Datatilsynet (Norway) - 20/02225

Revision as of 07:28, 22 January 2021 by Riealeksandra (Updated with DPA decision)
Datatilsynet - 20/02291
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 100000 NOK
Parties: n/a
National Case Number/Name: 20/02291
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (~€9,700) for subjecting the complainant to a credit rating without a legal basis under Article 6(1)(f) and 5(1)(a) GDPR. The DPA also required the company to implement internal controls for its credit rating process as per Article 24.

English Summary

Facts

The company Aquateknikk AS credit rated an individual and his business, despite having no customer relationship or any other affiliation with either. According to the complainant, the credit rating was conducted because he operates a competing business.

Aquateknikk stated that the credit rating of the complainant personally was a mistake, as the intended target of the credit rating was the complainant's business. However, the DPA found from the credit rating logs from Bisnode, the credit rating bureau, that Aquateknikk had credit rated the complainant's company first and then the complainant personally, "indicating that the action was intentional". The DPA commented that it did not believe Aquateknikk's explanation and noted that the credit rating seems to have been conducted due to "nosiness".

Dispute

Did Aquateknikk have legal grounds for processing the personal data of the complainant for a credit rating, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit ratings in their business?

Holding

No, Aquateknikk did not have legal grounds for processing the personal data of the complainant for credit scoring, as per Article 6(1)(f). For this offense, the company was fined NOK 100,000.

The company also did not have sufficient internal controls for the use of credit scoring in its business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and to submit a written confirmation and actual documentation of the internal controls to the DPA.

Comment

The company was initially notified of a NOK 300,000 fine. Due to the COVID-19 pandemic, however, the company argued that its financial situation had worsened and that such a major fine would be very detrimental and could possibly lead to bankruptcy. After reviewing the company's preliminary 2020 financial results, the DPA reduced the fine to NOK 100,000, stating that this would be sufficiently "effective, proportionate and dissuasive" as per Article 83(1).

In addition to the breach of Article 6(1)(f), the lack of organisational measures pursuant to Article 5(2) was taken into account when determining the size of the fine.

While it was not done in this particular case, the Norwegian implementation of the GDPR, unlike the GDPR itself, also allows for fining controllers for breaches of Article 24 (cf. personopplysningsloven § 26). Personopplysningsloven § 26 refers to Article 83(4).

Further Resources

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-gebyr-aquateknikk/

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/aquateknikk-as-far-gebyr/

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

https://www.datatilsynet.no/contentassets/c5f433a97050467497810b9e891d5b83/vedtak-om-palegg-og-overtredelsesgebyr---aquateknikk-as.pdf