Datatilsynet (Norway) - 20/02147

Datatilsynet - DT-20/02147
Relevant Law: Article 5 GDPR; Article 24(1) GDPR; Article 32(1)(b) GDPR; Article 35 GDPR
National Case Number/Name: DT-20/02147
European Case Law Identifier: n/a
Original Source: The Norwegian DPA (in NO)
Initial Contributor: Rie Aleksandra Walle
The Norwegian DPA (Datatilsynet) fined a municipality €4,900 for requiring students to use the fitness app Strava in gym classes without conducting a risk assessment and a DPIA first, and for the lack of security routines, thus breaching Article 32(1)(b) cf. Article 5 GDPR, Article 35 and Article 24(1), respectively.
English Summary
Facts
Teachers at two junior high schools in Ålesund municipality required their students to download the fitness app Strava for use in gym classes during the COVID-19 pandemic. The teachers used the app's tracking capabilities to verify that the students had completed the required exercises at home, for example cycling a certain distance.
Neither the teachers, the schools, nor the municipality conducted a risk assessment or a Data Protection Impact Assessment (DPIA) before deciding to use Strava in this way.
Dispute
Was this use of Strava a breach of the GDPR?
Holding
The DPA (Datatilsynet) held that the municipality had committed several breaches of the GDPR:
1) Lack of routines for the technical and organisational measures necessary to ensure and demonstrate that the processing was in line with the GDPR, cf. Article 24(1).
2) Not having sufficient technical and organisational security measures in place to achieve a level of protection suitable for ensuring confidentiality, integrity and resilience, and not having conducted a risk assessment for the use of the app, cf. Article 32(1)(b), cf. Article 5.
3) Not conducting a Data Protection Impact Assessment (DPIA), cf. Article 35, which the DPA assessed was required in this specific case.
For these breaches, the municipality was fined NOK 50 000,-.
Comment
The DPA notes that Strava Inc. is usually considered the controller for the personal data it processes in the app. In this case, however, the DPA determined that the municipality was the controller, because the teachers and schools were the ones deciding on both the purpose and the means of processing the students' personal data.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
ÅLESUND MUNICIPALITY
PO Box 1521
6025 ÅLESUND

Their reference: | Our reference: 20/02147-6 KBK/- | Date: 15.03.2021

Decision on infringement fee for use of the training app Strava - Ålesund municipality

1. Introduction
We refer to the submitted report of 5 May 2020 on a breach of personal data security through use of the training app Strava, as well as a follow-up report of 30 June 2020. We also refer to a statement of 2 July 2020 from the Data Protection Officer of the Intermunicipal Archive Møre og Romsdal IKS, and to the response to the notice of an infringement fee of 16 December 2021.

Based on the information in the case, the Data Inspectorate finds that Ålesund Municipality has violated the rules on the security of personal data in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016).

Pursuant to the Personal Data Act section 26, second paragraph, cf. Article 58(2)(i) GDPR, cf. Article 83(7), Ålesund Municipality is ordered to pay an infringement fee to the Treasury of NOK 50,000 (fifty thousand kroner):
• for not having implemented appropriate technical and organisational measures to achieve a level of security suitable for ensuring the ongoing confidentiality, integrity and resilience of processing systems and services, cf. Article 32(1)(b) GDPR, cf. Article 5;
• for not having implemented appropriate technical and organisational measures to ensure and demonstrate that the processing is carried out in accordance with the Regulation, cf. Article 24(1) GDPR, cf. the Personal Data Act section 26, first paragraph; and
• for not having assessed the impact of the planned processing on the protection of personal data, cf. Article 35 GDPR.

The background and reasons for the decision follow below.
2. The case
On 5 May 2020, the Norwegian Data Protection Authority received a report of a breach of personal data security from Ålesund municipality. The municipality states that the report concerns Kolvikbakken ungdomsskule and Vatne ungdomsskule. Teachers at these schools instructed students to download the training app Strava for use in gym classes. An open group was created per class, containing the students' names. The students were given assignments, for example to cycle a certain distance, and the teachers used the app's tracking to check that all students had completed the task. The school and the school management were informed of the breach of personal data security on 5 May 2020.

The use of Strava arose in a situation where teachers had to go to great lengths to carry out proper teaching during the pandemic. The municipality nevertheless does not regard this as an excuse for the lack of systematic control over applications used in schools.

3. The violation
3.1 Responsibility for the processing
Strava is a training app that logs workouts and allows users to analyse and compare their data with their own or others' training logs. Strava Inc. stores the information that the app generates. This information is personal data, for which Strava Inc. is in principle the controller. The controller is the one who "alone or jointly with others, determines the purposes and means of the processing", cf. Article 4(7) GDPR.

Teachers at two schools in Ålesund municipality ordered students to download Strava. Downloading the app was mandatory; the municipality acknowledges this in the report of 5 May 2020. In addition, the municipality used the app's tracking function to check that all students had completed their task. The use of this tracking feature constitutes processing of personal data about each individual student.

