Datatilsynet - 20/02225
|Datatilsynet - 20/02291|
|Relevant Law:||Article 5(2) GDPR|
Article 6(1)(f) GDPR
Article 24 GDPR
|National Case Number/Name:||20/02291|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (~€9,700) for subjecting the complainant to a credit rating without a legal basis under Article 6(1)(f) and 5(1)(a) GDPR. The DPA also requires that the company implement internal controls of their credit rating process as per Article 24.
English Summary[edit | edit source]
Facts[edit | edit source]
The company Aquateknikk AS credit rated an individual and his business, despite having no customer relationship or any other affiliation with either. According to the complainant, the credit rating was conducted because he operates a competing business.
Aquateknikk stated that the credit rating of the complainant personally was a mistake, as the intended target of the credit rating was the complainant's business. However, the DPA found from their credit rating logs from Bisnode, the credit rating bureau, that Aquateknikk had credit rated the complainant's company first and then the complainant personally, "indicating that the action was intentional". The DPA commented that they don't believe Aquateknikk's explanation and noted that the credit rating seems to have been conducted due to "nosiness".
Dispute[edit | edit source]
Did Aquateknikk have legal grounds for processing the personal data of the complainant for a credit rating, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit ratings in their business?
Holding[edit | edit source]
No, Aquateknikk did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f). For this offense, the company was fined NOK 100,000.
They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and submit a written confirmation and actual documentation of the internal controls, to the DPA.
Comment[edit | edit source]
The company was initially notified of a NOK 300,000 fine. Due to the COVID-19 pandemic, however, the company argued that their financial situation had worsened and such a major fine would be very detrimental and, possibly, lead to bankruptcy. After reviewing the preliminary 2020 financial results of the company, the DPA reduced the fine to NOK 100,000, stating that this would be sufficiently "effective, proportionate and dissuasive" as per Article 83(1).
In addition to a breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was weighted when concluding on the size of the fine.
It's also worth noting that the lawyer representing Aquateknikk argued that Article 6(1)(e), "processing is necessary for the performance of a task carried out in the public interest", could be a valid legal basis for processing personal data in credit ratings, however this was firmly rejected by the DPA, stating that the company doesn't have a "public interest", nor an additional legal basis as required by this legal grounds (letter e).
While it was not done in this particular case, Norwegian implementation of the GDPR also allows for fining controllers based on breaches of Article 24, unlike the GDPR cf. personopplysningsloven § 26. Personopplysningsloven § 26 refers to Article 83(4).
Further Resources[edit | edit source]
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Page 1 AQUATEKNIKK AS Tjemslandshagen 26 4360 VARHAUG Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt. Their reference Our reference Date 20 / 02225-6 Decision on order and infringement fee - Credit assessment without legal action basis - Aquateknikk AS 1 Introduction We refer to our notice of decision of 3 June 2020. We received Aquateknikk AS ("Aquateknikk") his comments on the notice on 1 September 2020 from lawyer in main organization Virke. Our comments on the comments follow below. 2. Decision on order The Data Inspectorate adopts the following order: Pursuant to Article 58 (2) (i) of the Privacy Ordinance, the following is imposed Aquateknikk AS, org. No. 919 766 751, to pay an infringement fee to the Treasury NOK 100,000 for having obtained credit information without a legal basis, cf. Article 6 (1) (f) of the Privacy Regulation. 2. Pursuant to the Privacy Ordinance art. 58 no. 2 letter d is imposed on Aquateknikk AS to improve its internal control over credit assessment, cf. the Privacy Ordinance Article 24, as this is deficient. Our legal basis for issuing orders is Article 58 (2) of the Privacy Ordinance. The background and reasons for the decision follow below. The deadline for implementing the orders is stated in section 8 of the decision. Postal address: Office address: Telephone: Fax: Company No: Website: PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no 0105 OSLO 01/04/21 Page 2 3. Details of the facts of the case In your reply of 1 September, you admit to having credit-rated complaints illegal, and explain that this was «An inconsiderate mistake that was made in connection with a completely ordinary and legitimate credit check of the company where the person in question is both owner, chairman of the board and CEO.". Furthermore, you explain the credit rating with the following: «It probably quickly made me think that the financial conditions of such a key person for the business is relevant in a business assessment of another player in the same industry ». Furthermore, you have several comments on both the assessment of the imposition and the size of the notification the violation fee of 300,000 kroner. You state, among other things, that the business has reduced