Datatilsynet (Norway) - 21/02873: Difference between revisions

From GDPRhub
No edit summary
 
(10 intermediate revisions by 2 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=EDPB
|Original_Source_Name_1=EDPB
|Original_Source_Link_1=https://edpb.europa.eu/system/files/2022-09/ee_2022-02_decisionpublic_0.pdf
|Original_Source_Link_1=https://edpb.europa.eu/system/files/2022-10/no_2022-05_decisionpublic.pdf
|Original_Source_Language_1=English
|Original_Source_Language_1=English
|Original_Source_Language__Code_1=EN
|Original_Source_Language__Code_1=EN
Line 79: Line 79:
}}
}}


In an [[Article 60 GDPR]] procedure, the Norwegian DPA ordered an HR-services provider, pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], to provide
In an [[Article 60 GDPR]] procedure, the Norwegian DPA ordered an HR-services provider, pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], to provide the data subject with information he requested in an access request ([[Article 15 GDPR|Article 15 GPDR]]).
the data subject with all the information he requested in an access request ([[Article 15 GDPR|Article 15 GPDR]]).


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject was a former employer of a German subsidiary of the controller, a company offering human resources and payroll administration. The controller has its headquarters in Norway and offices in several other European countries.
The data subject was a former employee of a German subsidiary of the controller, a company offering human resources and payroll administration services. The controller had its headquarters in Norway. The data subject filed an access request two times. The ''first request'' was sent on 14 July to the CEO of the controller, who did not respond initially. The data subject filed a complaint with the Norwegian DPA (DPA) on 26 August 2021. The DPA recommended the data subject to send the request to the e-mail address the controller provided for requests. The data subject sent this ''second request'' on 28 September 2021. However, the controller only replied to this second request on 22 December 2021 after a reminder by the DPA. The controller also stated that the ''second request'' had mistakenly been marked as spam and had therefore not been answered. The controller apologised for the late reply and provided a copy of its privacy policy and a copy of personal data. According to the data subject, the controller did not provide all the information.    
 
The data subject filed an access request two times. The first request was send to the CEO, who did not respond. The data subject filed a complaint with the Norwegian DPA (DPA) at 26 August 2021. The DPA recommended the data subject to send the request to the e-mail address the controller provided for inquiries regarding its privacy policy. However, the controller also did not reply to this second request.
 
The DPA send the controller questions and ordered it to respond. This order remained unanswered, after which the DPA send a reminder. The controller replied to this reminder that its response had remained in the outbox folder without sending the e-mail to the DPA.  
The controller provided a copy of personal data and a copy of its privacy policy.


=== Holding ===
=== Holding ===
The DPA stated that the GDPR was applicable, since the controller had multiple establishments in the EU and the EEA (European Economic Area). In the context of the activities of these establishment, it also processed personal data of its employees ([[Article 3 GDPR#1|Article 3(1) GDPR]]).  
The DPA stated that the GDPR was applicable, since the controller had multiple establishments in the EU and the EEA (European Economic Area). It also processed personal data of its employees in the context of the activities of these establishment ([[Article 3 GDPR#1|Article 3(1) GDPR]]). The DPA also determined that the controller had its main establishment ([[Article 4 GDPR#16|Article 4(16) GDPR]]) in Norway and that its processing of the data subject’s personal data was cross-border processing ([[Article 4 GDPR#23|Article 4(23) GDPR]]). Therefore, the cooperation mechanism was applicable [[Article 56 GDPR#1|(Articles 56(1) GDPR]] and [[Article 60 GDPR|60 GDPR)]], with the Norwegian DPA as lead supervisory authority ([[Article 56 GDPR#1|Article 56(1) GDPR]]).  
 
The controller had its main establishment ([[Article 4 GDPR#16|Article 4(16) GDPR]]) in the EEA and its processing of the complainant’s personal data was cross-border ([[Article 4 GDPR#23|Article 4(23) GDPR]]). Therefore, the cooperation mechanism and procedure set out in [[Article 56 GDPR#1|Articles 56(1) GDPR]] and [[Article 60 GDPR|60 GDPR]] was applicable. Because the main establishment was located in Norway, the Norwegian DPA was the lead supervisory authority ([[Article 56 GDPR#1|Articles 56(1) GDPR]]).  
 
<u>First request to CEO</u>
 
The DPA stated that it was legitimate for the controller to expect that the data subject through a communication channel that was specifically meant for these kinds of requests. The CEO of a company cannot be expected to be directly involved in the processing of requests regarding data subject’s rights. Therefore, the controller (the company, not the CEO) did not violate Articles 12(2) and 15 GDPR by failing to respond to the first request.
 
