Personvernnemda (Norway) - 2022-03 (20/02375)

From GDPRhub
Personvernnemnda (Norway) - 2022-03 (20/02375)
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Decided: 21.06.2022
Published: 21.06.2022
Parties: Redacted version
National Case Number/Name: 2022-03 (20/02375)
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
20/02375
Appeal to: Unknown
Original Language(s): Norwegian
Original Source: Personvernnemnda (Privacy Appeals Board) (in Norwegian) (in Norwegian)
Initial Contributor: Rie Aleksandra Walle

The Norwegian Privacy Appeals Board agreed that an acquiring company assumes the prior controller's responsibility and upheld the DPA's decision to fine them about €12,000 for an unlawful credit rating in violation of Article 6(1) GDPR.

English Summary

Facts

This case is an appeal of a decision by the Norwegian DPA, in which the Norwegian DPA fined a company (the controller) about €12,000 (NOK 125,000) for conducting an unlawful credit rating in breach of Article 6(1) GDPR, and required them to implement a policy for conducting credit ratings per Article 24 GDPR.

The controller disagreed with the DPA on the first part of the decision, pertaining to the fine, and asked the supervisory authority to reconsider its position. After the DPA had reviewed the case again, they found no grounds to change their decision and so, as per Norwegian procedures, referred the case to the Privacy Appeals Board.

The unlawful credit rating was conducted by the company's managing director, who was in conflict with the data subject in an inheritance dispute. In their comments to the Privacy Appeals Board, the company's attorneys claimed that the managing director had to be seen as a 'third party' and that the credit rating was lawful because he pursued a legitimate interest.

Holding

The Privacy Appeals Board reviewed the case and agreed, first, with the DPA in that an acquiring company also acquires the prior (acquired) company's controller's responsibilities, even if the breach occurred before the company was acquired.

Next, they noted that the relevant lawful basis of the processing in question (the credit rating) is Article 6(1)(f) GDPR, legitimate interests, and that it is the company who has the agreement with the credit rating agency and, thus, a legitimate interest in obtaining credit rating information. The Privacy Appeals Board noted that it is obvious that the managing director obtained credit rating information for use in the private inheritance dispute and not for the company's legitimate interests. They also concluded that the case is not related to a "third party" as defined in Article 4(10) GDPR and that this claim builds upon an obvious misinterpretation of the legal text.

The Privacy Appeals Board held that the managing director's use of the company's credit rating services for personal reasons are in obvious violation of the law. Consequently, the controller lacked a legal basis for the processing, in violation of Article 6(1) GDPR.

The Privacy Appeals Board agreed with the DPA that the violation was severe and that a fine was justified. They noted that the purposes for the credit rating is completely outside of the company's operations, solely for the managing director's personal agenda and with his intent. An aggravating factor is the fact that the managing director is in charge of the company and its operations and that he had not either implemented sufficient technical and organisational measures to prevent such breaches to personal data protection.

