Datatilsynet (Norway) - 21/03126

From GDPRhub
Revision as of 05:16, 24 March 2023 by Riealeksandra (talk | contribs) (→‎Facts: typo + added information on appeal)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet - 21/03126
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 33(1) GDPR
Article 58(2)(i) GDPR
Article 83(4)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started: 24.09.2021
Decided: 08.03.2023
Published: 16.03.2023
Fine: 2500000 NOK
Parties: n/a
National Case Number/Name: 21/03126
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Norwegian
Original Source: Datatilsynet (in NO)
Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined US-based Argon Medical Devices €220,337 (NOK 2,5 million) for failing to timely report a personal data breach affecting one employee in Norway, in violation of Article 33(1) GDPR.

English Summary

Facts

Between 21 May and 14 June 2021, Argon Medical Devices, Inc. (the controller) experienced a cyber security incident. It was discovered on 14 June 2021 when the controller's US Senior Vice President of Human Resources noticed missing emails in his inbox.

Upon further investigation, the controller determined that it had been subject to a business email compromise, perpetrated through an internal platform by an unauthorized third party, most likely through a phishing email. Consequently, the Director of Global IT Security put in place several cyber security measures, which appear to have contained the incident on 14 June 2021.

On 15 June 2021, they reported the incident to the local FBI Cybercrime Unit in the US and commenced an internal investigation to determine the extent and nature of the incident.

On 19 July 2021 they realized that personal data such as salary and benefits of all of their (20) European employees, including one in Norway, had been affected, and proceeded to assess whether the incident was reportable under Article 33(1) GDPR.

On 24 September 2021, after concluding that the incident was indeed reportable, the controller hired a Norwegian law firm to notify the Norwegian DPA. Since the controller has several establishments in the EU/EEA, they also sent similar breach notifications to several other European supervisory authorities.

In this regard, they acknowledged that “Argon in the US [i.e., Argon Medical Devices, Inc.] is the data controller with respect to the personal data connected to this Incident”. They also stated that their "European head office resides in Switzerland, and only its Swiss establishment enjoys a power of direction and control over its other EU/EEA establishments. Therefore, Argon does not have a main establishment in the EU/EEA for the purposes of Article 4(16) GDPR."

Consequently, the DPA concluded that the cooperation mechanism and procedure set out in Article 56(1) GDPR and Article 60 GDPR did not apply in this case and, thus, pursuant to Article 55(1) GDPR, the DPA was competent to perform the tasks assigned to them and exercise the powers conferred on them by the GDPR in relation to the personal data breach notification. The controller did not dispute this in their written representations.

On 4 October 2021 the DPA sent the controller a request for further information and asked them to, in particular, clarify why they concluded that the incident was reportable only on 21 September 2021.

The controller held that they had acted "without undue delay, to notify the supervisory authorities within 72 hours". Their main claim was that it was necessary to investigate the incident in order to determine if it was reportable or not, which they were only able to conclude on 21 September 2021.

On 31 January 2022, the DPA sent the controller an advance notification of their intention to fine them NOK 2 500 000 for having violated Article 33(1) GDPR. Despite several exchanges where the controller continued to argue they had indeed sent the notification in time, the DPA upheld their conclusion and issued the final decision on 8 March 2023.

The controller then appealed the decision to the Norwegian Privacy Appeals Board, where it's currently pending.

Holding

Pursuant to Article 58(2)(i) GDPR and Article 83(4)(a) GDPR, the DPA imposed an administrative fine of €220,337 (NOK 2 500 000) against Argon Medical Devices, Inc. for violating Article 33(1) GDPR by failing to notify a personal data breach without undue delay.

Comment

Comment by initial contributor (RAW): Notably, the Norwegian DPA decided to impose a rather signficant fine despite the UK Information Commissioner’s Office (ICO) and other EU supervisory authorities closing the case with no further action, after having received essentially the same notification. The case concerned only one person and, as the DPA writes themselves, "Thus, potentially, it could have serious consequences and adverse effects for data subjects, although no such effects appear to have materialized to date." and "the level of potential impact for the affected individuals is significant".

Finally, the decision seems not to be in line with other cases when comparing the sanctions imposed to case matter, see for example AP - booking.com B.V., UODO - DKN.5131.6.2020 and DPC (Ireland) - DPC ref: IN-20-4-1 where significant higher numbers of data subjects were affected, concerning arguably more sensitive personal data.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Argon Medical Devices, Inc.
 2600 Dallas Parkway, Suite 440
 Frisco, TX 75034 USA










Your reference          Our reference                                      Date

                        21/03126-13                                        08.03.2023



Administrative Fine — Argon Medical Devices, Inc.

    1. Introduction and Summary


The Norwegian Data Protection Authority (“Datatilsynet”, “we”, “us”, “our”) is the
independent supervisory authority responsible for monitoring the application of the General
                                        1
Data Protection Regulation (“GDPR”) with respect to Norway.

On 24 September 2021, Argon Medical Devices, Inc. (“Argon”, “you”, “your”, the “company”)
submitted a personal data breach notification to Datatilsynet pursuant to Article 33(1) GDPR.
Such notification concerned a cyber security incident that Argon experienced between 21 May

and 14 June 2021, which affected the personal data of all of Argon’s European employees,
including one employee in Norway.


Further to an inquiry into this matter, Datatilsynet found that Argon became aware of the
personal data breach in question at least on 19 July 2021, and that it notified the breach to
Datatilsynet 67 calendar days after that date, thus well beyond the statutory deadline imposed

by Article 33(1) GDPR for personal data breach notifications.

In light of the above and for the reasons outlined below, Datatilsynet issues an administrative

fine of NOK 2 500 000 (two million and five hundred thousand) against Argon for having
infringed Article 33(1) GDPR.


    2. Decision

Pursuant to Articles 58(2)(i) and 83(4)(a) GDPR, we impose an administrative fine of NOK

2 500 000 (two million and five hundred thousand) against Argon Medical Devices, Inc. for:


1
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) OJ [2018] L 119/1.

Postal address:  Office addressPhone:         Ent.reg:        Home page:
P.O. Box 458 Sentrum Trelastgat+47 22 39 69 00974 761 467     www.datatilsynet.no/en/
N-0105 OSLO      N-0191 OSLO    •   having infringed Article 33(1) GDPR by failing to notify a personal data breach without

        undue delay.

Our inquiry has only focused on Argon’s compliance with Article 33(1) GDPR. Thus, the

present decision is without prejudice to the possibility of opening future inquiries into Argon’s
compliance with other provisions of the GDPR, including with the security requirements
imposed by Articles 5(1)(f) and 32 GDPR and the data protection officer requirements laid
down in Articles 37-39 GDPR.


    3. Factual Background


On 24 September 2021, the law firm Ræder AS wrote to Datatilsynet to inform us—on behalf
of Argon—that between 21 May and 14 June 2021 Argon had experienced a cyber security
incident, which affected the personal data of all of Argon’s employees in Europe, including one
                       2
employee in Norway. Argon sent an analogous personal data breach notification to several
other European supervisory authorities.   3


The incident at hand concerned an unauthorized access to the mailbox account of Argon’s US
Senior Vice President of Human Resources. Most notably, the threat actor had accessed a
spreadsheet containing personal data such as salary and benefits of all of Argon’s European
employees, including a Norwegian employee, which was contained in the
                                     7
connected to that mailbox account.

Argon has indicated that the personal data affected by the incident include the following kinds

of data:

        (a) Name


        (b) Job Title


        (c) Location (which only includes the City and Country of the respective employee)

        (d) Employee Hire date


        (e) Statutory holiday entitlement

        (f) Total salary 2020


2See Notification of Personal Data Breach - Argon Medical Devices, lnc. (ref: 129172) (hereinafter “Argon’s
Notification”). Argon’s Notification was wrongly dated 24 September 2020, but it was submitted to Datatilsynet
on 24 September 2021.
3Ibid., para. 2.7.
4
5Ibid., paras. 1.1-1.7.
6Ibid., paras. 1.4 and 2.2-2.6.
 It should be noted that, although Argon’s notification generally refers to “Argon's employees within the EU and
UK” or “EU/UK employees”, such references are to be understood as encompassing also EEA employees, as
Argon’s Notification makes express reference to Norway (see e.g. para. 2.5).
7Argon’s Notification, para. 1.4.



                                                                                                  2        (g) Bonus


        (h) Employer paid social charges


        (i) Employer paid pension & Insurance

        0) Additional employer paid benefits


        (k) Company car/Car allowance/Mileage.      8


In its notification to Datatilsynet, “Argon recognises that the Involved Data, being salary and
benefits information, is subject to a greater degree of sensitivity on the part of the employees.”9
However, Argon considered that the steps it took after it discovered the incident mitigated the
                                    10
risks to the individuals concerned.

The timeline of the incident, and the steps taken by Argon in response to it, may be summarized
as follows:


    •   On 14 June 2021 at 20:24 UTC, Argon’s IT security team was alerted by the company’s
        US Senior Vice President of Human Resources of an oddity in his day-to-day activity,
                                                                            11
        namely that he appeared to be missing emails within his mailbox.


    •   Upon further investigation, Argon determined that it had been subject to a business
        email compromise, perpetrated through its                     platform by an unauthorized
        third party, most likely through a phishing email. Argon also determined that such a
        third party may have logged in to the relevant mailbox account on 21 May 2021 at 18:06

        UTC, and that the third party commenced substantive activity on that account on 25
        May 2021.  12


    •   Upon discovery of the incident, Argon’s Director of Global IT Security put in place
        several cyber security measures, which appear to have contained the incident on 14 June
        2021. 13


    •   Thereafter, on 15 June 2021, Argon reported the incident to the local FBI Cybercrime
        Unit in the United States.14






8
9Argon’s Notification, para. 2.4.
10bid., para. 2.6.
11Ibid., para. 3.1.
 Ibid., para. 1.1.
12Ibid., paras. 1.1-1.2.
13Ibid.
14Ibid., para. 4.4.



                                                                                                  3    •   Following containment of the incident, Argon commenced an internal investigation to
        determine the extent and nature of the incident. This led to the discovery—on 19 July
        2021—that the personal data of Argon’s European employees had been affected by the

        incident. In this regard, Argon’s notification to Datatilsynet states:

               further investigation […] completed by Argon and its cyber forensic expert on
               l9 July 2021, revealed that two files within the                connected to the

               Mailbox Account (the “Share Files”) were accessed by the Threat Actor, as
               detailed in the             logs. These Share Files included […] a spreadsheet
               containing the salary and benefits personal data of all 20 of Argon's European
               employees (including 16 employee located in EU/UK jurisdictions […]).      16


        The notification further states:

               Argon only became fixed with knowledge of the Share File relating to the

               personal data of the l6 EU/UK employees (and additional 4 Swiss employees)
               on 19 July 2021. 17


    •   After having realized that the incident had affected the personal data of individuals in
        several EU/EEA countries, Argon undertook an assessment of whether the incident was
        reportable under Article 33(1) GDPR. This assessment revealed that the incident was
        reportable, as Argon concluded that:


               (i) a qualifying personal data breach, (ii) involving personal data, (iii)
               connected to 16 UK (and EU) individuals including 1 Norwegian individual, (iv)
               that was not unlikely to result in a risk to the rights and freedoms of said
                                          18
               individuals, had occurred.

    •   Therefore, Argon submitted a personal data breach notification to Datatilsynet and

        several other European supervisory authorities on 24 September 2021.

In essence, 67 calendar days elapsed from the moment in which Argon become “fixed with
knowledge” that the incident had affected the personal data of individuals in the EU/EEA on

19 July 2021 until it notified Datatilsynet on 24 September 2021. Argon’s notification to
Datatilsynet explained this temporal gap as follows:

        Argon only became aware with a reasonable degree of certainty that, in all the

        circumstances of the Incident and the personal data involved […], the Incident may be
        reportable on 21 September 2021, upon receipt of related advice from its legal advisers,




15Ibid., para. 1.2.
16Ibid., para. 1.4 (emphasis added).
17Ibid., para. 1.7 (emphasis added).
18Ibid., page 1.
19Ibid., para. 1.7.




                                                                                               4        and coordination of legal counsel across the EU and UK jurisdictions in scope for the
                 20
        Incident.

Upon receipt of Argon’s notification, Datatilsynet sent Argon a request for further information
                      21
on 4 October 2021.       In particular, Datatilsynet asked Argon to describe the activities it
undertook between l9 July and 21 September 2021 in relation to the incident, and asked the
company to clarify why it claimed that it became aware that the incident was reportable only

on 21 September 2021.

On 28 October 2021, Argon answered Datatilsynet’s questions. In its letter to Datatilsynet,

Argonreiterateditsviewthatthecompanyacted“withoutunduedelay,tonotifythesupervisory
authorities within 72 hours […] by 24 September 2021”. It also described the steps it took in
relation to the incident in the period from 19 July to 21 September 202l, and provided further

updates and clarifications on the incident and related notifications it filed in Europe. It also
informed Datatilsynet that, on 20 October 2021, Argon proceeded to notify all of the data
subjects affected by the incident. 24


On 31 January 2022, Datatilsynet sent Argon an advance notification of its intention to issue
an administrative fine of NOK 2 500 000 (two million and five hundred thousand) against
                                                   25
Argon for having violated Article 33(1) GDPR.

