Datatilsynet - DT-20/02147

From GDPRhub
Datatilsynet - DT-20/02147
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5 GDPR
Article 24(1) GDPR
Article 32(1)(b) GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 15.03.2021
Published: 24.03.2021
Fine: 50000 NOK
Parties: Alesund municipality
National Case Number/Name: DT-20/02147
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: The Norwegian DPA (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) fined a municipality €4,900 for requiring students to use the fitness app Strava in gym classes without conducting a risk assessment and a DPIA first, and for the lack of security routines, thus breaching Article 32(1)(b) cf. Article 5 GDPR, Article 35 and Article 24(1), respectively.

English Summary[edit | edit source]

Facts[edit | edit source]

Teachers at two junior high schools in Alesund municipality required their students to download the fitness app Strava for use in gym classes during the COVID-19 pandemic. The teachers used the app's tracking capabilities to validate that the students had conducted required exercises at home, for example bicycling a certain distance.

The teachers, schools, nor the municipality, conducted a risk assessment or a Data Protection Impact Assessment (DPIA) before deciding to use Strava in this way.

Dispute[edit | edit source]

Was this use of Strava a breach of the GDPR?

Holding[edit | edit source]

The DPA (Datatilsynet) held that the municipality had several breaches as per the GDPR: 1) For the lack of routines for technical and organisational security measures necessary to secure and demonstrate that the processing was in line with the GDPR, cf. Article 24(1). 2) For not having sufficient technical and organisational security measures in place to achive a level of protection suitable for ensuring confidentiality, integrity and robustness, and for not having conducted a risk assessment for the use of the app, cf. Article 32(1)(b), cf. Article 5. 3) For not conducting a Data Protection Impact Assessment (DPIA), cf. Article 35 (which the DPA assessed was necessary for this specific case).

For these breaches, the municipality was fined NOK 50 000,-.

Comment[edit | edit source]

The DPA notes that Strava Inc. usually is considered the controller for the personal data they process in the app. However, in this case they determine that the municipality is the controller, because the teachers/schools were the ones deciding on both the means and the purpose for processing the students' personal data.

Further Resources[edit | edit source]

Datatilsynets press release: https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/gebyr-til-alesund-kommune-for-bruk-av-strava/

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

 ÅLESUND MUNICIPALITY
 PO Box 1521
 6025 ÅLESUND









Their reference Our reference Date
                        20 / 02147-6 KBK / - 15.03.2021



Decision on violation fee when using the training app Strava - Ålesund

municipality

1 Introduction
We refer to the submitted report of 5 May 2020 on breaches of personal data security by

use of the training app Strava, as well as a follow-up report of 30 June 2020. We also show
to a statement of 2 July 2020 from the Privacy Ombudsman in the Intermunicipal Archive Møre og
Romsdal IKS. As well as in response to notification of infringement fee of 16 December 2021.


Based on the information in the case, the Data Inspectorate believes that Ålesund Municipality has violated the rules
on the security of personal data in the Privacy Regulation (European Parliament and

Council Regulation (EU) 2016/679 of 27 April 2016).

    Ålesund Municipality is imposed pursuant to the Personal Data Act § 26 second paragraph, cf.

     Article 58 (2) (i) of the Privacy Regulation, cf. Article 83 (7), to pay a
     violation fee to the Treasury of 50,000 - fifty thousand - kroner


        • for not having implemented appropriate technical and organizational measures to achieve a
            level of security suitable for achieving lasting confidentiality, integrity and
            robustness in the treatment systems and services, cf. the Privacy Ordinance

            Article 32 (1) (b), cf. Article 5, and
        • for not having implemented appropriate technical and organizational measures to ensure and
            demonstrate that the treatment is carried out in accordance with this Regulation, cf.

            Article 24 no. 1 of the Privacy Ordinance, cf. section 26 first of the Personal Data Act
            paragraph, and
        • for not having assessed the consequences of the planned treatment

            the protection of personal data, cf. Article 35 of the Privacy Ordinance

The background and reasons for the decision follow below.






