Datatilsynet (Norway) - 20/01868

From GDPRhub
Revision as of 15:33, 10 December 2020 by Cp (talk | contribs) (Cp moved page Datatilsynet - 20/01868 to Datatilsynet - 20/01868 (PVN-2020-15) without leaving a redirect)
Datatilsynet - 20/01868-10
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(d) GDPR
Article 16 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 10.11.2020
Published:
Fine: None
Parties: Sbanken ASA
National Case Number/Name: 20/01868-10
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Personvernrådet (in NO)
Initial Contributor: n/a

The Norwegian Privacy Appeals Board (Personvernrådet) unanimously overturned the Norwegian DPA’s (Datatilsynet) decision and held that a name which contained an incorrect uppercase letter did not constitute incorrect personal data which needs to be rectified based on Article 16.

English Summary

Facts

A data subject who comes from the Netherlands moved to Norway and established a customer relationship with a bank (Sbanken ASA). For several years, the complainant has been in dialogue with the bank to correct the way they write his name. The bank writes his name in capital letters in "van" (Name Van Navnesen, instead of Name van Navnesen).

The bank stated that its processing systems retrieve customer information from the National Population Register. In the National Register, all names are written in capital letters and Sbanken has a program that automatically changes the spelling of names from uppercase to lowercase letters with the exception of the first letter which is written in capital letters: from "NAME VAN NAVNESEN" to "Name Van Navnesen". The reason for this choice is that most customers write all names with a capital letter in line with the Norwegian naming tradition.

As the data subject was unsuccessful in having his name spelled differently, he lodged a complaint with the Datatilsynet. The DPA held that Article 16 does not require a qualified degree of inaccuracy, and does not allow for a risk-based approach to when the data subject's rights can be asserted. The Datatilsynet also emphasised the objective nature of the personal data in question, and noted that such data (the same as age, address, personal name, or other information with an objective standard) shall be corrected by replacing it with information that is objectively correct. Furthermore, the DPA found the bank’s proposal, of correcting the complainant’s name in the online banking website but not in the bank's underlying systems, to be insufficient.

Dispute

Did the Datatilsynet arrive at a correct assessment as it ordered the bank to rectify the complainant’s name based on Articles 5(1)(d) and 16?

Holding

The PVN unanimously overturned the Datatilsynet’s decision. In building its arguments, the PVN recognized that in the Dutch passport the name was written with a lowercase letter (“van”). However, it then noted that it is normal to have differences between countries in spelling names, and gave examples of characters which do not even exist in all languages.

Other than the Datatilsynet, the PVN’s reasoning did not focus on the objective nature of the data, nor on it being objectively incorrect. Instead, the PVN relied on the principle of data accuracy and emphasised that the correctness of the data must be assessed in light of the processing purposes. As the purpose of the bank is to administer the customer relationship with the complainant, the PVN held that the current spelling of the name entails no danger of misidentification. Therefore, the PVN held that there is no incorrect personal data that can be required to be corrected in accordance with Article 16.

Comment

It would be interesting to see which positions will be taken by courts and DPAs in similar cases. Even in the present case, which was relatively straight-forward, one argument was that the rectification would involve unreasonable efforts for the bank. Therefore, it could be problematic if for more complex processing operations controllers can too easily claim that rectification would involve unreasonable efforts.

Furthermore, the Datatilsynet’s focus on the objective nature of the data seems pertinent but also raises questions on where the lines can be drawn. In particular, the DPA held that Article 16 does not require a qualified degree of inaccuracy, and does not allow for a risk-based approach to when the data subject's rights can be asserted. Especially in the context of more complex processing operations, achieving a high level of protection for data subjects would require a dialogue with controllers as to how the data subject is ‘seen’ or ‘labelled’ by the controller, along with effective mechanisms to rectify the data.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

PVN-2020-15 Spelling of personal names
The Data Inspectorate's reference: 
20/01868-10
Decision of the Privacy Board 10 November 2020 (Mari Bø Haugstad, Bjørnar Borvik, Gisle Hannemyr, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem)
The case concerns an appeal from Sbanken against the Data Inspectorate's decision of 18 May 2020, in which the Authority instructed Sbanken to correct the name Navn Van Navnesen to Navn van Navnesen in the bank's processing systems.

