Datatilsynet (Norway) - 21/02504
Relevant Law: Article 5(2) GDPR, Article 6(1) GDPR, Article 6(1)(f) GDPR, Article 24 GDPR, Article 24(1) GDPR, Article 24(2) GDPR
Parties: Etterforsker1 Gruppen AS
National Case Number/Name: 21/02504
European Case Law Identifier: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO); Datatilsynet (website article) (in NO)
Initial Contributor: Rie Aleksandra Walle
The Norwegian DPA intends to fine a private investigation company €5,000 for unlawfully credit rating the former boyfriend of a client and for not adhering to the accountability principle as per Article 5(2) GDPR, cf. Article 24, and also requires them to implement internal controls for their credit rating process.
English Summary
Facts
The Norwegian DPA (Datatilsynet) received a complaint from a data subject who had been credit rated by a private investigation company. The company had stated in its privacy notice that it should be viewed as the controller under the GDPR for any such processing of the personal data of third parties.
The controller had been hired by the data subject's former partner. She claimed to have a financial claim against the data subject. He disputed this and also claimed he did not have any funds to pay for such a claim, regardless. Consequently, the controller conducted a credit rating of the data subject, to validate his claims.
Following the data subject's complaint, the DPA launched an investigation.
Holding
The DPA found that the controller lacked a legal basis as per Article 6(1) GDPR, and states in its decision that the relevant legal basis under the GDPR is Article 6(1)(f). The DPA found that the controller had also breached Article 5(2) GDPR, cf. Article 24.
For this, the DPA intends to fine the controller NOK 50,000 (€5,000), for conducting a credit rating without a legal basis under Article 6(1) GDPR and for not adhering to the accountability principle as per Article 5(2) GDPR, cf. Article 24. The DPA also requires that the company implement internal controls of their credit rating process. The controller has four weeks to fulfill the penalties, unless they appeal.
The controller has three weeks to appeal the decision, otherwise it will take full effect.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
INTERVIEWER1 GRUPPEN AS
Gokstadveien 18
3216 SANDEFJORD
Excluded from the public:
Their reference:
Our reference: 21/02504-7
Date: 01.02.2022
Decision on order and infringement fee - Credit assessment without legal basis - Investigator1 Gruppen AS
1 Introduction
We refer to our notice of decision on order and infringement fee of 20 December 2021. The Data Inspectorate has not received any comments on the notification by the deadline and informs today that we finally make a decision in the case.
2. Decision on order and infringement fine
The Data Inspectorate makes the following decisions:
1. Pursuant to the Privacy Ordinance, Article 58 (2) (2) is imposed Investigator1 Gruppen AS, with org. No. 913 193 458, to pay an infringement fee to the Treasury of NOK 50,000 for having obtained credit information without a legal basis, cf. the Privacy Ordinance article 6 No. 1.
2. Pursuant to the Privacy Ordinance art. 58 No. 2 letter d is imposed Investigator1 Gruppen AS, with org.nr. 913 193 458, to establish internal control for credit assessments, cf. Article 24 of the Privacy Ordinance.
3. Background of the case
The Data Inspectorate received a complaint from Brede Hagen Jørgensen (hereinafter referred to as complaints) on 21 June 2021 after he had been credit-rated by Investigator1. The credit rating was performed 18. June 2021. Following the complainant's inquiry to Investigator1, he was informed that the credit assessment was performed on behalf of a client who has a claim in the complainant's property. Investigator1's client is the complainant's former cohabitant. Complainants state that he has never been in contact with Detective1 earlier.
It appears from Investigator1's statement that the purpose of the credit assessment was to implement agreement with client. The client contacted Investigator1 to investigate the complainant's financial situation to assess whether legal action should be taken.
Client thinks to have a monetary claim against complaints on the basis of contributions to the common economy and increase in value of shared home. Before the client engaged Investigator1, she contacted complainants and informed about the claim for compensation. According to the statement of Investigator1, the complainants at this time disputed made claims, and stated inability to pay. Complainant's inability to pay was not confirmed with documentation.
4. Legal background
4.1. Responsible for processing
The data controller is the primary subject of duty under the Privacy Ordinance, and is overall responsible for complying with the privacy principles and regulations, cf. the regulation Article 5 (2). The controller is the one who determines the purpose of the processing of personal data and which funds are to be used, cf. the Privacy Ordinance Article 4 (7).
4.2. Legal basis for obtaining credit information
Obtaining and storing credit information about individuals and sole proprietorships constitutes one processing of personal data, cf. the Privacy Ordinance, Article 4, No. 2 and the Act on processing of personal data of 15 June 2018 no. 38 (Personal Data Act) § 1.
Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis. When a business should obtain credit information about one individual is Article 6 No. 1 letter f the relevant legal basis.
Under the old Personal Data Act of 2000, there was an additional requirement that the business may have an "objective need" to obtain credit information. This is stated in the Personal Data Regulations § 4-3, which according to the transitional rules has been continued as applicable [1] [2] straight. The new Credit Information Act also continues the requirement for "objective need" for disclosure of credit information. The new law has been passed, but has not yet entered into force.
However, the Privacy Ordinance does not provide national room for maneuver to regulate it specifically some recipients' processing of credit information. The new Credit Information Act has therefore only the credit information companies as a subject of duty, and not the individual the business or individual who orders credit information. The consequence of this is that "objective need" is not directly an additional condition for the individual business that obtains credit information. Collection of credit information is therefore regulated by the Privacy Ordinance Article 6 No. 1 letter f.
Assessments related to whether a business has a "factual need" according to the Personal Data Regulations § 4-3 is, however, closely related with the assessment pursuant to Article 6, paragraph 1, letter f. Previous practice related to "objective needs" is therefore still relevant when assessing "legitimate interest" as a legal basis.
[1] Transitional rules on the processing of personal data (FOR-2018-06-15-877).
[2] Act on the processing of information in credit information activities (ACT-2019-12-20-109).
4.2.1 Article 6 (1) (f) of the Privacy Regulation - "legitimate interest"
Article 6, paragraph 1, letter f requires that the collection of credit information is "necessary" to safeguard a "legitimate interest" which, after a balance of interests, outweighs consideration individual privacy.
The legitimate interest must be legal, clearly defined in advance, real and objectively justified in business. Advocate 47 of the Privacy Ordinance states that in the assessment of whether an interest is justified, among other things, the data subject's expectations should be taken into account the relationship between the data controller and the data subject. Emphasis should also be placed on whether at the time of collection it was foreseeable for the data subjects that the information would remain processed for the current purpose.
Which interests meet this depends on a comprehensive assessment of, among other things, which ones benefits the company achieves with the treatment, how important the interest is for the company, whether the treatment has a public interest or safeguards non-profit interests that benefit more people good, see Article 29 Working Party Statement. [3]
Furthermore, the relevant processing of personal data must be necessary for this interests. That is, the business must consider whether it can achieve the purpose in a way that better safeguards privacy. One must therefore choose the treatment that is least invasive for the registered.
Then the business must make a balance of interests to determine whether the individual Privacy outweighs the business' legitimate interest. What type of information these are relevant factors for the balancing of interests, eg whether these are worthy of protection and whether the person has an expectation of having the personal data in peace. It is also relevant to consider what kind of disadvantages the processing of personal data imposes on the person whether the processing of the personal data is perceived as infringing, whether the treatment is suitable for creating fear or unrest, and what measures the company has implemented to reduce the privacy implications.
4.2.2 Relevant practice related to the Privacy Regulation Article 6 No. 1 f on «justified interest» and the Personal Data Regulations § 4-3 on «factual needs»
According to the Personal Data Regulations § 4-3, credit assessment can only be obtained when one business has a "factual need" for the information, for example in connection with a purchase on credit. As a general rule, there must be an element of credit. The typical cases of Legal collection of credit information is a service provider's need to investigate a customer's creditworthiness, or the need for information on financial matters before any entering into an agreement.
It may also be justified for a company to credit a customer in connection with the recovery of an existing monetary claim.
The Privacy Board has elaborated on the additional condition of factual need in several cases, including PVN-2006-03, PVN-2010-05 and PVN-2017-02. In the latter case, the tribunal referred to the following statement from PVN-2006-2003 KLP:
The purpose of a credit rating is normally to determine whether a potential customer is creditworthy, and thus whether the company wishes to enter into an agreement with the person in question. This means that when credit information is requested, the requirement of objectivity will be met when the customer must use the credit information in connection with his assessment of credit risk, for example by a loan commitment or agreement on current benefits such as invoiced in arrears, typically mobile phone subscription, subscription for satellite television etc.