<u>Second request to e-mail for requests.</u>
 
The DPA stated that the controller violated article 12(2) GDPR by failing to facilitate the right to access under [[Article 15 GDPR]]. It treated the second request, which was legitimate, as a spam e-mail, which lead to the fact that this e-mail remained unanswered for almost three months. However, this was a minor infringement because It affected only one data subject. The controller also stopped using the specific e-mail address that lead to the infringement and started using a new communication channel using a CAPTCHA solution for data protection inquiries. Lastly, Although the controller did not respond to the access request submitted on 28 September 2021 within the standard statutory one-month period—as it should have done under [[Article 12 GDPR#3|Article 12(3) GDPR]]—the controller did respond on 22 December 2021 within the maximum 3 months’ period in [[Article 12 GDPR#3|Article 12(3) GDPR]]. Based on these mitigating factors, the DPA did not issue any corrective measures.
 
<u>Failure to provide all the information</u>


The DPA held that the controller did not provide all the personal data and information the data subject was entitled to under [[Article 15 GDPR]]. Specifically, the controller did not provide sufficient information on the purposes of processing, categories of data concerned and storage periods, by only referring to its privacy policy in the reply. The privacy policy did provide sufficient information on recipients, data subject’s rights. The right to lodge a complaint with the supervisory authority, the source of personal data, automated decision making and international transfers.  
The DPA stated that it was legitimate for the controller to expect that data subjects exercise their GDPR rights by using a communication channel specifically meant for such purpose. The CEO of a company could not be expected to be responsible for handling such requests. Therefore, the controller did not violate [[Article 12 GDPR|Articles 12(2)]] and [[Article 15 GDPR|15 GDPR]] by failing to respond to the ''first request.'' The controller referred EDPB Guidelines to support its argument ([https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf “EDPB Guidelines on the Right of Access”, par. 55]). However, the DPA stated that the controller violated [[Article 12 GDPR|Article 12(2) GDPR]] by failing to facilitate the right to access regarding the ''second request''. Referring to the EDPB guidelines again, the DPA stated that the controller had, amongst other things, the obligation to take adequate technical and organizational measures to ensure that it can receive and handle access requests in a timely manner. Controllers must ensure that their communication channel is easy to use and effective. This includes providing '''state-of-the-art anti-spam protection''<nowiki/>' for email. The controller mistakenly treated the second request as spam, which led to the fact that this e-mail remained unanswered for almost three months. This resulted in the violation of [[Article 12 GDPR|Article 12(2) GDPR]] because the right of access [[Article 15 GDPR|(Article 15 GDPR]]) was not facilitated. This was a minor infringement because of several mitigating factors, such as the fact that that only one data subject was affected and that the controller had started using a CAPTCHA solution, which should be better at accurately detecting spam. Lastly, the controller did respond on 22 December 2021 to the request within the maximum 3 months’ period in [[Article 12 GDPR#3|Article 12(3) GDPR]]. Therefore, the DPA did not issue any corrective measures.  


<u>Failure to provide access to all the information</u>
The DPA also held that the controller did not provide all the personal data and information under Articles [[Article 15 GDPR|Article 15(1)(a) to (h)]] and [[Article 15 GDPR|15(2) GDPR]] . Specifically, the controller did not provide sufficient information on the purposes of processing ([[Article 15 GDPR|Article 15(1)(a) GDPR]]), because it processed data for other purposes besides those mentioned in the privacy policy [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf (“EDPB Guidelines on the Right of Access”, par. 112]). The controller also did not provide enough information regarding categories of data concerned ([[Article 15 GDPR|Article 15(1)(b) GDPR]]) because the provided information was not tailored to the individual case ([https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf “EDPB Guidelines on the Right of Access”, par. 113]) The controller also did not provide enough information regarding storage periods ([[Article 15 GDPR|Article 15(1)(d) GDPR]]), because it did not enable the data subject to assess what the retention period would be for specific data/purposes. However, the DPA determined that the privacy policy provided sufficient information regarding the other information and data in [[Article 15 GDPR|Articles 15(1)]] and [[Article 15 GDPR|15(2) GDPR.]] 


The DPA also stated that the controller did not provide a copy of all the personal data being processed by the controller. The DPA used an example, stating that the controller had refused to provide access the data subject’s personal data contained in commercial documentation. The controller did not consider this this material in the context of GDPR related to the employment relationship between data subject and controller. The DPA stated that the fact that personal data was not processed in the context of the employment relationship was not per se sufficient to deny access. The controller had to provide a copy of all his personal data being processed by the company, unless the controller was able to demonstrate that one of the exceptions in [[Article 12 GDPR#5|Articles 12(5) GDPR]] or [[Article 15 GDPR#4|15(4) GDPR]] or Article 16 of the Norwegian Personal Data Act were applicable. However, the controller did not have to provide a copy of entire documents in which personal data are contained. It only refers to an unaltered copy the personal data undergoing processing.
The DPA concluded that the controller had to provide a copy of all the data subject's personal data being processed by the controller, unless the controller was able to demonstrate that one of the exceptions in [[Article 12 GDPR#5|Article 12(5) GDPR]], [[Article 15 GDPR#4|Article 15(4) GDPR]] or Article 16 of the Norwegian Personal Data Act were applicable. The DPA ordered the controller ([[Article 58 GDPR|Article 58(2)(d) GDPR]]) to provide all of the information the data subject requested, which had to be understandable and clear ([[Article 12 GDPR|Article 12(1) GDPR]]). This meant that the controller might needed to supply additional information explaining the data. However, the information did not need to be provided in machine readable format and could be provided in English, because the data subject had also been corresponding in English with the controller before.  