turnover as a result of the corona pandemic, and that an infringement charge of this magnitude will have very negative consequences for companies and involves the risk of bankruptcy. You have attached a preliminary annual accounts for 2019, and also points out that a fee of NOK 300,000 will amount to more than 2.5% of the company's expected turnover in 2020. In addition, you have referred to practice from the Swedish and the the Danish Data Protection Authority, as well as previous practice from the Privacy Board. You have also made current remarks related to the Data Inspectorate's right to impose an infringement fee for violations of the Privacy Regulation Articles 5 and 6. Finally, you write: «Aquateknikk AS takes this matter very seriously, and has implemented measures to avoid similar violations should be able to happen again. The notified fee in combination with the COVID-19 pandemic nevertheless involves great uncertainty regarding the company's opportunities to survive in it immediate future. The individual preventive considerations that can normally justify a punitive response is thus absent in this case. As mentioned above, in our opinion it exists rather no general preventive considerations that indicate such a severe reaction ». 4. Legal basis for obtaining credit information Obtaining credit information on individuals and sole proprietorships ("the registered") constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 No. 2 and the Personal Data Act § 1. Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis. When a company must obtain credit information about the registered person without it being available consent, or the credit rating is strictly necessary to carry out an agreement with it registered, Article 6 (1) (f) is the most relevant legal basis. Article 6 (1) (f) requires that the collection of credit information is "necessary" to: safeguard a "legitimate interest" which, after a balance of interests, outweighs consideration 2 Page 3 individual privacy. The legitimate interest must be legal, clearly defined in advance, real and objectively justified in business. Which interests meet this depends on an assessment there, among other things what benefits the company achieves with the treatment, how important the interest is for the company, or whether the treatment has a public interest or safeguards non-profit interests which benefit more are relevant moments. Furthermore, the treatment in question must be "necessary" for purposes related to the beneficiary interests. That is, the business must consider whether it can achieve the purpose in a way that better safeguards privacy. One must therefore choose the treatment that is least invasive. Then the business must make a balance of interests to decide whether the individual Privacy outweighs the business' legitimate interest. What type of information it is relevant to process, for example whether obtaining the relevant information can perceived as offensive, and what expectations the individual has for the treatment of the personal data, are relevant factors in the balancing of interests. The now repealed Personal Data Regulations § 4-31 contained an additional condition that Credit information could only be obtained unless the business had a "factual need" for it credit information. Section 4-3 of the regulations is continued in accordance with the regulations on transitional rules on the processing of personal data § 42. However, the Privacy Ordinance does not provide national room for maneuver for special regulation of the collection of credit information. We therefore believe that the requirement for "factual need" does not constitute an additional condition to the article 6 No. 1 letter f. However, the assessment of whether the business has a "factual need" pursuant to section 4-3 of the regulations is close connection with the assessment pursuant to Article 6, paragraph 1, letter f. We therefore believe that earlier administrative practice regarding the requirement of objective need is still relevant when assessing Article 6 (1) letter f. 5. On the duty of internal control According to Article 24 of the Privacy Ordinance, all companies are obliged to be able to demonstrate that they process personal data in accordance with the law. If it stands in a reasonable relation to the treatment activities, the company shall implement appropriate guidelines for the protection of personal information. Credit assessment is an intrusive processing of personal data and constitutes a significant violation of individual privacy. Companies must therefore be able to document their internal routines or processes (internal control), which meets the requirement for a legal basis for credit assessment. 1 Personal Data Regulations of 15 December 2000 no. 1265. 2 Transitional rules on the processing of personal data of 15 June 2018 no. 877. 3 Page 4 The routines must describe when and how credit information is to be obtained and how access is to be provided. and shall ensure that credit assessments are not obtained without the requirement of a legal basis being met. Further the company must have routines for non-conformance handling. 