[3] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46 / EC, p. 24 and 25.
In PVN-2020-21, the Privacy Board dealt with a case where the question was about a credit assessment had a legal basis under the Privacy Ordinance Article 6 letter f. The question was whether there was a legitimate interest for the general manager of a company to perform a credit assessment by a sole proprietorship for private purposes. The collection of credit information took place in this case for a purpose completely outside the business area of the business and to the general manager personal use outside the business. The Privacy Board states in the case that «in assessing whether there is a justified interest, consideration shall be given to whether the data subject can reasonably expect that the personal data is used for the relevant purpose».
The fact that there was nothing customer relationships between complainants and the company that performed the credit assessment were further added weight in the assessment. The conclusion was that the requirement of legitimate interest had not been met and that there was therefore a lack of a legal basis for the credit assessment, cf. the Privacy Ordinance Article 6 No.1.
In case PVN-2010-04, it was a question of whether a lawyer, on behalf of his client, had «factually need» to carry out a credit assessment of complaints. It was the client's counterpart who had been credit-rated in connection with a legal dispute. Nemda emphasis the party constellations in the case and that the lawyer's client had a claim that was approaching obsolescence. It was stated that it did not appear unnatural to consider civil law steps. On the basis of this, the tribunal concluded that the requirement for objective needs had been met.
4.3. Internal control
In accordance with the principle of integrity and confidentiality, personal data shall be processed in a manner that ensures adequate security of personal data, cf. Article 5 (1) letter f. This means, among other things, that the person responsible for treatment must implement appropriate measures for to ensure and demonstrate that the processing is carried out in accordance with the Regulation.
Article 32 and Article 24 of the Privacy Ordinance stipulate that the data controller has obligation to assess the risk of planned processing of personal data before it is initiated. On the basis of the risk assessment, the data controller shall carry out appropriate technical and organizational measures to protect against unauthorized or illegal treatment, and against unintentional loss, destruction or alteration of personal data.
Depending on what is suitable, This includes:
a) pseudonymisation and encryption of personal data,
b) ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services,
c) ability to restore the availability and access to personal data in the right time if a physical or technical event occurs
d) a process for regular testing, analysis and assessment of how effective the treatment's technical and organizational security measures are.
It further follows from Article 24 that the person responsible for processing is obliged to be able to prove that they are processing personal data in accordance with the law. In other words, the business is required can document internal routines or processes that meet the requirement of objectivity credit rating.
[4] Personal Information Regulations § 4-3
On the Data Inspectorate's website, there is more information, support tools and templates for how to establish internal control: https://www.datatilsynet.no/rettigheter-og- duties / corporate duties / information security-internal control / establish-internal control /
5. The Danish Data Protection Agency's assessment
5.1 Responsible for processing
According to the privacy statement of Investigator1, the company acts as responsible for processing when carrying out assignments on behalf of private individuals, cf. the Privacy Ordinance Article 4 No. 7. It is therefore clear that Investigator1 is responsible for processing in this case.
5.2. Article 6 (1) (f) of the Privacy Regulation - "legitimate interest"
The relevant legal basis for obtaining credit information is Article 6 (1) (f) of the Privacy Regulation. This means that the collection must be considered "Necessary" to safeguard a "legitimate interest" which, after a balance of interests, weighs heavier than the consideration of the individual privacy.
According to PVN-2020-21, it is the company who purchases services from the credit reporting company that must have a legitimate interest in obtain credit information. The first question is therefore whether Investigator1 had one "Legitimate interest" in obtaining credit information on complaints.
According to the report of Investigator1, the purpose of the credit assessment was to carry out agreement with client. The client requested assistance from Investigator1 to investigate the complainant's finances to assess whether legal action should be taken. As a result of contributions to the common economy and increase in value of shared housing when the cohabitation lasted, the client believed that she had a claim for compensation against complaints.