In conclusion, the Privacy Appeals Board upheld the DPA's decision in fining the company about €12,000 (NOK 125,000. They also noted that the level of the fine was not (at all) too high, as argued by the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision of the Privacy Board 21 June 2022 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin, Malin Tønseth)
The case concerns an appeal from X AS against the Data Inspectorate's decision of 21 September 2021 on the imposition of an infringement fee of NOK 125,000 for having carried out a credit assessment without a legal basis.
Background to the case
A received a copy of the letter from the credit information agency Experian AS stating that X AS had carried out a credit assessment of her on 27 August 2019.
A wrote to the Norwegian Data Protection Authority on 18 September 2019 and reported what she perceived as an illegal credit check from X AS. She stated that she has never had any business relationship with X AS.
The Data Inspectorate wrote to X AS and asked for a statement. The general manager of X AS, B, explained in a letter on 29 April 2020 that he carried out the credit check of A in connection with a private inheritance dispute. B is the son of A's deceased husband and there is a dispute about the inheritance settlement after him. B did a credit check of A to see if she would be able to get a loan to take over the house, as she wishes. He used the company's subscription to credit information services in that connection.
The Data Inspectorate notified 21 December 2020 X AS, org.nr. […], On orders to establish internal control and routines for credit assessment, as well as the imposition of an infringement fee of NOK 175,000 for obtaining credit information without a legal basis and for non-compliance with the liability principle, cf. No. 2.
X AS issued its statement on the notification on 11 January 2021, and had, among other things, objections to the basis and size of the notified infringement fee.
The Norwegian Data Protection Authority made the following decision on 21 September 2021:
«1. Pursuant to the Privacy Ordinance, Article 58 no. 2, letter i, we impose [X AS, org.nr. …], An infringement fee to the Treasury of NOK 125,000 for having obtained credit information without a legal basis, cf. the Privacy Ordinance Article 6 no. 1.
2. Pursuant to the Privacy Ordinance art. 58 no. 2 letter d, X AS is ordered to prepare written routines for credit assessment, cf. Article 24 of the Privacy Ordinance, as the company did not have this at the time of the inspection. "
X AS appealed in a timely manner on item 1 of the decision (imposition of a fee) on 4 October 2021. The company submitted additional comments to the appeal on 15 October 2021. The company has complied with the order in item 2 of the decision by sending it to the Data Inspectorate on 6 January 2022.
The Norwegian Data Protection Authority assessed the complaint, but found no basis for changing its decision. The case was sent to the Privacy Board on 4 February 2022. The parties were informed of the case in a letter from the board on 7 February 2022 and were given the opportunity to comment. Neither party has commented.
The case was discussed at the board's meeting on 20 June 2022. The privacy committee had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin and Malin Tønseth. Secretariat leader Anette Klem Funderud was also present.
The Data Inspectorate's assessment in outline
Responsible for processing
The credit assessment was carried out by the general manager of X AS via the company's access to the credit information company Experian. It is therefore X AS that is responsible for processing the credit assessment, cf. the Privacy Board's decisions in PVN-2017-02 and PVN-2020-21 which support the Authority's placement of processing responsibility.
After the credit assessment was completed, the company has merged with another company.
The Data Inspectorate assumes that the acquiring company (X AS, corporate identity number […]) has taken over the transferring company's (X AS, corporate identity number […])'s assets, rights and obligations, including the transferring company's processing responsibility. for the processing of personal data in the company. X AS, org.nr. […], Is thus responsible for processing the transferring company's credit rating of A and the decision on the order and infringement fee is directed at X AS, org.nr. […].
Processing basis for obtaining credit information
The relevant processing basis for X AS 'collection of credit information about A is the Privacy Ordinance Article 6 No. 1 letter f (necessary for purposes related to the legitimate interests pursued by the data controller or a third party).
The Norwegian Data Protection Authority then assesses whether the conditions in Article 6, paragraph 1, letter f, are met, and assumes that X AS does not have a legitimate interest in obtaining A's credit information. The legitimate interest must be justified by the company's objective needs and interest. When the requirement of "legitimate interest" is not met, the collection will not be "necessary" either. The credit assessment was carried out on the basis of a private inheritance dispute between the general manager and A. The Authority points out that there is no customer relationship between the company and A. X AS is engaged in the processing of metal and plastic materials and the acquisition is not objectively justified in the business, but has happened for a purpose completely outside the company's operations. A had no expectation that the company would process her credit information, and it was not foreseeable for her at the time of collection, cf. the ordinance's point 47. purpose was obviously in violation of the law.
X AS cannot be heard in its allegation that the company assessed the credit on behalf of a third party and its legitimate interest. The audit points out that the company has stated that the general manager is both the company, at the same time as they state that the general manager is a third party on whose behalf the company has assessed credit.
The Data Inspectorate concludes that X AS did not have a legal basis in Article 6 no. 1 letter f to obtain A's credit information.
Infringement fee
