Personvernnemnda (Norway) - PVN-2023-08
| Personvernnemnda - PVN-2023-08 | |
|---|---|
 | |
| Court: | Personvernnemnda (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 77 GDPR |
| Decided: | |
| Published: | 10.10.2023 |
| Parties: | |
| National Case Number/Name: | PVN-2023-08 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | Norwegian |
| Original Source: | PVN-2023-08 (in Norwegian) |
| Initial Contributor: | sh |
The Norwegian Data Appeals Board (Personvernnemnda) upheld the DPA’s decision to not follow up a tip-off about an unlawful disclosure of personal data.
English Summary
Facts
Several organisations (all joint controllers) contacted the Norwegian National Archives to deposit client files. The client files contained personal data about clients, their family and relatives. No written agreement was entered into between the joint controllers and the National Archives. From December 2017 to January 2018 these controllers went bankrupt in quick succession. The same insolvency administrator was appointed for each controllers. The adminstrator visited to the National Archives in January 2018 to retrieve relevant documents.
The complainant, Mr A, in this case believed that there had been an illegal disclosure of personal data from the National Archives to the administrator. Mr A filed the complaint in his capacity as one of the controller’s former chairman, and as a notification from him personally.
Following receipt of the complaint, the Norwegian DPA focused on two main elements. First, it concluded that the National Archives should be considered a data processor. The DPA pointed out that the lack of a written agreement between the data controller and the data processor represented a breach of Article 28(3) of the GDPR. The Data Protection Authority found it sufficient to point out the breach, without imposing any sanctions on the data controller's or the data processor. Second, with specific regard to what had been raised by the complainant, namely the disclosure of archive material from the Norwegian National Archives to the administrator, the DPA found it unlikely that such disclosures ever happened.
On December 9 2022 the Norwegian DPA decided not to follow up on the notification received from Mr A about unlawful disclosure of personal data from the Norwegian National Archives (data processor).
Holding
The Appeals Board upheld the DPA’s decision.
The Board stated that the notification cannot be considered a complaint under Article 77 of the GDPR. Given that Mr A’s data was not included in the archives, he is not complaining as a data subject. The Board therefore, considers the complaint to be a tip-off. For such a notification it is left to the discretion of the DPA as to whether to open a case or not against the controller. Moreover, even if the DPA would choose to open a case, it would be the data controller, or the data processor who would be considered a party and not the notifier (Mr A).
The Data Inspectorate's decision to open a supervisory case or not is not an individual decision that determines someone's rights or obligations under the Norwegian Public Administration Act. It is therefore also not a decision that gives a right of appeal. The DPA's decision not to follow up the notification further does not constitute an individual decision that can be appealed, and the complaint by Mr A to the Board was dismissed.
While not relevant to the case, the Board went further to establish the discretionary rights of the DPA. Not all inquiries alleging unlawful processing of someone's personal data entail an obligation for the DPA to process the case pursuant to Article 77. It follows from Article 57(1)(a) GDPR that the Data Protection Authority shall, "supervise and enforce the application of this Regulation". The Data Protection Authority's duty to investigate under the Regulation applies "to the extent appropriate", cf. Article 57(1)(f). This means that the Authority has some discretion to assess whether it is necessary to conduct further investigations in each individual case and which investigations are appropriate.
