Datatilsynet (Norway) - DT-20/01790 PVN-2021-09 & PVN-2021-15

From GDPRhub
Datatilsynet (Norway) - DT-20/01790 PVN-2021-09 & PVN-2021-15
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Decided: 31.08.2021
Published: 31.08.2021
Fine: None
Parties: Coop Finnmark SA
National Case Number/Name: DT-20/01790 PVN-2021-09 & PVN-2021-15
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: The Norwegian Privacy Appeals Board (Personvernnemnda) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board reduced a fine for unlawful disclosure of personal data from a surveillance footage from €40,340 (NOK 400,000) to 0,- as they disagreed with the DPA's assessment and due to their long case processing time.

English Summary[edit | edit source]

Facts[edit | edit source]

This case is an appeal of the decision DT-20/01790 by the Norwegian DPA (Datatilsynet), in which it fined a store approximately €40,340 (NOK 400,000) for the unlawful disclosure of personal data from a surveillance footage, thus breaching Article 5(1)(a) GDPR and Article 6.

The complainant argued that the size of the administrative fine imposed, was too high and therefore appealed the DPA's decision. After reviewing the complaint, the DPA decided to uphold it, and the case was therefore was submitted to the Privacy Appeals Board (Personvernnemnda) for consideration.

Personvernnemnda (PVN) agreed with the DPA that the infringement in question was correctly defined as a breach of Article 5(1)(a) GDPR and Article 6(1)(f).

However, the PVN did not agree that the infringement was as serious as interpreted by the DPA, quoting specifically the short duration of the footage (3 seconds), that it did not show any faces or the theft itself, did not concern any personal data as per Article 9 GDPR or Article 10 and was deleted after a few days.

The PVN noted that forwarding the footage and the fact that it involves children, are aggravating circumstances, however there was no evidence that the data subjects were harmed in any way.

Holding[edit | edit source]

After an overall assessment, the PVN concluded (under doubt) that an administrative fine for such a violation should be around €5042 (NOK 50,000), however they also removed the fine entirely due to the DPA's long case processing time (over two years).

Following the PVN's decision, the complainant submitted a claim for coverage of their legal costs related to this case. The PVN agreed and awarded the complainant €6959 (NOK 69,000), cf. PVN-2021-15.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision of the Privacy Board 31 August 2021 (Mari Bø Haugstad, Bjørnar Borvik, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin)
The case concerns a complaint about the Data Inspectorate's imposition of an infringement fee of NOK 400,000 for having disclosed personal data collected by camera surveillance in violation of Article 6 and Article 5, paragraph 1, letter a of the Privacy Ordinance.
Background to the case
On April 4, 2019, the camera surveillance in the Coop store in X captured an incident that the store manager perceived as theft in the self-service checkout. The store manager used his private mobile phone and filmed / copied approx. three seconds from the footage from the store's surveillance camera. The recording that was filmed shows neither the person who commits the theft nor the theft itself, but shows one of the other boys in the same entourage. The purpose of the recording was to identify one of the children who did not commit the crime, but who was with the boy who was the suspect. No face is shown, but one can see the hair, clothing and footwear. The store manager sent the film clip of the boy to another store employee in the Coop system with questions about whether this was her son. The store employee answered the question in the negative, and then forwarded the film clip to his son, who in turn forwarded it. In this way, the film clip reached the person or persons depicted on the recording. The film clip was later deleted and was not seen by either the Data Inspectorate or the Privacy Board. The description of the content is therefore based on the information provided in the complaint.
Coop wrote a non-conformance report on the incident on 10 April 2019, which was sent to the Norwegian Data Protection Authority. The store manager also contacted affected parties, apologized for the incident and asked them to delete the filming. He also apologized directly to the people who were filmed.
Coop reported the theft to the police and the camera footage was then handed over to them.
After receiving a non-conformance report, the Data Inspectorate requested Coop on 8 October 2019, which was given on 21 October 2019.
The Data Inspectorate notified Coop on 28 February 2020 that the Authority would make such a decision:
«Pursuant to the Personal Data Act § 1, cf. the Privacy Ordinance Article 58 no. 2 letter i, cf. Article 83, Coop [in county Y], org.nr. […], To pay an infringement fee to the Treasury of 400,000 - four hundred thousand - kroner for having disclosed personal data in violation of the Privacy Ordinance Article 6, and 5 No. 1 letter a. "
In Coop's comments on the notification on 25 March 2020, the company acknowledged that the incident constituted a breach of the rules of the Personal Data Act, but stated that the fee of NOK 400,000 was too severe a reaction.