Background to the case
Navn van Navnesen (A) has a customer relationship with Sbanken ASA. He has for several years been in dialogue with the bank to correct the way they write his name. The bank writes his name in capital letters in "van" (Name Van Navnesen, instead of Name van Navnesen). When the bank rejected the request for correction in the bank's processing systems on the grounds that the spelling did not represent incorrect personal information, A brought the case before the Norwegian Data Protection Authority on 12 December 2018.

The inquiry was inadvertently processed by the Norwegian Data Protection Authority for one year. In a letter dated 21 November 2019, the Norwegian Data Protection Authority asked Sbanken for a statement. The bank explained its view in a letter dated 21 November 2019 and maintained that the data subject cannot demand correction under Article 16 of the Privacy Ordinance.

Sbanken states that the bank's processing systems retrieve customer information from the National Population Register. In the National Register, all names are written in capital letters and Sbanken has a program that automatically changes the spelling of names from uppercase to lowercase letters with the exception of the first letter which is written in capital letters: from "NAME VAN NAVNESEN" to "Name Van Navnesen". The reason for this choice is that most customers write all names with a capital letter in line with the Norwegian naming tradition.

The Data Inspectorate notified Sbanken on 22 January 2020 that the Authority would order the bank to correct the name in the bank's processing systems. The Bank submitted comments on the forecast on 10 February 2020. It also submitted comments on 20 February 2020.

The Norwegian Data Protection Authority made the following decision on 18 May 2020:

"Pursuant to Article 58 (2) (g) of the Privacy Ordinance, cf. Article 16 of the Privacy Ordinance, we order Sbanken to direct the complainants' personal names in their processing systems to the correct" Navn van Navnesen "."

At the request of Sbanken, the Data Inspectorate decided to extend the appeal period and gave the decision, if an appeal was lodged within the deadline, suspensive effect until the appeal case had been decided.

Sbanken submitted a timely complaint on 27 July 2020. In the complaint, Sbanken maintained that A was not entitled to correction, but nevertheless offered correction in the form of an intermediate solution where A was given the opportunity to correct the name in the online bank so that it would appear in line with his wish, but that the spelling was not changed in the bank's underlying systems that are not available to customers. Sbanken asked the Data Inspectorate for feedback on whether this was an acceptable form of correction because a change as proposed would entail a need for system changes that would not be initiated if this solution was not accepted. The bank also requested that complaints be submitted to the proposal. If the proposed solution was not accepted, Sbanken requested that the complaint be processed.

The Norwegian Data Protection Authority submitted the complaint, including the proposed solution for rectification, to A. He stated that he accepted the proposed solution provided that it was determined that the bank had a duty to rectify and therefore would follow it up in the event of any subsequent deviations.

The Data Inspectorate considered the complaint and found no reason to change its decision. In the Authority's assessment, the proposed solution did not satisfy the requirements for correction of incorrect personal data in Article 16 of the Privacy Ordinance. The bank submitted comments in a letter on 20 October 2020. At the same time, they requested the right to attend and speak during the tribunal's processing of the case. The tribunal considers the submitted documentation sufficient to take a position on the case and rejected the request in a letter to Sbanken on 26 October 2020.

The case was discussed at the tribunal's meeting on 10 November 2020. The Privacy Board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Gisle Hannemyr, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg and Hans Marius Tessem. Secretariat leader Anette Klem Funderud was also present.

The Data Inspectorate's decision in outline
The right to deletion follows from Article 16 of the Privacy Ordinance and stipulates that the data subject shall have the right to have "incorrect personal data" about himself corrected by the data controller without undue delay. According to its wording, the provision does not require a qualified degree of inaccuracy, and does not allow for a risk-based approach to when the data subject's rights can be asserted.

