PVN - PVN-2021-07

From GDPRhub
PVN - PVN-2021-07
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 57(1)(f) GDPR
Article 77(2) GDPR
Section 2(1)(b) PAA
Section 2(1)(c) PAA
Section § 28(1) PAA
Decided: 22.06.2021
Published:
Parties:
National Case Number/Name: PVN-2021-07
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
20/01830-6
Appeal to: Not appealed
Original Language(s): Norwegian
Original Source: Personvernnemnda (in Norwegian)
Initial Contributor: Rose

The Norwegian Privacy Appeal Board (Personvernnemnda) ruled that a complainant had the right to appeal a decision by the Norwegian DPA in which it dismissed their case without investigation. The DPA has an obligation to assess whether the relevant processing violates data protection rules and must properly inform the data subject of the outcome of this assessment.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject lodged a complaint with the the Norwegian DPA (Datatilsynet) stating that they had been subject to an unauthorized credit rating. An employee of the credit rating agency has indeed triggered a credit check on the complainant to contact them in private matter. However, the data was not disclosed to other parties.

Therefore, the DPA found it unlikely that data protection legislation had been violated and decided not to investigate the case further. The complainant, however, was neither informed of the closure of the case nor of their right to appeal by the DPA, but only after asking for the status of the investigation and performing own online research.

The complainant therefore appealed the DPA's decision to dismiss the case, which was rejected and submitted to the Norwegian Privacy Appeal Board by the DPA.

Holding[edit | edit source]

The Appeal Board decided that according to national law a party is granted the right to appeal to an individual decision. The DPAs decision to terminate the case without deciding whether the complainant's personal data has been processed unlawfully must be regarded as a decision that is decisive for the complainants individual rights, granting them the right to appeal according to section 28(1), 2(1)(a)(b) Public Administration Act.

Furthermore, the Board pointed to the data subject’s right to receive information on the outcome of the complaint under Article 77(2) GDPR and Article 57(1)(f) GDPR.