The Data Inspectorate assumes that the credit assessment, which was carried out by the general manager on behalf of the company, was a deliberate and willful act and that the claim for guilt (general negligence) has been met, cf. HR-2021-797A. Ignorance of the rules is not excusable, cf. the Penal Code § 26.
When assessing whether a fee should be charged and when measuring, the Data Inspectorate has taken into account the elements in the Privacy Ordinance, Article 83, paragraph 2, letters a to k.
The Data Inspectorate came to the conclusion that X AS should be fined a certain amount. The company did not have a processing basis for obtaining the credit information (the principle of legality), and lacked technical and organizational measures for compliance with the privacy regulations (the principle of liability). The Authority points out that credit information is a type of personal information that is particularly worthy of protection due to the private nature of the information, and that the illegal collection cannot be reversed, the damage has already occurred. The Privacy Ordinance presupposes that compliance with the regulations is particularly anchored in the management of a company, cf. Article 5 no. 2. With reference to PVN-2020-21, the Authority therefore assumes that the violation is serious.
The fact that X AS has contributed to the information in the case by responding to the Data Inspectorate's requirements for a report, cannot be given weight in a mitigating direction when determining the fee. It appears directly from Article 58 no. 1 that the Data Inspectorate has the authority to order a data controller to provide all the information it needs to be able to perform its tasks. The same is based on the Privacy Council's (EDBP) guidelines for determining and measuring infringement fines.
In advance notice pursuant to section 16 of the Public Administration Act, the Data Inspectorate notified a fee of NOK 175,000 for the violation in question. The audit referred to PVN-2020-21 where the tribunal stated that an infringement fee of NOK 150,000 for an illegal credit assessment of a sole proprietorship "in any case is not too high". With reference to the Privacy Board's practice, the Data Inspectorate reduced the fee to NOK 125,000 due to long case processing time. It had then been approx. 10 months since the audit notified X AS of the fee and one and a half years since the audit contacted X AS for the first time with a request to explain the case.
In making the assessment, the Authority emphasized the company's finances, the personal data that are affected and that the violations were committed by the general manager, cf. Article 83 no. 000 kroner, an annual profit of 3,191 000 kroner, and that the company is registered with very good solvency.
The Data Inspectorate considered, after a discretionary overall assessment, that a fee of NOK 125,000 would be sufficiently effective, be in a reasonable proportion to the violation and act as a deterrent, cf. the Privacy Ordinance, Article 83 no. 1.
X AS 'view of the case in brief
Collection of credit information
It was the company's general manager (B) who conducted a credit search on A using the credit search service Experian. X AS had then already committed itself in accordance with the Personal Data Act in the contract with Experian AS, which states that credit checks can only take place for "objective reasons", cf. the Personal Data Regulations § 4-3. This was the general manager aware of. Only the general manager has access to the credit search service.
The credit search carried out by the general manager was lawful, in line with the balance test and the terms of the Act, cf. the Privacy Ordinance, Article 6, No. 1, letter f.
It is clear from the wording that limiting the assessment exclusively to the "person responsible for processing" is not a sufficient assessment. The Norwegian Data Protection Authority has not made a sufficient assessment of the "third party" in Article 6, paragraph 1, letter f. It is necessary to assess more broadly in order to establish a violation of letter f. . Article 6 contains several independent (non-cumulative) legal bases.
In this case, there was a) legitimate interest, it was b) necessary to pursue this interest and c) the data subject's rights did not take precedence. The law does not preclude extradition to third parties, in this case the general manager himself. A third party pursued a legitimate interest in a lawsuit with the data subject when he used the company's credit search service. A third party was legally allowed to request a credit check. This indicates that no fee should be charged.
Wessel-Aas / Ødegård, Privacy - publication and processing of personal data (2018), page 152 et seq. pursue a legitimate interest.
The state is obliged to make a specific assessment, cf. the European Court of Justice's decision in the Beyer judgment, C-582/14 premise 62. Furthermore, reference is made to PVN-2017-02 with a similar case, but where the person in question lacked a legitimate purpose.
The Data Inspectorate has referred to the data subject's expectations and only reproduced point 47, without applying it to the facts of the case. There is one owner and a general manager who make up the management of the same company. The data subject was well aware of the link between the company and the person, which is documented via the review she submitted. It is therefore proven that this was not the case that the data subject misunderstood or could misunderstand. The fact in PVN-2020-21, to which the Authority refers, differs from the present case and is therefore not directly relevant.
Response determination - infringement fine
In the alternative, it is stated that the reaction is too severe. The fee is not in reasonable proportion to the nature of the infringement.
In any calculation of the fee, special emphasis must be placed on:
The advance warning from the Data Inspectorate was a charge in the ECHR's sense, cf. Ot. prp. 62L (2015-2016). An open and full collaboration should have a conciliatory effect, cf. Penal Code § 78 letter f.
The company accepts an order to improve routines and does not appeal it. The audit has thus already had an effect.
The violation applies to a single credit check of only one natural person.
No lasting character.
It took place in connection with an ordinary and basically completely legitimate credit check of a person / counterparty in a lawsuit.