On 22 February and 11 March 2022, Argon submitted written representations to Datatilsynet
                                                                                 26
regarding the contested violation and envisaged administrative fine.                In its written
representations, Argon essentially confirmed the factual elements it provided in the personal
databreachnotificationitsenttoDatatilsynetinSeptember2021,butaddedthat“Argon’sthird-

party forensic expert undertook a comprehensive forensic investigation from 1 July 2021 to 29
July 2021, when Argon received the full findings and conclusions of the investigation”.            27
However, as Argon never mentioned the date of 29 July 2021 in its personal data breach

notification (or in the response it sent us on 28 October 2021), Datatilsynet asked Argon to
confirm the correctness of such a date, and whether the reference to the date of 19 July 2021 in
the notification was correct. In its response, Argon confirmed the correctness of the information

provided in the personal data breach notification, but noted that “Argon considers that both
dates form part of the chronology, each forming part of the continuum of the full and
comprehensive forensic investigation Argon undertook with the assistance of a third-party
expert.”28 In essence, Argon confirmed the correctness of the information provided in the

personal data breach notification, which constitutes the primary evidence to be taken into
account for the purpose of the present case.


20Ibid., para. 1.7.
21See Datatilsynet’s letter to Argon dated 4 October 2021 (ref: 21/03126-3).
22See Argon’s letter to Datatilsynet dated 28 October 2021 (ref: 729172/129172) (hereinafter “Argon’s Response
to Datatilsynet”).
23Ibid., para. 3.3.
24
25Ibid. para. 7.1.
26See Datatilsynet’s letter to Argon dated 31 January 2022 (ref: 21/03126-6).
  See Argon’s letters to Datatilsynet dated 22 February and 11 March 2022.
27See Argon’s letter to Datatilsynet dated 22 February 2022, p. 9.
28See Argon’s letter to Datatilsynet dated 11 March 2022, p. 4.



                                                                                                   5The present decision takes account of Argon’s written representations. However, in our view,
Argon’s submissions do not warrant any significant changes in our assessment of the present
case, as outlined in further detail below.

    4. Legal Background

    4.1. Scope of Application of the GDPR


Under Article 2(1) GDPR, the Regulation:

    […] applies to the processing of personal data wholly or partly by automated means and to
    the processing other than by automated means of personal data which form part of a filing
    system or are intended to form part of a filing system.

Moreover, Article 3(1) GDPR provides that the Regulation:


    […] applies to the processing of personal data in the context of the activities of an
    establishment of a controller or a processor in the Union, regardless of whether the
    processing takes place in the Union or not.

    4.2. Definitions

The GDPR lays down the following definitions, which are relevant in the present case:


Pursuant to Article 4(1) GDPR:

    “personal data” means any information relating to an identified or identifiable natural
    person (“data subject”); an identifiable natural person is one who can be identified,
    directly or indirectly, in particular by reference to an identifier such as a name, an
    identification number, location data, an online identifier or to one or more factors specific

    to the physical, physiological, genetic, mental, economic, cultural or social identity of that
    natural person.

Pursuant to Article 4(2) GDPR:

    “processing” means any operation or set of operations which is performed on personal
    data or on sets of personal data, whether or not by automated means, such as collection,
    recording, organisation, structuring, storage, adaptation or alteration, retrieval,

    consultation, use, disclosure by transmission, dissemination or otherwise making available,
    alignment or combination, restriction, erasure or destruction.

Pursuant to Article 4(7) GDPR:

    “controller” means the natural or legal person, public authority, agency or other body
    which, alone or jointly with others, determines the purposes and means of the processing




                                                                                              6    of personal data; where the purposes and means of such processing are determined by
    Union or Member State law, the controller or the specific criteria for its nomination may
    be provided for by Union or Member State law.

Pursuant to Article 4(12) GDPR:

    “personal data breach” means a breach of security leading to the accidental or unlawful

    destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
    transmitted, stored or otherwise processed.

    4.3. Notification of a Personal Data Breach to the Competent Supervisory Authority

Article 33 GDPR sets out personal data breach notification requirements. In particular, Article
33(1) provides that:


    In the case of a personal data breach, the controller shall without undue delay and, where
    feasible, not later than 72 hours after having become aware of it, notify the personal data
    breach to the supervisory authority competent in accordance with Article 55, unless the
    personal data breach is unlikely to result in a risk to the rights and freedoms of natural
    persons. Where the notification to the supervisory authority is not made within 72 hours, it
    shall be accompanied by reasons for the delay.


Further, Article 33(4) reads:

    Where, and in so far as, it is not possible to provide the information at the same time, the
    information may be provided in phases without undue further delay.


    4.4. Competence, Tasks and Powers of Supervisory Authorities under the GDPR

Pursuant to Article 55(1) GDPR:

    Each supervisory authority shall be competent for the performance of the tasks assigned to
    and the exercise of the powers conferred on it in accordance with this Regulation on the
    territory of its own Member State.


Further, Article 56(1) GDPR reads as follows:

    Without prejudice to Article 55, the supervisory authority of the main establishment or of
    the single establishment of the controller or processor shall be competent to act as lead
    supervisory authority for the cross-border processing carried out by that controller or
    processor in accordance with the procedure provided in Article 60.


The term “main establishment” is defined in Article 4(16) GDPR as follows:

    “main establishment” means:





                                                                                               7        (a) as regards a controller with establishments in more than one Member State, the
            place of its central administration in the Union, unless the decisions on the purposes
            and means of the processing of personal data are taken in another establishment of
            the controller in the Union and the latter establishment has the power to have such
            decisions implemented, in which case the establishment having taken such decisions
            is to be considered to be the main establishment; […].


Pursuant to Article 58(2) GDPR:

        Each supervisory authority shall have all of the following corrective powers:

        (a)     to issue warnings to a controller or processor that intended processing
        operations are likely to infringe provisions of this Regulation;


        (b)     to issue reprimands to a controller or a processor where processing operations
        have infringed provisions of this Regulation;

        (c)     to order the controller or the processor to comply with the data subject's
        requests to exercise his or her rights pursuant to this Regulation;

        (d)     to order the controller or processor to bring processing operations into

        compliance with the provisions of this Regulation, where appropriate, in a specified
        manner and within a specified period;

        (e)     to order the controller to communicate a personal data breach to the data
        subject;


        (f)     to impose a temporary or definitive limitation including a ban on processing;

        (g)     toordertherectificationorerasureofpersonaldataorrestrictionofprocessing
        pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to
        whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

        (h)     to withdraw a certification or to order the certification body to withdraw a

        certification issued pursuant to Articles 42 and 43, or to order the certification body not
        to issue certification if the requirements for the certification are not or are no longer
        met;

        (i)     to impose an administrative fine pursuant to Article 83, in addition to, or
        instead of measures referred to in this paragraph, depending on the circumstances of
        each individual case;


        (j) to order the suspension of data flows to a recipient in a third country or to an
            international organisation.






                                                                                                 8    4.5. General Conditions for Imposing Administrative Fines

The general conditions for imposing administrative fines are laid down in Article 83 GDPR. In
particular, Article 83(1) provides that:

        Each supervisory authority shall ensure that the imposition of administrative fines
        pursuant to this Article in respect of infringements of this Regulation referred to in

        paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and
        dissuasive.

Further, Article 83(2) states:

        Administrative fines shall, depending on the circumstances of each individual case, be
        imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of

        Article 58(2). When deciding whether to impose an administrative fine and deciding on
        the amount of the administrative fine in each individual case due regard shall be given
        to the following:

        (a)     the nature, gravity and duration of the infringement taking into account the
        nature scope or purpose of the processing concerned as well as the number of data
        subjects affected and the level of damage suffered by them;


        (b)     the intentional or negligent character of the infringement;

        (c)     any action taken by the controller or processor to mitigate the damage suffered
        by data subjects;


        (d)     the degree of responsibility of the controller or processor taking into account
        technical and organisational measures implemented by them pursuant to Articles 25
        and 32;

        (e)     any relevant previous infringements by the controller or processor;

        (f)     the degree of cooperation with the supervisory authority, in order to remedy the

        infringement and mitigate the possible adverse effects of the infringement;

        (g)     the categories of personal data affected by the infringement;

        (h)     the manner in which the infringement became known to the supervisory
        authority, in particular whether, and if so to what extent, the controller or processor
        notified the infringement;


        (i)     where measures referred to in Article 58(2) have previously been ordered
        against the controller or processor concerned with regard to the same subject-matter,
        compliance with those measures;





                                                                                                  9        (j)     adherence to approved codes of conduct pursuant to Article 40 or approved
        certification mechanisms pursuant to Article 42; and

        (k)     any other aggravating or mitigating factor applicable to the circumstances of

        thecase,suchasfinancialbenefitsgained,orlossesavoided,directlyorindirectly,from
        the infringement.

Moreover, Article 83(4)(a) reads:


        Infringements of the following provisions shall, in accordance with paragraph 2, be
        subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking,
        up to 2 % of the total worldwide annual turnover of the preceding financial year,
        whichever is higher:


        (a)     the obligations of the controller and the processor pursuant to Articles 8, 11,
                25 to 39 and 42 and 43.



    4.6. EEA and Norwegian Law

The GDPR has been incorporated into Annex XI to the European Economic Area (“EEA”)

Agreement by means of Decision of the EEA Joint Committee No 154/2018 (“EEA Joint
Committee Decision”).   29

Article 1(b) of the EEA Joint Committee Decision provides that:


    […] the terms “Member State(s)” and “supervisory authorities” shall be understood to
    include, in addition to their meaning in the Regulation, the EFTA States and their
    supervisory authorities, respectively.


Further, Article 1(c) of the EEA Joint Committee Decision reads as follows:

    References to Union law or Union data protection provisions shall be understood as

    referring to the EEA Agreement or data protection provisions contained therein,
    respectively.

The Norwegian Personal Data Act incorporated the GDPR into Norwegian law. The Personal
                                                                         31
Data Act and the GDPR entered into force in Norway on 20 July 2018.





29 Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 amending Annex XI (Electronic
communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in
Article 101) to the EEA Agreement OJ [2018] L 183/23.
30Act No 38 of 15 June 2018 relating to the processing of personal data (“personopplysningsloven”).
31Ibid., § 32.




                                                                                               10    5. Datatilsynet’s Competence

In its notification to Datatilsynet, Argon stated:


        Argon has a global presence, with customer service, direct sales and manufacturing
        facilities in multiple jurisdictions, including but not limited to, Singapore, the US and
                                                           32
        Europe (France, Denmark, Norway, and others).

Thus,ArgonhasseveralestablishmentsintheEU/EEA,includinginNorway,andinthecontext
of the activities of these establishments it processes personal data, including personal data of

its European employees. Therefore, the GDPR applies to such data processing activities in
accordance with Article 3(1) GDPR. In this regard, Argon acknowledged that “Argon in the US
[i.e., Argon Medical Devices, Inc.] is the data controller with respect to the personal data
connected to this Incident”. 33


Argon has also indicated that:


        Argon’s European head office resides in Switzerland, and only its Swiss establishment
        enjoys a power of direction and control over its other EU/EEA establishments.
        Therefore, Argon does not have a main establishment in the EU/EEA for the purposes
        of Article 4(16) of the GDPR.  34


Consequently,thecooperationmechanismandproceduresetoutinArticles56(1)and60GDPR
do not apply in this case, as the existence of a “main establishment” in the EU/EEA is one of
                                                                                      35
the key conditions for the application of the so-called One-Stop-Shop mechanism. Therefore,
pursuant to Article 55(1) GDPR, we are competent to perform the tasks assigned to us and
exercise the powers conferred on us by the GDPR in relation to the personal data breach
notification that Argon submitted to Datatilsynet. This was not disputed by Argon in its written
                 36
representations.

It should be made clear that our competence is limited to safeguarding the data protection rights
of Norwegian data subjects and to ensuring compliance with the GDPR with respect to Norway.

Therefore, it is without prejudice to the competence of supervisory authorities in other
countries. Further, Datatilsynet is not bound by any decisions that other European supervisory
authorities may take regarding the personal data breach notifications that Argon submitted to

such authorities. Therefore, for the purposes of the present case, it is immaterial that the UK
Information Commissioner’s Office (“ICO”) decided to issue a closure letter after having
received essentially the same notification that was sent to Datatilsynet,     37 or that other EU
supervisory authorities have—at least thus far—decided to take no further action after having



32Argon’s Notification, page 1 (emphasis added).
33Ibid.
34Argon’s Response to Datatilsynet, para. 1.1.
35See Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020), pp. 961-
962.
36Cf. Argon’s letter to Datatilsynet dated 22 February 2022.
37See Argon’s Response to Datatilsynet, paras. 5.1-5.4.




