Datatilsynet (Norway) - 20/01896: Difference between revisions

From GDPRhub
m (Grammar correction)


<pre>
<pre>
Gveik AS receives a fee

The Data Inspectorate demanded a fee of NOK 75,000 from Gveik AS for having carried out a credit assessment without a legal basis.

A person without a customer relationship or other affiliation with Gveik AS was informed via a copy of the letter that the company had made a credit assessment of them. The person therefore complained to the Data Inspectorate.

Credit rating for private purposes

The Privacy Ordinance (GDPR) requires that all processing of personal data has a legal basis. When a business collects a credit rating, it collects details about the individual's personal finances. A credit rating is a result of personal information from many different sources. In certain cases, it will estimate how probable it is that a person will be able to pay, and show any payment remarks, debt ratio and whether the person in question has pledged anything.

In this case, the object of the credit assessment was private and entirely outside the company's business area. The Data Inspectorate takes this type of abuse seriously and usually responds with a fee.

Gveik AS can appeal the decision before the appeal deadline.

Published: 07.01.2021 (https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/gveik-as-far-gebyr-for-ulovleg-kredittvurdering/)

Decision on order and infringement fee - Credit assessment without legal basis

1. Introduction

We refer to our notice of decision on order and infringement fee of 26 June 2020.

We requested any comments from you by 7 August 2020. We cannot see that you have submitted comments on the notification, and we therefore still find reason to make a decision.

2. Decision on order and infringement fine

The Data Inspectorate makes the following decisions:

1. Pursuant to Article 58 no. 2 letter i of the Privacy Ordinance, Gveik AS, org. no. 917 337 772, is ordered to pay an infringement fee to the Treasury of NOK 75,000 (seventy-five thousand) for obtaining a credit assessment without a legal basis under Article 6 of the Privacy Ordinance, and for non-compliance with the principle of accountability in Article 5 (2) of the Privacy Ordinance.

2. Pursuant to Article 58 no. 2 letter d of the Privacy Ordinance, Gveik AS is ordered to establish internal control and routines for credit assessments (cf. Article 24 of the Privacy Ordinance), as this was lacking at the time of the control.

The fulfillment deadline for decisions on infringement fines is four weeks from when the decision is final, cf. the Personal Data Act § 27. This means four weeks after the appeal deadline has expired.

The deadline for completing the orders is 11 January 2021. By this deadline, you must send us a written confirmation that the order has been completed.
 
This is an individual decision that can be appealed in accordance with the rules of the Public Administration Act, cf. the Public Administration Act § 28. The deadline for appealing is three weeks after this letter has been received.
 
The Privacy Board is the appeal body, but any appeal must be sent to the Data Inspectorate. A complaint will not normally have a suspensive effect.
 
As part of the case, you have the right to familiarize yourself with the case documents in accordance with the Public Administration Act §§ 18-19.
 
3. The factual background of the case

The Data Inspectorate received a complaint dated 29 March 2019 that Gveik AS had performed a credit assessment of [edited] (hereinafter "the complainant") without any objective need. The complaint was sent from [edited].

The complainant did not have a contractual or customer relationship with Gveik AS that could provide a legal basis for the credit assessment.
 
[edited]
 
Gveik AS writes in its statement dated 29 September 2019 that the credit assessment was carried out by a representative of Gveik AS by mistake. The representative was [edited] and did not represent Gveik AS in this case.

The credit assessment was performed in connection with [edited]. Gveik AS's representative looked up the complainant on the internet, and discovered that she had a sole proprietorship. The representative next searched for the complainant in Gveik AS's system, and found the complainant with the sole proprietorship. The representative was in the process of making a credit assessment, but was informed that the complainant would be notified if [edited] proceeded, as this was a sole proprietorship. The representative pressed "cancel" on the mobile, and closed the page. In retrospect, it has turned out that the credit assessment was nevertheless carried out.
 
Gveik AS writes that this is unfortunate, and that it can be easy to press incorrectly on the mobile phone, as the key options "cancel" and "continue" are placed close together.
 
Gveik AS has no written routines for credit assessment, since credit assessment can be carried out for new customers and customers who want more services. The routines for credit assessment are clearly stated on the page where credit assessments are carried out, and are regulated in the contract with the credit information business.
 
[edited]
 
4. Legal background
 
4.1. Legal basis for obtaining a credit rating
 
Obtaining credit information about individuals and sole proprietorships ("the registered persons") constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 no. 2 and the Personal Data Act § 1.
 
Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis.
 
When an undertaking is to obtain credit information about the data subject without consent, and without the credit assessment being strictly necessary for the performance of an agreement with the data subject, Article 6 (1) (f) is the most appropriate basis for processing.

Article 6, paragraph 1, letter f requires that the collection of credit information is "necessary" in order to safeguard a "legitimate interest" which, after a balance of interests, outweighs the interests of the individual's privacy.