According to the decision PVN-2010-04, it is important that the credit information has been obtained with a view to a potential claim for compensation. It is not asked a requirement in the law that a claim for damages is actually brought or that the claim for damages is successful. The fact that the credit information was obtained in connection with a potential A claim for damages against complainants is therefore a factor that suggests that Investigator1 had one "Legitimate interest".
In the assessment of legitimate interest, emphasis shall also be placed on the party constellations, cf. PVN-2010-04. Advocate 47 for the Privacy Ordinance emphasizes that in this the assessment shall take into account the data subject's reasonable expectations based on the relationship between the data controller and the data subject. In other words, it must have been predictable for complaints that Investigator1 obtained credit information about him in connection with the claim for compensation.
The client had informed complaints, prior to the credit rating, that she thought she had one claims in his property.
Complainants, however, had never before had any contact with Investigator1 and was completely unfamiliar with the company when he received the copy letter. Even with knowledge of a potential claim for damages, it is not foreseeable that a private investigator collects credit information.
At this point, the case differs from the fact in PVN-2010-04 where it was assumed that a lawyer who within his business assesses the credit of the other party in connection with an assignment for a client, meets the requirement of "objective need". It's after The Data Inspectorate's view is a significant difference between a lawyer and a private investigator business. It explicitly follows from the Disputes Act § 3-3 that «lawyers can be legal counsel in cases dealt with in accordance with this Act» and § 3-4 that «legal counsel can perform all procedural acts on behalf of his party». Lawyers are further subject to rules for good legal practice and confidentiality.
In our case, a private individual has engaged a private investigator to obtain information about his former cohabitant's finances, including ability to pay, income information and any payment remarks. This is information that one has by and large an expectation of being kept private and not shared with unauthorized persons.
The Data Inspectorate's conclusion is that the requirement of "legitimate interest" in the Privacy Ordinance Article 6 (1) (f) is not fulfilled. As all three conditions of Article 6 (1) (f) must be met in order to satisfy the law's requirements for legal basis, it is not necessary to assess the other terms. The credit assessment was due to a lack of legal basis obtained illegally.
In the report, Investigator1 writes that obtaining credit information about third parties in the future will be based on the consent of the data subject.
It is expressed in Investigator1's privacy statement that:
Legal basis for the processing of personal data about other individuals such as covered by the report follows GDPR article 6 no. 1 letter f (to safeguard a beneficiary interest). Persons who may be covered by the report itself must, as a general rule, submit consent for us to process their personal data, cf. GDPR article 6 no. 1 letter a.
The Data Inspectorate questions how a consent can constitute a legal basis for obtaining credit information about third parties in practice, and asks Investigator1 to elaborate on this further in the privacy statement.
5.3. Internal control
According to Article 24 of the Privacy Regulation, all companies are obliged to be able to prove that they processes personal data in accordance with the law. In other words, it is required that the company can document internal routines that meet the requirements for treatments of credit information. These guidelines must be appropriate and proportionate the treatment activities, cf. Article 24 no. 2. This means, among other things, that the routines must describe when and how credit information should be obtained, and should ensure that credit ratings not obtained without a lawful legal basis. Furthermore, the company must have routines for non-conformance handling.
Investigator1 has submitted its internal routines to the Norwegian Data Protection Authority. According to the statement it appears that Investigator1 has been made aware that these are deficient and not affects the collection of credit information about third parties. The routine does not mention that obtaining of credit information is a type of processing of personal data, cf. Article 4 (1) and (2) of the Privacy Regulation. There is also no reference to legal action basis under Article 6 or the purpose for which credit information may be obtained.
After The Data Inspectorate's view is that the company lacks an understanding of the rules on obtaining credit information and lacks appropriate privacy policies to treatment.
The Norwegian Data Protection Authority has the authority to order the data controller to ensure that the processing activities take place in accordance with the provisions of the Privacy Ordinance, cf. Privacy Regulation Article 58 No. 2 letter d. In our opinion, the establishment of internal routines related to the processing of credit information could have a preventive effect against that later unfair credit assessments are carried out.