                                                                                                11                               38
received Argon’s notification. Incidentally, however, it should be noted that a closure letter is
not per se evidence of compliance, as it is not issued further to a full investigation and may
simply reflect the enforcement priorities of a given authority. Moreover, the letter that the ICO
sent to Argon appears to refer only to Article 5(1)(f) UK GDPR, but does not seem to make any

reference to or comments on Article 33(1) UK GDPR, which is the equivalent provision of
Article 33(1) GDPR (i.e., the statutory provision at issue in the present case). Similarly, none
of the EU supervisory authorities that decided to take no further action after having received

Argon’s data breach notification40as expressly stated that Argon has complied with the deadline
set out in Article 33(1) GDPR.

    6. Datatilsynet’s Assessment


    6.1. Findings of an Infringement of Article 33(1) GDPR

        6.1.1. Introduction


As noted above in the Legal Background, Article 33 GDPR imposes personal data breach
notification obligations on controllers. Under Article 33(1), a controller that experiences a
personal data breach (within the meaning of Article 4(12) GDPR) must:


        notify the personal data breach to the supervisory authority competent in accordance
        with Article 55, unless the personal data breach is unlikely to result in a risk to the
        rights and freedoms of natural persons.


Concerning the timeframe of the notification, Article 33(1) GDPR stipulates that the controller
must notify the personal data breach:


        without undue delay and, where feasible, not later than 72 hours after having become
        aware of it.


The rationale behind such notification requirements is that, on the one hand, breach disclosure
requirements enable supervisory authorities to provide guidance on whether the affected
individuals should be notified of the breach and to adopt any other measures they may deem
appropriate to safeguard their rights and, on the other hand, they provide additional incentives
                                                                                  41
to operators to ensure adequate levels of security of their information systems.

The European Data Protection Board (“EDPB”) has emphasized this by stating that:


        […] breach notification should be seen as a tool enhancing compliance in relation to
        the protection of personal data. […]




38See Argon’s letter to Datatilsynet dated 22 February 2022, para. 7.4.
39See Argon’s Response to Datatilsynet, paras. 5.1-5.4.
40Cf. Argon’s letter to Datatilsynet dated 22 February 2022, para. 7.4.
41Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary (OUP 2020), p. 190.




                                                                                                12        Notifying the supervisory authority within the first 72 hours can allow the controller to

        make sure that decisions about notifying or not notifying individuals are correct.

        However, the purpose of notifying the supervisory authority is not solely to obtain
        guidance on whether to notify the affected individuals.  42


In this respect, Recital 85 GDPR notes that:

        A personal data breach may, if not addressed in an appropriate and timely manner,
        result in physical, material or non-material damage to natural persons such as loss of

        control over their personal data or limitation of their rights, discrimination, identity
        theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to
        reputation, loss of confidentiality of personal data protected by professional secrecy or
        any other significant economic or social disadvantage to the natural person concerned.

        Therefore, as soon as the controller becomes aware that a personal data breach has
        occurred, the controller should notify the personal data breach to the supervisory
        authority […]

Further, Recital 87 GDPR emphasizes that:


        […] Such notification may result in an intervention of the supervisory authority in
        accordance with its tasks and powers laid down in this Regulation.


In essence, as noted by the EDPB, “compliance with Articles 33(1) […] GDPR [is] central to
the overall functioning of the supervision and enforcement regime” under the GDPR.       43

Hence, the following assessment of Argon’s compliance with Article 33(1) GDPR should be

read and understood in light of the aforementioned key role that Article 33(1) plays within the
GDPR’s regulatory regime.

        6.1.2. Argon’s Reportable Personal Data Breach


In the present case, it is uncontested that Argon experienced a personal data breach within the
meaning of Article 4(12) GDPR and that such breach was reportable to Datatilsynet in
accordance with Article 33(1). Indeed, Argon decided to notify Datatilsynet, as it concluded
that:


        the Incident involved (i) a qualifying personal breach, (ii) involving personal data, (iii)
        connected to 16 UK (and EU) individuals including 1 Norwegian individual, (iv) that


42Article 29 Data Protection Working Party (WP29), Guidelines on Personal Data Breach Notification under
Regulation 2016/679 (WP250rev.01, as revised and adopted on 6 February 2018) (hereinafter “Personal Data
Breach Notification Guidelines”), p. 12. These guidelines have been endorsed by the EDPB. See EDPB,
Endorsement 1/2018 (adopted on 25 May 2018).
43EDPB, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding
Twitter International Company under Article 65(1)(a) GDPR (adopted on 09 November 2020) (hereinafter “EDPB
Decision 01/2020”), para. 193.




                                                                                                13        was not unlikely to result in a risk to the rights and freedoms of said individuals had
        occurred. 44


However, for the sake of completeness, Datatilsynet considers that the cyber security incident
experienced by Argon between May and July 2021 falls within the definition of “personal data
breach” in Article 4(12), as it consists in “a breach of security leading to the […] unauthorised

disclosure of, or access to, personal data transmitted, stored or otherwise processed” by
Argon. 45 In fact, as mentioned above in the Factual Background, the incident concerned an
unauthorized access to a spreadsheet containing personal data (e.g., salary and benefits of

employees) through the mailbox account of Argon’s US Senior Vice President of Human
Resources, most likely through a phishing email.

                                    46
As acknowledged by Argon itself, the personal data breach at hand is not unlikely to result in
a risk to the affected individuals’ rights and freedoms. This is also because it is not unlikely
that—as a result of the breach—Argon’s employees could suffer significant detriment due to
the disclosure of information about them, such as their salary and benefits, to unintended

recipients (e.g., identity theft or fraud), a disclosure that does not necessarily require the
exfiltration of the data. At any rate, even if Argon claims that the measures it took after the
breach significantly mitigate such risk, Argon was not able to exclude this risk promptly after

having become aware of the breach.

Consequently, the personal data breach at hand was reportable for the purposes of Article 33(1).


This is further supported by the EDPB’s Guidelines on Examples regarding Data Breach
Notification, which describe as reportable—both to the competent supervisory authority and to
the affected data subjects—an incident in which an attacker gained access to information on the

salary of several employees of a company by exfiltrating emails from that company’s mailbox
accounts. The latter scenario is not identical but is highly comparable to the present case. The
main difference is that in the present case employees’ personal data were accessed—but do not

appeartobeexfiltrated—by the unauthorizedthirdparty.Thisdifferenceis,however,irrelevant
for present purposes, as the definition of “personal data breach” in Article 4(12) GDPR also
covers “unauthorised […] access to, personal data”. Instead, the example provided in the
Guidelines presents numerous significant similarities to the present case: in both cases, the

attacker altered the rules within the mailbox account of a company; the attacker was probably


44Argon’s Response to Datatilsynet, para. 3.2(e). See also Argon’s letter to Datatilsynet dated 22 February 2022,
para. 4.13.
45Cf. Art. 4(12) GDPR.
46Argon’s Response to Datatilsynet, para. 3.2(e) (stating that Argon concluded in September 2021 that the breach

47as not unlikely to result in a risk to the rights and freedoms of said individuals had occurred”).
48Contrary to what Argon seems to suggest. See Argon’s letter to Datatilsynet dated 22 February 2022, p. 14-15.
49Ibid.
  EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification of the European Data Protection
Board (Adopted on 14 December 2021, Version 2.0) (hereinafter “EDPB Guidelines on Examples regarding Data
BreachNotification”),page32.Itshouldbenotedthatafirstversionoftheseguidelineswasadoptedandpublished
in January 2021(hence, before the Argon’s personal data breach), and that such first version of the guidelines
included the same example cited above. See EDPB, Guidelines 01/2021 on Examples regarding Data Breach
Notification, Adopted on 14 January 2021, Version 1.0, page 31.



                                                                                                  14not aiming at collecting personal data, but created a forged invoice, by way of social
engineering, in order to facilitate a misdirected payment; the attacker gained access to
employees’ personal data, such as name and salary.   50


        6.1.3. Moment at Which Argon Became Aware of the Personal Data Breach

Under Article 33(1) GDPR, a controller must report a personal data breach “without undue

delay and, where feasible, not later than 72 hours after having become aware of it” (emphasis
added).

Thus, to assess whether a controller has complied with its reporting obligations under Article

33(1), it must first be assessed whether and when the controller has “become aware” of a
“personal data breach”, as this is the moment when the statutory 72 hours deadline starts to run.

Contrary to what Argon seems to suggest, the timeframe for notification under Article 33(1)

commences from when the controller “become[s] aware” that a “personal data personal breach”
has taken place, and not from when the controller has a reasonable certainty that the breach is
not unlikely to result in a risk to the rights and freedoms of natural persons. In other words, the
deadline starts to run when the controller becomes aware of a “personal data breach”, and not

when the controller becomes aware that the personal data breach in question is notifiable in
accordance with Article 33(1) GDPR. As noted by the EDPB, the likely risks for individuals
should be determined during the 72 hours after the controller has “became aware” of the
personal data breach:


        Once the controller has become aware, a notifiable breach must be notified without
        undue delay, and where feasible, not later than 72 hours. During this period, the

        controller should assess the likely risk to individuals in order to determine whether the
        requirement for notification has been triggered, as well as the action(s) needed to
        address the breach. (emphasis added)


This clearly emerges also from the wording of Article 33(1): “not later than 72 hours after
having become aware of it” (emphasis added), “it” being the “personal data breach” mentioned
in the opening sentence of Article 33(1) and defined in Article 4(12) GDPR.


In essence, the statutory 72 hours deadline starts to run when the controller has a reasonable
degree of certainty that an incident falling within the definition of “personal data breach” in


50Ibid. Cf. Argon’s Notification, pp. 2 and 3.
51See Argon’s Response to Datatilsynet, para. 3.2(e) (stating: “This investigative process and outcomes based
response strategy concluded on 21 September 2021, allowing Argon to conclude, in light of forensic findings and
legal analyses, that the Incident involved (i) a qualifying personal breach, (ii) involving personal data, (iii)
connected to 16 UK (and EU) individuals including 1 Norwegian individual, (iv) that was not unlikely to result in
a risk to the rights and freedoms of said individuals had occurred. Prior to this date, Argon did not consider that it
did not possess the requisite degree of reasonable certainty in relation to the Incident” (emphasis added)). See also
Argon’s letter to Datatilsynet dated 22 February 2022 (stating: “Argon remains of the view that it only became
fixed with knowledge that the Incident affected UK/EU individuals that were subject to the GDPR satisfying the
threshold for notification under Article 33 on 21 September 2021”(emphasis added)).
52Personal Data Breach Notification Guidelines, p. 11.




                                                                                                15Article 4(12) GDPR has taken place. This knowledge materializes when the controller becomes
aware of the existence of a breach that meets all of the constituent elements of the definition in
Article 4(12) GDPR. In other words, the 72 hours deadline starts to run when the controller
becomes aware that:


        •   A “breach of security” has taken place;


        •   Such a breach of security has led to the “unauthorised disclosure of, or access to”
            data transmitted, stored or otherwise processed (or one of the other kinds of security
            breaches mentioned in Article 4(12)); and


        •   Such a breach of security has affected “personal data”.

This is further supported by the EDPB’s Guidelines on Personal Data Breach Notification,

which state that:

        a controller should be regarded as having become ‘aware’ when that controller has a
        reasonable degree of certainty that a security incident has occurred that has led to
                                            54
        personal data being compromised. (emphasis added)

Argonbecameawareofalloftheseelementsatleaston19July2021.Thisisbecause,according
to the notification it submitted to Datatilsynet on 24 September 2021:


    •   “On 14 June 2021 […] Argon determined it had been subject to a business email
        compromise, perpetrated through its                     platform by an unauthorised third
                                  55
        party” (emphasis added). Thus, on 14 June 2021, Argon had specific knowledge that
        a “breach of security” had taken place, even though at the time it did not know the exact
        implications of that breach.


    •   “further investigation […] completed by Argon and its cyber forensic expert on l9 July
        2021, revealed that two files within the              connected to the Mailbox Account
        (the ‘Share Files’) were accessed by the Threat Actor” (emphasis added). Therefore,
        on 19 July 2021, Argon had specific knowledge that the identified security incident had

        led to the “unauthorised disclosure of, or access to” data transmitted, stored or otherwise
        processed by the company. This qualifies the breach as a “confidentiality breach”.    57


    •   On the same date (i.e., on 19 July 2021), Argon became aware that the above “Share
        Files included (i) a spreadsheet containing the salary and benefits personal data of all


53To be covered by the Article 4(12) definition, a breach must have three key attributes: (1) it must concern a
violation of “security measures” (2) leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, data (3) which qualify as “personal data”. See Kuner et al, The EU General Data
Protection Regulation (GDPR): A Commentary (OUP 2020), p. 191.
54Personal Data Breach Notification Guidelines, pp. 10-11.
55Argon’s Notification, para. 1.1.
56Ibid., para. 1.4.
57Personal Data Breach Notification Guidelines, p. 7.