The legitimate interest must be legal, clearly defined in advance, real and objectively justified in the business. Which interests meet this depends on an assessment in which relevant factors include what benefits the company achieves with the processing, how important the interest is for the company, or whether the processing has a public interest or safeguards non-profit interests that benefit more people.

Furthermore, the processing in question must be "necessary" for purposes related to the legitimate interest. This means that the company must consider whether it can achieve its purpose in a way that better safeguards privacy. One must therefore choose the processing that is least invasive.
 
Thereafter, the business must make a balance of interests to determine whether the individual's privacy outweighs the business' legitimate interest. The type of information that is relevant to process, for example whether obtaining the relevant information may be perceived as offensive, and what expectations the individual has for the processing of the personal data, are relevant factors in the balancing of interests.
 
The now repealed Personal Data Regulations § 4-3¹ contained an additional condition that credit information could only be obtained if the company had a "factual need" for the credit information. The regulations § 4-3¹ are continued in accordance with the regulations on transitional rules on the processing of personal data § 4.²

However, the Privacy Ordinance does not provide national room for maneuver for special regulation of the collection of credit information. We therefore believe that the requirement for "factual need" does not constitute an additional condition to Article 6, paragraph 1, letter f. We therefore believe that previous administrative practice regarding the requirement of objective need is still relevant when assessing Article 6 no. 1 letter f.

4.2. Internal control
 
Pursuant to Article 24 of the Privacy Regulation, companies must be able to demonstrate that they process personal data in accordance with the law. If it is in a reasonable relation to the processing activities, the company must implement appropriate guidelines for the protection of personal data.
 
Credit rating is a form of processing that intrudes on privacy. Therefore, the company must in principle be able to document internal routines or processes, so-called internal control, which meet the requirement for a processing basis for credit assessment.
 
The routines must describe when and how credit information is to be obtained, deletion routines and how access is to be provided. Furthermore, the company must have routines for handling deviations.
 
5. The Data Inspectorate's assessment
 
5.1. Duty to internal control and justification for orders
 
According to the report, one of the reasons why Gveik AS lacks written routines is that credit assessments were only made of new customers and of customers who suddenly had many services.
 
However, Gveik AS is obliged to assess whether there is a legal basis for a credit assessment, regardless of whether it concerns a company, a sole proprietorship, or an individual.
 
When assessing the credit of individuals and sole proprietorships, there must be a legal basis in accordance with Article 6 of the Privacy Ordinance. The company is responsible for ensuring that the processing has a legal basis, cf. of companies, it is important to be aware that credit assessments of sole proprietorships will constitute a processing of personal data.
 
According to the report, Gveik AS uses a representative who is given access to perform credit assessments, despite the fact that, according to the Data Inspectorate's investigations, Gveik AS has not been registered with any employees. As Gveik AS has presented the case, the representative does not appear to have been aware of the regulations. This suggests that Gveik AS must establish written routines for credit assessments.
 
As Gveik AS uses a representative who is given access to perform credit assessments on behalf of the company, it is important that the individual representative is familiar with the rules for credit assessment. In the Data Inspectorate's assessment, the establishment of routines could therefore have a preventive effect against unlawful credit assessments being carried out later. Taking further into account that credit assessment is an intrusive measure against privacy, we believe Gveik AS must establish internal control and routines for credit assessments in accordance with the Privacy Ordinance Article 24. The Norwegian Data Protection Authority has the competence to order the data controller to ensure that processing activities take place in accordance with the Privacy Ordinance, cf. the Privacy Ordinance Article 58 no. 2 letter d. This is the background for the order to prepare routines for credit assessment. Gveik AS must prepare routines that ensure that credit assessments only take place when the requirements in the Privacy Ordinance are met.
 
5.2. Legal basis for obtaining the credit rating
 
Based on the information in the case, the Data Inspectorate assumes that there was no contractual relationship between the complainant and Gveik AS, and that the complainant did not consent to the credit assessment.
 
The relevant legal basis is the Privacy Ordinance, Article 6 (1) (f). According to the provision, obtaining credit information may be lawful if it is "necessary" for purposes related to "legitimate interests", and the interest outweighs the complainant's privacy considerations.
 
The credit assessment was carried out on the basis of [edited]. The credit assessment is therefore characterized by curiosity, which will not constitute a "justified" interest. We also understand Gveik AS to mean that the credit assessment should not have been carried out.

Furthermore, Gveik AS, through its representative, has obtained credit information about an individual without any kind of customer relationship, contact or other connection to its business. The legitimate interest must be objectively justified in the business, and in our case the collection took place for a purpose completely outside the business's operations. The complainant had no expectation that the company would process her credit information, and it was not foreseeable for the complainant at the time of collection that Gveik AS would process her credit information.
 
In our opinion, there was no "justified interest" in the credit assessment.
 
It is therefore not necessary for the Data Inspectorate to assess whether the credit assessments were "necessary" for the purpose and whether the company's legitimate interest exceeded the considerations for the complainant's privacy. The conclusion is that Gveik AS lacked a basis for processing the credit assessment pursuant to Article 6.