There is no intent, in the sense of not an intentional violation of the Privacy Policy.
The credit check was not the result of either curiosity or binocular mentality but had a completely legitimate explanation.
The credit check has not caused any demonstrable financial loss for the person in question.
In the event of a conviction, the violation has the character of being a person's incorrect assessment of the legal basis and the fact that the contracts entered into provided sufficient guidance. The person does not have this as a specific field even if he leads the company.
The company has not violated the privacy rules before.
Neither the company nor the private individual obtained any financial benefits as a result of the search.
The company understands why the audit takes the matter seriously. Something similar will not happen again.
A view of the matter in brief
She feels harassed by B who has assessed her credit personally.
She has never had anything to do with X AS as a private person.
The credit rating must be considered snooping and revenge, as she and B are in an inheritance dispute. They live in a small village. Now the gossip will go about her low income. This has hit her hard.
The Privacy Board's assessment
The case concerns the question of whether X AS had a legal basis for assessing credit A. If the credit assessment was illegal, whether an infringement fee shall be imposed pursuant to Article 83 no. 5, cf. Article 83 no. 2, and if a fee shall be imposed, how large the fee must be.
In its appeal on 4 October 2021, X AS requested a suspensive effect of the decision.
It follows from the Personal Data Act § 27 first paragraph that the fulfillment deadline for a decision on infringement fees is four weeks from the decision is final. The provision differs from the Public Administration Act § 44 fifth paragraph which links the fulfillment deadline for infringement fees to when the decision was made, cf. Prop. 56 LS (2017-2018) chapter 38. There is therefore no need to assess questions of suspensive effect.
Responsible for processing
The relevant credit assessment was carried out by the general manager of X AS via the company's agreement with and access to the credit information company Experian. It is the company that is responsible for the processing of personal data obtained via the credit information company, cf. the Privacy Ordinance Article 4 No. 7 and which is responsible for the processing of personal data in a lawful manner, cf. Article 5 No. 1 letter a and No. 2. Corresponding location of treatment responsibility is based on PVN-2017-02 and PVN-2020-21.
The credit assessment was carried out before the company merged with another company. The Tribunal agrees with the Data Inspectorate's assessment that the acquiring company (X AS, corporate identity number […]) has taken over the transferring company's (X AS, corporate identity number […]) obligations, including the processing responsibility for the processing of personal data in the transferring company, cf. the Companies Act § 13-2.
Processing basis for obtaining credit information
Collection of credit information about persons is a processing of personal data that must have a legal basis to be legal, cf. the Privacy Ordinance Article 6 no. 1. The Privacy Ordinance Article 6 no. . The relevant processing basis for obtaining credit information in this case is Article 6, paragraph 1, letter f.
Basis for processing pursuant to the Privacy Ordinance Article 6 No. 1 letter f requires that three cumulative conditions are met. First, there must be a legitimate interest, usually with the controller, possibly with a third party. In assessing whether there is a legitimate interest, consideration shall be given to whether the data subject can reasonably expect that the personal data will be used for the purpose in question, etc. cf. point 47 of the ordinance, which states, among other things:
«[…] It can e.g. there is such a legitimate interest when there is a relevant and appropriate relationship between the registered person and the data controller, e.g. if the data subject is a customer of the data controller or in his or her service. A legitimate interest in all cases requires a careful assessment, including whether a data subject at the time of and in connection with the collection of personal data can reasonably expect that these will be processed for the said purpose […]. "
Under Article 6 (1) (f), there is a requirement that the processing of personal data is necessary "for purposes related to the legitimate interests", and thirdly, a balance of interests must be struck between the data subject's interest in privacy on the one hand and the legitimate interest of the data controller / third party in processing the personal data of the other.
The law's requirement that the processing (collection of credit information) must be necessary for purposes related to the data controller's legitimate interest, means that the interest safeguarded by the data controller must be legal and effectively justified.
It also follows from the transitional rules on the processing of personal data § 4 that regulations of 15 December 2000 no. 1265 on the processing of personal data chapter 4 on credit information activities still apply (replaced by the new Credit Information Act-2019-12-20-109 1 July 2022). It follows from section 4-3 of the regulations that credit information can only be given to those who have a factual need for it.
The company X AS has an agreement with the credit information company Experian AS on online access to credit information about companies and persons X AS has a factual need to obtain credit information about. X AS is engaged in the processing of metal and plastic materials and has no customer relationship with A. It is obvious that the general manager's collection of credit information about A for use in a private inheritance dispute is not objectively justified in the company's activities. The tribunal has based similar considerations on PVN-2017-02 and PVN-2020-21.
X AS is not allowed to use its online access to the credit information company Experian AS to obtain credit information about A on the basis of the general manager's private inheritance dispute. As general manager, B is identified with the company that is responsible for processing and the case does not raise an issue related to third party interest, cf. Article 4 no. 10. That the company claims to have access based on third party interest is based on an obvious misunderstanding of the rules.