== Comment ==
== Comment ==
The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”) Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint Committee Decision”)
The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”) Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint Committee Decision”).


The Norwegian Personal Data Act incorporated the GDPR into Norwegian law. The Personal Data Act and the GDPR entered into force in Norway on 20 July 2018.
The Norwegian Personal Data Act incorporated the GDPR into Norwegian law. The Personal Data Act and the GDPR entered into force in Norway on 20 July 2018.

Latest revision as of 16:20, 6 December 2023

Datatilsynet - 21/02873-22
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 3(1) GDPR
Article 4(16) GDPR
Article 4(23) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(5) GDPR
Article 15 GDPR
Article 15(4) GDPR
Article 56(1) GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started: 26.08.2022
Decided: 22.05.2022
Published:
Fine: n/a
Parties: Zalaris ASA
National Case Number/Name: 21/02873-22
European Case Law Identifier: EDPBI:NO:OSS:D:2022:365
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 GDPR procedure, the Norwegian DPA ordered an HR-services provider, pursuant to Article 58(2)(d) GDPR, to provide the data subject with information he requested in an access request (Article 15 GPDR).

English Summary

Facts

The data subject was a former employee of a German subsidiary of the controller, a company offering human resources and payroll administration services. The controller had its headquarters in Norway. The data subject filed an access request two times. The first request was sent on 14 July to the CEO of the controller, who did not respond initially. The data subject filed a complaint with the Norwegian DPA (DPA) on 26 August 2021. The DPA recommended the data subject to send the request to the e-mail address the controller provided for requests. The data subject sent this second request on 28 September 2021. However, the controller only replied to this second request on 22 December 2021 after a reminder by the DPA. The controller also stated that the second request had mistakenly been marked as spam and had therefore not been answered. The controller apologised for the late reply and provided a copy of its privacy policy and a copy of personal data. According to the data subject, the controller did not provide all the information.

Holding

The DPA stated that the GDPR was applicable, since the controller had multiple establishments in the EU and the EEA (European Economic Area). It also processed personal data of its employees in the context of the activities of these establishment (Article 3(1) GDPR). The DPA also determined that the controller had its main establishment (Article 4(16) GDPR) in Norway and that its processing of the data subject’s personal data was cross-border processing (Article 4(23) GDPR). Therefore, the cooperation mechanism was applicable (Articles 56(1) GDPR and 60 GDPR), with the Norwegian DPA as lead supervisory authority (Article 56(1) GDPR).

The DPA stated that it was legitimate for the controller to expect that data subjects exercise their GDPR rights by using a communication channel specifically meant for such purpose. The CEO of a company could not be expected to be responsible for handling such requests. Therefore, the controller did not violate Articles 12(2) and 15 GDPR by failing to respond to the first request. The controller referred EDPB Guidelines to support its argument (“EDPB Guidelines on the Right of Access”, par. 55). However, the DPA stated that the controller violated Article 12(2) GDPR by failing to facilitate the right to access regarding the second request. Referring to the EDPB guidelines again, the DPA stated that the controller had, amongst other things, the obligation to take adequate technical and organizational measures to ensure that it can receive and handle access requests in a timely manner. Controllers must ensure that their communication channel is easy to use and effective. This includes providing 'state-of-the-art anti-spam protection' for email. The controller mistakenly treated the second request as spam, which led to the fact that this e-mail remained unanswered for almost three months. This resulted in the violation of Article 12(2) GDPR because the right of access (Article 15 GDPR) was not facilitated. This was a minor infringement because of several mitigating factors, such as the fact that that only one data subject was affected and that the controller had started using a CAPTCHA solution, which should be better at accurately detecting spam. Lastly, the controller did respond on 22 December 2021 to the request within the maximum 3 months’ period in Article 12(3) GDPR. Therefore, the DPA did not issue any corrective measures.