5.3. General information on infringement fines

The Data Inspectorate has the competence to impose infringement fines in accordance with the Privacy Ordinance, Article 58, paragraph 2, letter i. In accordance with the Supreme Court's case law (cf. Rt. 2012 page 1556), we assume that infringement fines are to be regarded as penalties in accordance with Article 6 of the European Convention on Human Rights. The case and the question of imposing an infringement fee have been assessed on the basis of this evidentiary requirement. In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, which is directed at a violation of law, regulation or individual decision, and which is regarded as a punishment under the European Convention on Human Rights (ECHR). For companies, the assessment of guilt is distinctive. Section 46, first paragraph, of the Public Administration Act states: When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction may be imposed even if no individual has shown guilt. Prop. 62 L (2015-2016) page 199 states about § 46: The wording that ‘no individual has shown guilt’ is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore basically objective.

5.4. Our assessment of whether an infringement fee should be imposed
 
In this case, it has been documented that Gveik AS carried out a credit assessment of the complainant, and we believe that there is a clear overriding probability that this collection lacked a legal basis.
 
In assessing whether to impose an infringement fine, we shall take into account the elements set out in Article 83 (2). weight.
 
Here we will assess the relevant aspects on an ongoing basis.
 
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the treatment concerned and the number of data subjects affected, and the extent of the damage they have suffered;
 
The principle of legality in Article 5 (1) of the Privacy Regulation and the requirement for a basis for processing in Article 6 are among the basic requirements for the processing of personal data.
 
Credit information is a type of personal information that is particularly worthy of protection. This also applies to information about sole proprietorships as the owner is directly identified with the company and is directly linked to the owner's personal finances.
 
A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person will pay a claim. A credit rating will also show details about individuals' personal finances, including any payment remarks, voluntary mortgages and debt ratio. This is private information that individuals expect will not be obtained by companies unless it is objectively justified in their relationship with them. The violations are therefore serious, and indicate that an infringement fee should be imposed.
 
Furthermore, the Data Inspectorate is of the opinion that the company's action had an intrusive effect on the complainant, considering that the infringement occurred on the basis of [edited] without connection to Gveik AS.
 
It pulls in a mitigating direction that an illegal credit rating is not a breach lasting over a longer period. On the other hand, the damage has already occurred and it cannot be reversed after the personal data has been obtained illegally.
 
Gveik AS's representative is said to have tried to interrupt the credit assessment, and closed the page before [edited] before becoming acquainted with the content of the credit assessment. The Data Inspectorate has no grounds for doubting this information. It therefore pulls in a somewhat mitigating direction that Gveik AS is said not to have become more familiar with the content of the credit assessment.
 
b) whether the infringement was committed intentionally or negligently
 
Gveik AS writes that the credit assessment was carried out by accident, as Gveik AS's representative tried to cancel the operation. This points in the direction that Gveik AS did not carry out the wrongful credit assessment intentionally.
 
However, a credit assessment was carried out in a negligent manner. As the representative had to use Gveik AS's access, we believe the representative must have known that obtaining a credit rating should be linked to the company's needs, and not his own curiosity. In our opinion, this is something Gveik AS could have averted by having routines for credit assessment, by communicating the routines to any representatives who should have access, and by having access control to ensure that only those with objective needs have access to the system.
 
c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects;
 
Gveik AS has not stated that measures have been taken to limit the damage suffered by the registered person.
 
(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32;
 
The Data Inspectorate emphasizes that Gveik AS lacks technical and organizational measures to ensure and demonstrate that collection of credit assessments is carried out in accordance with the Privacy Ordinance. See Article 24 on the responsibilities of the controller.
 
Gveik AS has also written that the person who performed the credit assessment was a representative, despite the fact that the company does not have registered employees. It can therefore be questioned whether Gveik AS has sufficient access control in its systems, cf. Article 32. The case is not sufficiently informed for us to emphasize any lack of access control.
 
However, we draw Gveik AS's attention to the fact that Article 32 sets out an obligation to have sufficient personal data security in its solutions, in accordance with a risk assessment. This includes a requirement for confidentiality, so that the company must ensure that only those with objective and service needs have access to personal information.
 
e) any previous violations committed by the data controller or data processor
 
The Norwegian Data Protection Authority is not aware of any previous violations.
 
(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and reduce the possible negative effects of it;
 
Gveik AS apologizes for the incident, and has helped to shed light on the case. We believe it is mitigating that Gveik AS has apologized for the incident and acknowledged that it was incorrect, as this facilitates the Data Inspectorate's case processing. Beyond this, we will not emphasize cooperation considerations. According to guidelines from the Article 29 Working Party, adopted by the Privacy Council ("EDPB"), it is not appropriate to place mitigating emphasis on co-operation which is in any case required by the Privacy Ordinance.³
 
g) the categories of personal data affected by the infringement
 
Special categories of personal data (sensitive personal data) are not affected by the violation in our case. However, information on salary, debt and creditworthiness is information that has a special need for protection due to its private nature. This argues for the imposition of infringement fines.
 
