Datatilsynet (Norway) - 20/02042: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=DT-20/02042...")
 
Line 52: Line 52:
The Norwegian DPA (Datatilsynet) notified Innovation Norway that they will be fined €95,000 for multiple credit ratings of the complaintant and his sole proprietorship, when they had no legal basis under Article 6(1)(f) GDPR for such prosessing. They have until January 25 2021 to contest the fine.  
The Norwegian DPA (Datatilsynet) notified Innovation Norway that they will be fined €95,000 for multiple credit ratings of the complaintant and his sole proprietorship, when they had no legal basis under Article 6(1)(f) GDPR for such prosessing. They have until January 25 2021 to contest the fine.  


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The complaintant was subjected to multiple credit ratings by Innovation Norway, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings.  
The complaintant was subjected to multiple credit ratings by Innovation Norway, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings.  


When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.
When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.


=== Dispute ===
===Dispute===
Did Innovation Norway have a legal basis for conducting credit rating(s) of the complaintant?
Did Innovation Norway have a legal basis for conducting credit rating(s) of the complaintant?


=== Holding ===
===Holding===
The DPA found that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question, that they hadn't followed up on their own internal policies and procedures and that they should have notified the DPA of the personal data breach cf. Article 33 GDPR.
The DPA found that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question, that they hadn't followed up on their own internal policies and procedures and that they should have notified the DPA of the personal data breach cf. Article 33 GDPR.


== Comment ==
==Comment==
The complaintant was subjected to a total of ten credit ratings; one on the complaintant personally, three on his sole proprietorship and four on his limited company. The latter ones were not considered as a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrates.
The complaintant was subjected to a total of ten credit ratings; one on the complaintant personally, three on his sole proprietorship and four on his limited company. The latter ones were not considered as a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrates.


The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.  
The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.  


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.


<pre>
<pre>
<!doctype html><html class="no-js" lang="no"><head><meta charset="utf-8" /><title>Notification of infringement fee to Innovation Norway | The Data Inspectorate </title><meta content="The Norwegian Data Protection Authority has sent Innovation Norway a notice of infringement fines; 1 million kroner. The case concerns four credit assessments of an individual and his sole proprietorship without any basis for treatment." name="description" /><meta property="og:title" content="Notification of infringement fee to Innovation Norway" /><meta property="og:description" content="The Norwegian Data Protection Authority has sent Innovation Norway a notice of infringement fines; 1 million kroner. The case concerns four credit assessments of an individual and his sole proprietorship without any basis for treatment." /><meta property="og:type" content="website" /><meta property="og:url" content="https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/varsel-om-overtredelsesgebyr-til-innovasjon-norge/" /><meta property="og:image" content="https://www.datatilsynet.no/contentassets/004f43fe684445c29e4fc8393a9a714d/kredittsjekk2.jpg" /><meta property="og:site_name" content="Datatilsynet" /><meta property="og:locale" content="nb_NO" /><meta name="twitter:card" content="summary" /><meta name="twitter:site" content="https://twitter.com/datatilsynet" /><link media="screen" rel="stylesheet" type="text/css" href="/Styles/main.css?bundle=637432963380000000" /><link media="print" rel="stylesheet" type="text/css" href="/Styles/print/print.css?bundle=637432963380000000" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="apple-touch-icon" sizes="57x57" href="/UI/Icons/apple-touch-icon-57x57.png"><link rel="apple-touch-icon" sizes="60x60" href="/UI/Icons/apple-touch-icon-60x60.png"><link rel="apple-touch-icon" sizes="72x72" href="/UI/Icons/apple-touch-icon-72x72.png"><link rel="apple-touch-icon" sizes="76x76" href="/UI/Icons/apple-touch-icon-76x76.png"><link rel="apple-touch-icon" sizes="114x114" href="/UI/Icons/apple-touch-icon-114x114.png"><link rel="apple-touch-icon" sizes="120x120" href="/UI/Icons/apple-touch-icon-120x120.png"><link rel="apple-touch-icon" sizes="144x144" href="/UI/Icons/apple-touch-icon-144x144.png"><link rel="apple-touch-icon" sizes="152x152" href="/UI/Icons/apple-touch-icon-152x152.png"><link rel="apple-touch-icon" sizes="180x180" href="/UI/Icons/apple-touch-icon-180x180.png"><link rel="icon" type="image/png" href="/UI/Icons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/UI/Icons/favicon-194x194.png" sizes="194x194"><link rel="icon" type="image/png" href="/UI/Icons/favicon-96x96.png" sizes="96x96"><link rel="icon" type="image/png" href="/UI/Icons/android-chrome-192x192.png" sizes="192x192"><link rel="icon" type="image/png" href="/UI/Icons/favicon-16x16.png" sizes="16x16"><link rel="manifest" href="/UI/Icons/manifest.json"><link rel="shortcut icon" href="/UI/Icons/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-TileImage" content="/UI/Icons/mstile-144x144.png"><meta name="theme-color" content="#585858"><script>
___PR RELEASE__
    (function () {
 