                                                                                                16                                                                 58
        20 of Argon’s European employees” (emphasis added). Thus, on 19 July 2021, Argon
        had specific knowledge that the breach had affected “personal data” of individuals in
        Europe,includinginNorway. Indeed,Argonexpresslystatedinitspersonaldatabreach
        notification that Argon “became fixed with knowledge of the Share File relating to the

        personal dat59of the l6 EU/UK employees (and additional 4 Swiss employees) on 19
        July 2021”.

In light of the above, the deadline for Argon’s notification to Datatilsynet under Article 33(1)
GDPR started to run at least from 19 July 2021.


It bears emphasizing that the issue of controller “awareness”, and its role in terms of defining
the timeframe within which notification is required to take place, must be understood in the
context of the broader obligation on a controller to ensure that it has appropriate measures in

place to facilitate such “awareness”. This requirement is reflected in Recital 87 GDPR, which
states that:

        It should be ascertained whether all appropriate technical and organizational measures

        have been implemented to establish immediately whether a personal data breach has
        taken place and to inform promptly the supervisory authority and the data subject […]
        (emphasis added)


This is underlined also in the EDPB’s Guidelines on Personal Data Breach Notification, which
state that:

        the GDPR requires the controller to implement all appropriate technical protection and

        organisationalmeasurestoestablishimmediatelywhetherabreachhastakenplaceand
        to inform promptly the supervisory authority and the data subjects. It also states that
        the fact that the notification was made without undue delay should be established taking
        into account in particular the nature and gravity of the breach and its consequences

        and adverse effects for the data subject. This puts an obligation on the controller to
        ensure that they will be ‘aware’ of any breaches in a timely manner so that they can
        take appropriate action. (emphasis added)


The Guidelines further state that:

        After first being informed of a potential breach […] or when it has itself detected a
        security incident, the controller may undertake a short period of investigation in order

        to establish whether or not a breach has in fact occurred. During this period of
        investigation the controller may not be regarded as being “aware”. However, it is
        expected that the initial investigation should begin as soon as possible and establish
        withareasonabledegreeofcertaintywhetherabreachhastakenplace;amoredetailed
                                      61
        investigation can then follow. (emphasis added)

58Argon’s Notification, para. 1.4.
59Ibid., para. 1.7.
60Personal Data Breach Notification Guidelines, p. 11.
61Ibid.




                                                                                               17The EDPB placed particular emphasis on the fact that the initial investigation must be “short”

in its Decision 01/2020 where it stated:

        the GDPR puts an obligation on the controller to ensure that they will be “aware” of
        any breaches in a timely manner so that they can take appropriate action” and explain
        that “the controller may undertake a short period of investigation in order to establish

        whether or not a breach has in fact occurred. During this period of investigation the
        controller may not be regarded as being “aware””. (emphasis in the original)

Having regard to the above, it is clear that the controller’s notification obligation in Article

33(1) GDPR must be understood within the context of its broader obligations under the GDPR,
and specifically, the controller’s overarching responsibility to ensure that there is compliance
with the principles of data protection, as encompassed in the accountability obligation under
Article 5(2) GDPR.


In this respect, it should be underlined that it took Argon over a month to “become aware”
(withinthemeaningofArticle33(1)GDPR)ofthepersonaldatabreachatissue.Thisisbecause
it took the company over a month—i.e., from 14 June 2021 to 19 July 2021—to determine
whether personal data had been affected by the security incident at issue. This may not be
regarded as a “short period of investigation”, and is indicative of the fact that Argon did not

have or followed appropriate technical and organizational measures to establish immediately
whether a personal data breach had taken place, as required by the GDPR.

A fortiori, even if one would accept Argon’s arguments regarding its awareness of the

reportable breach on 21 September 2021, the period of investigation of over three months,
between 14 June and 21 September 2021, may not be regarded as a “short period of
investigation” that the EDPB Guidelines consider to be physiological, and during which the
controller may not be regarded as being “aware”.   63


In short, Argon ought to have been “aware” of the personal data breach at hand even before 19
July 2021, which worsens the nature and seriousness of any subsequent delays. This is not to
say that the measures that Argon took to contain the incident and to limit its impact are to be
criticized; the only matter that the present decision addresses and that is reproached to Argon
in this case is its lack of sufficient responsiveness to ensure its prompt compliance with its

notification obligations under the GDPR.

In its written representations, Argon insisted that in July 2021 it was not “aware” of the personal
data breach at issue, due to the fact that at that time its internal findings were still being verified
by its external forensic and legal advisors and a full organizational and legal review of the
                           64
incident was still ongoing. According to Argon, it only become “aware” of the personal data
breach on 21 September 2021, upon receipt of a legal advice on the relevant incident from its


62
63EDPB Decision 01/2020, para. 190.
64Personal Data Breach Notification Guidelines, p. 11.
  See Argon’s letter to Datatilsynet dated 22 February 2022, pp. 7-12.



                                                                                               18                        65
external legal advisers. This argument should be rejected. As noted above, for a controller to
be considered “aware” of a personal data breach under Article 33(1) GDPR, it is sufficient that
the controller has a reasonable degree of certainty that a security incident has occurred and that
the latter has led to personal data being compromised; the controller neither needs to be aware

of the full extent or consequences of the incident nor of its legal implications. In this regard it
isworthnotingthatignoranceoftheapplicablenotificationdutiesisnoexcuse. Thus,Argon’s6
argumentthatinJuly2021“itwasnotawareofthecontextofthedocumentandtheapplicability
                                                                                     67
of the GDPR to the particular processing activities engaged by the Incident”            should be
rejected too. Indeed, it is part of the controller’s accountability obligations to know whether a
processingiscoveredbytheGDPR,alsoinlightoftherequirementssetoutinArticle30GDPR.
GDPR applicability is not something to be explored only after the occurrence of a data breach.

To determine whether and when Argon became aware of the personal data breach at issue in
the present case, it is sufficient to determine whether and when the company become aware of
all of the factual elements listed in the definition of “personal data breach” in Article 4(12)
GDPR. Whether at the time the company was aware of these factual elements the company was

also aware of its legal obligations under the GDPR, as well as of the possible risks that may
result from the incident, is irrelevant to determine whether the company was “aware” of the
personal data breach within the meaning of Article 33(1) GDPR.


As explained above, Argon’s data breach notification to Datatilsynet states that an investigation
“completed by Argon and its cyber forensic expert on l9 July 2021, revealed that two files […]
(the ‘Share Files’) were accessed by the Threat Actor” and that Argon “became fixed with
knowledge of the Share File relating to the personal data of the l6 EU/UK employees (and
                                                     68
additional 4 Swiss employees) on 19 July 2021”. This is sufficient to conclude that Argon
was “aware” of the personal data breach at least on 19 July 2021; the fact that at that time the
company had yet to receive a legal advice on the incident and its obligations under the GDPR

from its external legal advisers is irrelevant to determine whether Argon could be regarded as
being “aware” of the breach at that time. In this respect, it should be restated that the statutory
deadline for reporting a breach is triggered under Article 33(1) when a controller “becomes
aware” of a personal data breach, and not when the controller concludes—after a legal and risk

assessment—that the breach at hand is notifiable under the GDPR. The 72 hours timeframe set
outinArticle 33(1)is specifically envisagedto allow thecontrollerto makesuchanassessment.
Consequently, Argon’s following argument should be rejected:


        [in July 2021] Argon did not have the requisite awareness of a personal data breach as
        it did not have a reasonable degree of certainty that “Argon’s employees could suffer
        significant detriment due to the disclosure of information about them, such as their
        salary and benefits, to unintended recipients (e.g., identity theft or fraud)”.69


65Ibid., paras. 5.1 and 5.3.
66The fact that a controller failed to submit a personal data breach notification in a timely manner under the GDPR
gives rise per se to an infringement of Article 33(1) GDPR, whether or not the controller was aware of the
obligation imposed by that provision or that the GDPR applied to its processing activities (ignorantia legis non
excusat). See by analogy Opinion of Advocate General Tizzano in Case C-551/03 P, General Motors BV (formerly
General Motors Nederland BV) and Opel Nederland BV v Commission of the European Communities, para. 77.
67Argon’s letter to Datatilsynet dated 22 February 2022, p. 9.
68Argon’s Notification, paras. 1.4. and 1.7 (emphasis added).
69Argon’s letter to Datatilsynet dated 22 February 2022, pp. 14-15.




                                                                                                19For completeness purposes, it should be noted that the interpretation of Article 33(1) GDPR
that Argon seems to embrace—according to which the deadline for a notification under Article
33(1) would be triggered only once the controller has had time to fully investigate the nature
and extent of a security incident—is at odds with the objectives of Article 33(1)—as outlined
above (see section 6.1.1)—and negates the very purpose of data breach notifications. This is
because the interpretation proposed by Argon would transform such notifications into a mere

formal exercise and would render them essentially meaningless. Indeed, this interpretation
would basically leave the controller free to decide the timeframe for investigating and reporting
the breach. In practice, if one would follow this approach, the timeframe for reporting (and
potentially even the obligation to report at all) would depend on whether the controller decides
to undertake a full investigation and on the pace with which such investigation is conducted.
Moreover, a notification received by a supervisory authority several months after an incident
was first detected would hinder any timely and meaningful intervention from its part to

safeguard the rights of data subjects.

        6.1.4. Argon’s Late Notification to Datatilsynet

Having established that Argon became aware of the personal data breach at least on 19 July
2021, it must be determined whether Argon’s notification has taken place within the timeframe
set out in Article 33(1), which requires that a notification be submitted “without undue delay

and, where feasible, not later than 72 hours after having become aware of it”.

In the context of Datatilsynet’s inquiry, Argon expressed the following views on its alleged
compliance with the timeframe set out in Article 33(1):

        […] In light of the role of the SVP of HR, Argon was focused on ensuring its

        investigation was full and accurate in order to identify all personal data connected to
        EU and UK individuals that may have been in scope for the Incident. As such Argon
        worked with its third-party cyber forensic expert to investigate the Incident and
        establish the extent to which any personal data was involved. This investigation also
        involved undertaking additional technical analysis and internal risk identification to
        ensure that all possibilities were explored by both Argon and its third-party cyber
        forensic expert, to ensure a methodical and full risk assessment process was completed.

        This investigation was completed on 21 September 2021.

        While Argon’s investigation was able to confirm that the Share Files (containing EU
        and UK employee personal data) were accessed, it was unable to confirm the extent to
        whichthebroaderemailswithintheMailboxAccountwere,infact,accessed.Therefore,
        out of an abundance of caution, Argon conducted an organisational and legal review
        of the Mailbox Account to understand the full scope of the personal data involved so

        that regulators and individuals were notified fully of their involvement in the Incident,
        as required. Once this was completed, Argon worked with legal counsel and its cyber
        forensicexpertstoproperlyunderstandthenatureoftheimpacttothesubsetofpersonal
        data so Argon could determine the appropriate next steps and enable full and accurate
        notifications to be prepared and effected. This necessarily took some time.




                                                                                             20        The processes […] involved multiple rounds of interviews, discussions and
        collaborative sessions at each stage to determine the personal data categories in scope,
        the context in which the US SVP of HR was processing the personal data (including

        whether this was in fact connected to the EU/UK establishments) and the likely degree
        of sensitivity attaching to each category. This diligent and comprehensive process was
        designed to ensure Argon could answer all queries from regulators and employees
        following notification and, in particular, so as not to cause undue concern to the
        individuals impacted by the Incident.


        This investigative process and outcomes based response strategy concluded on 21
        September 2021, allowing Argon to conclude, in light of forensic findings and legal
        analyses, that the Incident involved (i) a qualifying personal breach, (ii) involving
        personal data, (iii) connected to 16 UK (and EU) individuals including 1 Norwegian
        individual, (iv) that was not unlikely to result in a risk to the rights and freedoms of said

        individuals had occurred. Prior to this date, Argon did not consider that it did not
        possess the requisite degree of reasonable certainty in relation to the Incident.

        Therefore, Argon acted proportionately and without undue delay, to notify the
        supervisory authorities within 72 hours of this confirmation, by 24 September 2021,
        pursuant to Article 33 of the GDPR. 70


While it is appropriate for controllers to conduct an extensive investigation after any data
breach, the notification requirement in Article 33(1) is intended to ensure that supervisory
authorities are informed of the breach shortly after an initial assessment of the breach, and not
after a very lengthy and extensive investigation, like the one conducted by Argon.