6. The Data Inspectorate's assessment 6.1. The duty to have written routines for the processing of personal data ("internal control") Aquateknikk did not have internal control when the credit assessment took place, but has prepared a routine 18. October 2019 and sent this to the Danish Data Protection Agency. In our notice, we assessed that the submitted routine was deficient. The routine does not contain a description of the requirement for a legal basis Article 6 of the Privacy Regulation. It also does not specify who can obtain it credit information on, in addition to the fact that only "new customers and existing customers" are to be credit assessed and that this should never be private individuals. You have not submitted new routines in your comments for notification of decisions. A written routine, or internal control, pursuant to Article 24 (2) of the Privacy Regulation shall be a work tools for management and employees in a company to ensure and document compliance with the Privacy Regulation. In order for the routine for obtaining credit assessments to fulfill this, the company must make it visible the requirements of the Privacy Ordinance for the processing of personal data, including the relevant information legal basis for credit assessments of sole proprietorships and natural persons. Internal control should also provide examples of when credit rating will be legal in the business to ensure and demonstrate that their processing of credit information takes place in accordance with the Privacy Ordinance, cf. Article 24 no. 1 and 2. Improvement of the routines may have a preventive effect against unlawful implementation credit ratings. The Norwegian Data Protection Authority has the competence to order the data controller to ensure that the processing activities take place in accordance with the provisions of the Privacy Ordinance, cf. Article 58 (2) (d) of the Privacy Regulation. This is the background for the order to prepare routines for credit assessment. Aquateknikk must prepare a written routine that ensures that credit assessments of sole proprietorships and natural persons only take place when the requirements of the Privacy Ordinance are met. We also refer to our assessment of the submitted routine in section 5.1 of the notification of decision. You will find information and guidance on the legal bases on our websites https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/behandlingsgrunnlag/. 4 Page 5 6.2. Legal basis for obtaining credit information 6.2.1. Choice of legal basis In your comments on the notification of decisions, you argue that Article 6 (1) of the Privacy Regulation letter e "necessary to perform a task in the public interest" may be a relevant legal basis for obtaining credit information. Furthermore, you write that «The Data Inspectorate has not opened for this in the notice, but instead stated that the balancing of interests pursuant to Article 6 f) is the only relevant one legal basis, without further justification. ». In order for a data controller to be able to use letter e as a basis for processing, it is required the Privacy Ordinance that there is a supplementary national legal basis that regulates the task the data controller performs in the public interest. In the preparatory work for a new Credit Information Act3 , the Ministry assumes that credit information companies perform a task in the public interest, and that The Credit Information Act will constitute a supplementary national legal basis, cf. the Privacy Ordinance Article 6 (1) (e) and Article 6 (3).4 Our assessment is that Aquateknikk neither performs a task in the public interest, nor has one supplementary national legal basis that can authorize the contested credit assessment in the case. In our case, Aquateknikk has not obtained consent from complainants, nor was the credit rating necessary for the implementation of an agreement on complaints, cf. Article 6 (1) (b). Article 6 (1) letter f «balancing of interests» is therefore the relevant legal basis for the credit assessment in the case. 6.2.2. Assessment of the Privacy Regulation, Article 6, paragraph 1, letter f - «balancing of interests» The question is whether Aquateknikk had a legal basis in the Privacy Ordinance Article 6 No. 1 letter f for obtaining the complainant's credit information. The first condition that must be met for the processing of the complainant's credit information to be it is legal that Aquateknikk had a "legitimate interest" in obtaining the information. The requirement of "legitimate interest" is to a large extent a continuation of the same requirement in the previous one the Personal Data Act of 2000 § 8 first paragraph, letter f. Proposition 47 of the Privacy Ordinance states that in assessing whether an interest is justified, among other things, the data subject's expectations based on the relationship between it shall be taken into account data controller and the data subject. Emphasis should also be placed on whether it is on the time of collection was foreseeable for the data subjects that the information would be processed for it current purpose. 3 LOV-2019-12-20-109. 4 Prop.139 L (2018-2019) point 3.3.1. 