        var docElement = document.documentElement;
Notification of infringement fee to Innovation Norway
        var className = docElement.className;
 
        className = className.replace(/\bno-js\b/, 'js');
The Norwegian Data Protection Authority has sent Innovation Norway a notice of infringement fines of NOK 1 million. The case concerns four credit of an individual and his sole proprietorship without any basis for assessments treatment .
        docElement.className = className;
Notification of infringement fee to Innovation Norway
    }())
 
</script><meta name='EPi.ID' content='13952'></head><body class="articlePage"><div class="page-wrapper"><header class="main-header"> <a href="#skiplinktarget" class="skiplink">To main content</a><div class="main-header__sticky"><div class="main-header__wrapper"><h2 class="sr-only"> Logo and auxiliary tools</h2><nav class="main-header__top" aria-label="Navigasjon og søk"><div class="logo"> <a href="/"><img src="/UI/datatilsynetLogo.png" width="141" height="35" alt="Til startsiden til Datatilsynet" title="Logo"></a></div><div class="right mobile-buttons"> <button type="button" class="button--search" data-toggle-search><span class="sr-only">Show / hide search</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
- Innovation Norway has not been able to point to a customer relationship, or a connection to complainants and his company, that could justify these credit assessments, says senior adviser Ida Småge Breidablikk.
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-search"></use></svg><div class="mobile-modal"><div class="mobile-modal__header"> <button type="button" class="close-menu" data-toggle-search>Hide</button> </div><form method="get" action="/sok/" autocomplete="off" class="quickSearch"><div class="quick-search"><div class="quick-search__wrapper"><div class="quick-search__input-wrapper"> <label for="searchText" id="sok" class="quick-search__label">What are you looking for?</label> <input class="quick-search__text _jsAutoCompleteSearch" id="searchText" type="search" name="q" data-search-url="/sok/AutoComplete" /><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
 
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-search"></use></svg> <button class="button--search" type="submit" value="Søk"><span class="sr-only">Search</span></button></div><div class="autocomplete-container"></div></div></div></form></div> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk"><span class="label desktop-only" data-label>Menu</span></button><p class="sr-only"> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk">Show / hide menu</button></p> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk"><span></span></button></div></nav><div class="main-header__bottom container"><h2 class="sr-only"> Main menu </h2><nav class="main-menu" id="main-menu" aria-label="Hovedmeny"><div class="container"><div class="utility-menu"><ul><li class="header-linklist__element"> <a href="/om-datatilsynet/">About the Data Inspectorate</a></li><li class="header-linklist__element"> <a href="/om-datatilsynet/kontakt-oss/">Contact Us</a></li><li class="header-linklist__element"> <a href="/om-datatilsynet/kontakt-oss/presse/">For press / media inquiries</a></li><li class="header-linklist__element"> <a href="/en/" rel="alternate" hreflang="en">English</a> </li></ul></div><div class="main-menu__root"><div class="main-menu__tab"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
Innovation Norway has agreed that they did not have a treatment basis for the four credit assessments. The credit assessments took place over a period of 3 months.
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-shield"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_1" data-toggle-sub-menu><span id="content_1-heading">Rights and duties</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
Must have a valid treatment basis
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_1" aria-labelledby="content_1-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary " href="/rettigheter-og-plikter/hva-er-personvern/">What is privacy?</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/personopplysninger/">What is personal information?</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/personvernprinsippene/">The privacy principles</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/den-registrertes-rettigheter/">The data subject&#39;s rights</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/virksomhetenes-plikter/">The companies&#39; duties</a> </li></ul></div></div></div><div class="main-menu__tab"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
 