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the data controller or data processor has notified the infringement;
 
The Norwegian Data Protection Authority does not find this aspect relevant.
 
(i) if the measures referred to in Article 58 (2) have previously been taken against the data controller or data processor concerned in respect of the same subject matter, that such measures are complied with;
 
The Norwegian Data Protection Authority is not aware that measures have previously been taken against the company with regard to the same subject matter.
 
(j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42;
 
The Norwegian Data Protection Authority does not find this aspect relevant.
 
k) and any other aggravating or mitigating factor in the case, e.g. financial benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement
 
The Data Inspectorate cannot see that Gveik AS has obtained any benefits as a result of the violation.
 
Based on the assessment above, the Data Inspectorate concludes that an infringement fee should be imposed. The next question is the size of the fee.
 
5.5. The amount of the infringement fee
 
In determining the fee, the points in section 5.4 above shall be given weight, cf. Article 83 (2).
 
The violations occurred after the Privacy Ordinance came into force on 20 July 2018. According to the previous regulations, the fine level was NOK 75,000 for cases concerning credit information. See for example PVN-2015-14 Viken Finance, PVN-2016-07 Synchronous Media, PVN-2016-09 Codex lawyer, PVN-2017-01 Hereid Hus and PVN-2017-02 Bertram Bil.
 
The Privacy Ordinance stipulates a higher ceiling for the calculation of infringement fines than that which applied under the Personal Data Act of 2000.
 
It follows from Article 83 (1) of the Privacy Ordinance that the infringement fee shall be determined concretely so that in each individual case it is effective, is in a reasonable proportion to the infringement and has a deterrent effect.
 
The main purpose of the infringement fee is prevention, i.e. that the risk of being charged a fee shall have a deterrent effect and contribute to increased compliance with the regulations.⁴
 
In Bergseng Skullerud et al., 2019, the commentary to the Privacy Ordinance, page 347, it is stated:
 
Preventive considerations dictate that the fee for an offense must be set so high that it is actually perceived as an evil by the offender. This means that the offender's financial ability should be important in the assessment, so that the fee becomes higher the stronger the offender's carrying capacity. […] When assessing the financial sustainability of an enterprise, it may be relevant to look at the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5.
 
And further:
 
The consideration of ensuring an individual assessment in each individual case indicates that the supervisory authorities should avoid establishing standardized fee rates. This applies even if national law allows for standardized rates, cf. the Public Administration Act § 43.
 
The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business.
 
Article 83 (5) of the Privacy Regulation sets a higher maximum amount for a fee when the case concerns violations of the basic principles for the processing of personal data in accordance with Articles 5 and 6 of the Privacy Regulation.
 
In our case, Gveik AS lacked a basis for processing credit information on the complainant (the principle of legality).
 
Otherwise, the factors we have pointed out in section 5.4 above argue for a fee of a certain size. In an aggravating direction, we place special emphasis on the fact that the credit assessment is characterized by curiosity, and that the company lacked technical and organizational measures for compliance with the privacy regulations (the principle of liability). Lack of guidelines on who may carry out credit assessments, and when, has facilitated the misuse of the company's assets.
 
In a mitigating direction, we emphasize that the company has acknowledged that the credit assessment should not have been carried out, and that the credit assessment should have been interrupted.
 
We also emphasize the company's finances. According to publicly available documents, Gveik AS is registered with a turnover of NOK 49,000 in 2017, and an annual profit of NOK -46,000. The business is registered with equity of NOK 80,000 and a very good solvency. Since we sent the notice, Gveik AS's accounts for 2019 have become publicly available. According to the accounts from 2019, operating revenues were NOK 0, and the annual result NOK -30,000.
 
Low turnover and a negative annual result constitute mitigating circumstances. At the same time, the fee must be set so high that it is effective and achieves a sufficient deterrent effect. After an overall assessment of the elements in the case that we have reviewed above and the seriousness of the violation, we have come to the conclusion that a violation fee of NOK 75,000 is considered correct.
 
6. Publicity, transparency and duty of confidentiality
 
We will inform you that all the documents are in principle public, cf. the Public Access to Information Act § 3. If you believe there is a basis for exempting all or parts of the document from public access, we ask you to justify this.
 
The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us, and about the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13. As a party to the case, you may nevertheless be made aware of such information by the Data Inspectorate, cf. the Public Administration Act § 13 b first paragraph no. , cf. the Public Administration Act § 18.
 
We point out that you have a duty of confidentiality regarding information you receive from the Data Inspectorate about the complainant's identity, personal circumstances and other identifying information, and that you can only use this information to the extent necessary to safeguard your interests in this case, cf. Public Administration Act § 13 b second paragraph. We also point out that breaches of this duty of confidentiality can be punished according to the Penal Code § 209.
 