Recital 85 GDPR expresses this in the following terms:

        as soon as the controller becomes aware that a personal data breach has occurred, the
        controller should notify the personal data breach to the supervisory authority […]
        (emphasis added)


Recital 87 GDPR further emphasizes this, as it states that controllers are required:

        to establish immediately whether a personal data breach has taken place and to inform
        promptly the supervisory. (emphasis added)


In this respect, the EDPB not only stressed that:

        After first being informed of a potential breach […] or when it has itself detected a
        security incident, the controller may undertake a short period of investigation in order




70
  Argon’s Response to Datatilsynet, para. 3.2.



                                                                                             21        to establish whether or not a b71ach has in fact occurred. […] a more detailed
        investigation can then follow. (emphasis added)

It also opined that:


        The breach should be notified when the controller is of the opinion that it is likely to
        result in a risk to the rights and freedoms of the data subject. Controllers should make
        this assessment at the time they become aware of the breach. The controller should not
        wait for a detailed forensic examination and (early) mitigation steps before assessing

        whether or not the data breach is likely to result in a risk and thus should be notified.

        […]



        Gathering exact information on the unauthorized access is key for determining the risk
        level and preventing a new or continued attack. […] When uncertain about the specifics
        of the illegitimate access, the worse scenario should be considered and the risk should
                                  72
        be assessed accordingly. (emphasis added)

In essence, as noted by the EDPB:


        Itshould[…]beclearthataftermakinganinitialnotification,acontrollercouldupdate
        thesupervisoryauthorityifafollow-upinvestigationuncoversevidencethatthesecurity
        incident was contained and no breach actually occurred.     73


This is expressly envisaged by Article 33(4) GDPR, which provides that:

        Where, and in so far as, it is not possible to provide the information at the same time,
        the information may be provided in phases without undue further delay.


The wording and normative structure of Article 33 itself indicate that as a general rule a
controller must notify all personal data breaches it becomes aware of “without undue delay”
and “not later than 72 hours”. However, the second part of the Article introduces an exception

to this general rule (“unless the personal data breach is unlikely to result in a risk to the rights
and freedoms of natural persons”). Thus, if the controller is unable to confirm within the 72
hours timeframe that such an exception applies (and hence that a notification is not necessary),
it must proceed with the notification, without prejudice to the possibility of submitting a follow-

up notification to inform the authority—after a more thorough analysis—that no risks for data
subjects have been identified or no personal data breach actually occurred. In the words of the
EDPB:


71Personal Data Breach Notification Guidelines, p. 11.
72EDPB Guidelines on Examples regarding Data Breach Notification, paras. 9 and 30. The same statements were
also included in the version of the guidelines adopted and published in January 2021 (i.e., before Argon’s breach).
See Guidelines 01/2021 on Examples regarding Data Breach Notification, Adopted on 14 January 2021, Version
1.0, paras. 9 and 30.
73Personal Data Breach Notification Guidelines, p. 16.




                                                                                                22        Once the controller has become aware, a notifiable breach must be notified without

        undue delay, and where feasible, not later than 72 hours. During this period, the
        controller should assess the likely risk to individuals in order to determine whether the
        requirement for notification has been triggered.


        […]

        after making an initial notification, a controller could update the supervisory authority

        if a follow-up investigation uncovers evidence that the security incident was contained
        and no breach actually occurred.   74


In light of the above, given that on 19 July 2021 Argon had sufficient elements to conclude,
with a reasonable degree of certainty, that a personal data breach (within the meaning of Article
4(12)) had taken place, Argon could and should have submitted an initial notification “without
undue delay” from that date. Such an initial notification would have been without prejudice to

the possibility of submitting a follow-up notification at a later stage (potentially and
theoretically even to inform Datatilsynet that, after a further extensive investigation, Argon
determined that no personal data had been affected by the breach). In this respect, it should be
                                             75
noted that—as Argon rightly pointed out —the EDPB recommends that controllers try to
identify “the root cause of the issue”. However, it also stresses that “the notification does not
need to be postponed until the risk and impact surrounding the breach has been fully assessed,

since the full risk assessment can happen in parallel to notification, and the77nformation thus
gained may be provided to the SA in phases without undue further delay”.

It should also be stressed that—given that the GDPR envisages and allows notification in
                                                                        78
phases—a controller does not need to provide “full … notifications” and be able to “answer
all queries from regulators”  79 immediately after having detected a breach. In other words,
contrary to what Argon suggests, the obligation to notify a personal data breach under the

GDPR is not triggered only after the controller has had time to “to fully investigate the Incident
and apply the applicable GDPR risk analysis [to determine] that a personal data breach was
reportable in all the circumstances”.  80Moreover, as noted above, one of the purposes of the
notification process is specifically to enable supervisory authorities to advise controllers on

whether and how to communicate with the individuals affected by the breach. Thus, the key
considerations that appear to have led Argon to delay the notification were misplaced. As noted
above, Argon stated that the extensive process it designed and implemented after the breach:






74
75Personal Data Breach Notification Guidelines, pp. 11 and 16.
  See Argon’s letter to Datatilsynet dated 22 February 2022, pp. 16-17.
76EDPB Guidelines on Examples regarding Data Breach Notification, para. 8.
77Ibid.
78Cf. Argon’s Response to Datatilsynet, para. 3.2(c).
79Ibid. cf. para. 3.2(d).
80See Argon’s letter to Datatilsynet dated 22 February 2022, p. 12.



                                                                                                23        was designed to ensure Argon could answer all queries from regulators and employees
        following notification and, in particular, so as not to cause undue concern to the
        individuals impacted by the lncident. 81


As mentioned above, the standard statutory timeframe for notification under Article 33(1) is
“where feasible, not later than 72 hours” after becoming aware of the personal data breach.
Datatilsynet sees no practical reasons or evidence why a notification within 72 hours was not
“feasible” in the present case, as confirmed by the fact that Argon notified the local FBI
Cybercrime Unit in the US already on 15 June 2021—only one day after it first detected the

incident—even though we understand that such a notification is voluntary under U.S. law.
Moreover, Argon’s notification to Datatilsynet was not accompanied by reasons for the delay
as Article 33(1) requires for notifications that are submitted after the 72 hours deadline.


Consequently, Argon’s notification should have taken place “not later than 72 hours” after 19
July 2021. Hence, it should have taken place not later than Thursday 22 July 2021,           82 in
particular as Argon could not confirm within that date that the breach was unlikely to result in
a risk to the rights and freedoms of natural persons. Instead, Argon notified Datatilsynet on 24

September 2021, over two months outside the 72 hours timeframe set out in Article 33(1).

For completeness purposes, it should be noted that, in the present case, notifying more than two
months after becoming aware of the personal data breach would be an undue delay also in light

of the features of the breach experienced by Argon. In this regard, Recital 87 states that:

        Thefactthatthenotificationwasmadewithoutunduedelayshouldbeestablishedtaking
        into account in particular the nature and gravity of the personal data breach and its

        consequences and adverse effects for the data subject.

The personal data breach at hand affected personal data that could be used to commit actions
leading to both material (e.g. financial loss) and non-material damage (e.g. identity theft or
                                                                     83
fraud), or could be used to facilitate other attacks (e.g. phishing). Thus, potentially, it could
haveseriousconsequencesandadverseeffectsfordatasubjects,althoughnosucheffectsappear
to have materialized to date. In any event, the assessment of the timeliness of the notification
should be made taking into account the information that was available to the controller at the

time when it became aware of the personal data breach, and in the course of the initial
investigation that took place in the first few days after the controller became aware of the
breach. Therefore, Argon’s argument that it did not violate Article 33(1) because in hindsight
and to date “the timing of its Initial Notification has not led to any detriment to the data
          84
subjects”   should be rejected. However, this element should be taken into account when
deciding whether to impose an administrative fine and when deciding on the amount of the
administrative fine for Argon’s violation of Article 33(1) (see section 7.1.1 below).



81Argon’s Response to Datatilsynet, para. 3.2(d).
82See Regulation of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits
OJ [1971] L 124/1.
83See by analogy EDPB Guidelines on Examples regarding Data Breach Notification, page 32.
84See Argon’s letter to Datatilsynet dated 22 February 2022, p. 12.




                                                                                                24Argon’s argument that it did not violate Article 33(1) GDPR because “Datatilsynet’s ability to
provide guidance and protect the interests of data subjects has not been impaired through the
actions of Argon in submitting its Initial Notification”  85should be rejected as well. First, as
Datatilsynet was not promptly informed of the breach upon its discovery (contrary to the FBI

in the US), it was objectively impossible for Datatilsynet to provide any guidance in the first
criticaldaysafterthebreach.Secondly,whetherDatatilsynettookanymeasures—orcouldhave
taken any measure—in relation to the breach after it received Argon’s notification is immaterial

to the assessment of whether Argon submitted the notification “without undue delay”.

A 64-day delay is a very considerable delay, which is hardly justifiable under any
circumstances. It is especially unjustifiable in the circumstances of the present case where the

controller did not notify the breach promptly, despite the fact that it was aware—at least as of
19 July 2021—that the attacker had “accessed” personal data “subject to a greater degree of
sensitivity” such as salary and benefits personal data, and that at that point Argon was unable
to confirm the extent to which the broader emails within the affected mailbox account had in

fact been accessed. Thus, at that point in time, the worse scenario should have been considered
andtherisksshouldhavebeassessedaccordingly, includingintermsofnotificationmeasures.

Argon’s delay is further aggravated by the fact that it took the company over one month to

confirm that personal data had been affected by the breach. As a consequence, over three
months have elapsed from the time the security incident was first detected by Argon in June
2021 to the moment when Argon submitted its notification to Datatilsynet in September 2021.


Having regard to the above, Datatilsynet has concluded that Argon notified the personal data
breach with a very considerable and unjustified delay, and thus failed to notify the personal data
breach to Datatilsynet “without undue delay”, as stipulated by Article 33(1) GDPR.


Significantly, such a long delay is also indicative of the fact that, at the time of the incident,
Argon had not implemented or followed adequate technical and organizational measures to
establish immediately whether a personal data breach had taken place and to inform promptly

the competent supervisory authorities, as required by the GDPR (see further section 7.1.4.
below). This is not to say that Argon had no cybersecurity measures in place; the present
decision and case focus exclusively on the lack of measures to ensure that personal data
breaches (within the meaning of Article 4(12) GDPR) are promptly identified and notified in

accordance with the GDPR.

In its written representations, Argon argued that Datatilsynet failed to assess Argon’s
notification “against the WP250 Guidelines, in conjunction with the Notification Guidelines
                                   89
[i.e., EDPB Guidelines 01/2021]”, and that “[t]he interpretation of Article 33(1) of the GDPR,
as applied by Datatilsynet […] was not foreseen by Argon with reference to the available



85Ibid.
86Argon’s Notification, para. 1.4.
87Argon’s Notification, para. 2.6.
88EDPB Guidelines on Examples regarding Data Breach Notification, para. 30.
89Argon’s letter to Datatilsynet dated 22 February 2022, pp. 17-19.




                                                                                                25guidance, and seems country specific for Norway”. We take note of these arguments, but find
them untenable. Throughout the present decision, Datatilsynet has made extensive reference to

EDPB and WP29 guidance. Therefore, Datatilsynet’s interpretation of Article 33(1) reflects the
interpretation of that provision at European level, and is not specific for Norway. In this respect,
it should be recalled once again that it was the EDPB that stated in its guidance that “[o]nce the
controller has become aware, a notifiable breach must be notified without undue delay, and

wherefeasible,notlaterthan72hours.Duringthisperiod,thecontrollershouldassessthelikely
risk to individuals in order to determine whether the requirement for notification has been
triggered. […] after making an initial notification, a controller could update the supervisory

authorityifafollow-upinvestigationuncoversevidencethatthesecurityincidentwascontained
and no breach actually occurred.”   91


Thus, Argon’s view that, until it received external legal advice in September 2021, it was not
required to notify the breach to Datatilsynet as it was not “aware of with a reasonable degree of
certainty that the Incident was reportable based on the available guidance” is clearly at odds
with EDPB guidance. To the avoidance of doubts, it should be re-emphasized that the relevant

EDPB guidelines state that “a controller should be regarded as having become “aware” when
that controller has a reasonable degree of certainty that a security incident has occurred that has
led to personal data being compromised” , and not—as Argon would seem to suggest—when

the controller has concluded that the level of risk makes the breach reportable under Article
33(1) GDPR. The EDPB has made clear that it is within the 72 hours after such an awareness
that “the controller should assess the likely risk to individuals in order to determine whether the
                                                    93
requirement for notification has been triggered”. If after this short timeframe, the controller
is still “uncertain about the specifics of the illegitimate access, the worse scenario should be
considered and the risk should be assessed accordingly”,       94hence in these circumstances an
initial notification must be promptly submitted to the competent supervisory authority, without

prejudice to the possibility of updating “the supervisory authority if a follow-up investigation
uncovers evidence that the security incident was contained and no breach actually occurred.”       95
In short, Datatilsynet’s interpretation of Article 33(1) GDPR is fully in line with the position

on the notifications requirements under the GDPR that the EDPB/WP29 expressed in guidance
documents published before Argon’s security incident.