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-people"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_2" data-toggle-sub-menu><span id="content_2-heading">Privacy in various areas</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person or sole proprietorship will pay a claim. A credit assessment will also show details about the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_2" aria-labelledby="content_2-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/korona/">Corona and privacy</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/personvern-pa-arbeidsplassen/">Workplace privacy</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/overvaking-og-sporing/">Monitoring and tracking</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/internett-og-apper/">Internet and apps</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/skole-barn-unge/">Children, young people and school</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/bil-og-transport/">Car and transport</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/politi-justis/">Police and justice</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/forskning-helse-og-velferd/">Research, health and welfare</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/kundehandtering-handel-og-medlemskap/">Customer management, trade and membership</a> </li></ul></div></div></div><div class="main-menu__tab"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
 
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-guide"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_3" data-toggle-sub-menu><span id="content_3-heading">Regulations and tools</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships. It is part of the case that the complainant's limited company has also been credit-rated six times. However, this is not covered by the privacy regulations, and the Data Inspectorate cannot sanction this.
        xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_3" aria-labelledby="content_3-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary " href="/regelverk-og-verktoy/lover-og-regler/">Laws and regulations</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/internasjonalt/">International work and cooperation</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/sandkasse-for-kunstig-intelligens/">Sandbox for artificial intelligence</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/atferdsnorm/">Behavioral norms</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/rapporter-og-utredninger/">Reports and reports</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/konsesjon-og-melding/">Concession and notification</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/sporsmal-svar/">Questions and answers</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/ordliste/">Dictionary</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/ordbok/">Dictionary (Norwegian - English)</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/personvernpodden/">Privacy Pod</a></li></ul></div></div></div></div><div  class="mobile-modal__header"> <button type="button" class="close-menu" data-toggle-menu>Close</button> </div></div></nav></div></div></div><div class="container full-width"><nav class="breadcrumbs" aria-label="Brødsmulesti"><ul><li><a href="/aktuelt/aktuelle-nyheter-2021/">Current news 2021</a></li></ul></nav></div></header><script>
Experienced offensive
    document.consentCookie = '{"HaveRead":false,"FormCookies":false,"Expires":"\/Date(-62135596800000)\/"}';
 
