Datatilsynet (Norway) - 21/02504: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet (Norway) |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=21/...")
 
m (Fun fact)
 
(4 intermediate revisions by the same user not shown)
Line 59: Line 59:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Rie Aleksandra Walle
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]
|
|
}}
}}


The Norwegian DPA intends to fine a private investigation company €5,000 for an unlawful credit rating and for not adhering to the accountability principle as per Article 5(2), cf. Article 24, and also requires them to implement internal controls for their credit rating process.
The Norwegian DPA intends to fine a private investigation company €5,000 for unlawfully credit rating the former boyfriend of a client and for not adhering to the accountability principle as per [[Article 5 GDPR#2|Article 5(2) GDPR]], cf. [[Article 24 GDPR|Article 24]], and also requires them to implement internal controls for their credit rating process.


== English Summary ==
== English Summary ==
Line 75: Line 75:


=== Holding ===
=== Holding ===
The DPA found that the controller lacked a legal basis as per [[Article 6 GDPR#1|Article 6(1) GDPR]], and informs in their decision that the relevant legal basis as per the GDPR, is Article 6(1)(f). The DPA found that the controller had also breached Article 5(2), cf. Article 24.  
The DPA found that the controller lacked a legal basis as per [[Article 6 GDPR#1|Article 6(1) GDPR]], and informs in their decision that the relevant legal basis as per the GDPR, is [[Article 6 GDPR#1f|Article 6(1)(f)]]. The DPA found that the controller had also breached [[Article 5 GDPR#2|Article 5(2) GDPR]], cf. [[Article 24 GDPR|Article 24]].  


For this, the DPA intends to fine the controller NOK 50,000 (€5,000), for conducting a credit rating without a legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]] and for not adhering to the accountability principle as per Article 5(2), cf. Article 24. The DPA also requires that the company implement internal controls of their credit rating process.
For this, the DPA intends to fine the controller NOK 50,000 (€5,000), for conducting a credit rating without a legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]] and for not adhering to the accountability principle as per [[Article 5 GDPR#2|Article 5(2) GDPR]], cf. [[Article 24 GDPR|Article 24]]. The DPA also requires that the company implement internal controls of their credit rating process. The controller has four weeks to fulfill the penalties, unless they appeal.
 
The controller has three weeks to appeal the decision, otherwise it will take full effect.


== Comment ==
== Comment ==

Latest revision as of 05:16, 16 February 2022

Datatilsynet (Norway) - 21/02504
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 21.06.2021
Decided: 01.02.2022
Published: 11.02.2022
Fine: 50000 NOK
Parties: Etterforsker1 Gruppen AS
National Case Number/Name: 21/02504
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (website article) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA intends to fine a private investigation company €5,000 for unlawfully credit rating the former boyfriend of a client and for not adhering to the accountability principle as per Article 5(2) GDPR, cf. Article 24, and also requires them to implement internal controls for their credit rating process.

English Summary

Facts

The Norwegian DPA (Datatilsynet) received a complaint from a data subject who had been credit rated by a private investigation company, which had stated in its privacy notice that it should be viewed as the controller under the GDPR for any such processing of the personal data of third parties.

The controller had been hired by the data subject's former partner. She claimed to have a financial claim against the data subject. He disputed this and also claimed he did not have any funds to pay for such a claim, regardless. Consequently, the controller conducted a credit rating of the data subject, to validate his claims.

Following the data subject's complaint, the DPA launched an investigation.

Holding

The DPA found that the controller lacked a legal basis as per Article 6(1) GDPR, and states in its decision that the relevant legal basis under the GDPR is Article 6(1)(f). The DPA found that the controller had also breached Article 5(2) GDPR, cf. Article 24.

For this, the DPA intends to fine the controller NOK 50,000 (€5,000), for conducting a credit rating without a legal basis under Article 6(1) GDPR and for not adhering to the accountability principle as per Article 5(2) GDPR, cf. Article 24. The DPA also requires that the company implement internal controls of their credit rating process. The controller has four weeks to fulfill the penalties, unless they appeal.

The controller has three weeks to appeal the decision, otherwise it will take full effect.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

INVESTIGATOR1 GRUPPEN AS
Gokstadveien 18
3216 SANDEFJORD

Excluded from the public:

Their reference:
Our reference: 21/02504-7
Date: 01.02.2022

Decision on order and infringement fee - Credit assessment without legal basis - Investigator1 Gruppen AS

1. Introduction
We refer to our notice of decision on order and infringement fee of 20 December 2021. The Data Inspectorate has not received any comments on the notification by the deadline and informs today that we are making a final decision in the case.