With best regards
</pre>
</pre>

Revision as of 09:00, 7 April 2021

Datatilsynet - DT-20/01896
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 07.12.2020
Published: 07.01.2021
Fine: 75000 NOK
Parties: Gveik AS
National Case Number/Name: DT-20/01896
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) fined Gveik AS NOK 75,000 (€7,200) for subjecting the complainant to a credit rating without a legal basis under Article 6(1)(f) GDPR and for not adhering to the accountability principle as per Article 5(2). The DPA also requires that the company implement internal controls of their credit rating process as per Article 24.

English Summary

Facts

A representative acting on behalf of Gveik AS conducted a credit rating on the complainant's sole proprietorship, despite the latter having no customer relationship or any other affiliation with either the representative or the company. The representative claimed that the credit rating was conducted by mistake and that they had tried to cancel it, unsuccessfully. The DPA noted that the credit rating seems to have been conducted due to "nosiness".

Gveik AS didn't have written routines for credit ratings, because these are only conducted for new customers and customers that "request many new services".

Dispute

Did Gveik AS have legal grounds for processing the personal data of the complainant for a credit scoring, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit scoring in their business?

Holding

No, Gveik AS did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f). For this offense, the company was fined NOK 75,000.

They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and submit a written confirmation and actual documentation of the internal controls, to the DPA.

The DPA also noted that Gveik AS likely didn't have sufficient technical and organizational security measures, but didn't find strong enough evidence to add further penalties for this.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision on order and infringement fee - Credit assessment without legal basis

1. Introduction

We refer to our notice of decision on order and infringement fee of 26 June 2020.

We requested any comments from you by 7 August 2020. We cannot see that you have submitted comments on the notification, and we therefore still find reason to make a decision.

2. Decision on order and infringement fine

The Data Inspectorate makes the following decisions:

1. Pursuant to Article 58 no. 2 letter of the Privacy Ordinance, Gveik AS, org. no. 917 337 772, is ordered to pay an infringement fee to the Treasury of NOK 75,000 - seventy-five thousand - for obtaining a credit assessment without a legal basis under Article 6 of the Privacy Ordinance, and for non-compliance with the principle of liability in Article 5 (2) of the Privacy Ordinance.

2. Pursuant to Article 58 no. 2 letter d of the Privacy Ordinance, Gveik AS is ordered to establish internal control and routines for credit assessments (cf. Article 24 of the Privacy Ordinance), as this was lacking at the time of the control.

The fulfillment deadline for decisions on infringement fines is four weeks from when the decision is final, cf. the Personal Data Act § 27. This means four weeks after the appeal deadline has expired.

The deadline for completing the orders is 11 January 2021. By this deadline, you must send us a written confirmation that the order has been completed.

This is an individual decision that can be appealed in accordance with the rules of the Public Administration Act, cf. the Public Administration Act § 28. The deadline for appealing is three weeks after this letter has been received.

The Privacy Board is the appeal body, but any appeal must be sent to the Data Inspectorate. A complaint will not normally have a suspensive effect.

As part of the case, you have the right to familiarize yourself with the case documents in accordance with the Public Administration Act §§ 18-19.

3. The actual background of the case

The Data Inspectorate received a complaint dated 29 March 2019 that Gveik AS had performed a credit assessment of [edited] (hereinafter "the complainant") without any objective need. The complaint was sent from [edited].

The complainant did not have a contractual or customer relationship with Gveik AS that could provide a legal basis for the credit assessment.

[edited]

Gveik AS writes in its statement dated 29 September 2019 that the credit assessment was carried out by a representative of Gveik AS by mistake. The representative was [edited] and did not represent Gveik AS in this case.

The credit assessment was performed in connection with [edited]. Gveik AS's representative looked up the complainant on the internet, and discovered that she had a sole proprietorship. The representative next searched for the complainant in Gveik AS's system, and found the complainant with the sole proprietorship. The representative was in the process of making a credit assessment, but was informed that the complainant would be informed if [edited] proceeded, as this was a sole proprietorship. The representative pressed "cancel" on the mobile, and closed the page. In retrospect, it has turned out that the credit assessment was nevertheless carried out.

Gveik AS writes that this is unfortunate, and that it can be easy to press incorrectly on the mobile phone, as the key options "cancel" and "continue" are placed close together.

Gveik AS has no written routines for credit assessment, since credit assessment can be carried out for new customers and customers who want more services. The routines for credit assessment are clearly stated on the page where credit assessments are carried out, and are regulated in the contract with the credit information business.

[edited] 

4. Legal background

4.1. Legal basis for obtaining a credit rating

Obtaining credit information about individuals and sole proprietorships ("the registered persons") constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 no. 2 and the Personal Data Act § 1.

Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis.

When an undertaking is to obtain credit information about the data subject without consent, and without the credit assessment being strictly necessary for the implementation of an agreement with the data subject, Article 6 (1) (f) is the most appropriate basis for processing.