    document.disableConsentPopup = false;
- Credit information about sole proprietorships also says something about the owner's personal finances. It is private information that can not be collected by other companies unless it is objectively justified, says legal senior adviser Ida Småge Breidablikk. We understand that complaints react when he has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, she concludes.
</script><div class="cookie-consent" v-bind:class="{ open: showCookieConsent }" tabindex="-1" role="dialog" aria-label="Samtykke for bruk av informasjonskapsler"><h2> We use cookies</h2><div class="user-content"><p> Our websites use cookies. If they are not necessary for our website to work, they will not be stored on your device unless you agree to this. Read about which ones we use and how we manage them at the bottom of the website.</p></div><div class="cookie-consent-section"><h3> Required cookies</h3><div class="user-content"><p> These support core functionality related to security. We have considered these to be necessary, and they are therefore stored without prior consent.</p></div></div><div class="cookie-consent-section"><h3> Form functions</h3><div class="user-content"><p> These are necessary if you want to use the form on our website. The other functionality on the website is not affected if you do not consent. The choice you make here is valid for up to 90 days. </p></div><div class="on-off"><input type="checkbox" name="on-off" id="chk-cookie-form" class="on-off-checkbox" v-model="consentCookie.FormCookies"/> <label class="on-off-label" for="chk-cookie-form"><span class="sr-only">Form functions on / off</span><span class="on-off-inner"></span><span class="on-off-switch"></span></label></div></div><div class="cookie-consent-section"><h3> Web analytics</h3><div class="user-content"><p> We are considering using an analysis tool based on cookies, but as of today we do not have this.</p></div></div><div class="cookie-consent-section"><div class="user-content"><p> You can withdraw your consent at any time by selecting &quot;manage cookies&quot; at the bottom of our pages.</p></div> <button type="button" v-on:click="save($event)" class="button cookie-consent-save">Save my selection</button></div> <button type="button" v-on:click="save($event)" class="cookie-consent-close">Close</button> </div><main><span id="skiplinktarget" tabindex="-1"></span><div class="article"><div class="container"><div class="article__content"><h1> Notification of infringement fee to Innovation Norway</h1><div class="user-content ingress"><p> The Norwegian Data Protection Authority has sent Innovation Norway a notice of infringement fines of NOK 1 million. The case concerns four credit assessments of an individual and his sole proprietorship without any basis for treatment. </p></div><div class="article__sidebar-main mobile-only"><div ><img alt="Notification of infringement fee to Innovation Norway" src="/contentassets/004f43fe684445c29e4fc8393a9a714d/kredittsjekk2.jpg?width=400&amp;quality=80" /></div></div></div><div class="article__sidebar medium-up"><div class="article__sidebar-main no-margin"><div ><img alt="Notification of infringement fee to Innovation Norway" src="/contentassets/004f43fe684445c29e4fc8393a9a714d/kredittsjekk2.jpg?width=400&amp;quality=80" /></div></div></div></div><div class="container"><div class="article__content"><div class="article__content-text"><div class="user-content"><p> - Innovation Norway has not been able to point to a customer relationship, or a connection to complainants and his company, that could justify these credit assessments, says senior adviser Ida Småge Breidablikk.</p><p> Innovation Norway has agreed that they did not have a treatment basis for the four credit assessments. The credit assessments took place over a period of 3 months.</p><h2> Must have a valid treatment basis</h2><p> A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person or sole proprietorship will pay a claim. A credit assessment will also show details about the company&#39;s finances, such as any payment remarks, voluntary mortgages and debt ratio.</p><p> Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner&#39;s personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships. It is part of the case that the complainant&#39;s limited company has also been credit-rated six times. However, this is not covered by the privacy regulations, and the Data Inspectorate cannot sanction this.</p><h2> Experienced offensive</h2><p> - Credit information about sole proprietorships also says something about the owner&#39;s personal finances. It is private information that can not be collected by other companies unless it is objectively justified, says legal senior adviser Ida Småge Breidablikk. We understand that complaints react when he has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, she concludes.</p><p> Innovation Norway has been given a deadline of 25 January to submit comments on the notification.</p><h2> download</h2><p> <a href="/contentassets/004f43fe684445c29e4fc8393a9a714d/varsel-om-overtredelsesgebyr---innovasjon-norge.pdf" target="_blank" rel="noopener">Notification of infringement fee to Innovation Norway (pdf)</a></p></div></div></div><aside class="article__sidebar"><h3> Contact person </h3><div><div><div class="person-contact-card"><div class="person-contact-card__inner"><div class="person-contact-card__image"><div class="profile-image"><div class="image-block Standard "><figure ><img alt="" src="/globalassets/global/bilder/ansatte-dt/ida.jpg?width=200&amp;quality=80" /></figure></div></div></div><div class="person-contact-card__info"><div><h2 class="person-contact-card__info-name"> Ida Småge Breidablikk</h2><p class="person-contact-card__info-title"> Legal senior advisor</p></div><dl class="person-contact-card__info-list"><dt class="describe"> Office: </dt><dd class="define"><span data-e="FEC09FD1C2DEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEF4F3CEC9DEC7C8DEC7CDDECCCCDEC9CAD5DEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEDEF4F3C0DCCEC9C7C8C7CDCCCCC9CAD5C4929B8ADCC3989B8C96DEDCDCC38D8D9F929DDE9FC2"></span></dd><dt class="describe"> Email: </dt><dd class="define"><span data-e="380659170418181818181818181818181818181818181818181818181832355756164C5D56414B54514C594C595C785A4B51181818181818181818181818181818181818181818181818181818183235061A5756164C5D56414B54514C594C595C785A4B5102574C545159551A055E5D4A50181A1A054B4B59545B185904"></span></dd></dl></div></div></div></div></div><div class="article__sidebar-dates"><div > <span>Published:</span> <span>04.01.2021</span> </div></div></aside></div></div></main><footer class="main-footer"><div class="main-footer__wrapper"><div class="main-footer__upper"><div class="main-footer__content container"><div class="main-footer__content-column desktop-only" aria-hidden="true"><img src="/UI/datatilsynetLogo.png" width="141" height="35" alt="The Data Inspectorate logo" class="main-footer__logo"></div><div class="main-footer__content-column"><p> The Data Inspectorate<br> PO Box 458 Center<br> 0105 Oslo</p><p> Org.nr 974 761 467</p><div class="user-content"><p> <a href="/om-datatilsynet/kontakt-oss/">Contact Us</a></p></div><div > <a href="https://ext.mnm.as/s/2751/9366">Receive our newsletter</a></div><div class="main-footer__social"><div class="main-footer__social--twitter" > <a href="https://twitter.com/datatilsynet">The Data Inspectorate on twitter</a></div></div><div class="main-footer__personvernpodden_logo"> <a href="/regelverk-og-verktoy/personvernpodden/"><img src="/UI/personvernpodden-logo.svg" alt="The Privacy Podcast - A podcast from the Danish Data Protection Agency"></a></div></div><div class="main-footer__content-column"><ul class="clean-link-list"><li> <a href="/aktuelt/">Currently</a></li><li> <a href="/regelverk-og-verktoy/ordliste/">Dictionary</a></li><li> <a href="/regelverk-og-verktoy/sporsmal-svar/">Frequently Asked Questions</a></li><li> <a href="/om-datatilsynet/datatilsynets-personvernerklaring/">The Data Inspectorate&#39;s privacy statement</a></li><li> <a href="/om-datatilsynet/datatilsynets-cookie-erklaring/">The Danish Data Protection Agency&#39;s cookie statement</a></li><li> <a href="#" id="_jsManageCookies">Manage cookies</a> </li></ul></div></div></div><div class="main-footer__lower"><div class="main-footer__sponsors container"><p> Other sites</p> <a href="/om-datatilsynet/Andre-nettsteder/Personvernbloggen/"><img alt="The Privacy Blog" src="/globalassets/global/bilder/logoer/footer/personvernbloggennb.png?width=400&amp;quality=80" /></a> <a href="/om-datatilsynet/Andre-nettsteder/Du-bestmmer/"><img alt="You decide" src="/globalassets/global/bilder/logoer/footer/dubestemmernb.png?width=400&amp;quality=80" /></a> <a href="/om-datatilsynet/Andre-nettsteder/Slett-meg/"><img alt="slettmeg.no" src="/globalassets/global/bilder/logoer/footer/slettmegnb.png?width=400&amp;quality=80" /></a></div></div></div></footer></div><script src="/Scripts/libs/jquery/3.2.1.min.js"> </script><script src="/Scripts/libs/jquery/jquery-ui.min.js"> </script><script src="/Scripts/libs/svg4everybody.js"> </script><script src="/Scripts/libs/jquery.sticky-sidebar.min.js"> </script><script src="/Scripts/libs/vue.min.js"> </script><script src="/Scripts/global/common/jquery.aria.js"> </script><script> window.jQuery || document.write('<script src="/Scripts/libs/jquery/3.2.1.min.js"><\/script>') </script><script src="/Scripts/site.js?bundle=637432963380000000"></script><script src="/Scripts/global/common/jquery.unobtrusive-ajax.js" async defer></script><script>
 