90
91Ibid., p. 24.
92Personal Data Breach Notification Guidelines, pp. 11 and 16.
93Ibid, pp. 10-11.
  Ibid., p. 11.
94EDPB Guidelines on Examples regarding Data Breach Notification, para. 30. The same statements was also
included in the version of the guidelines adopted and published in January 2021 (i.e., before Argon’s breach). See
Guidelines 01/2021 on Examples regarding Data Breach Notification, Adopted on 14 January 2021, Version 1.0,
para. 30.
95Personal Data Breach Notification Guidelines, p. 16.



                                                                                                  26    7. Administrative Fine

        7.1. Consideration of the Criteria in Article 83(2) in Deciding Whether to Impose
             an Administrative Fine and the Amount of the Fine


Under Article 58(2) GDPR, Datatilsynet has several corrective powers, including the power to
impose administrative fines for violations of the GDPR.

When deciding whether to impose an administrative fine and deciding on the amount of the

administrative fine, due regard must be given to the factors listed in Article 83(2)(a) to (k)
GDPR. The following sub-sections outline how Datatilsynet has given “due regard” to these
factors in the present case.


            7.1.1.      Nature, Duration and Gravity of the Infringement (Art. 83(2)(a))

With respect to the nature of Argon’s infringement, it should be noted that the infringement at
hand concerns a requirement that is “central to the overall functioning of the supervision and
                                         96
enforcement regime” under the GDPR. Therefore, we consider that, overall, the infringement
may be deemed to be moderately serious in nature in the present circumstances.

In respect of the duration of the infringement, the latter has had a considerable duration, as the

infringement consists in having notified Datatilsynet 64 days outside the 72 hours timeframe
set out in Article 33(1) GDPR, which is no trivial delay. Such a prolonged delay is also one of
the key elements to take into consideration in the analysis of the gravity of the infringement.


The gravity of the infringement should be assessed bearing in mind that the infringement in
question does not relate to the substantive matter or the causes of the personal data breach itself;
it only concerns a key procedural safeguard (i.e., the notification) that should be deployed in
case of a personal data breach. Nonetheless, the infringement should be seen against the

backdrop of the relevant personal data breach and underlying processing carried out by Argon.

Insofar as the breach suffered by Argon is concerned, the level of potential impact for the
affected individuals is significant. Even though the attacker was probably not specifically

aiming at collecting personal data, the attack was likely financially motivated (as it led to a
fraudulent payment), and the data accessed by the attacker could be used to commit actions
leading to both material (e.g., financial loss) and non-material damage (e.g., identity theft or
fraud), or could be used to facilitate other attacks (e.g., phishing). However, whilst it cannot

be ruled out that no data subjects will eventually be damaged as a result of the breach or delayed
notification, equally, there is currently no direct evidence of damage to them from the breach
itself or delayed notification, and Argon has taken several mitigating measures to limit the
risks that damages to data subjects will materialize in the future as a result of the breach (see

further section 7.1.3 below).

96EDPB Decision 01/2020, para. 193.
97Argon’s Notification, para. 1.5.
98See by analogy EDPB Guidelines on Examples regarding Data Breach Notification, page 32.
99Argon’s Notification, para. 3.4.




                                                                                                27In respect of the number of affected data subjects, the personal data breach affected a small
cohort of people, as all in all it affected 20 individuals in Europe, and only one individual in
Norway.  100The same number of individuals was equally affected by the delayed notification.


Whilethelasttwoelementsattenuatetoacertainextentthegravityoftheinfringement,acentral
element of the analysis of the gravity of the infringement should be whether the nature and
scope of the infringement are indicative of broader compliance issues. In this regard,
Datatilsynet considers that a multinational company operating in the healthcare sector, like

Argon,shouldhavesufficientproceduresandroutinesinplacetoenablethecompanytocomply
with the duty of notification under Article 33(1) GDPR. A delay of the magnitude mentioned
above, which was not due to an occasional oversight—as Argon claims that its internal
“guidelines were followed to the best of Argon’s ability in relation to this Incident”     10—is

indicative of a failure to put in place adequate procedures and routines to ensure compliance
with the notification requirements under the GDPR, which is a significant compliance issue that
enhances the gravity of the infringement (see further section 7.1.4. below). In this regard, it
should be emphasized once again that what is reproached to Argon in this case is only the lack

of adequate procedures and routines to ensure a timely notification of a personal data breach
under the GDPR, and not the failure to put in place other kinds of cybersecurity measures.

Having considered the above, and taking into account all of the aforementioned aggravating

and mitigating elements in their complexity, Datatilsynet considers the infringement to be
moderately grave. This factor should be weighed accordingly in the present case.

In its written representations, Argon argued that greater regard should be had under the criterion

at Article 83(2)(a) to “the number of data subjects affected and the level of damaged suffered
by them”.  102Argon also claimed that only if adverse effects “do materialize […] should
corrective responses or sanctions be employed by the supervisory authority”.    103 We take note
of these arguments. However, we note that both of the factors that Argon pointed to were taken

into account by Datatilsynet, and that this was done to a sufficient extent. Indeed, the fine
imposed by Datatilsynet in the present case is only 2.5 % of the maximum applicable fine also
in light of these factors (see section 7.3 below). Moreover, we note that the damage suffered by
data subjects is only one of the factors to be assessed when deciding whether to impose an

administrative fine under Article 83 GDPR. Thus, it is not the case that the mere fact that a
violation of the GDPR has not resulted in a material or non-material damage for data subjects
entails in itself that no administrative fine may be issued. In this respect, it should be noted that
fines for violations of Article 33(1) GDPR have been issued even in cases scrutinized by the

EDPB where “there was no direct evidence of damage to [data subjects] arising from the
delayed notification”.104



100Ibid., paras. 1.4, 2.4 and 2.5.
101Argon’s Response to Datatilsynet, para. 4.1.
102See Argon’s letter to Datatilsynet dated 22 February 2022, p. 22.
103Ibid., p. 20.
10EDPB,Decision01/2020onthedisputearisenonthedraftdecisionoftheIrishSupervisoryAuthorityregarding
Twitter International Company under Article 65(1)(a) GDPR, Adopted on 09 November 2020, paras. 150 and 186.




                                                                                               28            7.1.2.      Intentional or Negligent Character of the Infringement (Art.
                 83(2)(b))


In respect of the criterion at Article 83(2)(b), the EDPB found that:

        In general, “intent” includes both knowledge and wilfulness in relation to the

        characteristics of an offence, whereas “unintentional” means that there was no
        intention to cause the infringement although the controller/processor breached the duty
        of care which is required in the law. 105


Further to our inquiry, we see no evidence of an intentional infringement on Argon’s part.
However, in our view, the infringement arose due to negligence on the part of Argon, insofar
as the company failed to implement and follow appropriate technical and organizational
measures to establish immediately whether a personal data breach has taken place and to inform

promptly the competent supervisory authorities, thus disregarding its duty of care (see section
7.1.4. below).


It bears emphasizing that—since June 2021—several of the top executives of Argon, including
its US Senior Vice President of Human Resources and Director of Global IT Security,        106have
been involved in the management of the breach. Therefore, it may be concluded that the
company’s failure to notify the breach on time may also be attributed to the fact that these

executives acted negligently in connection with the breach, as they disregarded their duty of
care to ensuring compliance with a legal obligation under the GDPR.     107


Overall, this factor should be weighed moderately against Argon in the present case.

In its written representations, Argon argued that neither the company nor its top executives
acted negligently. 108In this respect, Argon noted that it “does not consider that taking the time

to comprehensively investigate and assess the nature and scope of the Incident, before
concluding that Article 33 and 34 GDPR notifications were required, automatically constitutes
negligence on the part of Argon as a business or with respect to the top executives. Argon’s
management promptly sought advice from US and UK/EU counsel as the investigation
                                                               109
developed, and did not disregard their duty at any time”.          Moreover, Argon argued that
“negligencemustbeprovedwithclearpreponderanceofprobability”.            110Datatilsynettakesnote
of these arguments, but we maintain our view that the infringement arose due to negligence on

the part of Argon. This is because Article 33(1) GDPR imposed a duty on Argon—and as a
result on its top executives too—to ensure that the personal data breach at issue in the present

105
   WP29, Guidelines on the application and setting of administrative fines for the purposes of the Regulation
2016/679 (WP 253, Adopted on 3 October 2017) (hereinafter “Guidelines on Administrative Fines”, p. 12. These
guidelines have been endorsed by the EDPB. See EDPB, Endorsement 1/2018 (adopted on 25 May 2018).
106See Argon’s Notification, paras. 1.1-1.2.
107See Section 46 of the Public Administration Act (‘forvaltningsloven’). It should be noted that, under the Public
Administration Act, the negligence requirement can be met by both anonymous and cumulative errors. See Prop.
81 L (2021–2022).
108See Argon’s letter to Datatilsynet dated 22 February 2022, pp. 23-25.
109Ibid., p. 24.
110Ibid.




                                                                                                29case was notified without undue delay and, where feasible, not later than 72 hours after having
become aware of it. This duty was clearly breached in this case, as despite the fact that the

company and some of its top executives were aware of the breach at least as of June 2021 (a
fact acknowledged by Argon itself),       111 the breach was notified to Datatilsynet only in
September 2021, and this was not due to an occasional oversight, given that Argon claims that

its internal “guidelines were followed to the best of Argon’s ability in relation to this
Incident”. 112Seeking legal advice from external counsel is not sufficient to respect such a duty,
and whether or not the company or its top executives were aware of the obligation imposed by

Article 33(1) GDPR at the time they became aware of the breach, or that that obligation applied
to the breach at hand, is irrelevant in this respect (ignorantia legis non excusat).   113Moreover,
it should be noted that legal advice given by a lawyer cannot, in any event, form the basis of a

legitimate expectation on the part of an undertaking that its conduct does not infringe Article
33 GDPR or will not give rise to the imposition of a fine.    114 Therefore, an undertaking which
has infringed that provision may not escape imposition of a fine where the infringement has

resulted from that undertaking erring as to the lawfulness of its conduct on account of the terms
of legal advice given by a lawyer.  115



            7.1.3.      Action Taken by the Controller to Mitigate the Damage Suffered
                  by Data Subjects (Art. 83(2)(c))


Argon has taken several specific remedial actions in order to mitigate risks of damage to the
data subjects affected by the breach. For example, after the incident, Argon
                                                                                 .116Argon has also

notified the individuals affected by the breach on 20 October 2021, and offered them 12 months
of complimentary credit (and/or identity) monitoring services,       117 although it did it only in
October 2021, after the opening of Datatilsynet’s inquiry. However, Argon claims that

preparations for notifications to data subjects were already in progress whilst the notifications
to the European supervisory authorities were being drafted and submitted.        118 Further, Argon
offered a session to the involved individuals and gave them the opportunity to ask questions
                    119
about the incident.    All in all, this goes to the credit of Argon and should be weighed in favor
of the company in the present case.








111See Argon’s Notification, paras. 1.1-1.2.
112Argon’s Response to Datatilsynet, para. 4.1.
113See by analogy Opinion of Advocate General Tizzano in Case C-551/03 P, General Motors BV (formerly

114eral Motors Nederland BV) and Opel Nederland BV v Commission of the European Communities, para. 77.
115See by analogy judgment in Case C-681/11, Schenker and Others, para. 41.
116Ibid, para. 43.
   See Argon’s Notification, para. 4.2.
117Argon’s Response to Datatilsynet, para. 7.1.
118See Argon’s letter to Datatilsynet dated 22 February 2022, p. 25.
119Argon’s Response to Datatilsynet, para. 7.3.



                                                                                                   30            7.1.4.     Degree of Responsibility of the Controller Taking Into Account the

                 Technical and Organizational Measures Implemented Pursuant to the
                 GDPR (Art. 83(2)(d))

As noted above, the GDPR imposes a requirement on controllers to have appropriate technical

and organizational measures to establish immediately whether a personal data breach has taken
place and to inform promptly the competent supervisory authorities.

In the context of Datatilsynet’s inquiry, Argon claimed that:


        Argon implemented a global information security programme in the fourth quarter of
        the 2020 financial year, which was designed to provide an overall risk-based approach
        to cyber security, to align with global security frameworks and ensure compliance with
        the GDPR. This includes the lnformation Security Policy, enacted on 12 January 2021.

        Section 13 of this policy outlines the releva120guidelines to Argon staff regarding
        information security incident management.

Argon did not produce such Information Security Policy to Datatilsynet. However, it stated that
Argon’s internal “guidelines were followed to the best of Argon's ability in relation to this
          121
lncident.”    This is in itself indicative of the fact that Argon’s internal policies were not
adequate to enable the company to comply with its obligations under Article 33(1), if following
the internal policies led to a considerable delay in the notification to Datatilsynet. Again, it
should be emphasized that what is reproached to Argon in this case is only the lack of adequate

procedures and routines to ensure a timely notification of a personal data breach under the
GDPR, and not the failure to put in place other kinds of cybersecurity measures. Thus, any other
measures that Argon may have taken pursuant to Article 25 and 32 GDPR are essentially
immaterial for the purposes of the present case. 122


The company’s account of how it handled the breach at hand and how it would handle breaches
generally reveals some of the possible root causes of the inadequacy of Argon’s measures. For
instance, the company seems to rely systematically and extensively on external consultants to
determine whether a personal data breach should be reported in Europe, as it states that:


        Once any potential personal data is identified, Argon engages and seeks advice from
        legal counsel in all potentially affected jurisdictions to understand whether the incident
        is likely to meet respective thresholds and to ensure legal and regulatory compliance
                                                       123
        for the purposes of any potential notification.