In connection with this processing, we find that it is the municipality, through the school, that is the controller. It is the school that determined the purpose of the processing, in that the school wanted to verify that students had completed the tasks assigned to them. The personal data resides in the app on the students' private phones. It is also the school that decided the means of the processing, in that the school chose to use the training app Strava to realise the stated purpose. The teachers and the two schools must be identified with the municipality. By imposing the use of the training app Strava on the individual student's private mobile phone in order to process personal data about the students' completion of training exercises, Ålesund municipality fulfils the conditions of Article 4(7) GDPR and is to be regarded as the controller for this processing of personal data.

It follows from the above that Ålesund municipality is, among other things, responsible for ensuring that the training app, and the processing of personal data the app enables, is risk assessed, cf. Article 32; that the municipality has appropriate technical and organisational measures to ensure and demonstrate that the processing is carried out in accordance with the GDPR, cf. Article 24; and for assessing the data protection impact under Article 35.

3.2 Inadequate routines
The municipality states that no routine has been established for the procurement of apps. This had been pointed out by the information security manager without such routines having been established.
Such routines shall ensure that personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject; that they are collected for specified, explicit and legitimate purposes; that they are adequate, relevant and limited to what is necessary for the purposes for which they are processed; and that they are processed in a manner that ensures appropriate security of the personal data. The lack of routines has meant that a great risk to the students' rights and freedoms has arisen. By not having established routines for technical and organisational measures to ensure and demonstrate that processing is carried out in accordance with the Regulation, the municipality has violated Article 24(1).

3.3 Inadequate security of processing
The training app Strava has been used without a risk assessment having been carried out. By not carrying out a risk assessment, the municipality has not taken into account the likelihood and severity of the risk to the rights and freedoms of natural persons. This is a violation of Article 32(1)(b) GDPR, which requires a level of security suitable for ensuring the ongoing confidentiality, integrity and resilience of processing systems and services.

3.4 Inadequate data protection impact assessment
Ålesund Municipality has not carried out a data protection impact assessment under Article 35 GDPR. The absence of such an assessment is regarded as a violation of Article 35 GDPR.

Reference is made to the Data Inspectorate's website with a list of processing activities that always trigger a requirement to carry out a DPIA, see https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/vurder- privacy implications / privacy-impact assessment / when-you-carry-one- privacy-impact assessment /

The Data Inspectorate considers that the use of the training app Strava entails processing activities that require a DPIA. Use of the training app entails, among other things, the processing of location data about the students. In addition, special categories of personal data are processed, insofar as the students themselves have entered such information in the app. Use of the training app also involves processing personal data to systematically monitor performance and skills. The purpose of the training app has been to see whether the students have completed the exercises; however, one can also measure skills against others.

4. Assessment under the GDPR's rules on infringement fees
The Personal Data Act section 26, second paragraph, stipulates that the Data Inspectorate may impose infringement fees on public authorities and bodies under the rules of Article 58 GDPR, cf. Article 83(7). Article 83(7) states that "without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State". The right to impose infringement fees is a tool to ensure effective compliance with and enforcement of the Personal Data Act. An infringement fee is to be regarded as punishment under Article 6 of the European Convention on Human Rights (ECHR).
The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probability of an offence is required in order to impose a fee. The case, and the question of imposing an infringement fee, is assessed on the basis of this standard of proof. In this context we refer to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that may be imposed by an administrative body, addressing a committed violation of a law, regulation or individual decision, and which is considered punishment under the European Convention on Human Rights (ECHR).

For enterprises, the assessment of culpability is special. Section 46(1) of the Public Administration Act states: "When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction may be imposed even if no individual has shown guilt." In Prop. 62 L (2015-2016), page 199, it is stated about section 46: "The wording that 'no individual has shown guilt' is taken from the provision on corporate penalty in the Penal Code section 27, first paragraph, and shall be understood in the same way. The liability is therefore in principle objective."

Article 83 provides in principle that the imposition of an infringement fee depends on a discretionary overall assessment, but lays down guidelines for the exercise of that discretion by highlighting factors that are to be given special weight. Article 83(1) states that the Data Inspectorate shall ensure that the imposition of infringement fees in each individual case is effective, proportionate and dissuasive.

In assessing whether to impose an infringement fee, we have placed particular emphasis on the following factors:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them
The breach of personal data security comprises the school's order for students to download the training app Strava without a risk assessment or an assessment of the data protection impact of using it. The breach has meant that the data subjects have lost control over information about themselves, and over whether others have seen information about them. By looking at selected routes, especially start and end points, one could also deduce where a student lives. This is especially problematic if someone has a secret address. The Data Inspectorate takes a serious view of the fact that the municipality has not had control over which apps can be downloaded and used by the school.

b) whether the infringement was committed intentionally or negligently
The breach of personal data security has meant that the data subjects lost control over information about themselves, in that the choice of Strava was not voluntary. Such an incident can have major privacy consequences for those concerned, in that the information may become known to third parties. The case indicates a failure of routines in the municipality. There is no routine in the municipality governing which apps are to be used under the auspices of the school, and consequently no clear routines in connection with downloading apps, including that these must be risk assessed before use. The incident is serious, and the absence of routines must be described as grossly negligent.
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects
The municipality has been in contact with those affected and informed them of the incident.