Postal address: Office address: Telephone: Fax: Org.nr: Website:
PO Box 458 Sentrum Tollbugt 322 39 69 00 22 42 23 50 974 761 467 www.datatilsynet.no
0105 OSLO2. The case
On 5 May 2020, the Norwegian Data Protection Authority received a report of a breach of personal data security from
Ålesund municipality. The municipality states that this applies to Kolvikbakken ungdomsskule and
Vatne ungdomsskule.

Teachers at these schools instructed students to download the Strava training app for use in gym classes.
An open group was created per. class with names of students. The students were given assignments, e.g. å

cycle a certain distance. The teachers used tracking using the app to check that everyone
the students had completed the task. The school and the school management were informed of the breach
personal data security 5 May 2020.

The use of Strava arose in a situation where teachers had to go to great lengths to
carry out proper teaching in a pandemic situation. The municipality still does not see this

as an excuse for lack of systematic control over applications in school

3. The violation

3.1 The responsibility for processing
Strava is a training app that logs training and allows users to analyze and compare theirs
data with own or others' training logs. Strava Inc. stores the information as the app

generates. This information will be considered personal information, as Strava Inc. in
basically is responsible for processing. The person responsible for treatment is the one who «alone or
together with others, determines the purpose and means of the treatment », cf.
Article 4 (7) of the Privacy Regulation.

Teachers at two schools in Ålesund municipality have ordered students to download Strava. Download of
the app has been mandatory. The municipality acknowledges this in the report of 5 May 2020.

In addition, the municipality has used the app's tracking function to check that all students have completed
their task. The use of this tracking feature is considered a treatment of
personal information about each individual student. In connection with this treatment we have added
reason that it is the municipality, at the school, which is responsible for treatment. It's the school that
has determined the purpose of this treatment, in that the school wanted to control that students
completed the tasks assigned to them. The personal information is in the app in it
private phone to students. It is also the school that has decided the means for the treatment,

in that the school has chosen to use the training app Strava to realize the mentioned purpose.
The teachers and the two schools must be identified with the municipality. By imposing the use of
the training app Strava on the individual student's private mobile phone to treat
personal information about the students' completion of training exercises, Ålesund municipality has
fulfilled the conditions of the Privacy Regulation Article 4 No. 7, and will be considered as
data controller for this processing of personal data.


It follows from what has been said above that Ålesund municipality i.a. is responsible for the training app
The penalty, and the processing of personal data that the app enables, is risk assessed, cf.
Article 32, that the municipality has appropriate technical and organizational measures to ensure and demonstrate that
the processing is carried out in accordance with the Privacy Ordinance, cf. Article 24, and for assessment
of the privacy implications under Article 35.




                                                                                             23.2 Inadequate routines
The municipality states that no routine has been established for the acquisition of apps. This has
been pointed out by the information security manager without such routines having been established. These
the routines shall make it clear that the personal data is processed in a lawful, fair and open manner

way with respect to the data subject, that they are collected for specific, expressly stated and
justified purposes, that they are adequate, relevant and limited to what is necessary for
the purposes for which they are processed and that they are treated in a way that ensures adequate security
for the personal data. Lack of routines has meant that a great risk has arisen
students' rights and freedoms. By not having established routines for technical and organizational
measures to ensure and demonstrate that the treatment is carried out in accordance with this Regulation, this is a
violation of Article 24 (1).


3.3 Inadequate safety during treatment
The training app Strava has been used without a risk assessment having been carried out. By
not having carried out a risk assessment, the municipality has not taken into account the
and severity of the risk to the rights and freedoms of natural persons. This will be one
violation of the Privacy Regulation Article 32 No. 1 letter b, which requires the establishment of a
level of security suitable for ensuring lasting confidentiality, integrity and robustness in

treatment systems and services.

3.4 Inadequate assessment of the privacy consequences
Ålesund Municipality has not carried out an assessment of the privacy consequences after
Article 35 of the Privacy Ordinance. Lack of assessment will then be regarded as a violation of
Article 35 of the Privacy Ordinance. Reference is made here to the Data Inspectorate's website with a list

for which treatment activities always trigger a requirement for a DPIA to be carried out, see
https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/vurder-
privacy implications / privacy-impact assessment / when-you-carry-one-
privacy-impact assessment /

The Data Inspectorate considers that the use of the training app Strava will entail treatment activities such as
requires the implementation of a DPIA. Use of the training app entails i.a. that it is treated

location data about the students. In addition, special categories of
personal information, as long as the students themselves have provided information about this in the app. Use of
The training app will also involve the processing of personal data by systematically
monitor efficiency and skills. The purpose of the training app has been to see about the students
has completed the exercises. However, one can also measure the skills against others.