    Datatilsynet.GlossaryHighlightedWords = 'adressemekling;akseptkriterium;algoritmer;artikkel 29-gruppen;atferdsnorm;autentisering;automatisk målesystem;avidentifisert personopplysning;avindeksere;avvik;behandling av personopplysningar;behandling av personopplysninger;behandlingsansvarleg;behandlingsansvarlig;behandlingsgrunnlag;berlingruppen;big data;biometri;bransjenorm;databehandlar;databehandlaravtale;databehandler;databehandleravtale;datakommunikasjon;dataminimering;datanettverk;dataportabilitet;den registrerte;dpia;ekstern datakommunikasjon;eksternt nettverk;european data protection board;filsluse;forhåndsdrøftelse;formålsbestemthet;forordning;fødselsnummer;gdpr;helseopplysning;humant biologisk materiale;informasjonssamfunnstjeneste;informasjonssikkerhet;informasjonstryggleik;innebygd personvern;integritet;intern sone;internkontroll;ip-adresse;konfidensialitet;konfigurasjon;konsesjon;konsesjonsplikt;kontrolltiltak;kredittopplysning;kredittsjekk;kredittvurdering;kryptering;meldeplikt;nettsky;nettverkssone;personnummer;personopplysning;personprofil;personregister;personvernforordningen;personvernfremjande teknologi;personvernfremmende teknologi;personvernkonsekvens;personvernombod;personvernombud;personvernrådet;profiler;profilering;pseudonymisering;radiofrekvensidentifikasjon;reidentifisering;rfid;risiko;samtykke;schengen informasjonssystem;sensitive personopplysninger;sikker sone;sikkerhetskopiering;sikkerhetsrevisjon;sikkerhetsstrategi;sporing;stordata;særlige kategorier;teknisk sikkerhetsbarriere;tilgangskontroll;tilgangsstyring;tilgjengelighet;tilsyn;tjenstlig behov;vurdere personvernkonsekvenser;ødeleggende programvare;';
Innovation Norway has been given a deadline of 25 January to submit comments on the notification.
    Datatilsynet.HasGlossary = true;
</script><script type="text/javascript" src="/Scripts/find/find.js"></script><script type="text/javascript">
if(FindApi){var api = new FindApi();api.setApplicationUrl('/');api.setServiceApiBaseUrl('/find_v2/');api.processEventFromCurrentUri();api.bindWindowEvents();api.bindAClickEvent();api.sendBufferedEvents();}
</script><script>(function(){function i(n){var t=n.charCodeAt(0);return(t>=65?t-7:t)-48}function e(n){for(var r=new String,u=i(n.substr(0,1))*16+i(n.substr(1,1)),t=n.length-2;t>1;t-=2)r+=String.fromCharCode(i(n.substr(t,1))*16+i(n.substr(t+1,1))^u);return r}var t=document.querySelectorAll("[data-e]"),n,u,r,f;if(t.length)for(n=0;n<t.length;n++)u=e(t[n].getAttribute("data-e")),r=document.createElement("div"),r.innerHTML=u,f=r.firstChild,t[n].parentNode.insertBefore(f,t[n]),t[n].parentNode.removeChild(t[n])})();</script></body></html>
</pre>
</pre>