On 22 December 2020, the Norwegian Data Protection Authority made a decision on an infringement fee of NOK 400,000 in line with the notice issued.
Coop appealed on 28 January 2021 in a timely manner to the Data Inspectorate's decision. The complaint only applies to the amount of the infringement fee.
The Data Inspectorate maintained its assessment of the size of the infringement fee and forwarded the case to the Privacy Board on 3 May 2021. Coop was informed of the case in a letter from the board on 6 May 2021, and was given the opportunity to comment. Coop commented in a letter dated May 19, 2021.
The case was considered at the tribunal's meeting on 31 August 2021. The Privacy Board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem and Morten Goodwin. Secretariat leader Anette Klem Funderud was also present.
The Data Inspectorate's decision in brief
The Data Inspectorate first explains the fact on which the Authority's decision is based. The fact description is based on the store's own account of the course of events in the deviation report and in the statement to the Norwegian Data Protection Authority.
Thereafter, the Data Inspectorate generally explains the legal principles in the Personal Data Act and the Privacy Ordinance and justifies in particular why regulations for camera surveillance in business are not relevant for the processing of personal data that takes place in this case. It is pointed out that the special rules on camera surveillance in enterprises are placed in the Working Environment Act, Chapter 9, which deals with the employer's right to implement control measures in its enterprise. Regulations on camera surveillance in working conditions are issued on the basis of the Working Environment Act § 9-6.
The Norwegian Data Protection Authority states that there has been a processing of personal data that falls within the scope of the Personal Data Act and the Privacy Ordinance, cf. the Personal Data Act § 2 and the Privacy Ordinance Article 2. There has been a processing of personal data in two paragraphs; first when the store manager filmed the original camera footage with his private mobile phone, and then when he forwarded the footage. These two operations have been treated together and the audit assumes that the purpose of the treatment was to identify the person depicted in order to solve a possible criminal act.
Assessment of treatment basis
Even if the company does not state that it has a basis for processing, and has itself reported the processing of personal data as a deviation to the Data Inspectorate, the Data Inspectorate makes an independent assessment of whether there is a processing basis for the processing in Article 6 (1) (f).
The law's requirement that the processing must be necessary for purposes related to the data controller's legitimate interest, means that the interest pursued by the data controller must be legal and actually justified in the business. The Danish Data Protection Agency first discusses whether the current processing is necessary for purposes related to the data controller's legitimate interest. The audit points out that it is in the shop's interest to uncover who has committed thefts in the business, but points out that on the other hand it is not necessary to hand over the recordings to outsiders, in that the theft can be solved and the persons identified by reporting the relationship to the police. In any case, the Authority's assessment is that the data subject's right to privacy outweighs the company's interest in this case. In this assessment, the Norwegian Data Protection Authority has placed decisive emphasis on the fact that it is children's personal data that has been processed, cf. the Privacy Ordinance's point 38.
Furthermore, the Data Inspectorate refers to the Privacy Council's "Guidelines 3/2019 on processing of personal data through video devices" section 35. The Authority points out that persons staying in the store have a reasonable expectation that they will be filmed, but that they have no reasonable expectation of that such recordings are handed over to outsiders other than the police. The audit points out that the potential for harm when disclosing personal information between mobile phones is large in that the information can spread quickly.
In its decision, the Authority concludes that the processing involves an illegal processing of personal data. The disclosure entailed a deviation from the company's internal routines for camera surveillance and the processing lacks a basis for processing in the Privacy Ordinance, Article 6, No. 1, letter f.
Infringement fee
The Danish Data Protection Agency considers that Coop must be fined for the infringement. In assessing whether a fee should be charged and in determining it, the Data Inspectorate takes as its point of departure the elements in the Privacy Ordinance Article 83 no. 2 letters a to k. to highlight factors that are to be given special weight.
With reference to Article 83 no. 2 letter a «The nature, severity and duration of the infringement […]», the Data Inspectorate concludes that this is a serious infringement. The violation constitutes a violation of basic requirements of legality in a processing. Great emphasis has been placed on the violation affecting children, who have been given special protection in the privacy regulations. It has been pointed out that the extradition itself is suitable for leading to serious consequences, which is more harmful for children than for adults.