2. Decision on order and infringement fine

The Data Inspectorate makes the following decisions:

1. Pursuant to the Privacy Ordinance, Article 58 (2) (2), Investigator1 Gruppen AS, with org. no. 913 193 458, is ordered to pay an infringement fee to the Treasury of NOK 50,000 for having obtained credit information without a legal basis, cf. the Privacy Ordinance Article 6 No. 1.

2. Pursuant to the Privacy Ordinance art. 58 No. 2 letter d, Investigator1 Gruppen AS, with org. no. 913 193 458, is ordered to establish internal control for credit assessments, cf. Article 24 of the Privacy Ordinance.


3. Background of the case
The Data Inspectorate received a complaint from Brede Hagen Jørgensen (hereinafter referred to as the complainant) on 21 June 2021 after he had been credit-rated by Investigator1. The credit rating was performed on 18 June 2021. Following the complainant's inquiry to Investigator1, he was informed that the credit assessment was performed on behalf of a client who has a claim in the complainant's property. Investigator1's client is the complainant's former cohabitant. The complainant states that he has never been in contact with Investigator1 before.


It appears from Investigator1's statement that the purpose of the credit assessment was to carry out the agreement with the client. The client contacted Investigator1 to investigate the complainant's financial situation to assess whether legal action should be taken. The client believes she has a monetary claim against the complainant on the basis of contributions to the common economy and the increase in value of the shared home.

Before the client engaged Investigator1, she contacted the complainant and informed him about the claim for compensation. According to Investigator1's statement, the complainant at this time disputed the claim made and stated an inability to pay. The complainant's inability to pay was not confirmed with documentation.


4. Legal background
4.1. Responsible for processing
The data controller is the primary subject of duty under the Privacy Ordinance, and has overall responsibility for complying with the privacy principles and regulations, cf. the regulation Article 5 (2). The controller is the one who determines the purpose of the processing of personal data and which means are to be used, cf. the Privacy Ordinance Article 4 (7).


4.2. Legal basis for obtaining credit information
Obtaining and storing credit information about individuals and sole proprietorships constitutes processing of personal data, cf. the Privacy Ordinance, Article 4, No. 2 and the Act on processing of personal data of 15 June 2018 no. 38 (Personal Data Act) § 1. Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a lawful legal basis. When a business is to obtain credit information about an individual, Article 6 No. 1 letter f is the relevant legal basis.

Under the old Personal Data Act of 2000, there was an additional requirement that the business must have an "objective need" to obtain credit information. This is stated in the Personal Data Regulations § 4-3, which according to the transitional rules [1] has been continued as applicable law. The new Credit Information Act [2] also continues the requirement for "objective need" for disclosure of credit information. The new law has been passed, but has not yet entered into force.

However, the Privacy Ordinance does not provide national room for maneuver to specifically regulate the recipients' processing of credit information. The new Credit Information Act therefore has only the credit information companies as a subject of duty, and not the individual business or individual who orders credit information. The consequence of this is that "objective need" is not directly an additional condition for the individual business that obtains credit information. Collection of credit information is therefore regulated by the Privacy Ordinance Article 6 No. 1 letter f. Assessments of whether a business has a "factual need" according to the Personal Data Regulations § 4-3 are, however, closely related to the assessment pursuant to Article 6, paragraph 1, letter f. Previous practice related to "objective needs" is therefore still relevant when assessing "legitimate interest" as a legal basis.


[1] Transitional rules on the processing of personal data (FOR-2018-06-15-877).
[2] Act on the processing of information in credit information activities (ACT-2019-12-20-109).

4.2.1 Article 6 (1) (f) of the Privacy Regulation - "legitimate interest"

Article 6, paragraph 1, letter f requires that the collection of credit information is "necessary" to safeguard a "legitimate interest" which, after a balance of interests, outweighs consideration of the individual's privacy.

The legitimate interest must be legal, clearly defined in advance, real and objectively justified in the business. Recital 47 of the Privacy Ordinance states that in the assessment of whether an interest is justified, among other things, the data subject's expectations based on the relationship between the data controller and the data subject should be taken into account. Emphasis should also be placed on whether at the time of collection it was foreseeable for the data subjects that the information would be processed for the current purpose.