While companies are entitled to seek legal advice as they see fit, this compliance model would
generally slow down the reporting process, in particular if it is not accompanied by clear

instructions to the external advisors on the timeframe for their assessment, which should
necessarily be shorter than 72 hours to enable Argon to meet the Article 33(1) deadline. In any

120Ibid., para. 4.1.
121Ibid.
122Cf. See Argon’s letter to Datatilsynet dated 22 February 2022, pp. 3-11.
123Argon’s Response to Datatilsynet, para. 4.4.




                                                                                                31event, the controller bears the burden of ensuring and demonstrating the adequacy of its
technical and organizational measures to meet its obligations under the GDPR,                 124 and is

ultimately responsible for any non-compliance or delays caused by the external consultants it
uses.


Moreover, the Data Protection Officer (“DPO) that Argon involved in the management of the
breach and the related notification process does not appear to have the necessary functional
independence to carry out that role, as he simultaneously acted as Argon’s Director of Global
             125
IT Security.      In this regard, it should be noted that that the tasks and duties of a Director of
IT Security are generally incompatible with those of a DPO under Article 38(6) GDPR,             126 as a
Director of IT Security would normally be significantly involved in “determining the objectives

and methods of processing personal data” with respect to the development and deployment of
cybersecurity measures    127and would thus not have the sufficient “functional independence” to
carry out “the review of those objectives and methods […] independently”.           128 While Argon’s

compliance with Articles 37-39 GDPR falls outside the scope of the present case, these
elements further confirm Argon’s failure to ensure that all of the necessary organizational
measures were in place in order to properly handle the personal data breach notification at issue
in the present case. 129


Accordingly, we consider that Argon carries a moderate to high level of responsibility in this
context.


             7.1.5.      Relevant Previous Infringements by the Controller (Art. 83(2)(e))


The criterion at Article 83(2)(i) is not applicable in the present case, as Argon has not been
sanctioned for similar or otherwise “relevant” infringements in the past.


             7.1.6.      Degree of Cooperation with the Supervisory Authority (Art.
                  83(2)(f))


124See Articles 5(2) and 24 GDPR.
125See Argon’s letter to Datatilsynet dated 22 February 2022, p. 26.
126
   WP29, Guidelines on Data Protection Officers (‘DPOs’) (WP 243 rev.01, adopted on 13 December 2016, as
127t Revised and Adopted on 5 April 2017) (hereinafter “DPO Guidelines”), p. 16.
   In the present case, it should be noted that Argon’s Director of IT Security was in “charge to design, develop
and deploy an Information Security and Compliance Programme at Argon” and that “Argon’s Director of IT
Security formed part of [a] key leadership team and ensured that all information was made available to the
investigating teams, whilst continuing to progress Argon’s global information security and compliance
programme”. See Argon’s letter to Datatilsynet dated 22 February 2022, pp. 6 and 8. Therefore, due to their role
within the company, Argon’s Director of IT Security was inevitably involved in determining the objectives and
methods of processing personal data in the context of developing and deploying Argon’s information security and
compliance programme.
128CJEU, Case C‑453/21, X-FAB Dresden GmbH & Co. KG v FC, paras. 44 and 45.
129
   In this regard, it should be noted that “the DPO should play an key role in assisting the prevention of or
preparation for a breach by providing advice and monitoring compliance, as well as during a breach (i.e. when
notifying the supervisory authority), and during any subsequent investigation by the supervisory authority. In this
light, WP29 recommends that the DPO is promptly informed about the existence of a breach and is involved
throughout the breach management and notification process”. See DPO Guidelines, p. 28. These guidelines have
been endorsed by the EDPB. See EDPB, Endorsement 1/2018 (adopted on 25 May 2018).



                                                                                                      32Argon has provided a timely response to Datatilsynet’s request for further information.           130
However, Argon’s cooperation did not go beyond what was required by law. Thus, in our view,

this factor should be weighed neither in favor nor against Argon. As noted by the EDPB with
respect to Article 83(2)(f): “it would not be appropriate to give additional regard to cooperation
that is already required by law”. 131


In its written representations, Argon argued that its cooperation with Datatilsynet should be
considered a mitigating factor and not a neutral element. We take note of this argument, but
find it unconvincing. As noted by the EDPB, “it must be reiterated that a general obligation to

cooperate is incumbent on the controller […] pursuant to Article 31 GDPR, and that lack of
cooperation may lead to the application of the fine provided for in Article 83(4)(a) GDPR. It
should therefore be considered that the ordinary duty of cooperation is mandatory and should
therefore be considered neutral (and not a mitigating factor)”.   132



            7.1.7.      Categories of Personal Data Affected by the Infringement (Art.

                  83(2)(g))

The breach at issue in the present case did not affect any special categories of personal data
(within the meaning of Article 9 GDPR). However, it did affect data such as salary and benefit

information which are—as acknowledged by Argon itself—“subject to a greater degree of
sensitivity”133 on the part of the individuals affected. Even if the attacker was probably not
aiming at collecting personal data, the data accessed by the attacker could potentially be used

to commit actions leading to both material (e.g., financial loss) and non-material dam134 (e.g.,
identity theft or fraud), or could be used to facilitate other attacks (e.g. phishing).  Hence, the
categories of data affected warranted a prompt response from Argon, not only in terms of
remedial actions but also in terms of data breach notifications. This element should be weighed

against Argon in the present case.

With respect to the data affected by the incident, “Argon recognises [in its written
representations that] there may attach a greater degree of sensitivity if disclosed to colleagues”

but it “did not consider that this information places the involved individuals at a high risk of
identity theft and fraud, or phishing” also in light of the mitigating measures the company put
in place.135We take note of this statement, but find it immaterial for the purposes of assessing

the criterion at Article 83(2)(g), as the latter provision only demands that due regard should be
given to the “the categories of personal data affected by the infringement”—which in the
present case and according to Argon itself concern data “subject to a greater degree of




130See the Factual Background above.
131Guidelines on Administrative Fines, p. 14.
132EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 1.0, Adopted
on 12 May 2022 Para. 96.
133Argon’s Notification, para. 2.6.
134EDPB Guidelines on Examples regarding Data Breach Notification, page 32.
135See Argon’s letter to Datatilsynet dated 22 February 2022, p. 26.




                                                                                                  33            136
sensitivity”  —and not the level of risk for data subjects (which was assessed under Article
83(2)(a) in section 7.1.1 above). In any event, for completeness purposes, we note that to
establish an infringement of Article 33(1) GDPR, the relevant level of risk is the one perceived
or perceivable when the notification was due, and that Argon notified Datatilsynet because it

concluded that the incident 137s not unlikely to result in a risk to the rights and freedoms of
[the affected] individuals”.


            7.1.8.     Manner in Which the Infringement Became Known to the

                 Supervisory Authority (Art. 83(2)(h))

The infringement contested in the present case—which concerns a failure to notify on time, and
notafailuretonotifyassuch—becameknowntoDatatilsynetafteracarefulscrutinyofArgon’s

very lengthy and detailed notification. Such a notification did not inform Datatilsynet of the
delay. On the contrary, its introductory statement was misleading in that it said that “Argon
only became aware [of a personal data breach within the meaning of the GDPR] on 21
September 2021”,   138 and thus a superficial reading of the notification could have led the

authority to believe that the notification was submitted on time three days later, on 24
September 2021. Therefore, the infringement became known to Datatilsynet only after and due
to a careful assessment of the notification and the inquiry that followed it. This factor should
be weighed against Argon.


While the infringement contested in this case is not a failure to notify as such or a violation of
the broader security requirements set out by the GDPR, for completeness purposes, it should
be made clear that, as indicated by the EDPB:


        The controller has an obligation according to the Regulation to notify the supervisory
        authority about personal data breaches. Where the controller merely fulfils this
        obligation, compliance with the obligation cannot be interpreted as an attenuating/
                          139
        mitigating factor.

In its written representations, Argon argued that the manner in which Datatilsynet became
aware of the infringement should not be weighed against Argon, as its notification was not

intended to deceive supervisory authorities and simply reflected its understanding of the
timeline of the breach at the time of the notification.40We take note of this argument, but find
it unconvincing. In the present case, there is no evidence of an intentional infringement on
Argon’s part (see section 7.1.2 above), and Datatilsynet has no ground to conclude that the

notification was intentionally misleading. However, the negligent conduct of the controller that
ultimately triggered the opening of an inquiry “may also be considered by the supervisory
authority to merit a more serious penalty”, including where the controller “acted carelessly
without […] notifying all of the details of the infringement due to a failure to adequately assess


136Argon’s Notification, para. 2.6.
137Argon’s Notification, page 1.
138Ibid.
139Guidelines on Administrative Fines, p. 15.
140See Argon’s letter to Datatilsynet dated 22 February 2022, p. 27.




                                                                                                34                                 141
the extent of the infringement”.     This is the factor that Datatilsynet considers to be relevant
under Article 83(2)(h) in the present case, as Argon acted carelessly by providing inaccurate
and misleading details on the personal data breach at issue in the present case in its notification
to Datatilsynet, namely the fact that “Argon only became aware [of a personal data breach
                                                              142
within the meaning of the GDPR] on 21 September 2021”.

In its written representations, Argon also claimed that Datatilsynet’s approach with respect to

the criterion at Article 83(2)(h) in the present case would be at odds with the approach that
Datatilsynet followed in a prior case where – according to Argon – Datatilsynet did not treat as
an aggravating factor the fact that “the Oslo Municipality admitted that their breach
notifications were misleading”.  143 This claim is simply inaccurate, as Datatilsynet expressly

stated that that fact played a role in its assessment of whether a fine had to be imposed on the
Oslo Municipality (which eventually occurred in that case).   144

            7.1.9.      Compliance with Corrective Measures Previously Ordered Against

                 the Controller with Regard to the Same Subject-Matter (Art. 83(2)(i))

The criterion at Article 83(2)(i) is not applicable in this case, as no measures referred to in
Article 58(2) GDPR have previously been ordered against Argon by Datatilsynet.


            7.1.10.     Adherence to Approved Codes of Conduct or Certification
                 Mechanisms (Art. 83(2)(j))


ThecriterionatArticle83(2)(j) is notapplicable inthiscase,asArgondoesnotappeartoadhere
to any approved codes of conduct pursuant to Article 40 GDPR or approved certification
mechanisms pursuant to Article 42 GDPR.


            7.1.11.     Any Other Aggravating or Mitigating Factor (Art. 83(2)(k))

Another aggravating factor is the fact that—as outlined above—Argon not only notified the

breach to Datatilsynet with a considerable delay from the moment when it became aware of the
personal data breach (i.e., at least on 19 July 2021); it also took Argon over a month to find out
that personal data had been compromised after it first detected the security incident. This factor
should be weighed against Argon in the present case.


In its written representations, Argon argued that “the timeline for the forensic investigation
should not be considered an aggravating factor in the circumstances”.     145We take note of this
argument, but we find it unconvincing. Although the GDPR required Argon to implement all




141Guidelines on Administrative Fines, p. 15.
142Argon’s Notification, page 1.
143See Argon’s letter to Datatilsynet dated 22 February 2022, p. 28.
144See Vedtak om overtredelsesgebyr (ref: 18/02579-13/KBK), p. 10 (stating in Norwegian: “Oslo kommune
innrømmer da også at avviksmeldingene var misvisende. Dette vil ha betydning i vår vurdering om
overtredelsesgebyr skal ilegges” (emphasis added)).
145See Argon’s letter to Datatilsynet dated 22 February 2022, p. 29.




                                                                                                35appropriate technical protection and organisational measures to “establish immediately”           146

whether a breach has taken place and to inform promptly the supervisory authority and the data
subjects, Argon took measures to assess whether personal data were affected by the incident
only in July 2021, 147 even though it was aware of the incident since 14 June 2021.    148


Argon also submitted that the fact that Argon gained no financial benefits due to the violation
of Article 33(1) “should in itself be seen as a mitigating factor”.   149 This argument should be

rejected. In this regard, it suffices to note that, under EU/EEA law, it is well established that the
benefits obtained from an infringement are among the factors that may be taken into account in
order to determine the amount of the fine, but there is no obligation to ensure that the fine is

directly proportional to the benefits achieved by that undertaking or that it does not exceed
those benefits. 150Therefore, the absence of financial benefits may be regarded as a neutral
factor, as the aim of Article 83(2)(k) is to ensure that the sanction applied is effective,
                                                        151
proportionate and dissuasive in each individual case.