the Norwegian Data Protection Authority states that Investigator1 does not have sufficient routines for obtaining credit information, cf. the Privacy Ordinance, Article 24, Nos. 1 and 2. The Norwegian Data Protection Authority imposes therefore Investigator1 to prepare suitable routines for credit assessment, cf. Article 58 (2) (d) of the Privacy Regulation.
6. Infringement fee
6.1. General information about infringement fines
Violation fees are a tool to ensure effective compliance and enforcement of the personal data regulations. In accordance with the case law of the Supreme Court (cf. Rt. 2012 page 1556) we assume that the infringement fine is to be regarded as a penalty under the European ECHR) Article 6. It is therefore clear overriding probability of an offense in order to impose a fee.
In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can be imposed by a administrative body, which addresses a committed violation of law, regulation or individual decision, and which is considered a punishment under the ECHR.
Section 46, first paragraph, of the Public Administration Act states:
When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction is imposed even if no individual has shown guilt.
In judgment HR-2021-797-A, the Supreme Court has assumed that the objective responsibility for corporate punishment that follows from the Penal Code § 27 is not compatible with the concept of punishment in the ECHR as such it is interpreted by the EMD. The Supreme Court states in the judgment that the person who has acted on behalf of the company must have shown guilt, and that general negligence is sufficient to fulfill this.
As infringement fines are considered a penalty under the ECHR, we assume that we can only impose an infringement fine on an enterprise if the person who has acted on behalf of the enterprise has shown guilt, and that general negligence is sufficient, cf. HR-2021-797-A.
6.2. The guilt claim when imposing an infringement fine
In order for the Data Inspectorate to be able to impose an infringement fee on Investigator1, it is therefore required that it who has acted on behalf of the enterprise has shown guilt. In this case, our assessment is that negligence is the current form of guilt.
The requirement of negligence follows from the Penal Code § 26 that «[d] a who at the time of the action on due to ignorance of legal rules is unaware that the act is illegal, punished when ignorance is negligent. " In accordance with the requirement of diligence, companies must familiarize themselves with which legislation applies in the area, and organize the business in accordance with them framework that follows from the relevant regulations.
In the Data Inspectorate's assessment, Investigator1, through the company's chief executive, should have made sure to have a legal basis before the credit information was obtained, in accordance with the regulations. We refer in this connection to the Privacy Regulation Article 5 No. 2 and assumes that the action qualifies for negligence.
Our conclusion is that it was negligent of Investigator1, by the top manager, to assess credit complaints without legal basis.
The guilt requirement for imposing an infringement fee is thus fulfilled.
6.3 Assessment of whether an infringement fee is to be imposed
When assessing whether a fee should be charged, and when measuring, the Data Inspectorate shall take into account to the elements of the Privacy Regulation Article 83 (2) (a) to (k). The Data Inspectorate may impose infringement fee after a discretionary overall assessment, but the listed factors lays down guidelines for the exercise of discretion by highlighting aspects that are to be given special consideration weight. In the following, we will assess the relevant aspects on an ongoing basis.
a) the nature, severity and duration of the infringement, as taken the nature, extent or purpose of the treatment concerned and the number registered who are affected, and the extent of the damage they have suffered
The violation in this case only applies to one person and a single case of treatment of credit information without legal basis. The duration and extent of the breach draws in direction that no infringement fine should be imposed.
On the other hand, the infringement violates the fundamental requirement of legality in the Privacy Regulation Article 5 (1) and the requirement for a legal basis in Article 6. This was also emphasized by the Privacy Board as an aggravating factor in case PVN-2020-21:
This is a serious violation of the Privacy Ordinance. The principle of legality in Article 5 (1) and the requirement for a basis for treatment in Article 6 represent the basics requirements for the processing of personal data. These are broken. Private individuals have an expectation that companies do not collect credit information about them without this being justified in a legitimate interest in the business as a result of a real customer relationship.
Credit information is a type of personal information that is particularly worthy of protection.