The seriousness of the incident increases in that the processing represents a violation of the company's internal guidelines for the disclosure of personal information from camera surveillance.
It is also reprehensible that the store manager used his private mobile phone to film the recordings, which he then shared further. Private mobile phones are often associated with cloud-based storage services, which can cause files to be stored on multiple devices. The person who owns the phone will therefore more easily be able to lose track of where the file is located.
With reference to Article 83, paragraph 2, letter b "Whether the infringement was committed intentionally or negligently", the Authority notes that it is not a condition for the imposition of an infringement charge that there is a subjective fault on the part of the infringer. The audit refers to the Public Administration Act § 46 and Prop. 62 L (2015-2016) page 199 and assumes that the responsibility is in principle objective, but that it is important for the audit's assessment of how reprehensible the action is.
The Data Inspectorate states that the action that led to the breach in this case is clearly reprehensible. The treatment was performed by a person in a leading position, through a conscious action, and not as a result of an accident. The company can not be heard that there was a legal error. Legal error is not excusable unless the legal error is negligent, which in the Authority's view is not in this case. According to the routines, a store manager has the leading responsibility for compliance with the regulations, which includes both the Personal Data Act and the internal routines in the business.
In the Authority's assessment, it appears to be a clear consequence that a shared film clip will be shared further, especially if the purpose of the original sharing is to identify persons.
It cannot be concluded that there is intent with regard to the illegality of the act or the consequences of the act. Based on the objective evidence that can be deduced from the actions, the Data Inspectorate believes that in any case gross negligence has been shown by a leading person in the business. This roughness pulls in an aggravating direction.
With reference to Article 83, paragraph 2, letter c "Any measures taken by the data controller or data processor to limit the damage suffered by the data subjects", the Authority assumes in a mitigating direction that the company took important and required measures after the deviation. All known people involved were contacted and asked to delete any recordings, and the store manager called all affected parties and apologized for the inconvenience.
With reference to Article 83 (2) (g) "Category of information concerned", the Authority notes that it is irrelevant whether the face is displayed or not, or whether there are other factors, such as clothing, that make it possible to identify individuals. The crucial thing is that the person is identifiable.
With reference to Article 83, paragraph 2, letter h "In what way did the supervisory authority become aware of the infringement, in particular if and to what extent has the data controller or data processor notified of the infringement", the Authority states that according to the guidelines a company cannot be considered mitigating complies with its obligations under the regulation to report non-conformities, cf. the Article 29 Group's guidelines in 17 / EN WP 253 p. 14. The fact that non-conformities are reported therefore does not speak in a mitigating or aggravating direction.
The cases Coop refers to from the supervisory authorities in Sweden and Germany deal with very different facts compared to this case. Infringement fees are justified in specific circumstances in the individual case and, in the Authority's assessment, cannot be given weight when determining the fee in the present case.
When measuring the size of the fee, emphasis shall be placed on the same assessment factors that have been reviewed above. The Authority therefore refers to these assessments. The infringement fee shall be effective, be in a reasonable proportion to the infringement and have a deterrent effect. The fee should be experienced as an evil. This means that the supervisory authority must make a concrete, discretionary assessment in each individual case.
The Norwegian Data Protection Authority emphasizes that the disclosure concerns children's personal data, which should enjoy particularly strong protection. There is also talk of a violation as a result of a negligent act, performed by a person in a leading position. It is the responsibility of the company, and the person acting on behalf of the company, to familiarize themselves with the rules for camera surveillance, including the rules for extradition. The financial capacity of the business will also be important, although it is not relevant to take advantage of the range in the amount of the infringement fee that follows from Article 83. no. 5. Coop's financial situation is in a special position. In order for the fee to be perceived as an evil, so that the preventive considerations behind the infringement fee as a form of reaction are safeguarded, the fee must be higher than what has previously been the case in cases with a similar fact.
After a review of the various factors, the Data Inspectorate concludes that Coop will be fined NOK 400,000. The Authority considers that a fee of this magnitude will be sufficiently effective, be in a reasonable proportion to the infringement and act as a deterrent, cf. the Privacy Ordinance, Article 83 no. 1.