4. Assessment of the Privacy Ordinance's rules on infringement fines
In the Personal Data Act § 26 second paragraph, it is stipulated that the Data Inspectorate may impose public

authorities and bodies infringement fines under the rules of the Privacy Regulation Article
58, cf. Article 83 no. 7. It is stated here that «without prejudice to the authority of the supervisory authorities
to adopt corrective measures in accordance with Article 58 (2), each Member State may provide




                                                                                                3 rules on when and to what extent public authorities and bodies are established in the said
Member State may be fined '.

The right to impose infringement fines shall be a tool to ensure effective
compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as
punishment under Article 6 of the European Convention on Human Rights (ECHR).


The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required
offense in order to impose a fee. The case and the question of imposing
infringement fines are assessed on the basis of this evidentiary requirement.

In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.
By an administrative sanction is meant a negative reaction that can be imposed by a
administrative body, which addresses a committed violation of law, regulation or individual

decision, which is considered a punishment under the European Convention on Human Rights
(EMK).

For companies, the debt assessment is unique. Section 46 (1) of the Public Administration Act states:

       "When it is stipulated by law that an administrative sanction may be imposed on an enterprise,
       the sanction can be imposed even if no individual has shown guilt ».


In Prop. 62 L (2015-2016) page 199 it is stated about § 46: «The wording that‘ none
individual has shown guilt ’is taken from the section on corporate punishment in the Penal Code § 27
first paragraph and shall be understood in the same way. The responsibility is therefore basically objective ».

Article 83 provides in principle that the imposition of an infringement fine depends on a

discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting
moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure
that the imposition of infringement fines in each individual case is effective is reasonable
relation to the violation and acts as a deterrent.

In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following
moments:


a) the nature, severity and duration of the infringement, taking into account
    the nature, extent or purpose of the act concerned, as well as the number of data subjects affected,
    and the extent of the damage they have suffered

The breach of personal data security includes the school's order for students to download
the training app Strava without a risk assessment or assessment of

the privacy implications of using it.

The breach of personal data security has meant that the data subject has lost control of
information about oneself, and whether others have seen information about the person. By





                                                                                               4se on selected routes, especially start and end points, you will also be able to deduce where the student lives.
This is especially problematic if someone has a secret address.

The Data Inspectorate takes a serious view of the fact that the municipality has not had control over which apps
which can be downloaded and used by the school.

b) whether the infringement was committed intentionally or negligently


The breach of personal data security has meant that the data subject has lost control of
information about himself in that the choice of Strava was not voluntary. Such an event can get
major privacy consequences for the person concerned, in that the information may become known to
third parties. The case indicates routine failure in the municipality. It can be stated that there is none
routine in the municipality over which apps are to be used under the auspices of the school. It is thus also
not clear routines in connection with downloading apps, i.a. that these must be risk assessed

before they are used.

The incident is serious, and the absence of routines must be described as grossly negligent.

c) any measures taken by the data controller or data processor to
    limit the damage suffered by the data subjects


The municipality has been in contact with those affected and informed about the incident.

d) the degree of responsibility of the data controller or data processor, taking into account
    to the technical and organizational measures they have implemented in accordance with Article 25 and
    32


It can be stated that the responsibility for the breach of personal data security lies with Ålesund
municipality. Reference is made here to point 3.

e) any relevant previous violations committed by the data controller or
    the data processor

No previously relevant infringements can be identified.


f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
    possible negative effects of it

This is not relevant in the case.

g) the categories of personal data affected by the infringement


This applies to information about the student using the training app Strava, and contains
information about name, grade level and location. The municipality states in the report that a part
information (eg health) requires consent before it is stored.





                                                                                               5h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
    possibly to what extent the data controller or data processor has
    notified of the infringement

The Norwegian Data Protection Authority gained knowledge about this through reported breaches
personal data security 5 May 2020.