Revision as of 08:44, 5 January 2021

Datatilsynet - DT-20/02042
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(f) GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.01.2021
Published: 04.01.2021
Fine: 1000000 NOK
Parties: Complaintant (data subject - anonymized)
Innovation Norge
Innovation Norway
National Case Number/Name: DT-20/02042
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) notified Innovation Norway that they will be fined €95,000 for multiple credit ratings of the complaintant and his sole proprietorship, when they had no legal basis under Article 6(1)(f) GDPR for such prosessing. They have until January 25 2021 to contest the fine.

English Summary

Facts

The complaintant was subjected to multiple credit ratings by Innovation Norway, despite having no customer relationship or any other affiliation with the latter. Nine credit ratings were conducted by one single employee, and it's unclear why the employee had the need to conduct these. One credit rating was conducted by a different employee, however this was due to a misunderstanding when investigating the other credit ratings.

When contacted by the DPA, Innovation Norway admitted they had no legal basis for this processing. They had routines for how to manage credit ratings, however this was found to be too generic, outdated and not adhered to. Innovation Norway had decided not to notify the DPA of the personal data breach, as they didn't consider the incident to have triggered this requirement as per Article 33 GDPR.

Dispute

Did Innovation Norway have a legal basis for conducting credit rating(s) of the complaintant?

Holding

The DPA found that Innovation Norway did not have a legal basis as per Article 6(1)(f) GDPR to conduct the credit ratings in question, that they hadn't followed up on their own internal policies and procedures and that they should have notified the DPA of the personal data breach cf. Article 33 GDPR.

Comment

The complaintant was subjected to a total of ten credit ratings; one on the complaintant personally, three on his sole proprietorship and four on his limited company. The latter ones were not considered as a breach of the GDPR, as limited companies in Norway are not considered personal data. Sole proprietorships, however, are considered to be personal data, as several decisions by the Norwegian DPA demonstrates.

The DPA highlighted that two credit ratings were conducted late at night; one on a Saturday at 10 PM and one on a Friday around midnight.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

___PR RELEASE__

Notification of infringement fee to Innovation Norway

The Norwegian Data Protection Authority has sent Innovation Norway a notice of infringement fines of NOK 1 million. The case concerns four credit of an individual and his sole proprietorship without any basis for assessments treatment .
Notification of infringement fee to Innovation Norway

- Innovation Norway has not been able to point to a customer relationship, or a connection to complainants and his company, that could justify these credit assessments, says senior adviser Ida Småge Breidablikk.

Innovation Norway has agreed that they did not have a treatment basis for the four credit assessments. The credit assessments took place over a period of 3 months.
Must have a valid treatment basis

A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person or sole proprietorship will pay a claim. A credit assessment will also show details about the company's finances, such as any payment remarks, voluntary mortgages and debt ratio.

Credit information about a sole proprietorship is also personal information, as the owner is directly identified with the company and this is directly linked to the owner's personal finances. This means that one must have a treatment basis for credit rating of sole proprietorships. It is part of the case that the complainant's limited company has also been credit-rated six times. However, this is not covered by the privacy regulations, and the Data Inspectorate cannot sanction this.
Experienced offensive

- Credit information about sole proprietorships also says something about the owner's personal finances. It is private information that can not be collected by other companies unless it is objectively justified, says legal senior adviser Ida Småge Breidablikk. We understand that complaints react when he has been credit-rated several times, and that this is perceived as offensive. We take such cases seriously, and usually react with infringement fines to this type of offense, she concludes.

Innovation Norway has been given a deadline of 25 January to submit comments on the notification.