One Credit rating is the result of compiling personal information from many different sources sources, and shows a number that indicates the probability that a person is solvent. One Credit rating will also show details about individuals' personal finances, including any payment remarks, voluntary mortgages and debt ratio. This is private information which one has an expectation of not being treated unless there is a valid reason.
The Norwegian Data Protection Authority is of the opinion that private individuals should enjoy special protection against obtaining credit information. Complainants have also never had contact with Eterforsker1 before. The nature of the violation is considered serious overall and is an aggravating factor in the assessment.
b) whether the infringement was committed intentionally or negligently,
Investigator1 informs in its statement that the complainant's credit information was obtained for to implement the agreement with his client. However, it was only after inquiry from The Data Inspectorate that the company became aware that there was a failing legal basis and lack of internal routines. The Data Inspectorate therefore has no reason to believe that Investigator1 intentionally obtained the information illegally.
It follows from the Penal Code § 26 that «[d] a as at the time of the action due to ignorance if legal rules are unknown that the act is illegal, is punished when the ignorance is negligent. " IN according to the requirement of diligence, companies must familiarize themselves with which legislation applies to the area, and organize the business in accordance with the framework that follows from it current regulations. Investigator1 should have made sure to have a legal basis before the credit information was obtained, in accordance with the regulations. The violation qualifies for negligence and we emphasize this as an aggravating factor in the assessment.
c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects,
Investigator1 states in its statement that they will seek legal assistance to audit current routines associated with the processing of personal data. The business has also deleted the relevant credit information from their systems. This pulls in a mitigating direction.
d) the degree of responsibility of the data controller or data controller, as take into account the technical and organizational measures they have implemented in pursuant to Articles 25 and 32,
We assume that Investigator1 has a lack of knowledge about the rules for obtaining credit information, and that the business had not implemented technical or organizational measures to ensure proper treatment. In the report, Investigator1 acknowledges that internal routines are deficient. This relationship is moving in an aggravating direction.
e) any previous violations committed by the data controller or the data processor,
The Data Inspectorate does not know whether there have been previous violations.
(f) the degree of cooperation with the supervisory authority to remedy the infringement; and reduce the possible negative effects of it,
Investigator1 has contributed to the information in the case and admits in the report that the collection of the complainant's credit information may have been based on a failing legal basis. The business further acknowledges that internal routines are deficient in connection with the treatment of credit information. According to the guidelines of the Article 29 Working Party, continued by it European Privacy Council (EDPB), however, should not be mitigated statutory cooperation on the part of the data controller.
g) the categories of personal data affected by the infringement,
Special categories of personal data pursuant to Article 9 are not affected by this spring's infringement case.
However, information on salary, debt and creditworthiness is information that has a special need for protection due to its private nature. This pulls in an aggravating direction, and advocates for the imposition of infringement fines.
(h) the manner in which the supervisory authority became aware of the infringement, in particular: and possibly to what extent the data controller or data processor has notified the infringement,
We were notified of the breach of complaints. Investigator1 has not reported the incident as a discrepancy. We therefore do not find this aspect relevant.
[5] Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, WP 253, page 14.
(i) if the measures referred to in Article 58 (2) have previously been taken against it affected data controllers or data processors with respect to the same subject matter, that the said measures are complied with,
We do not know that measures have previously been taken against the company with regard to the same case subject.
(j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42,
We do not find the moment relevant in our case.
k) and any other aggravating or mitigating factor in the case, e.g. financial benefits gained, or losses avoided, direct or indirectly, as a result of the infringement.
We do not see that there are other aggravating or mitigating factors in the case.
After a comprehensive assessment of the nature and severity of the infringement, the Data Inspectorate believes that is necessary to respond with an infringement fee, cf. Article 83 of the Privacy Ordinance. The next question is the size of the fee.
6.4 Assessment of the size of the fee