Article 6, paragraph 1, letter f requires that the collection of credit information is "necessary" in order to safeguard a "legitimate interest" which, after a balance of interests, outweighs the interests of the individual's privacy.

The legitimate interest must be legal, clearly defined in advance, real and objectively justified in the business. Which interests meet this depends on an assessment in which the relevant factors include, among other things, what benefits the company achieves with the treatment, how important the interest is for the company, or whether the treatment has a public interest or safeguards non-profit interests that benefit more.

Furthermore, the treatment in question must be "necessary" for purposes related to the legitimate interest. This means that the company must consider whether it can achieve its purpose in a way that better safeguards privacy. One must therefore choose the treatment that is least invasive.

Thereafter, the business must make a balance of interests to determine whether the individual's privacy outweighs the business' legitimate interest. The type of information that is relevant to process, for example whether obtaining the relevant information may be perceived as offensive, and what expectations the individual has for the processing of the personal data, are relevant factors in the balancing of interests.

The now repealed Personal Data Regulations § 4-3¹ contained an additional condition that credit information could only be obtained if the company had a "factual need" for the credit information. The regulations § 4-3¹ are continued in accordance with the regulations on transitional rules on the processing of personal data § 4.²

However, the Privacy Ordinance does not provide national room for maneuver for special regulation of the collection of credit information. We therefore believe that the requirement for "factual need" does not constitute an additional condition to Article 6, paragraph 1, letter f. We therefore believe that previous administrative practice regarding the requirement of objective need is still relevant when assessing Article 6 no. 1 letter f.

4.2. Internal control

Pursuant to Article 24 of the Privacy Regulation, companies must be able to demonstrate that they process personal data in accordance with the law. If it is in a reasonable relation to the processing activities, the company must implement appropriate guidelines for the protection of personal data.

Credit rating is an intrusive treatment against privacy. Therefore, the company must in principle be able to document internal routines or processes, so-called internal control, which meet the requirement for a processing basis for credit assessment.

The routines must describe when and how credit information is to be obtained, deletion routines and how access is to be provided. Furthermore, the company must have routines for handling deviations.

5. The Data Inspectorate's assessment

5.1. Duty to internal control and justification for orders

According to the report, one of the reasons why Gveik AS lacks written routines is that credit assessments were only made of new customers and of customers who suddenly had many services.

However, Gveik AS is obliged to assess whether there is a legal basis for a credit assessment, regardless of whether it concerns a company, a sole proprietorship, or an individual.

When assessing the credit of individuals and sole proprietorships, there must be a legal basis in accordance with Article 6 of the Privacy Ordinance. The company is responsible for ensuring that the processing has a legal basis, cf. of companies, it is important to be aware that credit assessments of sole proprietorships will constitute a processing of personal data.

According to the report, Gveik AS uses a representative who is given access to perform credit assessments, despite the fact that Gveik AS has not been registered with any employees according to the Data Inspectorate's investigations. As Gveik AS has stated the case, the representative does not appear to have been aware of the regulations. This suggests that Gveik AS must establish written routines for credit assessments.

As Gveik AS uses a representative who is given access to perform credit assessments on behalf of the company, it is important that the individual representative is familiar with the rules for credit assessment. In the Data Inspectorate's assessment, the establishment of routines could therefore have a preventive effect against unlawful credit assessments being carried out later. Taking further into account that credit assessment is an intrusive measure against privacy, we believe Gveik AS must establish internal control and routines for credit assessments in accordance with the Privacy Ordinance Article 24. The Norwegian Data Protection Authority has the competence to order the data controller to ensure that processing activities take place in accordance with the Privacy Ordinance, cf. the Privacy Ordinance Article 58 no. 2 letter d. This is the background for the order to prepare routines for credit assessment. Gveik AS must prepare routines that ensure that credit assessments only take place when the requirements in the Privacy Ordinance are met.

5.2. Legal basis for obtaining the credit rating

Based on the information in the case, the Data Inspectorate assumes that there was no contractual relationship between the complainant and Gveik AS, and that the complainant did not consent to the credit assessment.

The relevant legal basis is the Privacy Ordinance, Article 6 (1) (f). According to the provision, obtaining credit information may be lawful if it is "necessary" for purposes related to "legitimate interests", and the interest outweighs the complainant's privacy considerations.

The credit assessment was carried out on the basis of [edited]. The credit assessment is therefore characterized by curiosity, which will not constitute a "justified" interest. We also understand Gveik AS to mean that the credit assessment should not have been carried out.

Furthermore, Gveik AS, through their representative, has obtained credit information about an individual without any kind of customer relationship, contact or other connection to their business. The legitimate interest must be objectively justified in the business, and in our case the collection took place for a purpose completely outside the business' operations. The complainant had no expectation that the company would process her credit information, and it was not foreseeable for the complainant at the time of collection that Gveik AS would process her credit information.

In our opinion, there was no "justified interest" in the credit assessment.