The general manager's use of the service from Experian AS for private purposes is obviously in violation of the law. Whether A understood who in X AS had obtained information about her and why, is completely irrelevant.
The tribunal agrees with the Norwegian Data Protection Authority that the credit assessment entails a violation of A's privacy rights. The tribunal agrees with the Authority's assessment and concludes in the same way as the Authority that there was no legal basis for assessing credit A.
When the company has no objective need to obtain the credit information, it also has no justified interest in the processing, cf. Article 6 no. 1 letter f. It is then not necessary for the tribunal to assess the other conditions of the provision, as all conditions must be met. to satisfy the law's requirements for treatment basis.
In the event of a breach of the Privacy Ordinance, the Data Inspectorate may decide on corrective measures pursuant to Article 58 (2). of the decision is not appealed.
In addition, the Data Inspectorate has imposed an infringement fee in accordance with Article 58, paragraph 2, letter i, cf. Article 83. It is the imposition of an infringement fee that has been brought before the tribunal.
Imposition of infringement fine
Pursuant to Article 58 (2), letter i, cf. Article 83, the person responsible for processing may be charged an infringement fee. In assessing whether a fee is to be imposed and in determining the fee, the factors in Article 83 (2) (a) to (k) of the Privacy Regulation shall be taken into account in each individual case. It follows from Article 83 (1) that the supervisory authority shall ensure that the imposition of infringement fines is effective, is proportionate to the infringement and has a deterrent effect.
The tribunal agrees with the Danish Data Protection Agency that an infringement fee must be imposed. For its assessment, the tribunal has emphasized the following factors:
This is a serious violation of the Privacy Ordinance. The principle of legality in Article 5 (1) and the requirement for a basis for processing in Article 6 represent basic requirements for the processing of personal data. These are broken. Private individuals have an expectation that companies do not obtain credit information about them without this being justified in a legitimate interest in the company as a result of a real customer relationship. In this case, the collection of credit information has taken place for a purpose completely outside the company's business area and for the general manager's personal use outside the business. He has no doubt acted intentionally. An error about the rules of law is not excusable, cf. the principle in the Penal Code § 26.
The tribunal agrees with the Norwegian Data Protection Authority that it must be emphasized in an aggravating direction that the violation was committed by the general manager of the company, and that the company, under his daily management, had not implemented sufficient organizational measures to prevent such breaches of personal data security. It is stated that the company has now prepared routines which have been sent to the Norwegian Data Protection Authority. The allegations in this case nevertheless indicate that the company management has a long way to go to understand the rules.
Although the information obtained does not belong to the group of particular categories of information in Article 9, credit information about individuals represents information of a private nature that the individual may have reason to wish to remain private. This, too, is therefore a factor in an aggravating direction.
Article 83 (2) (f) states that emphasis shall be placed on the degree of cooperation with the supervisory authority in order to remedy the infringement and reduce its possible negative effects. The tribunal agrees with the Data Inspectorate's assessment that the company's report on the case to the Data Inspectorate cannot be given weight in a mitigating direction. Although the company has developed new routines for credit assessments to improve information security, in line with the Authority's order, it does not reduce the seriousness of the illegal information gathering. The data controller has a statutory duty to provide all the information the supervisory authority needs to perform its tasks, cf. the Privacy Ordinance Article 58 no. 1 and the Personal Data Act § 23.
With regard to measuring the size of the fee, the Data Inspectorate has in the decision pointed out that the company, according to publicly available documents in 2019, is registered with a turnover of NOK 20,158,000, and an annual profit of NOK 3,191,000. good solidity. The company has not provided the tribunal with information about the company's finances or changes in this.
After this, the company's finances are not a factor that indicates any reduction in the fee set by the Norwegian Data Protection Authority.
The Data Inspectorate originally assumed a fee of NOK 175,000, but reduced this to NOK 125,000 due to the long case processing time. The illegal information gathering took place in August 2019, the case was brought before the Data Inspectorate in September 2019 and notification of a decision was sent in December 2020. The final decision was not made until September 2021. After a timely appeal, the case was sent to the tribunal in January 2022. agrees with the Data Inspectorate that the long case processing time must be taken into account when determining the fee, cf. Article 83 no. 2 letter k.
The tribunal agrees with the Norwegian Data Protection Authority that the calculation of the fee must be based on the company's finances. The Data Inspectorate's starting point of NOK 175,000 is then at least not too high. The tribunal agrees that the long case processing time indicates a reduction in the fee.
The size of the infringement fee is then set at NOK 125,000 in line with the Data Inspectorate's decision.
X AS does not uphold the complaint.
Conclusion
The Data Inspectorate's decision to impose an infringement fee of NOK 125,000 on X AS is upheld.
The decision is unanimous.
Hamar, June 21, 2022
Mari Bø Haugstad
Manager