(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
    data controller or data processor with respect to the same subject matter, that
    the said measures are complied with

No measures have previously been taken against Ålesund municipality with regard to
same subject matter.


(j) compliance with approved standards of conduct in accordance with Article 40 or approved
    certification mechanisms in accordance with Article 42

Violation of behavioral norms has not been a topic in the deviation.

k) any other aggravating or mitigating factor in the case, e.g. economic benefits
    which have been obtained, or losses which have been avoided, directly or indirectly, as a result of

    the infringement

The Data Inspectorate views positively that Ålesund municipality quickly took action when the breach occurred
personal data security was discovered and the deviation was reported to the Norwegian Data Protection Authority.
The municipality has also implemented measures to prevent similar offenses in the future.


The Data Inspectorate has not established that Ålesund municipality has had financial benefits, or
avoided direct or indirect losses as a result of the infringement.

The Norwegian Data Protection Authority has also not taken into account Ålesund municipality's financial capacity.

5. Overall assessment
However, it is serious that the municipality requires students to download the training app Strava to

the student's private mobile, without the app having been risk assessed and not assessed
the privacy implications of using the app.

In the Data Inspectorate's assessment, the case is important in principle. Ålesund municipality should have been equipped
to meet the requirements for personal data security when using apps. In this regard, can
a decision on infringement fines provides an important signal effect.


After an overall assessment, where the Data Inspectorate has also taken into account the situation the municipality
was in, the Data Inspectorate has come to the conclusion that Ålesund municipality should be imposed a
infringement fine.






                                                                                              66. Amount of the fee

In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that

        «As a starting point, the same rules for infringement fines shall apply
        public bodies as for private, as this is the scheme under current
        Personal Data Act. »


The ministry further writes that they have noted the concern as some public
consultation bodies have expressed, but the Ministry assumes that within the rules of
Article 83 of the Regulation, which also sets out the factors to be taken into account in the measurement
of administrative fees, there is room for considerable consideration with regard to the size of
fee. The Ministry states that «[t] he run limits in Article 83 of the Regulation state
maximum limits for the calculation of administrative fees, while no one has been set

minimum limits. "

With regard to the size of the fee, the same factors shall apply as when assessing whether the fee
shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
the specific case, at the same time as the size of the fee must be in a reasonable proportion to
the infringement and the activity, cf. art. 83 No. 1.


We have particularly noted that the breach of personal data security is a result of that
the municipality has not had control over downloading apps, and as a result has not
implemented appropriate measures to achieve a level of safety appropriate to the risk.
Furthermore, we have looked at the general expectation that citizens should be able to have that municipal
bodies follow the rules given.


We believe that the signal effect of this case and the general preventive considerations are clear. The
It is important that such incidents do not occur, and that all public bodies that process them
citizens' personal data and information about vulnerable people must be their own
responsibility consciously.

After an overall assessment of the case, and then especially with regard to the seriousness of the violation and
the legislation's requirement that the imposition of infringement fines in each individual case shall be

effective, proportionate and dissuasive, we have come to the conclusion of an infringement charge
NOK 50,000 is considered correct.

7. Concluding remarks
We encourage Ålesund Municipality to give its opinion on the notice, both in terms of our notice
on the imposition of infringement fines. The deadline for comments is 16 October 2020.28


The Norwegian Data Protection Authority will take a final position in the case only after the response deadline has expired.








                                                                                                78. Recovery of infringement fines
The infringement fee is due for payment four weeks after the decision is final, cf.
the Personal Data Act (2018) § 27. The decision is a coercive basis for disbursement. Recovery of
the claim will be implemented by the Central Government Collection Agency.

9. Right of appeal
You can appeal the decision. Any complaint must be sent to us within three weeks after this

the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision,
we send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22.

10. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform
that all documents are in principle public, cf. the Public Access to Information Act § 3, but
emphasizes at the same time that safety documentation is as a general rule exempt from public access, cf.

the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.

If you have any questions, you can contact caseworker Knut B. Kaspersen ..



With best regards



Bjørn Erik Thon
director
                                                                 Knut Brede Kaspersen
                                                                 legal director





The document is electronically approved and therefore has no handwritten signatures




















                                                                                              8