The DPA also held that the controller did not provide all the personal data and information under Articles Article 15(1)(a) to (h) and 15(2) GDPR . Specifically, the controller did not provide sufficient information on the purposes of processing (Article 15(1)(a) GDPR), because it processed data for other purposes besides those mentioned in the privacy policy (“EDPB Guidelines on the Right of Access”, par. 112). The controller also did not provide enough information regarding categories of data concerned (Article 15(1)(b) GDPR) because the provided information was not tailored to the individual case (“EDPB Guidelines on the Right of Access”, par. 113) The controller also did not provide enough information regarding storage periods (Article 15(1)(d) GDPR), because it did not enable the data subject to assess what the retention period would be for specific data/purposes. However, the DPA determined that the privacy policy provided sufficient information regarding the other information and data in Articles 15(1) and 15(2) GDPR.

The DPA concluded that the controller had to provide a copy of all the data subject's personal data being processed by the controller, unless the controller was able to demonstrate that one of the exceptions in Article 12(5) GDPR, Article 15(4) GDPR or Article 16 of the Norwegian Personal Data Act were applicable. The DPA ordered the controller (Article 58(2)(d) GDPR) to provide all of the information the data subject requested, which had to be understandable and clear (Article 12(1) GDPR). This meant that the controller might needed to supply additional information explaining the data. However, the information did not need to be provided in machine readable format and could be provided in English, because the data subject had also been corresponding in English with the controller before.

Comment

The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”) Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint Committee Decision”).

The Norwegian Personal Data Act incorporated the GDPR into Norwegian law. The Personal Data Act and the GDPR entered into force in Norway on 20 July 2018.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

FORDATAPRIVACYANDFREEDOMOFINFORMATION












                                                           Your: 12.11.2021
Management board member
                                                           Our: 28.02.2022 nr 2.1.-1/21/3286





Notice oftermination of the proceeding inregardto the protectionofpersonaldata

The proceeding of the Estonian DataProtection Inspectorate concerned the claim of a Lithuania
citizen                     (complainant) in regard to the fact that the
violated the requirements of GDPR.


Given the above, we initiated a supervision proceeding on the basis of clause 56 (3) 8) of the
PersonalData Protection Act.

During the proceeding,                      stated the following:

Our position is that in the case that was detailed in the inquiry, which includes a breach in
security regarding the processingof personaldata,                        is notat fault.

              has not processed the personal data of                        in their system in
relation to the described case because the services described in the case were notordered in
the systems of                       nor according to                       ’s guidelines. The
          application does notallow the commencementof ordering the services describedin
the inquiry and the applicationdoes nothave the functionality to do such things. The
is a tool for authentication and electronic signing which is meant for signing documents

electronically andlogging in to differentenvironments. We stress that                     does
notand has never takenpayments from               users.

It is true that on 23 March 2021 we requested on the             website that users update the
Android systemcomponents of their phones in the Google Play Store. The reasonfor this was
that Google had released a broken update for Google Chrome and Android SystemWebview
which was causing errors in differentapplications, including the             application. The

problemwasalsoconfirmedbyGooglethemselves.Googlethenreleasedanupdatewhichfixed
the issues that were caused by the previous update and the newupdate was required for not
only the seamless operation of               but also other applications. More information
regarding Google’s problemcan be found here.

Through the            website, we directedthe users ofthe service to applythe fixedupdate in
order for the service to function properly once again. Please note thatthere were no links, QR-

codes, or telephone numbers in the message we publishedon the              website. We simply
requested our clients to update their Google Chrome and Android System Webview in the
Google Play Store. The message readsas follows:                                        FORDATAPRIVACYANDFREEDOMOFINFORMATION





          application started crashing? Please update Google Chrome and Android System
Webview in Google Play Store. Google released a broken updatethatcauses applications to

crash and they have now also released fix for it. If thatdoes nothelp, please callour helpline
or contactus through the e-mailform.

In the message,                       did not request clients to scan a single QR-code, and
furthermore, the shortnumber1394is notused by us nor is itunder our control.


Therefore,                      does not knowwhere the person could have received the QR-
code for scanning or what exactly could have happened.                       doesnothave any
connections to the case besides requesting on our website that              users update their
Android components,as was described above.


                     has no knowledgeof the services provided by                        or the
details connected to the order that was described in the inquiry. Furthermore,
               does not have a contractual or any other kind of relationship with

                   .

Basedon the above, the Estonian Data Protection Inspectorate did not identify any violation of
the GDPR. For this reason, we are terminating the supervision proceedings.

This decision may be challenged within 30 days by submitting one of the two:
    -   A challenge to the Director General of the Estonian Data Protection Inspectorate
        pursuant to the Administrative Procedure Act , or
                                                                                              2
    -   Anappealto anadministrative court under the Code ofAdministrative Court Procedure
        (in this case,the challenge in the same matter canno longer be reviewed).


Respectfully



Lawyer
Authorised by the Director General




















1
2https://www riigiteataja.ee/en/eli/527032019002/consolide
 https://www riigiteataja.ee/en/eli/512122019007/consolide