Comment
At the end, this case follows similar logic to a UK Court case (Court Of Appeal (Civil Division) - 2023 EWCA Civ 1141). In that case, the court decided that the DPA is not obligated to reach a decision on every complaint in light of Art 57(1)(f) UK GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The Norwegian Privacy Board's decision on 10 October 2023 (Mari Bø Haugstad, Gunn Elin Lode, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Malin Tønseth) The case concerns a complaint from A about the Norwegian Data Protection Authority's decision on 9 December 2022 not to follow up on a received notification about illegal disclosure of personal data from the National Archives as data processor. Background of the case The Romani People's/Taters Cultural Foundation (the Foundation) was established in 2004 as a financial support scheme to promote the preservation and development of the Romani people's/Taters' culture, language and history. The foundation established the Guidance Service in 2012. The Guidance Service provided legal aid and legal guidance to people who applied for legal remuneration from the state. The guidance service was transferred from the Foundation to the Romani Folkets/Taters Center (the Center) in 2014. The guidance service was then completely separated as a separate organization on 23 August 2017. In November 2017, the Ministry of Municipal Modernization rejected an application from the Guidance Service for funding. The guidance service then contacted the National Archives to deposit (not hand over) client folders. The client folders contained personal information about the clients and their family and relatives. The guidance service deposited documents with the National Archives from January 2018. The Foundation (the Foundation of the Romani People's/Taters' Culture Fund) and the Center (the Center for the Romani People's/Taters' Center) also deposited documents with the National Archives. No written agreement was entered into between the data controllers and the National Archives. In December 2017, the Center went bankrupt, and in January 2018 the Foundation went bankrupt. The same trustee was appointed for both estates. In connection with the estate processing, a representative of the estate manager was sent to the National Archives in January 2018 to collect relevant documents. The complainant in this case believes that there has been an illegal release of personal data from the Norwegian Archives to the trustee's representative. The Danish Data Protection Authority has previously, following a request from the Guidance Service on behalf of a registered person, carried out investigations related to the Swedish Archives' processing of information deposited with the Swedish Archives from the Guidance Service. The Danish Data Protection Authority concluded in a decision on 7 December 2022 that the Swedish Archives was to be considered a data processor for the Guidance Service when the Guidance Service deposited archive material with the Swedish Archives. The Norwegian Data Protection Authority pointed out that the lack of a written agreement between the data controller and the data processor represented a breach of the Personal Protection Regulation Article 28 no. 3. The Norwegian Data Protection Authority found it sufficient to point out the breach, without imposing any reaction on the data controller or the data processor. When it came to the handing over of archival material from the National Archives to trustees when the Foundation and the Center went bankrupt, the Norwegian Data Protection Authority did not find it probable that the client files belonging to the Guidance Service had been handed over. This part of the decision was appealed to the Personal Protection Board by the data subject. The Privacy Board upheld the Data Protection Authority's decision (PVN-2023-07). On 28 January 2022, the Norwegian Data Protection Authority received a "Notice of a serious breach of the Personal Data Act - Archives". The notice came from the Foundation for the Romani People's/Taters' Culture Fund c/o the Guidance Service and was signed by A. The notice dealt with the illegal release of the Foundation's archive from the National Archives to the Foundation's administrator for the bankruptcy estate in January 2018. After the Norwegian Data Protection Authority made a decision on 7 December 2022 in the case concerning the Guidance Service's client files and the National Archives (see above), the Norwegian Data Protection Authority also closed this case on 9 December 2022. The Norwegian Data Protection Authority assumed that the cases were comparable and did not find it appropriate to carry out further investigations in the complaint from the Foundation/A. On 4 January 2022, A called for the status of the case he had notified about (illegal release of sensitive personal data from the archive of the Stiftelsen romanifolket/taters culture fund). He emphasized in the inquiry that his notice was both sent by him as former chairman of the board of the Stiftelsen Romanifolket/Taters culture fund, and as a notice from him personally. The Norwegian Data Protection Authority forwarded the case to the Personal Data Protection Board on 19 April 2023. It appears in the letter of transmission that the Norwegian Data Protection Authority maintains its decision not to take the complaint into consideration. The Authority regards that decision as a single decision that can be appealed, but