Datatilsynet (Norway) - 21/00872: Difference between revisions

From GDPRhub
No edit summary
(Updated with final decision)
 
Line 11: Line 11:


|Original_Source_Name_1=Datatilsynet
|Original_Source_Name_1=Datatilsynet
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/7c0b5a6b0dd54ea38e2706a7d37ae60b/~-21_00872-7-varsel-om-vedtak-om-overtredelsesgebyr---nav---publisering-av-cv-pa-arbeidsplassen-268675_20_1.pdf
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/92b3164171544950b52f46e9d698d7a2/vedtak-om-overtredelsesgebyr---publisering-av-cv-pa-arbeidsplassen.pdf
|Original_Source_Language_1=Norwegian
|Original_Source_Language_1=Norwegian
|Original_Source_Language__Code_1=NO
|Original_Source_Language__Code_1=NO
|Original_Source_Name_2=Datatilsynet (press release)
|Original_Source_Name_2=Datatilsynet (press release)
|Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/varsel-om-overtredelsesgebyr-til-nav/
|Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/endelig-vedtak-om-overtredelsesgebyr-til-nav/
|Original_Source_Language_2=Norwegian
|Original_Source_Language_2=Norwegian
|Original_Source_Language__Code_2=NO
|Original_Source_Language__Code_2=NO
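Review bot: the infobox names are left stale while the links change: |Original_Source_Link_1= and |Original_Source_Link_2= now point at the final decision and the final-decision press release, but |Original_Source_Name_1=Datatilsynet and |Original_Source_Name_2=Datatilsynet (press release) stay as they were, so the reader cannot see from the infobox which of the two documents (the 23.05.2022 notice or the 21.06.2022 decision) is linked. Name them explicitly, e.g. `Datatilsynet (final decision)`, or keep the notice PDF as an additional source, since the quoted decision text below still refers to "notification of decision on infringement fee dated 23.05.22".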
Line 73: Line 73:
}}
}}


The Norwegian DPA intends to fine the Labour and Welfare Administration €486,700 for publishing CVs and confidential personal data of 1,8 million data subject online without a legal basis, in breach of [[Article 6 GDPR#1|Articles 6(1)]], [[Article 6 GDPR#3|(3)]] and [[Article 5 GDPR#1a|Article 5(1)(a)]], and [[Article 5 GDPR|5(1)(f) GDPR]].
The Norwegian DPA fined the Labour and Welfare Administration €486,700 for publishing CVs and confidential personal data of 1,8 million data subject online without a legal basis, in breach of [[Article 6 GDPR#1|Articles 6(1)]], [[Article 6 GDPR#3|(3)]] and [[Article 5 GDPR#1a|Article 5(1)(a)]], and [[Article 5 GDPR|5(1)(f) GDPR]].


== English Summary ==
== English Summary ==
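Review bot: the rewritten lead sentence carries over two defects from the old version: "1,8 million data subject" should read "1.8 million data subjects" (the quoted decision itself gives the figure as "1.8 million"), and the final link "[[Article 5 GDPR|5(1)(f) GDPR]]" has no section anchor although the summary below links the same provision as [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]; use the #1f anchor here as well.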
Line 91: Line 91:
The DPA held that the controller had violated [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 6 GDPR#3|Article 6(3) GDPR]], thus also [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], for lack of legal basis for publishing CVs online. Further, as the controller is subject to a national regulation stipulating that the information in the CVs is confidential, the DPA held that they had violated [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].
The DPA held that the controller had violated [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 6 GDPR#3|Article 6(3) GDPR]], thus also [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], for lack of legal basis for publishing CVs online. Further, as the controller is subject to a national regulation stipulating that the information in the CVs is confidential, the DPA held that they had violated [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].


Consequently, the DPA has notified NAV of a €486,700 (NOK 5,000,000) fine. They have three weeks to comment on the decision.
For these violations, the DPA fined NAV (the controller) €486,700 (NOK 5,000,000).


== Comment ==
== Comment ==
Line 103: Line 103:


<pre>
<pre>
THE LABOR AND WELFARE AUTHORITY
THE LABOR AND WELFARE AUTHORITY
PO Box 5 St Olavs Plass
PO Box 354
0130 OSLO
8601 MO I RANA
 
 
 
 
 
 






Their reference Our reference Date
Their reference Our reference Date
AV29358 21 / 00872-7 23.05.2022
AV29358 21 / 00872-11 21.06.2022
 
 
 
Notification of decision on violation fee - NAV - Publication of CV on
arbeidplassen.no




The Norwegian Data Protection Authority refers to reports of breaches of personal data security (hereinafter)
deviation message) submitted 17.02.21, follow-up message dated 23.04.21, final message
of 17.11.21, our request for additional documentation of 23.02.22, submission of
documentation 02.03.22, and contact with the privacy representative in the Labor and Welfare Service


(NAV) during the case processing.
Decision on infringement fee - Publication of CV on arbeidplassen.no - NAV


We have also received 18 complaints from private individuals affected by the incident described in
The Data Inspectorate refers to previous correspondence and contact in connection with notification of breaches
on personal data security (hereinafter non-conformance report) submitted 17.02.21, latest ours


the deviation message. The processing of this case is consequently both a follow-up of
notification of decision on infringement fee dated 23.05.22 and their response to notification of decision
the deviation report, including subsequent additional reports, and these complaints, that is
dated 08.06.22.
treated together.




Notification of decision on infringement fine
1. Decision on infringement fines
We hereby warn that we, pursuant to the Privacy Ordinance art. 58 no. 2 letter i, cf.
Pursuant to the Privacy Ordinance art. 58 no. 2 letter i, cf. art. 83 and
species. 83 and the Personal Data Act § 26 will make the following decisions on infringement fines:
§ 26 of the Personal Data Act, the following decisions are made on infringement fines:




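Review bot: in the pasted decision text the Norwegian abbreviation "art." has been machine-translated as "species." at the line "species. 83 and the Personal Data Act § 26 will make the following decisions", and the block alternates between "Privacy Ordinance"/"Regulation" and "infringement fee"/"infringement fine" for the same terms; fix "species." to "art." and settle on one rendering before publishing. The old and new letterheads and reference lines have also been interleaved line by line (PO Box 5 St Olavs Plass / PO Box 354, 0130 OSLO / 8601 MO I RANA, 21 / 00872-7 23.05.2022 / 21 / 00872-11 21.06.2022), which is unreadable in this form; the final version should carry only the 21.06.2022 header.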
Line 150: Line 135:
       of the Privacy Ordinance art. 5 No. 1 letter f, as a result of that
       of the Privacy Ordinance art. 5 No. 1 letter f, as a result of that
       personal data has been processed in a way that has not been adequately secured
       personal data has been processed in a way that has not been adequately secured
      security of personal data.


      security of personal data.


2. Background of the case
2. Background of the case
Since 2001, NAV has had digital solutions for making jobseekers' CVs available
Since 2001, NAV has had digital solutions for making jobseekers' CVs available
logged in employers. In February 2019, NAV launched a new solution for publishing CVs


logged in employers. In February 2019, NAV launched a new solution for publishing CVs
at the workplace.nav.no (hereinafter «the workplace»). In the workplace, volunteers can
at the workplace.nav.no (hereinafter «the workplace»). In the workplace, volunteers can
Job seekers register their resume based on consent. However, NAV also has in
Job seekers register their resume based on consent. However, NAV also has in
The "candidate search" that employers use, by default published CVs from everyone
The "candidate search" that employers use, by default published CVs from


all jobseekers under follow-up from NAV. The incident is related to the making available
of CVs that were not based on consent.


Postal address: Office address: Telephone: Org.nr: Website:
Following an inquiry to the privacy representative in NAV from a registered jobseeker in the autumn of 2020,
PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO, jobseekers under follow-up from NAV. The event is related to the making available of
CVs that were not based on consent.


Following an inquiry to the privacy representative in NAV from a registered jobseeker in the autumn of 2020,
NAV conducted a new review of the legal basis for publishing CVs.
NAV conducted a new review of the legal basis for publishing CVs.
After the review, NAV concluded that the publication lacked a legal basis
After the review, NAV concluded that the publication lacked a legal basis
the Privacy Ordinance art. 6 No. 1. Further investigations concluded that the publication
the Privacy Ordinance art. 6 No. 1. Further investigations concluded that the publication


lacked a legal basis back to 2001. NAV's assessment is that sharing a CV without consent in
 
Postal address: Office address: Telephone: Org.nr: Homepage:
PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO, lacked a legal basis back to 2001. NAV's assessment is that sharing a CV without consent in
self-service solutions require a supplementary legal basis in national law, and that the provisions
self-service solutions require a supplementary legal basis in national law, and that the provisions
in the NAV Act and the Labor Market Act, which regulate employment services, do not authorize such
in the NAV Act and the Labor Market Act, which regulate employment services, do not authorize such an arrangement
treatment.
treatment.


The CVs contain information about the registered persons such as name, place of residence, date of birth, telephone number, e-mail address, education, work experience and other experience, courses, driver's licenses, access to vehicles, approvals (certifications and the like), language, stated competencies and job wishes. NAV's CV solution is partly based on free text fields and special categories
The CVs contain information about the registered persons such as name, place of residence, date of birth,
telephone number, e-mail address, education, work experience and other experience, courses, driver's licenses,
 
access to vehicles, approvals (certifications and the like), language, stated competencies
and job wishes. NAV's CV solution is partly based on free text fields and special categories
personal information may therefore also be entered by users.
personal information may therefore also be entered by users.


The solutions have also provided the opportunity for generating candidate lists based on employers's
The solutions have also provided the opportunity for generating candidate lists based on employers'
search.
search.




In an additional report dated 23.04.21, it is stated that the information that appears in the CVs is
In an additional report dated 23.04.21, it is stated that the information that appears in the CVs is
subject to a duty of confidentiality pursuant to section 7 of the NAV Act, and that the exception in this provision that applies
subject to a duty of confidentiality pursuant to section 7 of the Norwegian Labor and Welfare Administration Act, and that the exception in this provision that applies
for employment services does not apply.
for employment services does not apply.


NAV has stated that 535,900 CVs are covered by the solution from 2019, and estimates that it
NAV has stated that 535,900 CVs are covered by the solution from 2019, and estimates that it
maximum number affected in previous solutions is 1.8 million. We understand it so that everyone
maximum number affected in previous solutions is 1.8 million. We understand it so that everyone
companies that are registered in the Aa register have initially had the opportunity to access


companies that are registered in the Aa register have initially had the opportunity to access
the workplace.
the workplace.


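Review bot: PDF page-footer residue has been pasted into the body of section 2 at the lines beginning "Postal address: Office address: Telephone: Org.nr:" and "PO Box 458 SentrumTrelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1"; the second occurrence splices into the middle of the sentence "...lacked a legal basis back to 2001. NAV's assessment is that...", so strip both footer runs and the duplicated sentence fragments. The site name is also inconsistent: the translation renders it as "the workplace.nav.no (hereinafter «the workplace»)" while the document title spells it "arbeidplassen.no" (missing an s) and the source URL has "arbeidsplassen"; use arbeidsplassen.no throughout.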
Line 212: Line 202:
the Personal Data Regulations (2000).
the Personal Data Regulations (2000).


Processing of CVs without a legal basis dates back to 2001, before the entry into force of
the Personal Data Act 2018, but has also persisted in the time since, until February 2021. It


                                                                                              2, Processing of CVs without a legal basis dates back to 2001, before the entry into force of
the Personal Data Act 2018, but has also persisted in the time since, until February 2021. It
must therefore decide whether the case is to be assessed in accordance with the Personal Data Act (2018) or
must therefore decide whether the case is to be assessed in accordance with the Personal Data Act (2018) or
the Personal Data Act (2000).
the Personal Data Act (2000).


There is a special transitional rule in the Personal Data Act (2018) § 33 first paragraph
The Personal Data Act (2018) § 33 first paragraph contains a special transitional rule
infringement fine, which reads:
infringement fine, which reads:




      The rules on the processing of personal data that applied to
 
 
                                                                                              2, The rules on the processing of personal data that applied to
       the time of action, shall be used as a basis when a decision is made
       the time of action, shall be used as a basis when a decision is made
       infringement fine. The legislation at the time of the decision shall nevertheless
       infringement fine. The legislation at the time of the decision shall nevertheless
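Review bot: the PDF page number has been fused into the text at the two heavily indented lines starting "2, Processing of CVs without a legal basis" and "2, The rules on the processing of personal data", each of which also duplicates the lines immediately above it; drop the duplicates together with the leading "2,". The sentence "There is a special transitional rule in the Personal Data Act (2018) § 33 first paragraph / infringement fine, which reads:" is still missing its preposition in both columns (the rule is a transitional rule "for" infringement fines).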
Line 231: Line 220:


The question of choice of law must therefore be assessed on the basis of what is considered the time of action.
The question of choice of law must therefore be assessed on the basis of what is considered the time of action.
The relevant deviation arose before the entry into force of new regulations on 20.07.2018, but persisted


The relevant deviation arose before the entry into force of new regulations on 20.07.2018, but persisted
until the processing of personal data was brought in accordance with the regulations - in this
until the processing of personal data was brought in accordance with the regulations - in this
the case until employers' access to the CVs was closed on 17.02.21. Eventually
the case until employers' access to the CVs was closed on 17.02.21. Eventually
Line 239: Line 228:
shall be assessed in accordance with the Personal Data Act (2018).
shall be assessed in accordance with the Personal Data Act (2018).


We also refer to the preparatory work for the Personal Data Act (2018) (Prop. 56 LS (2017-2018)


We also refer to the preparatory work for the Personal Data Act (2018) (Prop. 56 LS (2017-2018)
page 196), where the Ministry states, among other things, the following on the question of choice of law between
page 196), where the Ministry states, among other things, the following on the question of choice of law between
the Personal Data Act (2000) and the Personal Data Act (2018):
the Personal Data Act (2000) and the Personal Data Act (2018):


       The starting point will be that decisions by the Norwegian Data Protection Authority and the Privacy Board will
       The starting point will be that decisions by the Data Inspectorate and the Privacy Board will
       had to be made on the basis of the material rules in force at any given time.
       had to be made on the basis of the material rules in force at any given time.


The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law


The same follows from the Privacy Board's practice in cases that were submitted to the board before
entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and
new law came into force, but which was considered after the entry into force; see for example PVN-
PVN-2018-06.
2018-05 and PVN-2018-06.


On the basis of this, it is in our assessment clear that the case must be assessed accordingly
On the basis of this, it is in our assessment clear that the case must be assessed accordingly
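Review bot: the quoted preparatory-work passage names the authority "the Norwegian Data Protection Authority" in the old column and "the Data Inspectorate" in the new one (line starting "The starting point will be that decisions by"), and the same alternation recurs through the whole block; pick one English name for Datatilsynet, preferably the one the GDPRhub summary already uses ("the Norwegian DPA" / "Norwegian Data Protection Authority").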
Line 262: Line 251:
It follows from letter a that personal data shall be processed in a “legal, fair and open manner
It follows from letter a that personal data shall be processed in a “legal, fair and open manner
with regard to the data subject ("legality, fairness and transparency") ", and" in a manner
with regard to the data subject ("legality, fairness and transparency") ", and" in a manner
which ensures adequate security of personal data, including protection against unauthorized or


which ensures adequate security of personal data, including protection against unauthorized or
illegal treatment and against unintentional loss, destruction or damage, using appropriate technical
illegal treatment and against unintentional loss, destruction or damage, using appropriate technical
or organizational measures ("integrity and confidentiality") ", cf. letter f.
or organizational measures ("integrity and confidentiality") ", cf. letter f.
treatment managers who are responsible for ensuring that the principles are complied with, cf. art. 5 No. 2.
treatment managers who are responsible for ensuring that the principles are complied with, cf. art. 5 No. 2.


3.3 Requirements for legal basis
The processing of personal data is only legal if at least one of the legal bases
in the regulation art. 6 No. 1 letter a-f applies. Treatments based on


species. 6 no. 1 letter c and e also requires a supplementary legal basis in Union law or
National dish.
3.4 In particular on the imposition of infringement fines






                                                                                                3,3.3 Requirements for legal basis
The processing of personal data is only legal if at least one of the legal bases
in the regulation art. 6 No. 1 letter a-f applies. Treatments based on
species. 6 no. 1 letter c and e also requires a supplementary legal basis in Union law or


National dish.


3.4 In particular on the imposition of infringement fines
                                                                                                3, According to the Regulation art. 58 no. 2 letter i, cf. the Personal Data Act § 26 second paragraph,
According to the regulation art. 58 no. 2 letter i, cf. the Personal Data Act § 26 second paragraph,
the Data Inspectorate may impose an infringement fine on public authorities in accordance with the rules in
the Data Inspectorate may impose an infringement fine on public authorities in accordance with the rules in
Regulation Art. 83 in the event of a breach of the regulations.
Regulation Art. 83 in the event of a breach of the regulations.
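Review bot: in 3.3 "National dish." is a mistranslation of the Norwegian term for national law (nasjonal rett) and "species. 6 no. 1 letter c and e" should read "art. 6 no. 1 letter c and e"; the whole of 3.3 and the 3.4 heading are additionally duplicated after a fused page number at the line "3,3.3 Requirements for legal basis" and again at "3, According to the Regulation art. 58 no. 2 letter i". The line "treatment managers who are responsible for ensuring that the principles are complied with, cf. art. 5 No. 2." begins mid-sentence, with the start of that sentence lost in extraction, and "treatment managers" is the machine rendering of "controllers". Fix the terms, remove the duplicated run, and restore the cut sentence from the source PDF.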
Line 288: Line 278:
human rights convention art. 6. A clear preponderance of probabilities is therefore required for offenses
human rights convention art. 6. A clear preponderance of probabilities is therefore required for offenses
to be able to charge a fee.
to be able to charge a fee.


In HR-2021-797-A, the Supreme Court ruled that strict liability for the imposition of corporate penalties
In HR-2021-797-A, the Supreme Court ruled that strict liability for the imposition of corporate penalties
is not compatible with the concept of punishment in the European Convention on Human Rights, as it is
is not compatible with the concept of punishment in the European Convention on Human Rights, as it is
interpreted by the European Court of Human Rights. This means that a requirement is set
 
that the person who has acted on behalf of the company has shown general negligence. 1
interpreted by the European Court of Human Rights. This means that a 1rav is set up
that the person who has acted on behalf of the company has shown general negligence.


The conditions for the imposition of a fee are set out in the ordinance art. 83. The provision provides in
The conditions for the imposition of a fee are set out in the ordinance art. 83. The provision provides in
basically an instruction that the imposition of an infringement fee is based on a discretionary


basically an indication that the imposition of an infringement fee is based on a discretionary
overall assessment, but lays down guidelines for the exercise of discretion by highlighting factors such as
overall assessment, but lays down guidelines for the exercise of discretion by highlighting
special weight shall be given.
moments to be given special weight.


With regard to the size of the fee, Art. 83 Nos. 4 and 5 maximum rates for the fee
With regard to the size of the fee, Art. 83 Nos. 4 and 5 maximum rates for the fee
size depending on which provisions of the Regulation have been violated. The same
size depending on which provisions of the Regulation have been violated. The same
the factors which, when assessing whether a fee is to be imposed, shall be given special weight also
the factors which, when assessing whether a fee is to be imposed, shall be given special weight also
the measurement. The fee should be set so high that it also has an effect beyond the specific case,
the measurement. The fee should be set so high that it also has an effect beyond the specific case,
at the same time as the amount of the fee must be in a reasonable proportion to the infringement and the business,
at the same time as the amount of the fee must be in a reasonable proportion to the infringement and the business,
cf. art. 83 No. 1.
cf. art. 83 No. 1.


4. The Danish Data Protection Agency's assessment


4. The Danish Data Protection Agency's assessment


4.1 The debt claim
4.1 The debt claim
The Norwegian Data Protection Authority has assumed that NAV, through the Director of Labor and Welfare, has acted
The Norwegian Data Protection Authority has assumed that NAV, through the Director of Labor and Welfare, has acted
negligent, cf. HR-2021-797-A, cf. the regulation art. 5 no. 2, and that the guilt claim is thus
negligent, cf. HR-2021-797-A, cf. the regulation art. 5 no. 2, and that the claim for guilt is thus
fulfilled (cf. section 3.4 above).


fulfilled (cf. section 3.4 above).


4.2 Legal basis for processing personal data (basis for processing)
4.2 Legal basis for processing personal data (basis for processing)
NAV has stated that art. 6 no. 1 letter e, which applies to the exercise of public authority, has
NAV has stated that art. 6 no. 1 letter e, which applies to the exercise of public authority, has
been considered as the most relevant basis for treatment. Processing of personal data
been considered the most relevant treatment basis. Processing of personal data
on this basis requires a supplementary legal basis in Union law or national law, cf. art.
6 no. 3. No other treatment basis is considered relevant by NAV.


NAV has concluded that there is a legal basis for making all jobseekers' CVs available
for employers is missing because the regulations governing employment services, including
the Labor Market Act § 10 and the NAV Act § 4, do not authorize such treatment. NAV has
obtained an external legal assessment from the law firm Wiersholm, which agrees with
NAV's assessment. The provisions of the Labor Market Act and the NAV Act that apply




1
1
  The Ministry of Justice and Emergency Management's briefing of 12 May 2021, sent in a letter dated 02.06.21 from Kommunal-
  The Ministry of Justice and Emergency Preparedness' briefing of 12 May 2021, sent in a letter dated 02.06.21 from Kommunal-
and the Ministry of Modernization.
and the Ministry of Modernization.






                                                                                                 4, on this basis requires a supplementary legal basis in Union law or national law, cf. art.
                                                                                                 4, employment service requires an active link between the jobseeker and the employer, which
6 no. 3. No other treatment basis is considered relevant by NAV.
 
NAV has concluded that there is a legal basis for making all jobseekers' CVs available
for employers is lacking because the regulations governing employment services, including
the Labor Market Act § 10 and the NAV Act § 4, do not authorize such treatment. NAV has
obtained an external legal assessment from the law firm Wiersholm, which agrees with
 
NAV's assessment. The provisions of the Labor Market Act and the NAV Act that apply
employment service requires an active link between the jobseeker and the employer, which
the self-service solution in the workplace and those in previous solutions, do not satisfy.
the self-service solution in the workplace and those in previous solutions, do not satisfy.


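Review bot: the heading "4. The Danish Data Protection Agency's assessment" is wrong for a Datatilsynet (Norway) decision, as the page title states and as the same body renders it elsewhere ("The Norwegian Data Protection Authority has assumed that NAV..."); correct it to the Norwegian authority. In the same hunk the HR-2021-797-A paragraph is garbled in the new column ("This means that a 1rav is set up", where the old column reads "a requirement is set") because the footnote marker "1" has been fused into the word, and footnote 1 itself ("The Ministry of Justice and Emergency Management's briefing of 12 May 2021 ...") together with a fused page number "4," has landed in the middle of section 4.2, duplicating the lines on art. 6 no. 3 and the Wiersholm assessment; move the footnote to the end of the block and delete the duplicate run.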
Line 345: Line 334:
on the basis of the assessment NAV has made of its legal basis for employment services. Based
on the basis of the assessment NAV has made of its legal basis for employment services. Based
from this we come to the conclusion that NAV has violated the requirement for a legal basis for processing
from this we come to the conclusion that NAV has violated the requirement for a legal basis for processing
personal data in the regulation art. 6 No. 1, cf. No. 3.


personal data in the regulation art. 6 No. 1, cf. No. 3.


Processing of personal data without legal basis according to art. 6 No. 1 is also not in
Processing of personal data without legal basis according to art. 6 No. 1 is also not in
Line 353: Line 342:
4.3 Information security
4.3 Information security
The information contained in the CVs is confidential in accordance with the Norwegian Labor and Welfare Administration Act § 7. NAV
The information contained in the CVs is confidential in accordance with the Norwegian Labor and Welfare Administration Act § 7. NAV
has itself assumed that the relevant publication of personal data is in conflict with


has itself assumed that the relevant publication of personal data is in conflict with
this duty of confidentiality. NAV has concluded that the exception in the provision as
this duty of confidentiality provision. NAV has concluded that the exception in the provision as
applies to employment services does not apply, based on the assessment of
applies to employment services does not apply, based on the assessment of
what requirements are set for employment services, cf. section 4.1.
what requirements are set for employment services, cf. section 4.1.


We have used NAV's assessment as a basis, and we have come to the conclusion that the breach of the statutory obligation
We have used NAV's assessment as a basis, and we have come to the conclusion that the breach of the statutory obligation
the duty of confidentiality will also constitute a breach of the principle of confidentiality
the duty of confidentiality will also constitute a breach of the principle of confidentiality
the Privacy Ordinance art. 5 No. 1 letter f.
the Privacy Ordinance art. 5 No. 1 letter f.


4.3 Imposition of infringement fines
4.3 Imposition of infringement fines
The Norwegian Data Protection Authority has come to the conclusion that NAV has violated the Privacy Ordinance art. 6 No. 1, cf. No. 3. I
The Data Inspectorate has come to the conclusion that NAV has violated the Privacy Ordinance art. 6 No. 1, cf. No. 3. I
In addition, we have come to the conclusion that both the Privacy Ordinance art. 5 No. 1 letter a and
In addition, we have come to the conclusion that both the Privacy Ordinance art. 5 No. 1 letter a and
Regulation Art. 5 No. 1 letter f has been violated. There are thus several offenses that can
Regulation Art. 5 No. 1 letter f has been violated. There are thus several offenses that can
provide a basis for the imposition of infringement fines.


provide a basis for the imposition of infringement fines.


The incident has largely taken place before the Personal Data Act and
The incident has largely taken place before the Personal Data Act and
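Review bot: two consecutive subsections are both numbered 4.3 ("4.3 Information security" and "4.3 Imposition of infringement fines") after 4.1 and 4.2, so the second should be renumbered 4.4 in both columns. The first sentence of that subsection also ends with a stray "I" ("art. 6 No. 1, cf. No. 3. I") before "In addition" on the next line, a line-break artifact from the PDF that should be removed.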
Line 382: Line 371:
has also been ongoing during the period when previous privacy regulations applied.
has also been ongoing during the period when previous privacy regulations applied.


The regulation art. 83 no. 2 sets out factors that must be taken into account in the decision on
whether an infringement fee is to be imposed as well as the amount of the infringement fee. Under
follows our assessment of the factors we consider relevant in the assessment of whether


infringement fines must be imposed;


(a) the nature, gravity and duration of the infringement, taking into account it;
the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and
the extent of the damage they have suffered,




                                                                                                5, Regulation art. 83 no. 2 sets out factors that must be taken into account in the decision on
whether an infringement fee is to be imposed as well as the amount of the infringement fee. Under
follows our assessment of the factors we consider relevant in the assessment of whether
infringement fines must be imposed;


a) the nature, severity and duration of the infringement, taking into account it
the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and


the extent of the damage they have suffered,
                                                                                                  5, NAV has violated basic requirements for the processing of personal data - the requirement for legal
NAV has violated basic requirements for the processing of personal data - the requirement for legal action
basis in art. 6 no. 1 and the principles in art. 5 No. 1 letter a and f.
basis in art. 6 no. 1 and the principles in art. 5 No. 1 letter a and f.


The availability of CVs in the workplace or similar solutions has been going on for approx. 20
The making available of CVs in the workplace or similar solutions has been going on for approx. 20
years, and a very large number of registered persons are affected, cf. section 2 above.
years, and a very large number of registered persons are affected, cf. section 2 above.


The purpose of the treatment has been to make users' information available, and


The purpose of the treatment has been to make users' information available, and
the treatment has been used as a condition of receiving or retaining services and benefits from
the treatment has been used as a condition of receiving or retaining services and benefits from
NAV, to persons who are under follow-up. Some of these may have received a decision to stop in
NAV, to persons who are under follow-up. Some of these may have received a decision to stop in
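Review bot: the new column introduces a regression at the line "NAV has violated basic requirements for the processing of personal data - the requirement for legal action", which continues "basis in art. 6 no. 1"; the old column's "the requirement for legal basis" is correct, since art. 6 no. 1 concerns the legal basis for processing. The art. 83 no. 2 factor list and its opening paragraph are also duplicated after fused page numbers at the lines "5, Regulation art. 83 no. 2 sets out factors" and "5, NAV has violated basic requirements"; restore "legal basis" and remove the duplicate run.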
Line 409: Line 398:
b) whether the infringement was committed intentionally or negligently,
b) whether the infringement was committed intentionally or negligently,
The offense has occurred because NAV did not detect, over the years the workplace and the like
The offense has occurred because NAV did not detect, over the years the workplace and the like
solutions have been in use, that national law does not authorize the publication of CVs in self-service


solutions have been in use, that national law does not authorize the publication of CVs in self-service
solutions, see section 4.1. above. The requirement for an active link between the jobseeker and the employer
4.4 Overall assessment
The Data Inspectorate views NAV's follow-up of the discrepancy positively, both towards the data subjects and the supervisory authority.

It is nevertheless very serious that an authority such as NAV lacks a legal basis for a long-term and intrusive processing of personal data affecting such a large number of data subjects. NAV's processing of users' personal data is largely based on statutory legal bases. NAV therefore has a special responsibility to ensure that the legal basis is adequate for the processing that is carried out.

After an overall assessment, the Data Inspectorate has come to the conclusion that NAV should be imposed an infringement fine.

5. Measurement of the fee
In assessing the size of the fee, we have emphasized that NAV has violated the basic and principal provisions of the Privacy Regulation. NAV has made confidential information about a large number of people available for a very long time, without a legal basis, and set this availability as a condition for receiving services and benefits.

We have also placed considerable emphasis on the balance of power in the relationship between NAV and the individual users, who have been incorrectly informed that registration in the solution has been a condition for being registered as a jobseeker, and thus for receiving benefits from NAV.

As the controller, NAV is responsible for ensuring that the processing it performs is lawful, and the deviation is due to a misinterpretation of NAV's own regulations.

In a mitigating direction, we have taken into account that NAV itself reported the deviation to us when it became clear that the processing lacked a legal basis, and that the discrepancy has been followed up in a good way. We also place emphasis on the fact that a significant part of the illegal processing took place in the period when the Personal Data Act (2000) applied.

After an overall assessment of the above factors, and in view of the severity of the infringement and the legislation's requirement that the imposition of infringement fines in each individual case should be effective, proportionate and dissuasive, we have come to the conclusion that an infringement fee of 5,000,000 - five million - kroner is considered correct.

6. Right of appeal
This decision can be appealed within three weeks after you have received this letter, cf. Sections 28 and 29 of the Public Administration Act. Any complaint is sent to the Data Protection Authority. If we do not uphold the complaint, the case will be sent to the Privacy Board for complaint processing, cf. the Personal Data Act § 22.

If you have any questions, you can contact the case officer.

With best regards

Janne Stang Dahl
acting director

Kristin Karlsen Lindberg
legal counsel

The document is electronically approved and therefore has no handwritten signatures
</pre>

Latest revision as of 08:21, 27 June 2022

Datatilsynet - 21/00872
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 6(3) GDPR
The Labour and Welfare Administration Act § 7
Type: Investigation
Outcome: Violation Found
Started: 17.02.2021
Decided: 23.05.2022
Published: 24.05.2022
Fine: 5000000 NOK
Parties: NAV (the Norwegian Labour and Welfare Administration)
National Case Number/Name: 21/00872
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (press release) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined the Labour and Welfare Administration €486,700 for publishing CVs and confidential personal data of 1.8 million data subjects online without a legal basis, in breach of Articles 6(1), (3) and Article 5(1)(a), and 5(1)(f) GDPR.

English Summary

Facts

In February 2021, the Norwegian Labour and Welfare Administration (NAV) notified the Norwegian DPA Datatilsynet about a personal data breach where they had published CVs without a legal basis. The DPA had also received 18 complaints from data subjects regarding the incident.

NAV, the controller, has since 2001 had online solutions for making job applicants' CVs available for logged-in employers. In February 2019, they launched a new online tool where job applicants could voluntarily register their CVs. The controller, however, also made these available to employers through a candidate search, by default, including CVs where the data subjects had not given their consent. In addition, the controller had required data subjects to publish their CV to receive certain social services and benefits.

In 2020, a data subject contacted NAV's Data Protection Officer about the processing and, consequently, the controller launched an internal review. They concluded that they had lacked a legal basis as per Article 6(1) GDPR for publishing the CVs, as far back as 2001. The controller had assessed legal bases in the national laws applicable to them, but found that these could not be relied upon for this particular situation. The controller also realised that they did not have a legal basis for requiring data subjects to publish their CV in this way in order to receive certain social services and benefits.

The CVs contained information about data subjects' name, place of residence, date of birth, telephone number, e-mail address, education, work and other relevant experience, courses, driver's licenses, access to vehicles, various approvals and certifications, language, stated competencies and job wishes. This information is subject to confidentiality as per national regulations applicable to the controller.

The controller informed the DPA that 535,900 CVs were part of the 2019 system and estimated that the maximum number of affected data subjects was 1.8 million. When the controller realised the breach, they notified the DPA and tried to inform every affected data subject personally by email or letter, as well as via their website.

Holding

The DPA held that the controller had violated Article 6(1) GDPR and Article 6(3) GDPR, thus also Article 5(1)(a) GDPR, for lack of legal basis for publishing CVs online. Further, as the controller is subject to a national regulation stipulating that the information in the CVs is confidential, the DPA held that they had violated Article 5(1)(f) GDPR.

For these violations, the DPA fined NAV (the controller) €486,700 (NOK 5,000,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

THE LABOR AND WELFARE AUTHORITY
PO Box 354
8601 MO I RANA



Your reference: AV29358   Our reference: 21/00872-11   Date: 21.06.2022



Decision on infringement fee - Publication of CV on arbeidplassen.no - NAV

The Data Inspectorate refers to previous correspondence and contact in connection with the notification of a breach of personal data security (hereinafter the non-conformance report) submitted 17.02.21, most recently our notification of a decision on an infringement fee dated 23.05.22 and your response to the notification of the decision dated 08.06.22.


1. Decision on infringement fines
Pursuant to the Privacy Ordinance art. 58 no. 2 letter i, cf. art. 83, and § 26 of the Personal Data Act, the following decision is made on an infringement fine:


      The Norwegian Labor and Welfare Administration (NAV) is fined 5,000,000 - five million - kroner to the Treasury for violation of the Privacy Ordinance art. 5 no. 1 letter a and the Privacy Ordinance art. 6 no. 1, cf. no. 3, as a result of processing of personal data without a legal basis, and for violation of the Privacy Ordinance art. 5 No. 1 letter f, as a result of personal data having been processed in a way that has not ensured adequate security of personal data.


2. Background of the case
Since 2001, NAV has had digital solutions for making jobseekers' CVs available to logged-in employers. In February 2019, NAV launched a new solution for publishing CVs at the workplace.nav.no (hereinafter «the workplace»). In the workplace, jobseekers can voluntarily register their CV based on consent. However, NAV has also, in the "candidate search" that employers use, by default published CVs from all jobseekers under follow-up from NAV. The incident is related to the making available of CVs that were not based on consent.

Following an inquiry to the privacy representative in NAV from a registered jobseeker in the autumn of 2020, NAV conducted a new review of the legal basis for publishing CVs. After the review, NAV concluded that the publication lacked a legal basis under the Privacy Ordinance art. 6 No. 1. Further investigations concluded that the publication had lacked a legal basis back to 2001. NAV's assessment is that sharing a CV without consent in self-service solutions requires a supplementary legal basis in national law, and that the provisions in the NAV Act and the Labor Market Act, which regulate employment services, do not authorize such processing.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org.nr: 974 761 467. Homepage: www.datatilsynet.no

The CVs contain information about the registered persons such as name, place of residence, date of birth, telephone number, e-mail address, education, work experience and other experience, courses, driver's licenses, access to vehicles, approvals (certifications and the like), language, stated competencies and job wishes. NAV's CV solution is partly based on free text fields, and special categories of personal data may therefore also be entered by users.

The solutions have also provided the opportunity for generating candidate lists based on employers'
search.


In an additional report dated 23.04.21, it is stated that the information that appears in the CVs is
subject to a duty of confidentiality pursuant to section 7 of the Norwegian Labor and Welfare Administration Act, and that the exception in this provision that applies
for employment services does not apply.

NAV has stated that 535,900 CVs are covered by the solution from 2019, and estimates that the maximum number affected in previous solutions is 1.8 million. We understand this to mean that all companies registered in the Aa register have initially had the opportunity to access the workplace.

Employers' access to all CVs of jobseekers under follow-up was closed on 17.2.21, and employers and temporary employment agencies were told to delete any downloaded or stored information. Those who were, or had been, registered in the solution from 2019 have been notified of the incident in person, or notification has been attempted. NAV created a separate page on nav.no and established a notification banner on the registration pages for CV and candidate search. NAV has assessed that the risk for those registered in the solutions before 2019 does not require notification of these. Decisions made on an incorrect basis because of the deviation shall be reversed back to 2016, and for decisions made before 2016, NAV will provide general information about the error and what users must do to get a new assessment of previously made decisions.

3. Legal background

3.1 Choice of law
The Privacy Ordinance was incorporated into Norwegian law through a new Personal Data Act, which
entered into force in 2018. The Act also repealed the Personal Data Act (2000) and the rules in
the Personal Data Regulations (2000).

The processing of CVs without a legal basis dates back to 2001, before the entry into force of the Personal Data Act (2018), but has also persisted in the time since, until February 2021. It must therefore be decided whether the case is to be assessed in accordance with the Personal Data Act (2018) or the Personal Data Act (2000).

The Personal Data Act (2018) § 33 first paragraph contains a special transitional rule for infringement fines, which reads:

      The rules on the processing of personal data that applied at the time of action shall be used as a basis when a decision is made on an infringement fine. The legislation at the time of the decision shall nevertheless be used when this leads to a more favorable result for the person responsible.

The question of choice of law must therefore be assessed on the basis of what is considered the time of action. The relevant deviation arose before the entry into force of the new regulations on 20.07.2018, but persisted until the processing of personal data was brought into accordance with the regulations - in this case until employers' access to the CVs was closed on 17.02.21. Since the time of action in this case persisted over time, and into the time after the entry into force of the Personal Data Act (2018), it follows from the Personal Data Act (2018) § 33 that the case shall be assessed in accordance with the Personal Data Act (2018).

We also refer to the preparatory work for the Personal Data Act (2018) (Prop. 56 LS (2017-2018) page 196), where the Ministry states, among other things, the following on the question of choice of law between the Personal Data Act (2000) and the Personal Data Act (2018):

      The starting point will be that decisions by the Data Inspectorate and the Privacy Board will
      had to be made on the basis of the material rules in force at any given time.

The same follows from the Privacy Board's practice in cases that were submitted to the board before the new law entered into force, but which were dealt with after the entry into force; see for example PVN-2018-05 and PVN-2018-06.

On the basis of this, it is in our assessment clear that the case must be assessed accordingly
the Personal Data Act (2018) and the Privacy Ordinance.


3.2. The basic principles for the processing of personal data
The basic principles for the processing of personal data are set out in
the Privacy Ordinance art. 5 No. 1 letter a-f.

It follows from letter a that personal data shall be processed in a "legal, fair and open manner with regard to the data subject ('legality, fairness and transparency')", and, cf. letter f, "in a manner which ensures adequate security of personal data, including protection against unauthorized or illegal processing and against unintentional loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality')". It is the data controller who is responsible for ensuring that the principles are complied with, cf. art. 5 No. 2.

3.3 Requirements for legal basis
The processing of personal data is only legal if at least one of the legal bases in the regulation art. 6 No. 1 letter a-f applies. Processing based on art. 6 no. 1 letter c and e also requires a supplementary legal basis in Union law or national law.

3.4 In particular on the imposition of infringement fines
According to the Regulation art. 58 no. 2 letter i, cf. the Personal Data Act § 26 second paragraph, the Data Inspectorate may impose an infringement fine on public authorities in accordance with the rules in Regulation Art. 83 in the event of a breach of the regulations.


An infringement fee is to be regarded as a penalty under the European Convention on Human Rights art. 6. A clear preponderance of probabilities for the offense is therefore required before a fee can be imposed.

In HR-2021-797-A, the Supreme Court ruled that strict liability for the imposition of corporate penalties is not compatible with the concept of punishment in the European Convention on Human Rights, as it is interpreted by the European Court of Human Rights. This means that a requirement [1] is established that the person who has acted on behalf of the company has shown ordinary negligence.

The conditions for the imposition of a fee are set out in the ordinance art. 83. The provision basically instructs that the imposition of an infringement fee is based on a discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting factors to which special weight shall be given.

With regard to the size of the fee, Art. 83 Nos. 4 and 5 set maximum rates for the size of the fee depending on which provisions of the Regulation have been violated. The same factors which shall be given special weight when assessing whether a fee is to be imposed also apply to the measurement. The fee should be set so high that it also has an effect beyond the specific case, while at the same time the amount of the fee must be in reasonable proportion to the infringement and the business, cf. art. 83 No. 1.

4. The Data Protection Authority's assessment


4.1 The requirement of culpability
The Norwegian Data Protection Authority has assumed that NAV, through the Director of Labor and Welfare, has acted negligently, cf. HR-2021-797-A, cf. the regulation art. 5 no. 2, and that the requirement of culpability is thus fulfilled (cf. section 3.4 above).


4.2 Legal basis for processing personal data (basis for processing)
NAV has stated that art. 6 no. 1 letter e, which applies to the exercise of public authority, has
been considered the most relevant treatment basis. Processing of personal data
on this basis requires a supplementary legal basis in Union law or national law, cf. art.
6 no. 3. No other treatment basis is considered relevant by NAV.


NAV has concluded that a legal basis for making all jobseekers' CVs available to employers is missing, because the regulations governing employment services, including the Labor Market Act § 10 and the NAV Act § 4, do not authorize such processing. NAV has obtained an external legal assessment from the law firm Wiersholm, which agrees with NAV's assessment. The provisions of the Labor Market Act and the NAV Act that apply to employment services require an active link between the jobseeker and the employer, which the self-service solution in the workplace, and those in previous solutions, do not satisfy.

[1] The Ministry of Justice and Emergency Preparedness' briefing of 12 May 2021, sent in a letter dated 02.06.21 from the Ministry of Local Government and Modernisation.

NAV is closest to interpreting the regulations that govern NAV's own tasks, and we rely on the assessment NAV has made of its legal basis for employment services. On this basis we come to the conclusion that NAV has violated the requirement for a legal basis for the processing of personal data in the regulation art. 6 No. 1, cf. No. 3.


Processing of personal data without legal basis according to art. 6 No. 1 is also not in
compliance with the basic requirement of the Privacy Ordinance art. 5 No. 1 letter a.

4.3 Information security
The information contained in the CVs is confidential in accordance with the Norwegian Labor and Welfare Administration Act § 7. NAV has itself assumed that the relevant publication of personal data is in conflict with this duty of confidentiality. NAV has concluded that the exception in the provision that applies to employment services does not apply, based on the assessment of what requirements are set for employment services, cf. section 4.1.

We have used NAV's assessment as a basis, and we have come to the conclusion that the breach of the statutory duty of confidentiality also constitutes a breach of the principle of confidentiality in the Privacy Ordinance art. 5 No. 1 letter f.


4.3 Imposition of infringement fines
The Data Inspectorate has come to the conclusion that NAV has violated the Privacy Ordinance art. 6 No. 1, cf. No. 3. In addition, we have come to the conclusion that both the Privacy Ordinance art. 5 No. 1 letter a and Regulation Art. 5 No. 1 letter f have been violated. There are thus several offenses that can provide a basis for the imposition of infringement fines.


The incident has largely taken place before the Personal Data Act and the Privacy Ordinance entered into force in 2018. The Data Protection Authority could also impose an infringement fee under the earlier rules, cf. the Personal Data Act (2000) § 46, but the amount was then limited to up to 10 times the National Insurance basic amount (currently approx. 1,060,000 NOK). However, we refer to the discussion under section 3.1, and assume that the fee will be measured according to the new regulations.


There is thus a basis for imposing on NAV an infringement fee of up to 20,000,000 euros (currently about NOK 200,000,000), cf. Article 83 no. 5 of the Regulation. We nevertheless take into account that the deviation has also been ongoing during the period when the previous privacy regulations applied.

The regulation art. 83 no. 2 sets out factors that must be taken into account in the decision on whether an infringement fee is to be imposed, as well as the amount of the infringement fee. Below follows our assessment of the factors we consider relevant in the assessment of whether an infringement fine must be imposed:

(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing concerned and the number of data subjects affected and the extent of the damage they have suffered,




NAV has violated basic requirements for the processing of personal data - the requirement for a legal basis in art. 6 no. 1 and the principles in art. 5 No. 1 letter a and f.

The making available of CVs in the workplace or similar solutions has been going on for approx. 20
years, and a very large number of registered persons are affected, cf. section 2 above.

The purpose of the processing has been to make users' information available, and the processing has been used as a condition for receiving or retaining services and benefits from NAV for persons who are under follow-up. Some of these may have received a decision to stop benefits for not having fulfilled the condition.

b) whether the infringement was committed intentionally or negligently,
The offense has occurred because NAV did not detect, over the years the workplace and similar solutions have been in use, that national law does not authorize the publication of CVs in self-service solutions, see section 4.1 above. The requirement for an active link between the jobseeker and the employer in the case of employment services appears from the preparatory work for regulations that NAV itself manages.

The Norwegian Data Protection Authority finds that NAV, through the Director of Labor and Welfare, has acted negligently, cf.
2021-797-A, cf. the regulation art. 5 No. 2.

c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects,
Employers' access to CVs is closed. The users who were covered by the discrepancy in the new solution from 2019 have been notified. Information about deviations in previous solutions is given in general form on nav.no. NAV has done a manual review back to 2016 to uncover and reverse any invalid administrative decisions.


d) the degree of responsibility of the data controller or data processor, taking into account
the technical and organizational measures they have implemented in accordance with Articles 25 and 32,
Not relevant in this case.

e) any relevant previous violations committed by the data controller or
the data processor,
There are no previous violations that are considered relevant to this case.


f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce its possible negative effects,
NAV reported to the supervisory authority after it was ascertained that the publication of CVs did not have a legal basis, and has subsequently submitted updates on measures and been available during the case processing.


g) the categories of personal data affected by the infringement,
The CVs contain information such as name, place of residence, date of birth, contact information, education, work experience and other experience, courses, driving licences, access to vehicles, approvals (certifications and the like), language, stated competencies and job requirements. NAV's CV solution is partly based on free-text fields, and special categories of personal data, for example health information or information about ethnicity, may therefore also be entered by users. We have no definite evidence that special categories of personal data have been entered, and for that reason we have not emphasised this in an aggravating direction. The information is subject to a duty of confidentiality pursuant to section 7 of the Norwegian Labour and Welfare Administration Act.

h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the data controller or data processor notified the infringement,
NAV submitted a report of a personal data breach on 17.02.21.

i) where measures referred to in Article 58(2) have previously been ordered against the data controller or data processor concerned with regard to the same subject matter, compliance with those measures,
No measures have previously been taken against NAV with regard to the same subject matter.

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42, and
Not relevant to the case.

k) any other aggravating or mitigating factor in the case, such as financial benefits gained, or losses avoided, directly or indirectly, as a result of the infringement,
NAV is in a special position of power vis-à-vis the users, who have limited opportunities to influence NAV's use of personal data, especially where the use is linked to services and benefits the individual depends on.

4.4 Overall assessment

The Data Protection Authority views NAV's follow-up of the deviation positively, both towards the data subjects and towards the supervisory authority.

It is nevertheless very serious that an authority such as NAV lacks a legal basis for a long-term and intrusive processing of personal data concerning such a large number of data subjects. NAV's processing of users' personal data is largely based on statutory legal bases. NAV therefore has a special responsibility to ensure that the legal basis is adequate for the processing that is carried out.

Following an overall assessment, the Norwegian Data Protection Authority has concluded that NAV should be imposed an infringement fine.

5. Assessment of the fine
In assessing the size of the fine, we have emphasised that NAV has violated the basic and principal provisions of the General Data Protection Regulation. NAV has made confidential information about a large number of people available for a very long time, without a legal basis, and has set this availability as a condition for receiving services and benefits.

We have also placed considerable emphasis on the balance of power in the relationship between NAV and the individual users, who have been incorrectly informed that registration in the solution was a condition for being registered as a jobseeker, and thus for receiving benefits from NAV.

As the data controller, NAV is responsible for ensuring that the processing it carries out is lawful, and the deviation is due to a misinterpretation of NAV's own regulations.

In a mitigating direction, we have taken into account that NAV itself reported the deviation to us when it became clear that the processing lacked a legal basis, and that the deviation has been followed up in a good way. We also place emphasis on the fact that a significant part of the unlawful processing took place in the period when the Personal Data Act (2000) applied.

After an overall assessment of the above factors, and having regard to the severity of the infringement and the legislation's requirement that the imposition of infringement fines in each individual case should be effective, proportionate and dissuasive, we have concluded that an infringement fine of 5,000,000 - five million - kroner is considered correct.

6. Right of appeal
This decision can be appealed within three weeks after you have received this letter, cf. sections 28 and 29 of the Public Administration Act. Any appeal is sent to the Data Protection Authority. If we do not uphold the appeal, the case will be sent to the Privacy Appeals Board for processing, cf. section 22 of the Personal Data Act.

If you have any questions, you can contact the case officer.

With best regards

Janne Stang Dahl
acting director

Kristin Karlsen Lindberg
legal adviser

The document is electronically approved and therefore has no handwritten signatures.