5 Page 6 In the statement and comments to the notice, you acknowledge that you have personally assessed credit complaints at a error, and that the intention was to credit rating his corporation. Aquateknikk has obtained credit information about an individual without any kind of customer relationship, supplier relationship or other connection to their business. Complaints drive a competitor business, and had no expectation that Aquateknikk would treat his personal credit information, nor was it foreseeable for him that the company would collect this. In our opinion, Aquateknikk did not have a legitimate interest in obtaining complaints credit information. We do not consider it appropriate to assess the requirement of "necessity", as our assessment is that the business did not have a legitimate interest in carrying out the credit assessment. We will nevertheless say something brief about the third condition in Article 6, paragraph 1, letter f. This is the specific one the balance of interests between the company's interest in processing personal data and it data subjects' privacy interests. Credit information is a type of personal information that is particularly worthy of protection. One Credit rating is the result of compiling personal information from many different sources, and shows a number that indicates the probability that a person will pay a claim. A credit rating will too show details about individuals' personal finances, including any payment remarks, volunteers mortgages and debt ratio. This is private information that individuals have an expectation of not obtained by companies unless it is objectively justified in their relationship with them. Private individuals should therefore enjoy special protection against obtaining credit information. Consideration of the complainant's right to privacy weighs heavily in the processing of this type of personal data, and significantly heavier than the company's need to obtain credit information about an individual without any connection to their business. The conclusion is after this that Aquateknikk had no legal basis under Article 6, paragraph 1, letter f to obtain the complainant's credit information. 7. Infringement fee 7.1. General information about infringement fines Infringement fees are a tool to ensure effective compliance and enforcement of the personal data regulations. We believe it is necessary to react to the violation, cf. Article 83 of the Privacy Regulation. In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that the infringement fee is to be regarded as a punishment under Article 6 of the European Convention on Human Rights clear overriding probability of offenses in order to impose a fee. The case and the question of to impose infringement fines is assessed on the basis of this evidentiary requirement. 6 Page 7 In this connection, reference is made to Chapter IX of the Public Administration Act on administrative sanctions. With a administrative sanction means a negative reaction that can be imposed by an administrative body, which corrects against a committed violation of law, regulation or individual decision, and which is considered a punishment under the European Convention on Human Rights (ECHR). For companies, the guilt assessment is unique. Section 46, first paragraph, of the Public Administration Act states: When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction is imposed even if no individual has shown guilt. In Prop. 62 L (2015-2016) page 199 it is stated about § 46: The wording that 'no individual has shown guilt' is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore as a starting point objectively. Aquateknikk has made a number of comments on the Data Inspectorate's right to impose infringement fine for breach of the Privacy Regulation Article 5 (2) and (6) (f). In addition have you submitted comments on the assessment of whether an infringement fee should be imposed, as well the assessment of the size of the fee. Their comments do not change our assessment that an infringement fee should be imposed, but are significant for the measurement of the fee size. We will comment on the comments below. 7.2. The Data Inspectorate's right to impose infringement fines for breaches of the Privacy Ordinance Articles 5 and 6 In the notes to the notified infringement fee, write the following: «On the basis of Article 6 of the ECHR, in our opinion, it will hardly be permissible to use the provisions alone as a basis for imposing penalties, as the Data Inspectorate proposes in the notification. As far as we can see, the Data Inspectorate has not formulated a clear rule of action for imposing a fee our case, neither as regards a breach of the principle of liability in Article 5 nor the principle of legality in Article 6. Nor is there a distinction between these two acts in themselves sentencing. " The Personal Data Act of 2018 is intended to continue the Data Inspectorate's competence to impose infringement fee for violation of the Personal Data Act of 2000. After the old According to the Personal Data Act, data controllers could be fined for violating section 2 of the Act. 8 letter f, see section 46 of the Act. Section 8 letter f largely corresponds to Article 6 no. 1 of the Privacy Ordinance letter f, which also regulates "balancing of interests" as a legal basis for processing personal information. 7 Page 8 In the preparatory work for the Personal Data Act of 2018, the Ministry has clearly stated that it shall be possible to impose infringement fines on infringers of Articles 5 and 6, as well as those other articles listed in Article 83.5 The Privacy Board has also in recent practice confirmed that the person responsible for processing can be assigned infringement fine for violation of the Privacy Regulation Article 6 No. 1 letter f.6 On the basis of this, we find it clear that Aquateknikk can be fined for violating Article 5 (2) and Article 6 of the Privacy Regulation. 