It is therefore not necessary for the Data Inspectorate to assess whether the credit assessments were "necessary" for the purpose and whether the company's legitimate interest exceeded the considerations for the complainant's privacy. The conclusion is that Gveik AS lacked a basis for processing the credit assessment pursuant to Article 6.

5.3. General information on infringement fines

The Data Inspectorate has the competence to impose infringement fines in accordance with the Privacy Ordinance, Article 58, paragraph 2, letter i. In accordance with the Supreme Court's case law (cf. Rt. 2012 page 1556), we assume that infringement fines are to be regarded as penalties in accordance with Article 6 of the European Convention on Human Rights. The case and the question of imposing an infringement fee have been assessed on the basis of this evidentiary requirement. In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, which is directed at a violation of law, regulation or individual decision, and which is regarded as a punishment under the European Convention on Human Rights (ECHR). For companies, the assessment of guilt is distinctive. Section 46, first paragraph, of the Public Administration Act states: When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction may be imposed even if no individual has shown guilt. Prop. 62 L (2015-2016) page 199 states about § 46: The wording that ‘no individual has shown guilt’ is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore basically objective.

5.4. Our assessment of whether an infringement fee should be imposed

In this case, it has been documented that Gveik AS carried out a credit assessment of the complainant, and we believe that there is a clear overriding probability that this collection lacked a legal basis.

In assessing whether to impose an infringement fine, we shall take into account the elements set out in Article 83 (2). weight.

Here we will assess the relevant aspects on an ongoing basis.

a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the treatment concerned and the number of data subjects affected, and the extent of the damage they have suffered;

The principle of legality in Article 5 (1) of the Privacy Regulation and the requirement for a basis for processing in Article 6 are among the basic requirements for the processing of personal data.

Credit information is a type of personal information that is particularly worthy of protection. This also applies to information about sole proprietorships as the owner is directly identified with the company and is directly linked to the owner's personal finances.

A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person will pay a claim. A credit rating will also show details about individuals' personal finances, including any payment remarks, voluntary mortgages and debt ratio. This is private information that individuals expect will not be obtained by companies unless it is objectively justified in their relationship with them. The violations are therefore serious, and indicate that an infringement fee should be imposed.

Furthermore, the Data Inspectorate is of the opinion that the company's action had an intrusive effect on complaints, considering that the infringement occurred on the basis of [edited] without connection to Gveik AS.

In the mitigating direction, the fact that an illegal credit rating will not be a breach over a longer period pulls. On the other hand, the damage has already occurred and it cannot be reversed after the personal data has been obtained illegally.

Gveik AS 'representative is said to have tried to interrupt the credit assessment, and closed the page before [edited] before becoming acquainted with the content of the credit assessment. The Data Inspectorate has no grounds for doubting this information. It therefore pulls in a somewhat mitigating direction that Gveik AS should not have become more familiar with the content of the credit assessment.

b) whether the infringement was committed intentionally or negligently

Gveik AS writes that the credit assessment was carried out by accident, as Gveik AS's representative tried to cancel the operation. This points in the direction that Gveik AS did not carry out the wrongful credit assessment intentionally.

However, the credit assessment was carried out in a negligent manner. As the representative had to use Gveik AS's access, we believe the representative must have known that obtaining a credit rating should be linked to the company's needs, and not his own curiosity. In our opinion, this is something Gveik AS could have averted by having routines for credit assessment, by communicating the routines to any representatives who should have access, and by having access control to ensure that only those with objective needs have access to the system.

c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects;

Gveik AS has not stated that measures have been taken to limit the damage suffered by the registered person.

(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32;

The Data Inspectorate emphasizes that Gveik AS lacks technical and organizational measures to ensure and demonstrate that collection of credit assessments is carried out in accordance with the Privacy Ordinance. See Article 24 on the responsibilities of the controller.

Gveik AS has also written that the person who performed the credit assessment was a representative, despite the fact that the company does not have registered employees. It can therefore be questioned whether Gveik AS has sufficient access control in its systems, cf. Article 32. The facts of the case are not sufficiently established for us to place weight on any lack of access control.

However, we draw Gveik AS's attention to the fact that Article 32 sets out an obligation to have sufficient personal data security in its solutions, in accordance with a risk assessment. This includes a requirement for confidentiality, so that the company must ensure that only those with objective and service needs have access to personal information.

e) any previous violations committed by the data controller or data processor

The Norwegian Data Protection Authority is not aware of any previous violations.

(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and reduce the possible negative effects of it;

Gveik AS apologizes for the incident, and has helped to clarify the case. We believe it is mitigating that Gveik AS has apologized for the incident and acknowledged that it was incorrect, as this facilitates the Data Inspectorate's case processing. Beyond this, we will not emphasize cooperation considerations. According to guidelines from the Article 29 Working Party, adopted by the Privacy Council ("EDPB"), it is not appropriate to place mitigating emphasis on co-operation which is in any case required by the Privacy Ordinance.³

g) the categories of personal data affected by the infringement

Special categories of personal data (sensitive personal data) are not affected by the violation in our case. However, information on salary, debt and creditworthiness is information that has a special need for protection due to its private nature. This argues for the imposition of infringement fines.