Which interests meet this depends on a comprehensive assessment of, among other things, what benefits the company achieves with the treatment, how important the interest is for the company, and whether the treatment has a public interest or safeguards non-profit interests that benefit more people, see the Article 29 Working Party statement. [3]


Furthermore, the relevant processing of personal data must be necessary for this interest. That is, the business must consider whether it can achieve the purpose in a way that better safeguards privacy. One must therefore choose the treatment that is least invasive for the data subject.

Then the business must make a balance of interests to determine whether the individual's privacy outweighs the business' legitimate interest. What type of information is involved is a relevant factor for the balancing of interests, e.g. whether it is worthy of protection and whether the person has an expectation of having the personal data left in peace. It is also relevant to consider what kind of disadvantages the processing of personal data imposes on the person, whether the processing of the personal data is perceived as infringing, whether the treatment is suitable for creating fear or unrest, and what measures the company has implemented to reduce the privacy implications.

4.2.2 Relevant practice related to the Privacy Regulation Article 6 No. 1 f on «justified interest» and the Personal Data Regulations § 4-3 on «factual needs»

According to the Personal Data Regulations § 4-3, a credit assessment can only be obtained when a business has a "factual need" for the information, for example in connection with a purchase on credit. As a general rule, there must be an element of credit. The typical cases of legal collection of credit information are a service provider's need to investigate a customer's creditworthiness, or the need for information on financial matters before any agreement is entered into. It may also be justified for a company to credit-rate a customer in connection with the recovery of an existing monetary claim.


The Privacy Board has elaborated on the additional condition of factual need in several cases, including PVN-2006-03, PVN-2010-05 and PVN-2017-02. In the latter case, the tribunal referred to the following statement from PVN-2006-2003 KLP:

        The purpose of a credit rating is normally to determine whether a potential customer is creditworthy, and thus whether the company wishes to enter into an agreement with the person in question. This means that when credit information is requested, the requirement of objectivity will be met when the customer must use the credit information in connection with his assessment of credit risk, for example by a loan commitment or agreement on current benefits that are invoiced in arrears, typically mobile phone subscription, subscription for satellite television etc.

[3] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, pp. 24 and 25.


In PVN-2020-21, the Privacy Board dealt with a case where the question was whether a credit assessment had a legal basis under the Privacy Ordinance Article 6 letter f. The question was whether there was a legitimate interest for the general manager of a company to perform a credit assessment of a sole proprietorship for private purposes. The collection of credit information took place in this case for a purpose completely outside the business area of the business and for the general manager's personal use outside the business.

The Privacy Board states in the case that «in assessing whether there is a justified interest, consideration shall be given to whether the data subject can reasonably expect that the personal data is used for the relevant purpose». The fact that there was no customer relationship between the complainant and the company that performed the credit assessment was further given weight in the assessment. The conclusion was that the requirement of legitimate interest had not been met and that there was therefore a lack of a legal basis for the credit assessment, cf. the Privacy Ordinance Article 6 No. 1.

In case PVN-2010-04, the question was whether a lawyer, on behalf of his client, had a «factual need» to carry out a credit assessment of the complainant. It was the client's counterpart who had been credit-rated in connection with a legal dispute. The tribunal emphasized the party constellations in the case and that the lawyer's client had a claim that was approaching the limitation period. It was stated that it did not appear unnatural to consider civil law steps. On the basis of this, the tribunal concluded that the requirement for objective needs had been met.


4.3. Internal control
In accordance with the principle of integrity and confidentiality, personal data shall be processed in a manner that ensures adequate security of personal data, cf. Article 5 (1) letter f. This means, among other things, that the person responsible for treatment must implement appropriate measures to ensure and demonstrate that the processing is carried out in accordance with the Regulation.

Article 32 and Article 24 of the Privacy Ordinance stipulate that the data controller has an obligation to assess the risk of planned processing of personal data before it is initiated. On the basis of the risk assessment, the data controller shall carry out appropriate technical and organizational measures to protect against unauthorized or illegal treatment, and against unintentional loss, destruction or alteration of personal data. Depending on what is suitable, this includes:

            a) pseudonymisation and encryption of personal data,
            b) ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services,
            c) ability to restore the availability of and access to personal data in a timely manner if a physical or technical event occurs,
            d) a process for regular testing, analysis and assessment of how effective the treatment's technical and organizational security measures are.