The case was therefore returned to the DPA for an assessment on the merits of the case.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision of the Privacy Board 22 June 2021 (Mari Bø Haugstad, Bjørnar Borvik, Line Coll, Hans Marius Graasvold, Hans Marius Tessem, Morten Goodwin)
The case concerns a complaint from A on the Data Inspectorate's decision of 1 March 2021, where the Authority rejected her complaint due to a lack of right of appeal.
Background to the case
A received a copy of the letter from the credit information agency Bisnode AS on 6 September 2019 with information that X AS had tried to make a credit assessment of her. As a credit block on A had been registered, a credit assessment was not carried out and X AS was informed that the credit block had to be lifted before a credit assessment could be carried out.
A approached the Norwegian Data Protection Authority in a letter on 6 October 2019 and reported on what she believes is an illegal credit assessment of her.
At the Data Inspectorate's request on 16 June 2020, X AS stated in a letter to the Authority on 26 June 2020 that A has no customer relationship with the company. X AS stated that it was not the company that carried out the search at Bisnode AS, but that it was an employee of the company who had used the credit information service to find A's postal address with a view to contacting A in a private matter. X AS therefore believed that a credit assessment was neither made nor attempted. X AS also did not report the incident as a deviation to the audit.
On the basis that the statement from X AS, the Authority decided to close the case. The Norwegian Data Protection Authority assumed that X AS 'attempt to credit A was stopped by the credit block, and that the company had not processed credit information about her. In a letter to X AS on 27 November 2020, the Authority pointed out the company's obligations under the Privacy Ordinance, including the requirement for a legal basis for the collection of personal data. A was not informed of the Data Inspectorate's investigations and conclusion of the case.
A contacted the Authority on 20 January 2021 and requested status in the case. The audit sent A the letter closing the case.
A appealed the Data Inspectorate's decision to close the case by e-mail on 20 January 2021 and letter on 9 February 2021.
The Norwegian Data Protection Authority assumed that the Authority's letter to X AS of 27 November 2020, pointing out the duty, does not constitute an individual decision and that A has no right of appeal. The Data Inspectorate assumed that A also has no right of appeal against the Data Inspectorate's decision to close the case. The Norwegian Data Protection Authority made the following decision on 1 March 2021:
"The appeal is rejected, cf. the Public Administration Act § 33 second paragraph."
A submitted a timely appeal against the Data Inspectorate's decision in a letter dated 16 March 2021.
The Data Inspectorate assessed the complaint, but found no reason to change its decision. The case was sent to the Privacy Board on 29 April 2021. A was informed of the case in a letter from the board on 6 May 2021, and was given the opportunity to comment. No further comments have been submitted.
The case was discussed at the tribunal's meeting on 22 June 2021. The Privacy Committee had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Line Coll, Hans Marius Graasvold, Hans Marius Tessem and Morten Goodwin. Secretariat leader Anette Klem Funderud was also present.
The Data Inspectorate's assessment in outline
Point of duty - right of appeal
The Data Inspectorate refers to the Public Administration Act § 28 first paragraph which stipulates that an individual decision may be appealed by a «party or other with a legal appeal interest», and to § 2 first paragraph letter b, cf. letter a which stipulates that an individual decision is a «decision made in the exercise of public authority "and which" determines the rights or obligations of one or more specific persons ".
The Norwegian Data Protection Authority then states that the Authority's letter to X AS on 27 November 2020, pointing out the duty and closing the case, is not an individual decision pursuant to section 2 of the Public Administration Act, which gives the right to appeal under the Public Administration Act. Pointing out the duty means that the administration points out which rights or duties arise directly from law or regulations. The audit points out that the Public Administration Law Committee in NOU 2019: 5 concludes that the reaction form «pointing out duty» is not a decision, cf. the law department's statement 25.02.1998 (Case number: 1998/554 E).
Decision to close the case
The Data Inspectorate concludes that A also has no right of appeal against the Data Inspectorate's decision to close the case after pointing out the company's obligations.
The Data Inspectorate points out that they receive a very high number of complaints. Pursuant to Article 57 (1) (f) of the Privacy Ordinance, the Data Inspectorate shall process complaints lodged by a data subject or a body, organization or association in accordance with Article 80, and examine, to the extent appropriate, the subject matter of the complaint and inform the complainant. about the course and outcome of the investigation within a reasonable time, especially if there is a need for further investigation or coordination with another supervisory authority.
Based on a discretionary appropriateness assessment, the Data Inspectorate chooses which cases the Authority sees a need to conduct further investigations in and assesses whether the Authority proceeds with investigations based on how likely it is that there is a breach and how serious a possible breach of privacy regulations will be.
The Data Inspectorate reviewed A's complaint and the documents she sent, and assessed that no circumstances had been described that provided a basis for further investigations other than obtaining a statement from X AS.
The Data Inspectorate considered it unlikely that the privacy rules had been violated in the case, and that the nature of a possible breach indicated that the Data Inspectorate would hardly provide corrective measures pursuant to Article 58 (2) of the Privacy Ordinance.
The audit concluded that the conditions for the right of appeal in the Public Administration Act § 28 first paragraph are not met and that the appeal shall be rejected, cf. the Public Administration Act § 33 second paragraph, third sentence.
In the transmission of the case to the tribunal on 1 March 2021, the Authority states that a decision not to conduct further investigations into a case does not determine the complainant's rights or obligations. In its reasoning, the Data Inspectorate refers to the Privacy Board's decision in case PVN-2020-07, where the board rejected a complaint in a case concerning a choice of reaction in the event of an established breach of personal data security.
A view of the matter in brief
X AS has carried out an illegal credit check of her. When a credit check has been completed, the person in question receives a copy of the letter, as she has received in this case.
She has no affiliation with X AS, and the company therefore had no objective reason to search for her credit information with Bisnode AS. It is against the law to use the credit information service to obtain a postal address.
