An interesting case occurred before a while in Norway, when the authority competent for personal data protection was subject to complaint for infringement of the EU General Data Protection Regulation 2016/679 (“GDPR”).
Complaint
According to the complaint, which was decided by the third, i.e., impartial body, upon the decision of the competent ministry, the infringement of GDPR provisions was perpetrated in relation to the manner of keeping, i.e., administering of the website of the respective authority, in terms of the following GDPR articles:
- Article 6(1), since in this particular case the competent authority based personal data processing – in relation to visits and searches on the subject website – on Article 6(1)(f) of GDPR, under which the processing is necessary for the purposes of legitimate interests pursued by a controller or by a third party, whereas second paragraph of Article 6(1) explicitly stipulates that the basis of processing established by 6(1)(f) of GDPR shall not apply to processing carried out by public authorities in performance of their tasks;
- Article 13(1)(d), since the privacy notice contained on the said website did not specify the previously mentioned legitimate interest;
- Article 5(1)(b), given that there was no appropriate notice on the purpose of the processing concerned;
- Article 57(2), as the responsible authority disabled the electronic submission of complaints, and made the process of finding the information about possible ways of complaint submission unnecessarily complicated; and
- Article 77, for the reason that the responsible authority requested from complainants to refer to a controller regarding an infringement of personal data prior to addressing to the said authority.
Decision
In accordance with the decision enacted in the stated procedure, it was established that the competent authority infringed the above stated provisions of Article 13(1)(d) and 77 of GDPR, since:
- It failed to specify legitimate interest under which the processing is necessary; and
- It requested from complainants to refer to a controller of personal data in relation to their complaints for personal data violation prior to addressing to the authority.
As regards other statements of the complaint, i.e., infringement of other provisions of GDPR that it refers to, no liability of the competent authority was established.
Since the specification of the legitimate interest was done during the very procedure, and thus partially aligned operations of the authority with relevant GDPR provisions, the party deciding upon the complaint established that it expected other irregularities to be eliminated by undertaking of appropriate measures as well.
Finally, it is important to note the part of the rationale of the subject decision, pursuant to which “(…) the only personal data used upon the stated processing is IP address, which is considered anonymous information, available only to few persons, wherefore the risk in this sense is minimal to the extent in which it enables the prevailing of legitimate interest of processor over the rights and freedoms of data subjects“.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.
By Lara Maksimovic, Senior Associate, PR Legal