The amount of the fee is assessed in accordance with Article 83 (1):

Each supervisory authority shall ensure that the imposition of infringement fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each case effective, proportionate to the infringement and has a deterrent effect.

In determining the fee, the factors described in section 6.3 shall be given weight, cf. Article 83 No. 2.

It follows from Article 83, paragraph 5, letter a, that violations of the fundamental principles of processing in the Privacy Regulation, including Articles 5, 6, 7 and 9, shall be sanctioned with a higher violation fee than other violations of the Privacy Regulation.

In an aggravating direction, we place particular emphasis on the fact that there is a breach of the basic principle of legality in Article 5 No. 1 letter a of the Privacy Regulation. The violation includes personal data of a very private nature, which the data subject expects to be kept private unless there is a valid reason otherwise. These are weighty factors that argue for a fee of a certain size.

In a mitigating direction, we emphasize that the violation only applies to one data subject and that the complainant was only credit-rated in a single case. Investigator1 has further acknowledged that the processing may have had an inadequate legal basis and has shown a willingness to comply with the rules by starting the process of improving their internal routines.

Investigator1 writes in the statement that they are willing to accept a small violation fee if the Data Inspectorate concludes that a legal basis was lacking. Deterrence considerations indicate, however, that the fee for a violation must be set so high that it is actually perceived as a burden by the offender.
This means that the offender's financial ability should be important when measuring the fee, so that the fee is higher the greater the financial capacity of the offender.

Public accounting figures show that the turnover of Investigator1 was NOK 2,121,000 in 2020.

After an overall assessment of the seriousness of the case and Investigator1's financial situation, we have come to the conclusion that the infringement fee is set at NOK 50,000. This is in our opinion a reaction that is sufficiently dissuasive, effective and stands in a reasonable relation to the illegal processing of personal data that has taken place in the case.

7. Right of appeal and further proceedings

You can appeal the decision. Any appeal must be sent to us within three weeks after this letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will forward the case to the Privacy Board for appeal processing.

If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act. The decision is a coercive basis for disbursement, and recovery of the claim will be carried out by the Central Government Collection Agency.

The deadline for implementing point 2 of the order on written routines (internal control) is 4 weeks after expiry of the time limit for appeal. If you do not appeal point 2 of the order, you must within this deadline send us a written confirmation, as well as documentation, that the ordered internal control has been implemented.

8. Publicity, transparency and duty of confidentiality

We inform you that all the documents are in principle public, cf. § 3 of the Public Access to Information Act. If you believe there is a basis for exempting all or part of the document from public access, we ask you to justify this.
The Data Inspectorate has a duty of confidentiality about who has complained to us, and about the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such information from the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1. You also have a right of access to the case documents, cf. the Public Administration Act § 18.

We point out that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority about the complainant's identity, personal circumstances and other identifying information, and that you may only use this information to the extent necessary to safeguard your interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that violation of this duty of confidentiality can be punished according to the Penal Code § 209.

If you have any questions, you can contact Kristin Skolt on telephone 45 72 02 94 or at email address firstname.lastname@example.org

With best regards

Jørgen Skorstad
Department director

Kristin Skolt
Legal adviser

The document is electronically approved and therefore has no handwritten signatures

Copy to: Complaints

6 The figures are taken from proff.no, 17.09.2021