Coop's view of the case in brief
Coop does not deny that the facts of the case mean that there is a breach of the Personal Data Act and the Privacy Ordinance. The imposed infringement fee of NOK 400,000 is an overly severe reaction, and the size of the fee is not in a reasonable proportion to the infringement. The Norwegian Data Protection Authority has not placed sufficient emphasis on the mitigating circumstances in the case.
Imposition of fee
This is not a serious violation and the Norwegian Data Protection Authority has placed too much emphasis on the risk of spread and the extent of the damage that could potentially have occurred.
It is clear that the video clip itself is of very limited duration (approx. 3 seconds). The video clip does not show the person who commits the crime (theft) or the crime itself. The scope of people is very limited (a total of four people). The delivery of the video clip was a one-off case and it cannot be documented that this individual case has caused any damage. The fact that the scope of persons is very limited and that it is a one-off case illustrates that this is an isolated incident, and not an expression of more systematic breaches or lack of internal guidelines in the company. It is pointed out that in Coop, camera surveillance takes place on a large scale in light of the number of stores and opening hours. This is the first time such a discrepancy has occurred.
Whether the infringement was committed intentionally or negligently is a factor that will be relevant in the assessment of whether an infringement fee is to be imposed and in determining the amount of the fee. The Norwegian Data Protection Authority sets the threshold for intent far too low when it is established that the act was carried out through "a deliberate act, and not as a result of an accident". Even if the action was not the result of an accident, one cannot automatically conclude that it is a question of intent. The action was deliberate, but the extradition was due to the fact that the relevant store manager had not familiarized himself with existing guidelines. The deliberate act only included extradition to a person within Coop. In light of the objective evidence related to the actions in the specific case, it cannot be established that the relevant store manager has acted with intent.
Coop took important and required measures following the deviation, including all known parties involved being contacted and asked to delete any recordings, and in the decision, the Data Inspectorate has given its assent that this speaks in a mitigating direction.
In its report, the company has shown that Coop has established routines to prevent precisely such deviations as the one that has occurred. Internal routines have been reviewed in meetings with all store managers, and these have undergone training that is directly relevant to the type of violation that exists. Only store managers and other senior staff have access to the camera footage in the stores. The degree of responsibility of the data controller, in the form of which technical and organizational measures have been implemented in accordance with Articles 25 and 32, is a factor that the Data Inspectorate "shall take due account of". The Norwegian Data Protection Authority cannot choose to disregard this because in their opinion it is difficult to establish that this is related to the violation. In accordance with the Privacy Council's guidelines, the Data Inspectorate must ask itself whether Coop did what could reasonably be expected, given the nature, purpose and extent of the specific processing, seen in light of the obligations imposed on them by the Privacy Ordinance. Coop believes that this question must be answered in the affirmative in the light of the conditions pointed out above. In Coop's view, the established GDPR routines in Coop are a mitigating circumstance that must be given weight in the overall assessment.
This is a first-time offense even though Coop conducts camera surveillance on a large scale. This shows that Coop has sufficient routines and loyally follows the privacy regulations, which should have a mitigating effect in the overall assessment.
The category of information concerned shall also be taken into account. These were not immediately identifiable persons and the report also did not contain any suspicion that the person in question was involved in theft. The category of personal data that is affected thus constitutes a mitigating circumstance.
It is maintained that the fact that Coop itself notified the Danish Data Protection Agency must have a mitigating effect. Strict sanctioning practices can weaken trust between the supervisory authorities and the data controllers, and in the worst case result in deviations and breaches not being reported as intended, as the data controllers will not benefit from reporting deviations if the probability of the Data Inspectorate becoming aware of the matter is low.
Coop does not deny that children have stronger protection under the Privacy Ordinance. However, none of those involved in this case is under 15 years of age. Children under the age of 15 are given particularly strong protection.
Assessment of the size of the fee
The supervisory authorities' sanctions practices must be harmonized across the EU / EEA Member States. The practice of supervisory authorities in other Member States is relevant in assessing the amount of the fee. The Data Inspectorate in Sweden has in DI-2019-2221 and DI-2018-22737 settled on a lower fee level. The same applies to the German supervisory authority in LfDI: Baden-Württemberg.