It further follows from Article 24 that the person responsible for processing is obliged to be able to prove that they are processing personal data in accordance with the law. In other words, the business is required to be able to document internal routines or processes that meet the requirement of objectivity for credit rating.

[4] Personal Information Regulations § 4-3


On the Data Inspectorate's website, there is more information, support tools and templates for how
to establish internal control: https://www.datatilsynet.no/rettigheter-og-
duties / corporate duties / information security-internal control / establish-internal control /

5. The Data Inspectorate's assessment

5.1 Responsible for processing
According to the privacy statement of Investigator1, the company acts as responsible for processing when carrying out assignments on behalf of private individuals, cf. the Privacy Ordinance Article 4 No. 7. It is therefore clear that Investigator1 is responsible for processing in this case.


5.2. Article 6 (1) (f) of the Privacy Regulation - "legitimate interest"
The relevant legal basis for obtaining credit information is Article 6 (1) (f) of the Privacy Regulation. This means that the collection must be considered "necessary" to safeguard a "legitimate interest" which, after a balance of interests, weighs heavier than the consideration of the individual's privacy. According to PVN-2020-21, it is the company that purchases services from the credit reporting company that must have a legitimate interest in obtaining credit information. The first question is therefore whether Investigator1 had a "legitimate interest" in obtaining credit information on the complainant.


According to the report of Investigator1, the purpose of the credit assessment was to carry out the agreement with the client. The client requested assistance from Investigator1 to investigate the complainant's finances to assess whether legal action should be taken. As a result of contributions to the common economy and the increase in value of the shared housing while the cohabitation lasted, the client believed that she had a claim for compensation against the complainant. According to the decision PVN-2010-04, it is important that the credit information has been obtained with a view to a potential claim for compensation. The law does not require that a claim for damages is actually brought or that the claim for damages is successful. The fact that the credit information was obtained in connection with a potential claim for damages against the complainant is therefore a factor that suggests that Investigator1 had a "legitimate interest".


In the assessment of legitimate interest, emphasis shall also be placed on the party constellations, cf. PVN-2010-04. Recital 47 of the Privacy Ordinance emphasizes that this assessment shall take into account the data subject's reasonable expectations based on the relationship between the data controller and the data subject. In other words, it must have been predictable for the complainant that Investigator1 obtained credit information about him in connection with the claim for compensation.

The client had informed the complainant, prior to the credit rating, that she thought she had a claim in his property. The complainant, however, had never before had any contact with Investigator1 and was completely unfamiliar with the company when he received the copy letter. Even with knowledge of a potential claim for damages, it is not foreseeable that a private investigator collects credit information. At this point, the case differs from the facts in PVN-2010-04, where it was assumed that a lawyer who within his business assesses the credit of the other party in connection with an assignment for a client meets the requirement of "objective need". In the Data Inspectorate's view, there is a significant difference between a lawyer's and a private investigator's business. It explicitly follows from the Disputes Act § 3-3 that «lawyers can be legal counsel in cases dealt with in accordance with this Act» and § 3-4 that «legal counsel can perform all procedural acts on behalf of his party». Lawyers are further subject to rules for good legal practice and confidentiality. In our case, a private individual has engaged a private investigator to obtain information about her former cohabitant's finances, including ability to pay, income information and any payment remarks. This is information that one by and large has an expectation will be kept private and not shared with unauthorized persons.

The Data Inspectorate's conclusion is that the requirement of "legitimate interest" in the Privacy Ordinance Article 6 (1) (f) is not fulfilled. As all three conditions of Article 6 (1) (f) must be met in order to satisfy the law's requirements for a legal basis, it is not necessary to assess the other conditions. Due to the lack of a legal basis, the credit assessment was obtained illegally.

In the report, Investigator1 writes that obtaining credit information about third parties will in the future be based on the consent of the data subject. Investigator1's privacy statement says:

        Legal basis for the processing of personal data about other individuals who are covered by the report follows GDPR article 6 no. 1 letter f (to safeguard a legitimate interest). Persons who may be covered by the report itself must, as a general rule, give consent for us to process their personal data, cf. GDPR article 6 no. 1 letter a.

The Data Inspectorate questions how a consent can constitute a legal basis for
obtaining credit information about third parties in practice, and asks Investigator1 to elaborate on this
further in the privacy statement.