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the data controller or data processor has notified the infringement;

The Norwegian Data Protection Authority does not find this aspect relevant.

(i) if the measures referred to in Article 58 (2) have previously been taken against the data controller or data processor concerned in respect of the same subject matter, compliance with those measures;

The Norwegian Data Protection Authority is not aware that measures have previously been taken against the company with regard to the same subject matter.

(j) compliance with approved codes of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42;

The Norwegian Data Protection Authority does not find this aspect relevant.

k) and any other aggravating or mitigating factor in the case, e.g. financial benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement

The Data Inspectorate cannot see that Gveik AS has obtained any benefits as a result of the violation.

Based on the assessment above, the Data Inspectorate concludes that an infringement fee should be imposed. The next question is the size of the fee.

5.5. The amount of the infringement fee

In determining the fee, the points in section 5.4 above shall be given weight, cf. Article 83 (2).

The violations occurred after the Privacy Ordinance came into force on 20 July 2018. According to the previous regulations, the fine level was NOK 75,000 for cases concerning credit information. See for example PVN-2015-14 Viken Finance, PVN-2016-07 Synchronous Media, PVN-2016-09 Codex lawyer, PVN-2017-01 Hereid Hus and PVN-2017-02 Bertram Bil.

The Privacy Ordinance stipulates a higher ceiling for the calculation of infringement fines than that which applied under the Personal Data Act of 2000.

It follows from Article 83 (1) of the Privacy Ordinance that the infringement fee shall be determined concretely so that in each individual case it is effective, is in a reasonable proportion to the infringement and has a deterrent effect.

The main purpose of the infringement fee is prevention, i.e. that the risk of being charged a fee shall have a deterrent effect and contribute to increased compliance with the regulations.⁴

The commentary to the Privacy Ordinance by Bergseng Skullerud et al., 2019, page 347, states:

Preventive considerations dictate that the fee for an offense must be set so high that it is actually perceived as an evil by the offender. This means that the offender's financial ability should be important in the assessment, so that the fee becomes higher the stronger the offender's carrying capacity. […] When assessing the financial sustainability of an enterprise, it may be relevant to look at the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5.

And further:

The consideration of ensuring an individual assessment in each individual case indicates that the supervisory authorities should avoid establishing standardized fee rates. This applies even if national law allows for standardized rates, cf. the Public Administration Act § 43.

The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business.

Article 83 (5) of the Privacy Regulation sets a higher maximum amount for a fee when the case concerns violations of the basic principles for the processing of personal data in accordance with Articles 5 and 6 of the Privacy Regulation.

In our case, Gveik AS lacked a basis for processing credit information on the complainant (the principle of legality).

Otherwise, the factors we have pointed out in section 5.4 above argue for a fee of a certain size. In an aggravating direction, we place special emphasis on the fact that the credit assessment is characterized by curiosity, and that the company lacked technical and organizational measures for compliance with the privacy regulations (the principle of accountability). The lack of guidelines for who may carry out credit assessments, and when, has facilitated the misuse of the company's assets.

In a mitigating direction, we emphasize that the company has acknowledged that the credit assessment should not have been carried out, and that the credit assessment is said to have been interrupted.

We also emphasize the company's finances. According to publicly available documents, Gveik AS is registered with a turnover of NOK 49,000 in 2017, and an annual profit of NOK -46,000. The business is registered with equity of NOK 80,000 and a very good solvency. Since we sent the notice, Gveik AS's accounts for 2019 have become publicly available. According to the accounts from 2019, operating revenues were NOK 0, and the annual result NOK -30,000.

Low turnover and a negative annual result constitute mitigating circumstances. At the same time, the fee must be set so high that it is effective and achieves a sufficient deterrent effect. After an overall assessment of the elements in the case that we have reviewed above and the seriousness of the violation, we have come to the conclusion that a violation fee of NOK 75,000 is considered correct.

6. Publicity, transparency and duty of confidentiality

We inform you that all the documents are in principle public, cf. the Public Access to Information Act § 3. If you believe there is a basis for exempting all or parts of the document from public access, we ask you to justify this.

The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us, and about the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13. As a party to the case, you may nevertheless be made aware of such information by the Data Inspectorate, cf. the Public Administration Act § 13 b first paragraph no. , cf. the Public Administration Act § 18.

We point out that you have a duty of confidentiality regarding information you receive from the Data Inspectorate about the complainant's identity, personal circumstances and other identifying information, and that you can only use this information to the extent necessary to safeguard your interests in this case, cf. Public Administration Act § 13 b second paragraph. We also point out that breaches of this duty of confidentiality can be punished according to the Penal Code § 209.

With best regards