7.3. Assessment of whether an infringement fee is to be imposed When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Norwegian Data Protection Authority may impose infringement fee after a discretionary overall assessment, but the listed factors add up guidelines on the exercise of discretion by highlighting aspects that are to be given special weight. (a) the nature, gravity and duration of the infringement, taking into account it; the nature, extent or purpose of the treatment concerned and the number of data subjects affected; and the extent of the damage they have suffered The principle of legality in the Privacy Ordinance Article 5 No. 1 and the requirement for a basis for processing in Article 6 is one of the basic requirements that must be met when an enterprise processes personal information. Credit information is a type of personal information that is particularly worthy of protection, and which Private individuals have an expectation that is not obtained by companies unless it is factual justified in their relationship to them. The violation is therefore serious, and indicates that it is imposed infringement fine. Complainants have never had cooperation or other forms of agreements with Aquateknikk, but operate on the other hand a competing business. The collection of credit information is characterized by curiosity, as the company has obtained credit information first about the complainant's company, and then to Conduct a credit rating of him personally at five minute intervals. b) whether the infringement was committed intentionally or negligently Aquateknikk acknowledges in its statement on 30 September 2019 that it was , responsible for , which performed the credit assessment of complaints. Furthermore, Aquateknikk writes that had received instructions from the general manager that the complainant's company was a company they were considering ordering goods from and that it should therefore be credit assessed as a potential supplier. It is unclear whether the instruction was to credit assess complaints in person or whether the instruction was to credit rating company, but that complaints were checked personally by a misunderstanding. Regardless of whether 5 Prop. 56.L (2017-2018) point 20.3.1. 6 PVN-2019-09. 8 Page 9 the instruction went on the complainant's business or him person we emphasize that is the business primarily responsible for . He should therefore check if the business had legal basis for credit assessment of the owner of a limited liability company personally, since it was the limited liability company Aquateknikk considered buying goods from. Instead, Bisnode's consumption log shows that first rated the corporation and then complain in person. This indicates that the action has been deliberate. Regardless of whether the instruction from the general manager was based on a credit assessment of complaints in person or whether this happened in the event of a misunderstanding, we assume that the company has shown negligence in obtaining of credit information about complaints in person. This pulls in an aggravating direction. c) any measures taken by the data controller or data processor to limit the damage which the data subjects have suffered It appears from the complainants' correspondence with Aquateknikk that, when asked by the complainants, they stated that they had accidentally credit-rated him instead of his company and claim to have "interrupted" the search for his credit information when they became aware of this error. Furthermore, the company informs by e-mail to complains that they have deleted the credit information they obtained about him. We do not trust the company's explanation that they "interrupted the search" as stated in Bisnodes log that Aquateknikk has first credit-assessed the complainant's business and then the complainant personally. (d) the degree of responsibility of the controller or processor, taking into account those technical and organizational measures they have implemented in accordance with Articles 25 and 32 We emphasize that the violations were committed by in the business, as the Privacy Ordinance presupposes that compliance with the regulations is particularly anchored in the management of an enterprise, cf. Article 5 (2). We also emphasize that the credit assessment according to Aquateknikk's report was carried out in compliance with the company's practice of credit rating all potential customers and suppliers. Further we emphasize that Aquateknikk had a lack of awareness of the regulations, as well as neither technical or organizational measures in the form of routines to ensure that the company's employees know the regulations for obtaining credit information. e) any previous violations committed by the data controller or data processor The Norwegian Data Protection Authority does not know whether there have been previous violations. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce the possible negative effects of it, The company apologizes for the incident and has shown a willingness to contribute to the information of the case and to learn from it the event by creating routines for credit ratings. These are moments that pull in mitigating direction. 