5.3. Internal control
According to Article 24 of the Privacy Regulation, all companies are obliged to be able to prove that they process personal data in accordance with the law. In other words, it is required that the company can document internal routines that meet the requirements for processing of credit information. These guidelines must be appropriate and proportionate to the treatment activities, cf. Article 24 no. 2. This means, among other things, that the routines must describe when and how credit information should be obtained, and should ensure that credit ratings are not obtained without a lawful legal basis. Furthermore, the company must have routines for non-conformance handling.


Investigator1 has submitted its internal routines to the Norwegian Data Protection Authority. According to the statement, Investigator1 has been made aware that these are deficient and do not cover the collection of credit information about third parties. The routine does not mention that obtaining credit information is a type of processing of personal data, cf. Article 4 (1) and (2) of the Privacy Regulation. There is also no reference to the legal basis under Article 6 or the purpose for which credit information may be obtained. In the Data Inspectorate's view, the company lacks an understanding of the rules on obtaining credit information and lacks appropriate privacy policies for the processing.


The Norwegian Data Protection Authority has the authority to order the data controller to ensure that the processing activities take place in accordance with the provisions of the Privacy Ordinance, cf. Privacy Regulation Article 58 No. 2 letter d. In our opinion, the establishment of internal routines related to the processing of credit information could have a preventive effect against later unfair credit assessments being carried out.

The Norwegian Data Protection Authority states that Investigator1 does not have sufficient routines for obtaining credit information, cf. the Privacy Ordinance, Article 24, Nos. 1 and 2. The Norwegian Data Protection Authority therefore orders Investigator1 to prepare suitable routines for credit assessment, cf. Article 58 (2) (d) of the Privacy Regulation.

6. Infringement fee
6.1. General information about infringement fines
Violation fees are a tool to ensure effective compliance and enforcement of the personal data regulations. In accordance with the case law of the Supreme Court (cf. Rt. 2012 page 1556), we assume that the infringement fine is to be regarded as a penalty under the European Convention on Human Rights (ECHR) Article 6. A clear preponderance of probability of an offense is therefore required in order to impose a fee.


In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. By an administrative sanction is meant a negative reaction that can be imposed by an administrative body, which addresses a committed violation of law, regulation or individual decision, and which is considered a punishment under the ECHR.

Section 46, first paragraph, of the Public Administration Act states:

        When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction is imposed even if no individual has shown guilt.


In judgment HR-2021-797-A, the Supreme Court has assumed that the objective responsibility for corporate punishment that follows from the Penal Code § 27 is not compatible with the concept of punishment in the ECHR as it is interpreted by the European Court of Human Rights. The Supreme Court states in the judgment that the person who has acted on behalf of the company must have shown guilt, and that general negligence is sufficient to fulfill this.

As infringement fines are considered a penalty under the ECHR, we assume that we can only impose an infringement fine on an enterprise if the person who has acted on behalf of the enterprise has shown guilt, and that general negligence is sufficient, cf. HR-2021-797-A.

6.2. The guilt requirement when imposing an infringement fine

In order for the Data Inspectorate to be able to impose an infringement fee on Investigator1, it is therefore required that the person who has acted on behalf of the enterprise has shown guilt. In this case, our assessment is that negligence is the relevant form of guilt.

The requirement of negligence follows from the Penal Code § 26: «[t]he person who at the time of the action, due to ignorance of legal rules, is unaware that the act is illegal, is punished when the ignorance is negligent.» In accordance with the requirement of diligence, companies must familiarize themselves with which legislation applies in the area, and organize the business in accordance with the framework that follows from the relevant regulations.


In the Data Inspectorate's assessment, Investigator1, through the company's chief executive, should have made sure to have a legal basis before the credit information was obtained, in accordance with the regulations. We refer in this connection to the Privacy Regulation Article 5 No. 2 and assume that the action qualifies as negligence.

Our conclusion is that it was negligent of Investigator1, by the top manager, to credit-rate the complainant without a legal basis. The guilt requirement for imposing an infringement fee is thus fulfilled.

6.3 Assessment of whether an infringement fee is to be imposed

When assessing whether a fee should be charged, and when measuring it, the Data Inspectorate shall take into account the elements of the Privacy Regulation Article 83 (2) (a) to (k). The Data Inspectorate may impose an infringement fee after a discretionary overall assessment, but the listed factors lay down guidelines for the exercise of discretion by highlighting aspects that are to be given special weight. In the following, we will assess the relevant aspects on an ongoing basis.

            a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the treatment concerned and the number of data subjects who are affected, and the extent of the damage they have suffered

The violation in this case only applies to one person and a single case of treatment of credit information without a legal basis. The duration and extent of the breach point in the direction that no infringement fine should be imposed.