        7.2. Conclusion with Regard to Whether to Impose an Administrative Fine


Having had due regard to the factors under Article 83(2), in our view, the infringement that has
been identified warrant the imposition of an administrative fine in the circumstances of this

case.

Despite the limited number of individuals affected by the data breach at issue and the measures

taken by Argon to contain the consequences of the breach, the considerable duration of the
delayandArgon’sapproachtowardstheinterpretationofitsdatabreachnotificationobligations
under the GDPR are indicative of broader compliance flaws within the company, which—if not

remedied—could result in serious consequences in the event of future breaches. In
Datatilsynet’s view, the imposition of an administrative fine is therefore warranted to produce
a genuine deterrent effect, and dissuade Argon—as well as companies in general—from

committing similar infringements in the future. Indeed, enforcement efforts must generate152
sufficient pressure to make non‑compliance economically unattractive in practice.            This is
particularly salient with regard to data breach notification obligations, as companies appear to

have often a tendency not to re153t data breaches to regulators, or to be otherwise opaque about
the breaches they experience.


146
147See Recital 87 GDPR (emphasis added).
148See Argon’s Notification, para. 1.4.
   Ibid., para. 1.1.
149See Argon’s letter to Datatilsynet dated 22 February 2022, p. 29.
150See judgment in Case T-406/09, Donau Chemie AG v European Commission, para. 258; EDPB, Binding
Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta
Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, para. 219.
151See EDPB, Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory
Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, para. 216.
152
   See Opinion of Advocate General Geelhoed in Case C-304/02, Commission v. France, delivered on 29 April
1534, para. 39.
   For example, a survey conducted among 597 companies in 33 European countries revealed that only 23% of
breaches are reported to European regulators. See Catch-22: Digital Transformation And Its Impact On
Cybersecurity – RSM (2019).



                                                                                                  36In its written representations, Argon claimed that the imposition of an administrative finewould
be at odds with Datatilsynet’s administrative practice in similar cases, and hence with the
                                                                154
principle of administrative consistency and equal treatment.       In this respect, Argon referred
to a prior case in which Datatilsynet imposed a reprimand—instead of an administrative fine—
against a company that failed to comply with Article 33(1) GDPR.         155 The latter case (Case

20/02137, Telenor Norge AS, hereinafter “Telenor case”) is, however, not comparable to the
present one:

    •   In the Telenor case there was no evidence that a personal data breach had actually taken
                                                                                 156
        place (but it could not be excluded in the circumstances of that case),     whereas in the
        present case Argon’s internal investigation revealed that employees’ personal data
        “were accessed by the Threat Actor”.   157


    •   In the Telenor case there was no evidence of any specific data subject being affected by
        the breach and lack of notification, whereas the present case concerns the data of several
        identified employees, including an employee in Norway.


    •   In the Telenor case Datatilsynet identified a violation of Article 33(1) as a result of an
        own volition inquiry it opened, in light of press reports, shortly after the likely

        occurrence of a breach in November 2019 (i.e., within a matter of a few weeks from
        when the deadline for submitting a notification under Article 33(1) started to run),
        whereas in the present case Argon’s notification was submitted and the violation of
        Article 33(1) was identified several months after the expiry of such deadline.


    •   In the Telenor case the violation of Article 33(1) was due to a failure to notify in
        circumstances where the controller had been unable to exclude that an authorized third

        party had access to personal data being processed by the controller, whereas in the
        present case Argon’s failed to timely notify Datatilsynet even though its internal
        investigation revealed that certain personal data of its European employees “were
                                        158
        accessed by the Threat Actor”.

    •   The Telenor case did not concern data “subject to a greater degree of sensitivity”   159like
        the present case.





154
155See Argon’s letter to Datatilsynet dated 22 February 2022, p. 23.
156Ibid. See too Argon’s letter to Datatilsynet dated 11 March 2022.
   See Datatilsynet’s Vedtak om irettesettelse - Informasjonssikkerhet knyttet til talepostkasse (Doc. No.
20/02137-2), p. 10 (stating (in Norwegian): “Datatilsynet mener derfor at det forelå en rimelig grad av sikkerhet
for at det var skjedd et brudd da Telenor ble kjent med sårbarheten i november 2019, og brukerlogger for kun én
måned var gjenstand for analyser. Datatilsynet mener altså at det forelå et meldepliktig brudd på
personopplysningssikkerheten selv om det ikke kan konstateres med sikkerhet at sårbarheten faktisk ble utnyttet”).
157Argon’s Notification, paras. 1.4 and 1.7.
158Ibid.
159Ibid, para. 2.6.




                                                                                                 37    •   In the Telenor case the relevant company had already been fined NOK 1 500 000 (one

        million five hundred thousand) by a different authority (NKOM) in connection with the
        same incident prior to the completion of Datatilsynet’s inquiry, and although such a fine
        was not issued for a violation of Article 33(1) GDPR, it was taken into account by

        Datatilsynet when assessing whether it was appropriate to issue another administrative
        fine or a reprimand.

It should be noted that other European supervisory authorities have imposed administrative

fines to companies that failed to notify a personal data breach within the deadline imposed by
Article 33(1), even in cases where the delays were significantly smaller than in the present case
(e.g., a 22-day delay, and a 2-day delay in the context of the winter holidays).         160 It bears

emphasizing that virtually all European supervisory authorities have been involved in such
previous cases through the procedure set out in Article 60 GDPR. Thus, there was essentially
unanimous agreement among European supervisory authorities that an administrative fine was

warranted in such cases. Moreover, the multiple examples of cases in which European
supervisory authorities have issued fines for violations of Article 33(1) given by Argon itself
show that this kind of violations have frequently been deemed to warrant the imposition of an
                     161
administrative fine.    Finally, it should be noted that Datatilsynet has already issued fines in
circumstances where a violation of the GDPR affected a single data subject in Norway.        162

        7.3. Calculation of the Amount of the Administrative Fine


Having had due regard to the factors under Article 83(1) and (2), we find an administrative fine
of NOK 2 500 000 (two million five hundred thousand) to be appropriate in the circumstances

of this case. This is for the reasons outlined below.

In terms of the requirement under Article 83(1) to ensure that the imposition of the fine in the

circumstances of this case is effective, proportionate and dissuasive, the financial position of
Argon must be taken into account. The financial position of Argon is also relevant to determine
the maximum fine applicable in the present case.


Argon’s total annual turnover appeared to be in excess of $ 215 million (i.e., approximately
NOK 1 900 000 000) in 2020,       163and increased by approximately 20% in 2021.        164Thus, the

160
    See Dutch Data Protection Authority, Decision Against Booking.com B.V of 10 December 2020
<https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/besluit_boete_bookiIrishf>Data
Protection Commission (“DPC”), Decision Against Twitter International Company of 9 December 2020 (DPC
Case   Reference:  IN-19-1-1)   <https://edpb.europa.eu/sites/default/files/decisions/final_decision_-_in-19-1-
1_9.12.2020.pdf>.  The   DPC’s    decision  has   been   confirmed   in  the  Dublin   Circuit  Court
<https://www.dataprotection.ie/en/news-media/press-releases/confirmation-fine-twitter-international-company>.
161Cf. Argon’s letter to Datatilsynet dated 22 February 2022, pp. 20-23.
162See e.g. Case 20/01874, Basaren Drift AS; Case 20/02220, Flisleggingsfirma AS; Case 20/02375, Ultra-

163hnology AS.
   This is according to the 2020 Annual Results of the Wego Group to which Argon belongs. See Wego, Investor
Presentation:           2020            Annual             Results           (March             2021)
<http://en.weigaogroup.com/upload/202103/30/202103301927500480.pdf> (stating: “In FY2020 Argon recorded
total sales RMB1,370m”).
164This is according to the 2021 Annual Results of the Wego Group to which Argon belongs. See Wego, Investor
Presentation:           2020            Annual             Results           (March             2022)



                                                                                                   38maximum fine applicable in the present case is 10 000 000 EUR (i.e., around 100 000 000
NOK), as the latter amount is higher than 2% of the company’s total annual turnover, and

Article 83(4)(a) provides that infringements of Article 33 shall be subject to “administrative
fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide
annual turnover of the preceding financial year, whichever is higher” (emphasis added).


Having considered the above, a fine of NOK 2 500 000 (two million five hundred thousand)
seems appropriate, as it represents approximately 2.5% of the maximum applicable fine and sits
within the lower end of the spectrum of possible fines. Therefore, such a fine is commensurate

with the seriousness of the infringement for which it is imposed, taking into account all of the
aggravating and mitigating factors outlined above (see sections 7.1.1 to 7.1.11).


Such a fine would represent approximately 0.1% of Argon’s annual turnover for 2020 (or a
smaller percentage if one considers the turnover for 2021). Therefore, it would have some
significance to the company relative to its revenue—which is essential to ensure its dissuasive
effect—without being disproportionate relative to the company’s financial position and the

infringement viewed as a whole.

In its written submissions, Argon claimed that the amount of the fine indicated above is

disproportionately high and that it would not be in line with the existing administrative practice
across the EU/EEA regarding administrative fines for violations of Article 33(1),       165 although
the company did not provide the exact references of the specific cases that would support the
             166
lattercla167    Inthisregard,wereiteratethatthesettingofafineisnotanarithmeticallyprecise       168
exercise,    and supervisory authorities have a certain margin of discretion in this respect.      In
any event, the examples given by Argon in its written submissions focus primarily on the
numeric value of the fines imposed, but do not show how each of the amounts relate to the
                                              169
economic size of the recipient of the fine.      The size of the undertaking concerned is one of
the key elements that should be taken into account in the calculation of the amount of the fine
in order to ensure its dissuasive nature.    170 Taking into consideration the resources of the

undertaking in question is indeed justified by the impact sought on the undertaking concerned,
in order to ensure that the fine has sufficient deterrent effect, given that the fine must not be



<http://en.weigaogroup.com/upload/202208/22/202208221507029683.pdf> (stating: “Argon‘s revenue increased
by 20.8% based on fixed exchange rate”).
165See Argon’ letter to Datatilsynet dated 22 February 2022, pp. 20-23.
166Argon referred to a number of fines issued for violations of Article 33(1) GDPR by various European
supervisory authorities, but without providing any case number or reference.
167See, inter alia, Case T-425/18, Altice Europe NV v Commission, para. 362; Case T‑11/06, Romana Tabacchi v
Commission, para. 266. See too EDPB, Decision 01/2022 on the dispute arisen on the draft decision of the French

168ervisory Authority regarding Accor SA under Article 65(1)(a) GDPR, adopted on 15 June 2022, para. 74.
   See, inter alia, Case T-192/06, Caffaro Srl v Commission, para. 38. See too EDPB, Decision 01/2022 on the
dispute arisen on thedraft decision of the French Supervisory Authority regarding Accor SA under Article 65(1)(a)
GDPR, adopted on 15 June 2022, para. 74.
169Cf. Argon’ letter to Datatilsynet dated 22 February 2022, pp. 20-23.
170EDPB, Decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding
WhatsApp Ireland under Article 65(1)(a) GDPR, paras. 405-412; EDPB, Decision 01/2022 on the dispute arisen
on the draft decision of the French Supervisory Authority regarding Accor SA under Article 65(1)(a) GDPR,
adopted on 15 June 2022, para. 76.



                                                                                                   39negligible in the light, particularly, of its financial capacity. In this respect, it suffices to note
that in a case concerning violations of the GDPR that the Norwegian Privacy Appeals Board

(Personvernnemda)didnotconsidertooserious,Personvernnemdadeemedafineequalto0,9%
of the annual turnover of the preceding financial year to be adequate.        172 Moreover, other
European supervisory authorities have imposed fines for violations of Article 33(1) GDPR that
are even higher—relative to the turnover of the relevant controller—than the one imposed in

the present case. For instance, the Finnish supervisory authority imposed a fine of 145 600 EUR
for an infringement of Article 33(1) GDPR, equal to approximately 1% of the annual turnover
of the preceding financial year of the relevant controller. 173


    8. Right of Appeal


An appeal may be lodged against this decision by sending us a written complaint within three
weeks after having received the present decision.    174If we decide to uphold our decision after
having received such a written complaint, we will transfer the case to Personvernnemnda, our
appeal body. 175



Kind regards


Jørgen Skorstad
Director, Legal Department



                                                                       Luca Tosoni
                                                                       Specialist Director


This letter has electronic approval and is therefore not signed

Copy to:        ADVOKATFIRMAET RÆDER AS













171
   Case C‑408/12 P, YKK and Others v Commission, para 85; Case C-413/08 P, Lafarge v European Commission,
para.104andthecaselawcitedtherein.SeetooEDPB,Decision01/2022onthedisputearisenonthedraftdecision
of the French Supervisory Authority regarding Accor SA under Article 65(1)(a) GDPR, adopted on 15 June 2022,
para. 76.
172See PVN-2021-13.
173See Case 1150/161/2021.
174See Sections 28 and 29 of the Norwegian Public Administration Act.
175See Section 22 of the Norwegian Personal Data Act.



                                                                                                 40