9 Page 10 On the other hand, through the documentation from Bisnode, we have become aware that the company does not has stated that a credit assessment was first made of the complainant's company, and then the complainant personally. This pulls in an aggravating direction. g) the categories of personal data affected by the infringement Special categories of personal data (sensitive personal data) are not affected by the infringement in our case. However, information on salary, debt and creditworthiness is information such as have a special need for protection due to their private nature. (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, in which the degree to which the controller or data processor has notified the infringement We were notified of the breach of complaints. The company did not even report the infringement, and did not disclose the collection of credit information about the complainant's company. (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that said measures complied with We do not know that measures have previously been taken against the company with regard to the same case subject. (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 We do not find this aspect relevant. k) and any other aggravating or mitigating factor in the case, e.g. economic benefits that are achieved, or losses that have been avoided, directly or indirectly, as a result of the violation Access to competing companies' finances can constitute such an advantage or aggravating factor as letter k mentions. However, the Data Inspectorate does not find it documented in the case that Aquateknikk has achieved this such an advantage in obtaining credit information about complaints. Aquateknikk's remarks Aquateknikk has made several comments on our assessment of whether an infringement fee should be imposed, as well as the amount of the notified fee. In our assessment of whether an infringement fine should be imposed, you state that the breach should sanctioned with a milder form of reaction than a fee on the basis of the company's financial situation. You justify this further with a reference to a number of cases from the Danish the Data Protection Authority, which is sanctioned with "serious criticism", as well as a number of cases from the Swedish the Data Protection Authority, which is sanctioned with lower infringement fees than in our case and with others affected. 10 Page 11 Our assessment of the comments The Data Inspectorate and the Privacy Board's practice is that obtaining credit information without legal action basis is sanctioned with infringement fines.7 Credit information is a type of personal information that is particularly worthy of protection, and which Private individuals have an expectation that is not obtained by companies unless it is factual justified in their relationship to them. The violation is therefore serious, and indicates that it is imposed infringement fine. Complainants have never had cooperation or other forms of agreements with Aquateknikk, but operate on the other hand a competing business. In cases not covered by the cooperation mechanism in Article 56 of the Privacy Regulation, it states the national supervisory authority is free to discretion on the imposition and measurement of infringement fines within the framework of Article 58 (1) (f), cf. Article 83. The decisions you refer to from the Swedish and Danish data protection authorities do not deal with obtaining credit ratings, and has no relevant fact for the present case. We consider therefore the cases to have limited relevance and transfer value for the Data Inspectorate's assessment of infringement fine. On the basis of this, we maintain our assessment that an infringement fee should be imposed. We also refer to our justification for why an infringement fee should be imposed in section 6.1 of the notice, and Clause 7.3 of the decision. 7.4. Assessment of the size of the fee When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account the elements of the Privacy Regulation Article 83 No. 2 letter a) to k). The Norwegian Data Protection Authority may impose infringement fee after a discretionary overall assessment, but the listed factors add up guidelines on the exercise of discretion by highlighting aspects that are to be given special weight. When measuring the size of the fee, emphasis shall be placed on the same assessment factors as in the question of whether a fee should be imposed. We therefore refer to the assessments of the seriousness of the case in section 6.1 of the notice, and the assessment of whether a fee should be imposed in section 7.3 of this decision. Aquateknikk's remarks You have written a list of the remarks you have to our assessment of whether the infringement fee should imposed, and the measurement of the size of the fee: - The violation applies to a single credit check of only one natural person. - It was not of a lasting nature. 7 See bla. PVN-2019-15 and PVN-2017-02. 11 Page 12 - It happened in connection with a general and completely legitimate credit check of the company where it the person in question is the owner, chairman of the board and general manager. - It has not caused any financial loss to the person in question. - It has not provided access to sensitive personal information. - The violation has the character of being a personal, reckless miss in a system that does it quick and easy for the user to credit check both businesses and individuals. - Our client has not violated the privacy rules before. - Our client has not obtained any financial benefits as a result of the violation. - Our client is in danger of going bankrupt as a result of the COVID-19 pandemic and the announced fee. Our assessment of the comments The violation fee must be effective, be in a reasonable proportion to the