Objectively incorrect personal information shall be corrected by replacing it with information that is objectively correct, see Chapter III in the «updated version of the Privacy Ordinance, legal commentary», December 2019, Skullerud et al. Objective personal information is, for example, the data subject's age, address, personal name or other information with an objective standard. When assessing the accuracy of such information under Article 16, objective variables such as the data subject's year of birth, registered address or name of birth will be decisive.

If the data controller disagrees with the request for rectification, the person in question has the burden of proving that the information is correct, cf. the commentary, Chapter III, Section 16.

The Data Inspectorate has received several documents from van Navnesen, including a Dutch passport and a marriage certificate showing the surname's objectively correct spelling. The bank's spelling deviates from the objectively correct spelling it has documented, and the conditions for demanding correction in accordance with Article 16 of the Privacy Ordinance are met.

The principle of accuracy in the Privacy Ordinance, Article 5, paragraph 1, letter d, does not limit A's right to rectification, but stipulates the data controller's independent duty to, on his own initiative, review and ensure the accuracy of information in his processing system. The obligation applies regardless of whether the data controller has been contacted with a request for correction from the registered person.

"Reasonable measures" in Article 5 (1) (d) shall ensure that maintenance work is not disproportionately burdensome in view of the purpose of the treatment. When the data subject contacts the data controller and demands correction of incorrect personal data, this requires somewhat more of the data controller than the general maintenance obligation according to Article 5 no. 1 letter d. This is supported in the preparatory work, see Prop. 56 LS (2017-2018) where the Ministry states the following in section 10.3.5:

"The Ministry has noted Telia Norge AS 'view that rectification can in some cases be very resource-intensive, and that there may be a need for a narrow exception rule for these situations. In the Ministry's assessment, no such exceptional rules should be laid down until the rights have taken effect in practice.

Such an understanding is also based on the Danish and British data supervisory authorities' guidance on the right to redress.

The bank believes that an order for correction will be very labor-intensive because it means that the bank must review its entire customer database to check whether they use the correct spelling for all customers with surnames that contain lowercase letters such as "van Navnesen". An order to correct a data subject's personal data does not imply a general order for the bank to review its processing systems and look for incorrect spelling as the bank states.

The bank's proposal to correct A's name in the online bank, but not in the bank's underlying systems, is not in line with the Privacy Ordinance. Article 16 of the Privacy Regulation does not distinguish between correction in systems that are visible to the data subject and not. When a breach of the data subject's rights has been established and it has been determined that he has the right to correct his personal data in the bank's systems, the Data Inspectorate cannot see that the Privacy Ordinance allows for such a solution as the bank proposes.

A view of the case in outline
His name is Navn van Navnesen, and he is registered as "NAVN VAN NAVNESEN" in the National Register. The bank manipulates the data the bank receives from the National Register, and writes his name incorrectly "Navn Van Navnesen". He wants the bank to correct the name and use the correct spelling.

The bank believes that the name is registered correctly and refers to the order and the letters. Most people agree that it is wrong to write, for example, "SiljE eriksen" or "Ole martin Moe", and then the same must apply to "Navn Van Navnesen", as this spelling is not correct either. The bank spreads the incorrect use of subcontractors' IT systems.

The bank points to high costs for rectification. It is Sbanken that has chosen to use uppercase and lowercase letters, and can easily relate to what is in the National Register (only uppercase letters for all customers) and thereby avoid the whole problem.

The bank's proposal for a solution to correct his name in the correct spelling in the online bank is OK for him, provided that the bank acknowledges its duty to correct under the Privacy Ordinance.

The bank's view of the case in outline
The case falls outside the objective scope of the Privacy Ordinance because the use of a uppercase or lowercase initial in the prefix "van" does not constitute "personal information" about the data subject, cf. Article 4 no.

The prefix "van" is generic for both uppercase and lowercase letters, and is not specific to the data subject's identity. A purely visual design of a letter is not a relationship that relates to an identified or identifiable natural person. The registered person can be identified regardless of whether "van" is written in upper or lower case. It is the combination of the first name in front, and the last name behind the prefix, which are the identifying elements for the natural person. The use of uppercase or lowercase letters is also irrelevant to how the prefix is ​​read and pronounced.

