Datatilsynet - 20/02254 (PVN-2020-12)

From GDPRhub
Revision as of 08:13, 23 October 2020 by RieAleksandra (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name= 20/02254-1...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet - 20/02254-1 (20/00768)/TSM
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 57(1)(a) GDPR
Article 57(1)(f) GDPR
Article 58(1) GDPR
Article 5(3) ePrivacy Directive 2002/58/EC
Public Administration Act § 14
The Electronic Communications Act § 2(7)(b)
Type: Complaint
Outcome: Rejected
Decided: 07.09.2020
Published: 07.09.2020
Fine: None
Parties: OpenX Software Ltd., OpenX Ltd. og OpenX Technologies, Inc.
Privacy Appeals Board
National Case Number/Name: 20/02254-1 (20/00768)/TSM
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Personvernnemda (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board (Personvernrådet) rejected OpenX' complaint and upheld the Norwegian data protection authority's (Datatilsynet) request for information as submitted to OpenX on 21 February 2020.

English Summary


The Norwegian Consumer Council (Forbrukerrådet) filed three complaints against the gay/bi dating app Grindr and five adtech companies that received personal data through the app. Subsequently, Datatilsynet sent a request for more information from one of the adtech companies; OpenX.

OpenX refused to respond on the basis that Datatilsynet don't have legal grounds to impose such a request on them, because, in their opinion, the issue relates to the Electronic Communications Act § 2(7)(b) (cf. Article 5(3) ePrivacy Directive 2002/58/EC), where the Norwegian Communications Authority is the right supervisory authority (and not Datatilsynet), and filed a complaint to the Privacy Appeals Board.


Do Datatilsynet have the legal grounds (as a supervisory authority) to impose a request for information on OpenX?


The Privacy Appeals Board rejected OpenX's complaint as they concluded that Datatilsynet have legal grounds to impose such requests as per Article 58(1) GDPR.


Note that this decision doesn't revolve around the initial complaints submitted by the Norwegian Consumer Council (Forbrukerrådet) or Datatilsynet view on the matters of the complaints. This matter is solely about Datatilsynet's legal grounds to impose a request for information from a data controller, data processor or their representative.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.