On the other hand, the infringement violates the fundamental requirement of legality in the Privacy Regulation Article 5 (1) and the requirement for a legal basis in Article 6.

This was also emphasized by the Privacy Board as an aggravating factor in case PVN-2020-21:

        This is a serious violation of the Privacy Ordinance. The principle of legality in Article 5 (1) and the requirement for a basis for treatment in Article 6 represent the basic requirements for the processing of personal data. These are broken. Private individuals have an expectation that companies do not collect credit information about them without this being justified in a legitimate interest in the business as a result of a real customer relationship.

Credit information is a type of personal information that is particularly worthy of protection. A credit rating is the result of compiling personal information from many different sources, and shows a number that indicates the probability that a person is solvent. A credit rating will also show details about individuals' personal finances, including any payment remarks, voluntary mortgages and debt ratio. This is private information which one has an expectation will not be processed unless there is a valid reason. The Norwegian Data Protection Authority is of the opinion that private individuals should enjoy special protection against the obtaining of credit information.

The complainant has also never had contact with Investigator1 before. The nature of the violation is considered serious overall and is an aggravating factor in the assessment.

            b) whether the infringement was committed intentionally or negligently,


Investigator1 informs in its statement that the complainant's credit information was obtained in order
to implement the agreement with its client. However, it was only after an inquiry from
the Data Inspectorate that the company became aware that there was a deficient legal basis and a
lack of internal routines. The Data Inspectorate therefore has no reason to believe that Investigator1
intentionally obtained the information illegally.

It follows from the Penal Code § 26 that «[a]nyone who at the time of the action, due to ignorance
of legal rules, is unaware that the act is illegal, is punished when the ignorance is negligent.»
According to the requirement of diligence, companies must familiarize themselves with which legislation
applies to the area, and organize the business in accordance with the framework that follows from the
current regulations. Investigator1 should have made sure to have a legal basis before
the credit information was obtained, in accordance with the regulations. The violation qualifies as
negligence and we emphasize this as an aggravating factor in the assessment.


            c) any measures taken by the data controller or data processor
                to limit the damage suffered by the data subjects,


Investigator1 states in its statement that they will seek legal assistance to audit
current routines associated with the processing of personal data. The business has also deleted
the relevant credit information from their systems. This pulls in a mitigating direction.


            d) the degree of responsibility of the data controller or data processor,
                taking into account the technical and organizational measures they have implemented
                pursuant to Articles 25 and 32,

We assume that Investigator1 lacks knowledge about the rules for obtaining
credit information, and that the business had not implemented technical or organizational
measures to ensure proper processing. In the report, Investigator1 acknowledges that internal
routines are deficient. This circumstance points in an aggravating direction.


            e) any previous violations committed by the data controller or
                the data processor,

The Data Inspectorate does not know whether there have been previous violations.


            f) the degree of cooperation with the supervisory authority to remedy the infringement and
                reduce the possible negative effects of it,


Investigator1 has contributed information in the case and admits in the report that the collection
of the complainant's credit information may have been based on a deficient legal basis. The business
further acknowledges that internal routines are deficient in connection with the processing of
credit information. According to the guidelines of the Article 29 Working Party, continued by the
European Data Protection Board (EDPB), however, cooperation that the data controller is required
by law to provide should not be treated as mitigating.

            g) the categories of personal data affected by the infringement,


Special categories of personal data pursuant to Article 9 are not affected by the infringement in our
case. However, information on salary, debt and creditworthiness is information that has a
special need for protection due to its private nature. This points in an aggravating direction,
and argues for the imposition of an infringement fine.


            h) the manner in which the supervisory authority became aware of the infringement, in particular
                whether, and if so to what extent, the data controller or data processor
                has notified the infringement,


We were notified of the breach through a complaint. Investigator1 has not reported the incident as
a discrepancy. We therefore do not find this aspect relevant.