In the event that a visual design of a single letter constitutes "personal information", the duty to correct does not apply. The use of uppercase or lowercase initials does not constitute "incorrect" personal data under Article 16 of the Privacy Regulation.

A natural linguistic understanding of what constitutes "incorrect personal information" indicates that the information is incorrect if it is misleading with regard to factual circumstances. Such a literal interpretation strongly suggests that different visual design of a capital letter in a prefix is ​​not misleading with regard to the actual identification of the data subject.

Whether a data controller is obliged to correct personal data must be interpreted in the light of Article 5 (1) (d), which means that whether a personal data is considered incorrect must be assessed in the light of the purpose of the processing, cf. Ireland Data Protection Commission (DPC).

The Ministry's statement in Prop. 56 LS (2017-2018) section 10.3.5 related to consultation input from Telia Norge AS requesting a narrow exception rule from the duty to rectify, is not transferable to fact in this case.

The purpose of Sbanken's processing of Navn van Navnesen's personal data is to administer the customer relationship in the bank. The bank achieves this purpose by the current spelling of the data subject's name.

The principle of correctness and the provision on reasonableness apply to any processing of personal data, cf. Article 5, also to the processing of personal data pursuant to Article 16. This interpretation of Article 16 is based on, among others, Pellerud, et al., In the Privacy Ordinance, Legislative Commentary, and Öman, Data Protection Ordinance (GDPR) etc. A comment, Norsteds Juridik AB, 2019, page 329.

There is no statutory obligation to distinguish between uppercase and lowercase letters when processing personal names and prefixes. The technical solution in question is therefore neither incorrect nor illegal.

Information in passports or marriage certificates is not a final decision for the use of uppercase and lowercase letters in names that Sbanken is obliged to follow. The closest we come to a standard in Norway is the National Register's registration, where all personal names are registered in block letters. When A accepts that the name is written only in capital letters, it shows that he is open to several alternatives and that there is not just one alternative that is correct.

The use of a capital letter for the prefix is ​​in line with Norwegian naming tradition, and the use of a capital letter for the prefix clearly differs from misspellings and omissions of characters or letters.

If the Privacy Board nevertheless considers the choice of letter size as incorrect information, it is stated that correction in all back systems is not considered a reasonable measure.

Sbanken does not have control over how suppliers and partners write customer names. Correction in line with the Data Inspectorate's decision will involve a very comprehensive, time-consuming and costly change to the bank's systems and integration solutions.

It would be contrary to the principle of taking "reasonable measures" in the Privacy Ordinance, Article 5, paragraph 1, letter d, if a change is to be required in any registration, even those that have no practical significance for the data subject. There is no reasonable relationship between the effort required by the bank and the privacy disadvantage it may be that there is a different letter size than desired in the prefix. Imposing corrections in such situations will also impose large costs on society in that those responsible for other IT systems may be required to make corresponding changes.

Correcting the prefix from uppercase to lowercase in all back systems is disproportionately burdensome and highly unreasonable, even in light of the fact that the data subject's fundamental right to privacy is safeguarded by the current technical solution of the current spelling.

The Privacy Board's assessment
It follows from section 2 of the Personal Data Act and Article 2 (2) of the Privacy Ordinance that the Act and the regulation apply to the processing of personal data. Personal data is defined in Article 4 (1) of the Regulation as follows:

"Any information about an identified or identifiable natural person (" the data subject "); an identifiable natural person is a person who can be directly or indirectly identified, in particular by means of an identifier, e.g. a name, identification number, location information, a network identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of said natural person. "

The tribunal agrees with the Norwegian Data Protection Authority that personal names fall under the term «personal data» and thus also fall within the factual scope of the Personal Data Act and the ordinance.

The question for the tribunal is whether a name written in a different way than the holder of the name wants the name written, or written in a different way than the name is written in the country where the name originates, represents an incorrect personal information that can be demanded corrected by article 16.