In the Privacy Board's decision PVN-2019-09, a picture from camera surveillance was published on Facebook. The publication had consequences for the person depicted and his family. The company had no guidelines, training, control or other measures to ensure that the processing of recordings from camera surveillance was legal. The fee was set at NOK 50,000. Publishing on Facebook cannot be compared to sending a message to one person within the company as is the case in the present case. Even if the message was forwarded, the message chain could be traced to identified persons. The fact that the store manager was able to gain control of personal information relatively quickly illustrates this. Publishing on Facebook, on the other hand, will quickly reach hundreds of unidentified people who make it almost impossible to gain control. In our case, the admission reached a very limited number of people and it can not be documented that the incident caused any harm to those affected. In contrast to the data controller in PVN-2019-09, Coop has established internal guidelines for the processing of personal data, including guidelines that directly concern camera surveillance.
The fee in PVN-2019-09 was determined with reference to PVN-2017-16, which also applied to publication on Facebook. In this decision, the Norwegian Data Protection Authority assumed that the images were suitable for identifying an individual. Furthermore, the company lacked internal control which clarified the question of the legality of the division and which ensured compliance with the Personal Data Act before camera surveillance was installed. Despite the fact that this business had a turnover of almost 31,000,000 kroner and that there were several aggravating circumstances in view of our case, the infringement fee is at the same level as PVN-2019-09.
The Norwegian Data Protection Authority has placed too much emphasis on the fee being a deterrent, and has not taken sufficient account of the fact that the fee in each individual case must also be in a reasonable proportion to the violation. The level in this case differs greatly from the Authority's practice in what they themselves refer to as similar cases.
The Privacy Board's assessment
The tribunal agrees with the Data Inspectorate, and assumes that Coop's disclosure of personal information collected using the store's fitted camera equipment represents a violation of the Privacy Ordinance Article 5 and Article 6 No. 1 letter f. This part of the Data Inspectorate's decision is not appealed either.
The question for the tribunal is whether, pursuant to Article 83 no. 5 of the Privacy Ordinance, cf. Article 83. no. 2, an infringement fee shall be imposed for the act, and if a fee is to be charged, the amount of the fee shall be.
It follows from Article 83 (1) that the imposition of infringement fines in each individual case must be effective, proportionate and dissuasive. Both when assessing whether a fee is to be charged and when measuring the fee, the factors in the Privacy Ordinance Article 83 no. 2 letters a to k shall be taken into account.
For this assessment, it is important to look at the nature, severity and duration of the infringement, cf. Article 83 no. 2 letter a. It follows from the provision that the nature, scope or purpose of the act concerned must be taken into account, as well as the number of registered affected and the extent of the damage they have suffered. In this case, the violation consisted of the store manager filming with his private mobile phone approx. 3 seconds from the original camera footage from the store and forwarded the film clip to an employee of the store, who in turn forwarded it. The tribunal assumes that the recording shows two of the boys who were in the shop, but that it does not show either the boy who the shop believes commits the theft or the theft itself. No face is shown, but you can see the hair, clothing and footwear, so that those who are filmed can be identified by people who either know them or were there with them.
The purpose of the recording was to identify one of the children who did not commit the crime, but who was with the boy who was suspected, in order to also identify the person who was suspected of theft.
Neither the content nor the duration of the recording indicates that the illegal treatment is particularly serious. This is not information covered by Article 9 or Article 10, the recording shows only two people (two more people are involved in their presence without being filmed) and the recording has a very short duration.
The acts that represent the violations of the Personal Data Act in this case are the store manager's filming and later forwarding of a sequence of the recording from the store's camera surveillance system. The tribunal assumes that the store manager acts on behalf of the person responsible for processing, and that the person responsible for processing consequently has an independent responsibility for such actions.
By forwarding the recording to someone else's mobile phone, the store manager, and thus also the data controller, loses control of the recording and its further use. In the tribunal's assessment, this makes the action more serious. For the sake of order, the tribunal will emphasize that it is not the use of a cloud-based storage service that is problematic, but that the camera recording is stored on a medium other than the camera surveillance equipment, over which the person responsible for processing thus has no control.
It is aggravating that it concerns the admission of persons who are children, cf. Article 6 no. 1 letter f, who mentions children separately. Point 38 of the Regulation also states that children's personal data on a general basis deserve special protection, as children may be less aware of current risks, consequences and guarantees, as well as of the rights they have with regard to the processing of personal data.