5 Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, WP 253, page 14.


            i) if measures referred to in Article 58 (2) have previously been taken against the
                data controller or data processor concerned with respect to the same
                subject matter, compliance with those measures,


We are not aware that measures have previously been taken against the company with regard to the same
subject matter.

            j) compliance with approved codes of conduct in accordance with Article 40 or
                approved certification mechanisms in accordance with Article 42,

We do not find this factor relevant in our case.


            k) and any other aggravating or mitigating factor in the case, e.g.
                financial benefits gained, or losses avoided, directly or
                indirectly, as a result of the infringement.

We do not see that there are other aggravating or mitigating factors in the case. After
a comprehensive assessment of the nature and severity of the infringement, the Data Inspectorate believes that
it is necessary to respond with an infringement fee, cf. Article 83 of the Privacy Ordinance.

The next question is the size of the fee.


6.4 Assessment of the size of the fee
The amount of the fee is assessed in accordance with Article 83 (1):
Each supervisory authority shall ensure that the imposition of infringement fines in accordance with this Article
for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each case
effective, proportionate to the infringement and has a deterrent effect.


In determining the fee, the factors described in section 6.3 shall be given weight, cf. Article 83
No. 2. It follows from Article 83, paragraph 5, letter a, that violations of the fundamental
principles of processing in the Privacy Regulation, including Articles 5, 6, 7 and 9, shall be
sanctioned with a higher violation fee than other violations of
the Privacy Regulation.

In an aggravating direction, we place particular emphasis on the fact that there is a breach of the basic
principle of legality in the Privacy Regulation Article 5 No. 1 letter a. The violation includes
personal data of a very private nature, which the data subject has an expectation will be
kept private unless there is a valid reason otherwise. These are weighty
factors that argue for a fee of a certain size.

In a mitigating direction, we emphasize that the violation only applies to one data subject and that the complainant
was only credit-rated in a single case. Investigator1 has further acknowledged that the processing
may have had a deficient legal basis and shown a willingness to comply with the rules by starting
the process of improving their internal routines.

Investigator1 writes in the statement that they are willing to accept a small violation fee
if the Data Inspectorate concludes that there was a lack of legal basis. Preventive considerations
indicate, however, that the fee for a violation must be set so high that it is actually perceived as
an evil for the offender. This means that the offender's financial ability should be important
when measuring, so that the fee is higher the greater the financial capacity of the offender.



Public accounting figures show that the turnover of Investigator1 was 2,121,000
NOK in 2020. After an overall assessment of the seriousness of the case and Investigator1's
financial situation, we have come to the conclusion that the infringement fee is set at NOK 50,000. This
is in our opinion a reaction that is sufficiently dissuasive, effective and stands in a
reasonable relation to the illegal processing of personal data that has taken place in the case.

    7. Right of appeal and further proceedings

You can appeal the decision. Any complaint must be sent to us within three weeks after this
letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will
forward the case to the Privacy Board for complaint processing.


If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after
the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act. The decision is an enforcement basis for attachment, and
recovery of the claim will be carried out by the Central Government Collection Agency.

The deadline for implementing point 2 of the order on written routines (internal control) is 4 weeks after
expiry of the time limit for appeal. If you do not appeal point 2 of the order, you must within this deadline
send us a written confirmation, as well as documentation, that the ordered
internal control has been completed.


    8. Publicity, transparency and duty of confidentiality
We inform you that all the documents are, as a starting point, public, cf.
§ 3 of the Public Access to Information Act. If you believe there is a basis for exempting all or part of
the document from public access, we ask you to justify this.


The Data Inspectorate has a duty of confidentiality about who has complained to us, and about the complainant's personal
circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and
Section 13 of the Public Administration Act. As a party to the case, you may nevertheless be made aware of such
information from the Norwegian Data Protection Authority, cf. the Public Administration Act § 13 b first paragraph no. 1. You also have the right
of access to the case documents, cf. the Public Administration Act § 18.

We point out that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority
about the complainant's identity, personal circumstances and other identifying information, and that you
may only use this information to the extent necessary to safeguard your
interests in this case, cf. the Public Administration Act § 13 b second paragraph. We also point out that
violation of this duty of confidentiality can be punished according to the Penal Code § 209.

If you have any questions, you can contact Kristin Skolt on telephone 45 72 02 94 or at
email address kristin.skolt@datatilsynet.no.

With best regards


Jørgen Skorstad
Department director
                                                               Kristin Skolt
                                                               Legal adviser


The document is electronically approved and therefore has no handwritten signatures
Copy to: Complainant

6 The figures are taken from proff.no, 17.09.2021