She experiences the incident as a serious violation of privacy. That she had filed a credit block and that credit information was not disclosed constitutes a pure coincidence.
X AS will not state who in the company rated her, but she has reason to believe that it is the current cohabitant of her former cohabitant, with whom she has children. The person in question is employed by X AS.
The Norwegian Data Protection Authority did not provide her with information on the right to appeal, and the Authority's case officer could not answer whether she could appeal the Authority's decision or not. During a quick search on the internet, she found information about her right to appeal the Data Inspectorate's decision.
She complains about the Data Inspectorate's decision to reject the case. The Data Inspectorate downplays the incident, which is unfortunate and sends the wrong signal to how companies and employees can abuse their access to credit ratings.
The Privacy Board's assessment
The Data Inspectorate has rejected A's complaint. The Data Inspectorate's decision on rejection is regarded as an individual decision, cf. the Public Administration Act § 2 third paragraph. The tribunal shall assess the Data Inspectorate's rejection decision, and not take a position on whether X AS carried out an illegal credit assessment of A.
The Data Inspectorate closed the case with X AS in a letter to X AS on 27 November 2020, in which the Authority pointed out the company's obligations when obtaining credit assessments. The Tribunal agrees with the Norwegian Data Protection Authority that the letter to X AS of 27 November 2020, pointing out the duty in itself, is not an individual decision because the letter is not «a decision made in the exercise of public authority and which generally or specifically determines rights or obligations to private persons », cf. the Public Administration Act § 2 first paragraph letters a and b. Neither the person to whom the letter is addressed nor others will have a right of appeal under the Public Administration Act over this letter.
The question for the tribunal is whether the Data Inspectorate can choose to close a case like this in this way, or whether A has its own party rights which means that she can demand that the Data Inspectorate process the case and decide whether her personal data has been processed illegally.
Section 2, first paragraph, letter e of the Public Administration Act defines the concept of party as «person to whom a decision is addressed or to whom the case otherwise directly applies». The term includes both individuals and legal persons (companies, associations, etc.). There can be no doubt that X AS has processed personal information about A in its contact with Bisnode AS. Even though no decision has been made against A, there is no doubt that the case "directly applies" to her and that she must be considered a party to the case that she has brought before the Norwegian Data Protection Authority.
After A received the copy of the copy from Bisnode AS on 6 September 2019 with information that X AS had tried to make a credit assessment of her, AX AS complained to the Data Inspectorate on 6 October 2019. A thereby exercised his right to complain to a supervisory authority. pursuant to Article 77 of the Privacy Ordinance, cf. Article 141 of the Regulation. to "shall inform the complainant of the course of the complaint processing process and the outcome of the complaint". It also follows from the Public Administration Act § 11 a that the administrative body shall prepare and decide the case without undue delay.
The Data Inspectorate's tasks follow from Article 57 of the Privacy Ordinance. According to the provision, the Data Inspectorate shall process a complaint submitted by a data subject and investigate, to the extent appropriate, the subject of the complaint and inform the complainant of the course and outcome of the investigation within a reasonable time, cf. Article 57 (1) (f).
After A complained to the Data Inspectorate in September 2019, the Data Inspectorate did not inform A of the complaint processing process or the outcome of the complaint, neither when X AS reported the case in June 2020, nor when the Data Inspectorate closed the case by letter to X AS on 27 November 2020. A was first informed about the case and received the letter from the audit to X AS when she herself contacted the audit on 20 January 2021 and requested status in the case.
The tribunal has in its practice assumed that a data subject who has his personal data processed by a data controller is to be regarded as a party in a case where the Data Inspectorate assesses whether the data controller has processed the personal data of the data subject in accordance with the law. The Privacy Board has further assumed that the Data Inspectorate's decision that the data controller's processing of personal data about the data subject is not illegal and in violation of the Personal Data Act, is a decision that determines the rights and obligations of the data subject and thus an individual decision that can be appealed. Such a legal understanding follows from unambiguous practice from the Privacy Board, including PVN-2018-10, PVN-2019-05, PVN-2019-12 and PVN-2020-24. The Data Inspectorate closed these cases after a brief assessment of the merits, and the registrant in each case appealed the Data Inspectorate's decision to close to the tribunal. The tribunal came to the conclusion that the Data Inspectorate's decision to close the case was justifiable and within the framework of the law. There was no doubt that the registrant in these cases had the right to appeal against the Data Inspectorate's decision to close the case. It is difficult to see why it should be different in a case where the Data Inspectorate fails to take a position on whether there has been a breach of the Privacy Ordinance.
In the tribunal's assessment, the Data Inspectorate's decision to close a case without taking a position on whether the complainant's personal data has been processed illegally must be regarded as a decision that determines A's rights, and is thus an individual decision giving her the right to appeal, cf. paragraph letters a and b and § 28 first paragraph.
The conditions for processing A's complaint are met. The Norwegian Data Protection Authority must make a material assessment of the case and decide whether X AS has processed A's personal data without having a valid basis for processing, and if they do not, assess whether corrective measures should be decided, cf. the Privacy Ordinance, Article 58 no. 2.
In PVN-2020-07, the tribunal has assumed that the Data Inspectorate's choice of reaction towards the data controllers was not a decision aimed at the data subjects and thus also not decisive for their rights and obligations. However, this is something other than the right to be assessed whether personal data about oneself has been processed illegally.
A has been upheld in his complaint.
Conclusion
The conditions for processing A's complaint are met. The case is sent to the Norwegian Data Protection Authority for a reality assessment.
The decision is unanimous.
Oslo, 22 June 2021
Mari Bø Haugstad
Manager