violation and work deterrent. This means that the supervisory authority must make a concrete, discretionary assessment in each case. The fee should be set so high that it also has an effect beyond the specific case, at the same time as the size of the fee must be in a reasonable proportion to the infringement and the business, cf. Article 83 (1). It follows from Article 83 (5) (a) that infringements of the fundamental principles of treatment in the Privacy Regulation, including Articles 5, 6, 7 and 9, shall be sanctioned by higher violation fee than other violations of the Privacy Ordinance. Obtaining credit information about an individual or sole proprietorship without basis for processing constitutes a violation of the basic principle of legality in Article 5 (1) (a) of the Privacy Ordinance. This is personal data of a very private person character, which the data subject has a high expectation of not obtaining unless it is factual based on their relationship with a data controller. These are weighty moments that speak for one fee of a certain size. We place aggravating emphasis on the fact that the violation in our case was committed by a person responsible for in the business, as the principle of liability in the Privacy Regulation Article 5 No. 2 presupposes a strong anchoring of the regulations in the treatment manager's management. As we have explained in section 7.2 of the decision, the guilt claim for enterprises is objective, and it is therefore required not that individuals in the business have acted intentionally or negligently for the Data Inspectorate to be able to impose infringement fines. Pursuant to Article 83 (2) (b) of the Privacy Regulation, the supervisory authority may nevertheless emphasize whether the infringement was committed intentionally or negligently. Aquateknikk acknowledges in its statement on 30 September 2019 that it was , responsible for , which performed the credit assessment of complaints. Furthermore, Aquateknikk writes that had received instructions from the general manager that the complainant's company was a company they were considering ordering goods from and that it should therefore be credit assessed as a potential supplier. 12 Page 13 You write in your comments to the notice that the credit assessment of complaints personally took place as a result of a misunderstanding between daily and responsible for , and that it was all «… An inconsiderate mistake that was made in connection with a completely ordinary and legitimate credit check of the company where the person in question is both owner, chairman of the board and CEO. In a hectic everyday life, it is probably easy to think that the financial The relationship of such a key person to the business is relevant in a business assessment of another player in the same industry. " It is unclear whether the instruction from the general manager was to credit assess complaints in person or about the instruction was to credit the company so that complaints were checked personally in case of a misunderstanding. Independent whether the instruction went to the complainant's business or him as an individual, we emphasize that is the company's main responsible for . He should therefore check on the business had a legal basis for credit rating the owner of a corporation personally, as it were the limited company Aquateknikk considered buying goods from. Instead, Bisnode's consumption log shows that first assessed the corporation and then complain personally. In accordance with the requirement of diligence, companies must familiarize themselves with which legislation applies area, and organize the business in accordance with the framework that follows from the relevant regulations. The principle of accountability in the Privacy Ordinance presupposes a strong anchoring of the regulations in the company's management, and the same must apply to key people for procurement that relate to purchases on credit. In view of this, the offense in our case must be described as negligent, and we emphasize this in an aggravating direction in the calculation of the fee. If the company's management had familiarized itself with the regulations and prepared better routines for the business is our assessment that the risk of illegal collection of credit information could have been reduced. We emphasize in an aggravating direction that the company's management has not been involved place satisfactory organizational measures in the form of routines to comply with the regulations, cf. Article 83 (2) (d) of the Privacy Regulation. You write in your comments that the Data Inspectorate confuses credit checks of physical and legal persons, and that we thereby emphasize matters that are outside our area of authority in the assessment of the gravity of the infringement. You justify this with the fact that we have emphasized that the business «regularly credit checks companies in the form of 'customers', 'potential customers' and suppliers. ", and that we have emphasized this in an aggravating direction. You further state that: "Contrary to what one may get the impression of in the Data Inspectorate's notice, a credit check is a hero legitimate and necessary tool to ensure an efficient and well-functioning business community. That our client has not had written routines for credit checks of companies, and that such credit checks may have been done to some extent, is not relevant in a case involving a credit check by one natural person. " According to Aquateknikk's consumption log at Bisnode, the company has credit-rated several natural persons than limited companies in the period from December 2018 to January 2020. Our assessment is that this shows that the business regularly processes credit information about natural persons and therefore should have established routines that ensure that the credit assessments take place within the framework of the Privacy Ordinance. 