|Personvernnemnda (Norway) - 2022-03 (20/02375)|
|Relevant Law:|Article 5(2) GDPR, Article 6(1)(f) GDPR, Article 24 GDPR|
|National Case Number/Name:|2022-03 (20/02375)|
|European Case Law Identifier:||
|Appeal from:|Datatilsynet (Norway)|
|Original Source:|Personvernnemnda (Privacy Appeals Board) (in Norwegian)|
|Initial Contributor:|Rie Aleksandra Walle|
The Norwegian Privacy Appeals Board agreed that an acquiring company assumes the prior controller's responsibility and upheld the DPA's decision to fine them about €12,000 for an unlawful credit rating in violation of Article 6(1) GDPR.
English Summary
Facts
This case is an appeal of a decision by the Norwegian DPA, in which the Norwegian DPA fined a company (the controller) about €12,000 (NOK 125,000) for conducting an unlawful credit rating in breach of Article 6(1) GDPR, and required them to implement a policy for conducting credit ratings per Article 24 GDPR.
The controller disagreed with the DPA on the first part of the decision, pertaining to the fine, and asked the supervisory authority to reconsider its position. After the DPA had reviewed the case again, they found no grounds to change their decision and so, as per Norwegian procedures, referred the case to the Privacy Appeals Board.
The unlawful credit rating was conducted by the company's managing director, who was in conflict with the data subject in an inheritance dispute. In their comments to the Privacy Appeals Board, the company's attorneys claimed that the managing director had to be seen as a 'third party' and that the credit rating was lawful because he pursued a legitimate interest.
Holding
The Privacy Appeals Board reviewed the case and agreed, first, with the DPA that an acquiring company also acquires the controller's responsibilities of the prior (acquired) company, even if the breach occurred before the company was acquired.
Next, they noted that the relevant lawful basis for the processing in question (the credit rating) is Article 6(1)(f) GDPR, legitimate interests, and that it is the company that has the agreement with the credit rating agency and, thus, a legitimate interest in obtaining credit rating information. The Privacy Appeals Board noted that it is obvious that the managing director obtained credit rating information for use in the private inheritance dispute and not for the company's legitimate interests. They also concluded that the case does not involve a "third party" as defined in Article 4(10) GDPR and that this claim builds upon an obvious misinterpretation of the legal text.
The Privacy Appeals Board held that the managing director's use of the company's credit rating services for personal reasons is in obvious violation of the law. Consequently, the controller lacked a legal basis for the processing, in violation of Article 6(1) GDPR.
The Privacy Appeals Board agreed with the DPA that the violation was severe and that a fine was justified. They noted that the purpose of the credit rating was completely outside the company's operations, serving solely the managing director's personal agenda and carried out with his intent. An aggravating factor is the fact that the managing director is in charge of the company and its operations, and that he had not implemented sufficient technical and organisational measures to prevent such breaches of personal data protection either.
In conclusion, the Privacy Appeals Board upheld the DPA's decision to fine the company about €12,000 (NOK 125,000). They also noted that the level of the fine was not (at all) too high, as argued by the controller.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.