to receive or retain services and benefits from NAV. Some of these may have received a decision to stop benefits for not having fulfilled the condition.

b) whether the infringement was committed intentionally or negligently,
The infringement occurred because NAV did not detect, over the years that Arbeidsplassen and similar solutions have been in use, that national law does not authorise the publication of CVs in self-service solutions, see section 4.1 above. The requirement of an active link between the jobseeker and the employer in the case of employment services appears from the preparatory works to rules that NAV itself administers.

The Norwegian Data Protection Authority finds that NAV, through the Director of Labour and Welfare, has acted negligently, cf. HR-2021-797-A, cf. Article 5(2) GDPR.


c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects,
Employers' access to the CVs has been closed. The users affected by the breach in the new solution from 2019 have been notified. Information about the breach in previous solutions has been given in general form on nav.no. NAV has carried out a manual review back to 2016 to uncover and reverse any invalid administrative decisions.


d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32,
Not relevant in this case.

e) any relevant previous infringements by the controller or processor,
There are no previous infringements that are considered relevant to this case.

f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement,





NAV reported to the supervisory authority after it was established that the publication of CVs did not have a legal basis, and has subsequently submitted updates on measures and been available during the processing of the case.

g) the categories of personal data affected by the infringement,
The CVs contain information such as name, place of residence, date of birth, contact information, education, work experience and other experience, courses, driving licences, access to vehicles, approvals (certifications and the like), languages, stated competencies and job wishes. NAV's CV solution is partly based on free-text fields, and special categories of personal data, for example health information or information about ethnicity, can therefore also be entered by users. We have no definite evidence that special categories of personal data have been entered, and for that reason we have not given this weight in an aggravating direction. The information is subject to a duty of confidentiality pursuant to § 7 of the NAV Act.


h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement,
NAV submitted a personal data breach notification on 17.02.21.

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures,
No measures have previously been taken against NAV with regard to the same subject matter.

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42, and
Not relevant to the case.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement,
NAV is in a special position of power vis-à-vis its users, who have limited opportunities to influence NAV's use of personal data, especially where that use is linked to services and benefits the individual depends on.


4.4 Overall assessment
The Norwegian Data Protection Authority views NAV's follow-up of the breach positively, both towards the data subjects and towards the supervisory authority.

It is nevertheless very serious that an authority such as NAV lacks a legal basis for long-term and intrusive processing of personal data concerning such a large number of data subjects. NAV's processing of users' personal data is largely based on statutory bases for processing. NAV therefore has a special responsibility to ensure that the legal basis is adequate for the processing that is carried out.






After an overall assessment, the Norwegian Data Protection Authority has concluded that NAV should be ordered to pay an infringement fine.

5. Measurement of the fine
In assessing the size of the fine, we have emphasised that NAV has violated basic and central provisions of the GDPR. NAV has made confidential information about a large number of people available for a very long time, without a basis for processing, and has set this availability as a condition for receiving services and benefits.

We have also placed considerable emphasis on the balance of power in the relationship between NAV and the individual users, who were incorrectly informed that registration in the solution was a condition for being registered as a jobseeker, and thus for receiving benefits from NAV.


As controller, NAV is responsible for ensuring that the processing it carries out is lawful, and the breach is due to a misinterpretation of NAV's own rules.

In a mitigating direction, we have taken into account that NAV itself reported the breach to us when it became clear that the processing lacked a legal basis, and that the breach was followed up in a good way. We also give weight to the fact that a significant part of the unlawful processing took place in the period when the Personal Data Act (2000) applied.


After an overall assessment of the above factors, and in view of the gravity of the infringement and the legislation's requirement that an infringement fine in each individual case be effective, proportionate and dissuasive, we have concluded that an infringement fine of NOK 5,000,000 - five million kroner - is appropriate.


5. Further proceedings
This is advance notice of a decision on an infringement fine, cf. § 16 of the Public Administration Act. If you have comments on the notice, we ask that these be sent to us within three weeks of receipt of this letter.

If you have any questions, you can contact Kristin Lindberg on telephone 22 39 69 62, or e-mail
kkl@datatilsynet.no.


6. Transparency and publicity
You have the right to access the case documents, cf. § 18 of the Public Administration Act. We also note that all the documents are in principle public, cf. § 3 of the Freedom of Information Act.


With best regards

Janne Stang Dahl
acting director

Kristin Karlsen Lindberg
legal counsel
The document is electronically approved and therefore has no handwritten signatures.