also points out that the notice from A is not to be considered a complaint under the Personal Protection Regulation Article 77 which the Norwegian Data Protection Authority is obliged to process. In a letter to the tribunal on 27 April 2023, the Norwegian Data Protection Authority writes, after a new assessment, that there is no complaint from a registered person and that it is up to the Norwegian Data Protection Authority to assess how the Norwegian Data Protection Authority processes a notification received. Such a decision is not a single decision and cannot be appealed. The inspectorate asks the tribunal to consider rejecting the case. The guidance service for Romani people/Tatars has received a copy of the letter. The guidance service for the Romani people/Taters v/ A was informed about the case in a letter from the tribunal on 2 May 2023, and was given the opportunity to make comments. The tribunal has not received any comments. The case was dealt with at the board's meeting on 10 October 2023. The privacy board had the following composition: Mari Bø Haugstad (chair), Gunn Elin Lode, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin and Malin Tønseth. Secretariat manager Anette Klem Funderud was also present. The Norwegian Privacy Board's assessment It follows from Article 77 of the Personal Data Protection Regulation that any data subject shall have the right to complain to a supervisory authority if the data subject considers that the processing of personal data concerning him/her is in breach of the Data Protection Regulation. In this case, the complaint to the Norwegian Data Protection Authority has been sent by A. According to A, he is making the complaint both on behalf of the Stiftelsen Romanifolkets/Taters kulturfond (which has been discontinued and deleted from the unit register) and personally. There is, however, no specific information in the complaint about which information about A personally was included in the Foundation's archive material and which of these he believes was illegally handed over to the trustees. It is therefore not natural to understand the submitted notification as a complaint from a registered person, but rather as a tip to the Norwegian Data Protection Authority that there has been a breach of the Personal Data Act. Such a notification may result in the Norwegian Data Protection Authority opening a supervisory case and requesting an explanation from the data controller, or it may end with the Norwegian Data Protection Authority dropping the case. If the supervisory authority opens a supervisory case and makes an order, it will be the data controller, possibly the data processor who has processed information on behalf of the data controller, who is to be considered a party, not the whistleblower. The Norwegian Data Protection Authority's decision to open a supervisory case or not is not a single decision that is decisive for someone's rights or duties, cf. Norwegian Public Administration Act section 2 first paragraph letter b. It is therefore not a decision that gives the right to appeal either. Based on the information available in this case, it is most likely to see the complaint from A as a notice of illegal processing of personal data from the Foundation's archive deposited with the National Archives. The Norwegian Data Protection Authority's decision not to follow up the notice further does not constitute an individual decision that can be appealed, and the appeal to the tribunal must be rejected. Although it is not of importance for the tribunal's decision in this case, the tribunal will point out that not all inquiries with allegations of illegal processing of someone's personal data entail an obligation for the Norwegian Data Protection Authority to process the case in accordance with Article 77. It follows from the Personal Protection Regulation Article 57 no. 1 letter a that the Norwegian Data Protection Authority must, among other things, "supervise and enforce the application of this regulation". The Danish Data Protection Authority's duty to investigate under the regulation applies "to the extent that it is appropriate", cf. Article 57 no. 1 letter f. This means that the Danish Data Protection Authority itself has the authority to some extent to assess whether it is necessary to carry out further investigations in the individual case and which investigations are appropriate. In particular, it must apply to alleged breaches of the Personal Data Act that date back, have been terminated (not ongoing) and where the data controller (in this case the Foundation) has been dissolved and deleted from the unit register and no longer has a legal representative. If an investigation in this case were to reveal an illegal processing of personal data, the right to impose a violation fee would be out of date according to Section 28 of the Personal Data Act. If there has been illegal processing of personal data at the National Archives as a data processor, it would also be natural to involve the controller and his responsibility for the creation and arrangement of the archive. When the foundation has ceased to exist and no longer has a legal representative, this becomes impossible. In such a case, the complainant will, in the tribunal's assessment, not have a current interest in having his complaint processed. The complaint has not been successful. The decision is unanimous. Conclusion The appeal is rejected. Oslo, 10 October 2023 Mari Bø Haugstad Manager