The tribunal bases its assessment on the fact that the correct way of writing A's name in the Netherlands where he comes from is with a small initial in the van, cf. submitted copy of the Dutch passport and marriage certificate where the spelling appears.

In our case, the question of the use of capital V in the prefix "van" represents incorrect personal information. Similar questions can arise, not only when choosing between uppercase or lowercase letters, but also when using different alphabetic and diacritical marks. It is therefore, as the tribunal sees it, necessary to take a somewhat broader perspective when assessing what constitutes incorrect personal information than just looking at what is the correct spelling in the name's country of origin.

To give an example of how names are spelled differently in different countries, one can look at how the former head of state of the Soviet Union, Mikhail Gorbachev, is rendered in different ways in Wikipedia: Russian: "Mikhail Sergeyevich Gorbachev", English: Mikhail Sergeyevich Gorbach », Norwegian« Mikhail Sergeyevich Gorbachev », Swedish« Mikhail Sergeyevich Gorbachev », Danish« Mikhail Sergeyevich Gorbachev », Finnish« Mihail Sergeyevich Gorbachev », German« Mikhail Sergeyevich Gorbachev », French« Mikhail Sergeyevich Gorbachev and Gorbachev . The tribunal assumes that the differences are due to different transcription standards for different languages, without it being possible for that reason to say that some of them constitute incorrect personal information. Similarly, many Norwegians who have the letters æ, ø and å in their name will experience that the letters change to ae, oe and aa in, for example, international airlines' customer registers. Nor should this, in the tribunal's assessment, be regarded as a processing of incorrect personal data.

The examples given here show that different countries have different rules for how personal names are written. There is no evidence that the adoption of EU Privacy Regulation 679/2016 of 27 April 2016, was also intended to introduce common European rules for the spelling of names in the sense that the holder of a name (the registered person) can demand that the name be written in the same way as in the country of origin of the name in order not to constitute incorrect information. It also means that one must be careful in defining an objectively correct way of writing a name.

Norwegian name law is based on the fact that Norway has a first name and surname, as well as possibly a middle name. There are no rules in the law on prefixes such as «von», «van», «de» or the like, but it is considered as part of the surname that you can choose whether you want to include or not, cf. circular from the Justice and the Ministry of Police G-2002-20 On a new name law, point. 3.5.9. It is therefore not the prefix "van" that is specific to the data subject's identity and the choice between lowercase or uppercase letters has no bearing on the actual identification of the data subject. Even though the Language Council states on its pages that this type of prefix in the name "normally always [has] a small initial letter", this does not mean that using a capital letter processes incorrect personal information.

The tribunal assumes that a person responsible for processing must in principle be able to choose whether he or she will use capital letters when registering personal names. If Sbanken had used the name as they receive it from the National Register, with only capital letters, this is obviously not incorrect information that can be demanded to be corrected. The tribunal assumes that this would also be the case for a data controller who for one reason or another wrote all names in only lowercase letters. Even if, according to Norwegian spelling rules, this would be the wrong way to write names, as the tribunal sees it, there would be no incorrect personal information. Similarly, for example, a typing error in a processing manager that led to a name being registered in a capital letter in the middle of the name (for example, "Ola NorDmann"),

It is a basic principle that the accuracy of personal data must be assessed in light of the purpose for which they are processed, cf. Article 5 no. 1 letter d. The purpose of Sbanken's processing of the data subject's name is to administer the customer relationship in the bank. The bank achieves this purpose by the current spelling of the data subject's name and the use of uppercase or lowercase letters entails no danger of misidentification. There is then no incorrect personal information that can be required to be corrected in accordance with the Privacy Ordinance.

The bank has been upheld in its complaint.

Conclusion
The Data Inspectorate's decision is reversed so that Sbanken is not ordered to change the spelling of A's name in its processing systems.

The decision is unanimous.

 

 

Oslo, 10 November 2020

Mari Bø Haugstad

Manager