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32
The responsibility for the breach of personal data security lies with Ålesund municipality. Reference is made to section 3.

e) any relevant previous infringements by the controller or processor
No relevant previous infringements have been identified.

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects
This is not relevant in the case.

g) the categories of personal data affected by the infringement
The data concern the students using the training app Strava and include name, grade level and location. The municipality states in the report that some information (e.g. health data) requires consent before it is stored.

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
The Norwegian Data Protection Authority became aware of the matter through the notified breach of personal data security of 5 May 2020.

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures
No measures have previously been taken against Ålesund municipality with regard to the same subject matter.
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
Adherence to codes of conduct has not been an issue in the breach.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement
The Data Inspectorate views positively that Ålesund municipality acted quickly when the breach of personal data security was discovered, and that the breach was reported to the Norwegian Data Protection Authority. The municipality has also implemented measures to prevent similar infringements in the future. The Data Inspectorate has not established that Ålesund municipality gained financial benefits, or avoided direct or indirect losses, as a result of the infringement. The Norwegian Data Protection Authority has also not taken Ålesund municipality's financial capacity into account.

5. Overall assessment
It is nevertheless serious that the municipality required students to download the training app Strava to their private mobile phones without the app having been risk assessed and without the data protection impact of using it having been assessed. In the Data Inspectorate's assessment, the case is important in principle. Ålesund municipality should have been equipped to meet the requirements for personal data security when using apps. In this regard, a decision on an infringement fee can provide an important signal effect. After an overall assessment, in which the Data Inspectorate has also taken into account the situation the municipality was in, the Data Inspectorate has concluded that Ålesund municipality should be imposed an infringement fee.

6. Amount of the fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that "as a starting point, the same rules on infringement fees shall apply to public bodies as to private ones, as is the scheme under the current Personal Data Act". The Ministry further writes that it has noted the concern expressed by some consultation bodies, but assumes that, within the rules of Article 83 of the Regulation, which also sets out the factors to be taken into account in calculating administrative fees, there is room for considerable discretion as to the size of the fee. The Ministry states that "[t]he limits in Article 83 of the Regulation set maximum limits for the calculation of administrative fees, while no minimum limits have been set".

With regard to the size of the fee, the same factors apply as when assessing whether a fee is to be imposed at all, and special weight shall be given to them. The fee should be set high enough that it also has an effect beyond the specific case, while at the same time the size of the fee must be in reasonable proportion to the infringement and to the enterprise, cf. Article 83(1). We have particularly noted that the breach of personal data security is a result of the municipality not having had control over the downloading of apps, and as a result not having implemented appropriate measures to achieve a level of security appropriate to the risk. Furthermore, we have considered the general expectation that citizens should be able to have that municipal bodies follow the rules laid down. We believe that the signal effect of this case and the general preventive considerations are clear. It is important that such incidents do not occur, and that all public bodies that process citizens' personal data and information about vulnerable people are conscious of their own responsibility.

After an overall assessment of the case, and in particular with regard to the seriousness of the violation and the legislation's requirement that the imposition of infringement fees in each individual case shall be effective, proportionate and dissuasive, we have concluded that an infringement fee of NOK 50,000 is appropriate.

7. Concluding remarks
We encourage Ålesund Municipality to give its opinion on the notice, including our notice of the imposition of an infringement fee. The deadline for comments is 16 October 2020. The Norwegian Data Protection Authority will take a final position in the case only after the response deadline has expired.

8. Recovery of the infringement fee
The infringement fee is due for payment four weeks after the decision is final, cf. the Personal Data Act (2018) section 27. The decision is an enforceable basis for recovery. Recovery of the claim will be carried out by the Central Government Collection Agency.

9. Right of appeal
You may appeal the decision. Any appeal must be sent to us within three weeks of receipt of this letter, cf. the Public Administration Act sections 28 and 29. If we uphold our decision, we forward the case to the Privacy Appeals Board (Personvernnemnda) for processing, cf. the Personal Data Act section 22.

10. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act section 18. We also note that all documents are in principle public, cf. the Freedom of Information Act section 3, but emphasise at the same time that security documentation is as a general rule exempt from public access, cf. the Freedom of Information Act section 13 and the Public Administration Act section 13, first paragraph, no. 2.

If you have any questions, you may contact case officer Knut B. Kaspersen.

With best regards

Bjørn Erik Thon
Director

Knut Brede Kaspersen
Legal Director

The document is electronically approved and therefore has no handwritten signatures.