The people in the film clip were aged 15 to 16 years. The Privacy Ordinance does not contain a definition of who is to be regarded as a child within the meaning of the ordinance. The Commission's original proposal for a new Privacy Regulation defined children as persons under the age of 18, see the Commission's proposal for Article 4 (18), but the definition is not found in the adopted Regulation. However, the Ministry has assumed that a person is no longer a child within the meaning of the regulation when he or she has reached the age of 18. This is in accordance with the starting point in the UN Convention on the Rights of the Child on 20 November 1989, Article 1, which applies as Norwegian law, cf. the Human Rights Act § 2 no. 4, cf. Prop. 56 LS (2017–2018) page 95. The Tribunal agrees with complaints that the moment weighs heavier the younger children it is about. Compared with adults, it is nevertheless the case that 15-16-year-olds are also given extra protection under the regulation.
At the same time, there is no information that the illegal processing of personal data has resulted in the registered boys suffering any damage and the tribunal assumes that the film recording in question was deleted by those who had received it after a few days.
Following a review of these matters, the Tribunal does not agree with the Norwegian Data Protection Authority that this is a gross violation of the Privacy Ordinance, as the Authority bases its decision in section 4.5.2.
Pursuant to Article 83 (2) (b), further emphasis shall be placed on whether the infringement was committed intentionally or negligently. Regarding the guilt claim, the Data Inspectorate writes:
"It is not a condition for the imposition of an infringement fee that there is subjective guilt on the part of the infringer. In this context, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, which is directed at a violation of law, regulation or individual decision, and which is regarded as a punishment under the European Convention on Human Rights (ECHR).
For companies, the guilt assessment is unique. Section 46, first paragraph, of the Public Administration Act states: "When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction may be imposed even if no individual has shown guilt."
Prop. 62 L (2015-2016) page 199 states about § 46: «The wording that‘ no individual has shown guilt ’is taken from the section on corporate punishment in the Penal Code § 27 and shall be understood in the same way. The responsibility is therefore basically objective ».
This is based on a misunderstanding of applicable law. In HR-2021-797-A, the Supreme Court has ruled that the objective responsibility for corporate punishment that follows from the wording of the Penal Code § 27, is not compatible with the concept of punishment in Article 6 (2) and Article 7 of the ECHR, as now stipulated in case law of the European Court of Human Rights (ECHR). Infringement fees under the Personal Data Act are to be regarded as an administrative sanction that has the character of a penalty pursuant to Article 6 of the ECHR. . General negligence is sufficient. Ignorance of legal rules does not exempt from punishment when ignorance is negligent, cf. the Penal Code § 26. The same applies to the imposition of administrative sanctions that have the character of punishment.
There is no doubt that the store manager's filming the camera footage on his own mobile phone and forwarding this footage to another store employee represents an intentional act. Although the store manager did not consider the forwarding to be probable, he has at least shown negligence for this action as well. The fact that he was not aware at this time that this represented an illegal processing of information does not absolve him from liability (cf. above), and the guilt claim is thus fulfilled. In the tribunal's assessment, however, this does not mean that the violation is to be regarded as serious.
The tribunal agrees with the Norwegian Data Protection Authority that emphasis should be placed in a mitigating direction on all known parties involved being contacted shortly after the incident (five days) and asked to delete any recordings, cf. Article 83 no. 2 letter c.
Pursuant to Article 83 (2) (h) of the Privacy Regulation, due account shall be taken in each individual case:
"The manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or data processor has notified the infringement."
The Data Inspectorate has assumed that it cannot be considered mitigating that an enterprise complies with its obligations under the ordinance to report deviations, and has referred to the Article 29 group's statement in 17 / EN WP 253 p. 14 (the tribunal assumes that it is intended to refer to page 15). The tribunal does not agree with the Data Inspectorate's assessment on this point. It follows directly from the wording of the regulation that this is a matter that must be duly taken into account. As pointed out by the Privacy Board in previous decisions, the Privacy Council's guidelines, like the Article 29 group's statement, have limited value as a source of law, but provide useful guidance as an expression of administrative practice in the audits in the EU and EEA.
The tribunal's interpretation of Article 83 letter h is also in line with the general criminal law principle in Norwegian law that notification and self-reporting shall be given weight in determining the reaction. However, the specific emphasis will depend, among other things, on how serious the violation is, and also the probability that the violation would have been discovered by the supervisory authority anyway. In this case, the tribunal believes that it must be emphasized in a mitigating direction that the data controller himself quickly uncovered the illegal processing, immediately implemented measures to avoid or minimize the damage by contacting all those involved, and reported the incident to the Data Inspectorate. Both general preventive and individual preventive considerations dictate that these factors be given weight in the assessment pursuant to Article 83.