13 Page 14 This is the background for our order to improve their internal control, as well as for us to emphasize aggravating direction on the lack of written routines pursuant to Article 24 in the assessment of whether it should be imposed infringement fee, and in the assessment of the amount of the fee, cf. the Privacy Ordinance Article 83 No. 2 letter d. Furthermore, you refer to the Privacy Board's decision PVN-2019-15 as an argument that the fee in the the present case should be dismissed. The case concerned an infringement fee of NOK 75,000 illegal collection of credit information and was processed in accordance with the Personal Data Act of 2000. The Privacy Ordinance facilitates a higher level of fines than that which applied thereafter the Personal Data Act of 2000, and it follows from Article 83 (1) of the Regulation that an infringement fee shall be determined concretely so that in each individual case it is effective, is in a reasonable relation to the violation and acts as a deterrent. The main purpose of the infringement fee is contraception, ie that the risk of being charged a fee shall have a deterrent effect and thereby contribute to increased compliance with the regulations.8 By Skullerud et al. (2019), page 347, it appears: Contraceptive considerations dictate that the fee for a violation must be set so high that this is in fact perceived as an evil by the offender. This means that the offender's financial capacity should have significance in the measurement, so that the fee becomes higher the stronger the carrying capacity of the offender hair. […] When assessing the financial viability of an enterprise, it may be relevant to look at the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5. And further: The consideration of ensuring an individual assessment in each individual case dictates that the supervisory authorities should avoid establishing standardized fee rates. This applies even if national law allows for it standardized rates, cf. the Public Administration Act § 43. The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business. This case is a violation of the basic principles of treatment in the Privacy Ordinance, which basically calls for a fee of a certain size. It warned the amount of 300,000 kroner is measured to act as a deterrent and preventive for the illegal the processing of credit information, looking at the latest available accounting figures about the business from 2018. The company's finances are relevant in the assessment of what will constitute a preventive and deterrent infringement fine. Aquateknikk has made several comments about the company's finances, especially related to it ongoing social situation as a result of the corona pandemic. You write in the comments their that the business has experienced a very negative economic growth, and has attached preliminary 8 «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019). 14 Page 15 accounting figures from 2020. The accounting figures show an estimated turnover for 2020 of approx. 12 million NOK, and that the preliminary turnover as of 31.07.20 is approx. 8.4 million kroner. Due to the challenging financial situation the business is in due to The corona pandemic is our assessment that a lower fee could have the preventive and deterrent effect the effect Article 83 presupposes. After an overall assessment of the seriousness of the case and their comments about the company financial situation, we have come to the conclusion that the final fee will be set at NOK 100,000. This constitutes about. 1% of the company's estimated turnover in 2020, and is in our opinion sufficient deterrent, effective, and proportionate to the unlawful treatment of personal information that has occurred in the case. For the other assessment of the size of the fee, we refer to the notification of decisions, sections 6.1 and 6.2, as well as Clause 7.3 of the decision. 8. Right of appeal and further proceedings You can appeal the decision. Any complaint must be sent to us within three weeks after this letter is received (cf. the Public Administration Act §§ 28 and 29). If we uphold our decision, we will send the case on to the Privacy Board for complaint handling. If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act. The deadline for implementing section 2 of the internal control order is 4 weeks after the expiry of the appeal deadline. If you do not appeal the order point 2, you must send us one within this deadline written confirmation, as well as documentation, that the order for internal control has been implemented. 9. Transparency and publicity You have the right to access the case documents (cf. the Public Administration Act § 18). We will also inform you about that all the documents are in principle public (cf. the Public Access to Information Act § 3.) If you think so is a basis for exempting all or part of the document from public access, we ask you to justify this. The document is electronically approved and therefore has no handwritten signatures