GDPR decisions – January 2021

Holst, Advokater

Norwegian company fined EUR 95,000 for insufficient basis for processing

Innovation Norway carried out four credit ratings of a one-man business, which the owner of the business complained about to the Norwegian data protection authority. The credit ratings were made over a 3-month period. Innovation Norway was not able to identify any customer relation or connection to the owner or his business justifying said credit ratings, and therefore the Norwegian DPA decided that there was no basis for processing. The DPA issued a fine amounting to approx. EUR 95,000 (NOK 1 million).

Credit ratings are the result of a collection of personal data from many sources showing a figure indicating the probability of a person or a one-man business paying a claim. Hence, a credit rating will also show details of the financial situation of a business, such as payment remarks, charges and debt ratio.

Credit ratings of a one-man business should also be considered personal data, since the owner is directly identified with the business and the ratings are therefore directly linked to the owner’s personal finances. This means that carrying out credit ratings of a one-man business is personal data processing, which is why there must be a basis for processing.

Read the whole decision here (in Norwegian):—innovasjon-norge.pdf

Fine of EUR 10.4 million issued for illegal TV monitoring of employees

The German data protection agency of Lower Saxony (“LfD Niedersachsen”) has imposed a fine of EUR 10.4 million on an electronics distributor.

The company had video monitored its employees for at least two years without having any lawful basis for doing so. Among other things, the cameras had recorded workplaces, sales areas, storerooms and free spaces.

The company argued that the purpose of the installed cameras was to prevent and investigate criminal acts and to trace the flow of goods in the storerooms. LfD Niedersachsen, however, was of the opinion that the company should have used less severe ways of preventing theft, e.g. bag checks when employees left the company premises. LfD Niedersachsen stated that video monitoring for revealing criminal acts is only legal if there are grounds for reasonable suspicion against certain individuals; if this is the case, it can be permitted to monitor such individuals with cameras for a limited time. However, at the company the video monitoring was neither limited, nor for a limited time, nor aimed at particular individuals. Furthermore, in many cases the recordings were saved for 60 days, which is a lot longer than what LfD Niedersachsen found necessary.

So far, the fine against the company is the highest fine issued by LfD Niedersachsen under the GDPR.

Please see the whole press release here (in German):


Fine for transferring bank clients’ personal data within the banking group

The Spanish data protection agency (“AEPD”) has imposed a EUR 6 million fine on Caixabank S.A. for violating articles 6, 13 and 14 of the GDPR.

The bank’s clients were to accept new personal data policies allowing the bank (the data controller) to transfer the clients’ personal data to all businesses within the Caixabank group. The clients (the data subjects) were not given the option of specifically not consenting to such transfer. If they disagreed with the transfer of their data, they were to complain to each business of the group.

AEPD concluded that the bank had violated its obligation to provide information as set out in articles 13 and 14 of the GDPR, since the information that was given to the clients according to the GDPR was not consistent, contained imprecise terminology and did not provide adequate information about the type of personal data being processed, nor the type of processing. Furthermore, there was no information about the data subjects’ rights, nor a consistent way of informing about the data controller’s contact details.

Hence, the bank had processed its clients’ data beyond what it had authority to do in relation to legitimate interests, and the consents obtained did not comply with the requirements for a valid personal data consent. AEPD consequently concluded that the data were illegally transferred to businesses of the Caixabank group, which constituted a violation of article 6 of the GDPR.

Read the whole decision here (in Spanish).

Norwegian DPA imposes a EUR 38,600 fine on retail operation Coop Finnmark SA

In April 2019, the Norwegian data protection agency received a notification from Coop Finnmark SA about a data breach. With a mobile phone, a shop manager had recorded a screen showing recordings from a camera in the shop. The video showed two or three boys aged 15 or 16 years stealing goods from the shop. The video did not disclose the faces of the individuals; however, it was possible to see and tell the boys apart by looking at their clothes, hair and shoes.

The shop manager sent the recording from his phone to someone he assumed was the mother of one of the boys. He asked the recipient whether the person in the picture was her son. The woman replied in the negative and subsequently sent the video on to her son. Her son then shared the video, and at some point the video reached the boys in the video. Later, the video was handed over to the police.

After the incident, the shop manager contacted the company’s HR manager, and an in-house report was made from which it appeared that the shop manager had approached both parties and apologised for the incident. He also requested that the video be deleted from all devices.

The DPA found that Coop Finnmark SA did not have any legal basis for sharing the video and also took into account the fact that the case was extremely serious, since the recordings showed children, who according to the GDPR require extra protection.

Read the whole decision here (in Norwegian).


Henrik Christian Strand, Associated Partner
M, +45 3010 2186

Pernille Kristensen, Attorney
M, +45 3010 2224