On this basis, the tribunal has assessed whether a reprimand pursuant to Article 58 no. 2 letter b, cf. 83 no. 2 would have been a sufficient reaction. Nevertheless, the tribunal has, with some doubt, come to the conclusion that the illegal processing of personal data in this case in principle indicates that an infringement fee is imposed. The fixed fee is still set too high. This is because the tribunal believes that it is not a serious violation as the Data Inspectorate has assumed, and that the Data Inspectorate has not sufficiently taken into account the mitigating factors the tribunal believes must be taken into account in the assessment.
The tribunal will emphasize that in the assessment, it must be emphasized that Coop had the necessary internal guidelines in place at the time of the incident in question, which enabled a quick reaction when the breach was discovered and remedial measures were implemented.
Complainants have referred to PVN-2019-09 where the data controller was charged a fee of NOK 50,000 for having published a picture on his Facebook page from recordings made during camera surveillance. The picture that showed a person was supplemented with the following text «Who is this? Night to Saturday at 04.52, this tuft stole our Christmas decorations. He brought with him a like-minded motivator in a black suit and brown shoes. Tips are wanted as these types should possibly be confirmed by the law's long arm .. ». The tribunal ruled that it was not a minor breach of the law and pointed out in particular that the photo was published on Facebook and it was emphasized in an aggravating direction that the company lacked guidelines, training, control or other organizational measures to ensure that personal information collected by camera surveillance is done legally.
There is no doubt that the violation in PVN-2019-09 is clearly more serious than in this case, and that the mitigating circumstances that apply in our case are absent in the 2019 case. In PVN-2019-09, the tribunal maintained the Data Inspectorate's imposed fee of NOK 50,000. However, the Norwegian Data Protection Authority had assessed the case in accordance with the old law (Personal Data Act 2000), while the tribunal believed that it should be assessed in accordance with the new law, cf. section 33 of the Personal Data Act.
The tribunal assumes that the Privacy Ordinance provides for a higher fee level than that which applied under the Personal Data Act from 2000, and that this level was not yet established at the time the Data Inspectorate and the Privacy Board made their decisions in PVN-2019-09. This indicates that the case is not directly comparable in terms of the size of the fee.
After an overall assessment, the Privacy Board has come to the conclusion that the fee for the violation in this case, according to the level that follows from the Privacy Ordinance, should be around NOK 50,000.
In the tribunal's assessment, however, in the final determination of the size of the fee, emphasis must be placed on the long case processing time at the Data Inspectorate. Coop itself reported the incident in question on 10 April 2019, a few days after it had taken place. It then took six months before the Data Inspectorate asked the company for a statement. After receiving this, it took approx. four months before the Data Inspectorate sent notification of the decision, and then another ten months from the notification was sent to the decision, identical to the notification, was made on 22 December 2020. After Coop appealed the decision, another three months passed before the case was received by the tribunal. May 3, 2021. The case processing by the tribunal has since taken three and a half months. Since the violation took place, it has now, in August 2021, been a total of 2 years and 4 months.
The tribunal recalls that the Authority has a duty to account for its assessment of the significance of the case processing time for the sanction issue. The Tribunal refers to PVN-2021-03 with further reference to the Civil Ombudsman's (formerly the Civil Ombudsman's) decision of 17 August 2012 in case 2011/2718 and NOU 2003: 15 «From fine to improvement» section 5.7.11 (page 102). This has not been done in this case.
In the tribunal's assessment, the total case processing time at the audit has been unacceptably long, considering that the case is neither particularly factual nor legally complex. The person or undertaking at risk of criminal or sanction-equivalent sanctions has a protected interest in having this matter clarified within a reasonable time, and the administrative body is obliged - with the resources made available - to arrange its business in such a way that this interest is safeguarded.
Following an overall assessment, the Privacy Board has come to the conclusion that the infringement fee should be waived due to the long case processing time.
Following this, Coop is upheld in its appeal in that the fee imposed lapses.
Conclusion
The Data Inspectorate's decision to impose a fee is reversed by the fee lapse.
The decision is unanimous.


Oslo, 31 August 2021
Mari Bø Haugstad
Manager