Mowi ASA – Violation Found (Norway, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Data Protection Authority found that Mowi ASA failed to provide a shareholder with necessary information about his personal data processing. The company did not respond adequately to the shareholder's access request, which is a violation of data protection laws. This ruling stresses the need for companies to communicate clearly with individuals about their data.
What happened
Mowi ASA did not respond properly to a shareholder's request for information about his personal data processing.
Who was affected
A shareholder of Mowi ASA who sought information about how his personal data was being used.
What the authority found
The Data Protection Authority ruled that Mowi ASA violated data protection laws by not providing the required information and having a misleading privacy policy.
Why this matters
This ruling highlights the importance of clear communication and transparency in data processing, urging companies to improve their privacy practices.
GDPR Articles Cited
National Law Articles
In April 2021, a data subject in Germany owning shares in the company Mowi ASA (controller) was notified by his bank that the controller had requested his personal data. After two unsuccessful attempts at getting information about this processing from the controller, the data subject lodged a complaint with the Norwegian DPA Datatilsynet, which initiated an investigation and contacted the controller.

The controller acknowledged that it had not responded to the data subject's access request because the emails had ended up in the spam filter. It also confirmed that it did not provide information on the processing in question, either directly to shareholders or in its privacy policy, but claimed it relied on the exceptions set out in Article 14(5)(a) and Article 14(5)(c) GDPR.

The DPA rejected the controller's view, reasoning that the exceptions in Article 14(5) GDPR should be interpreted and applied narrowly and that it is not sufficient to "assume" that a data subject has received the information required under Article 14 GDPR, as the controller did in this case. In addition, the DPA found the controller's privacy policy to be incomplete and misleading. The controller did not raise any arguments to contest the DPA's conclusions and informed the DPA that it was in the process of updating its privacy policy, internal documentation and routines.

The DPA held that the controller had violated Article 14 GDPR and ordered it to take measures to ensure that data subjects, including shareholders whose personal data are processed pursuant to the Norwegian Public Limited Liability Companies Act (https://lovdata.no/dokument/NL/lov/1997-06-13-45), are provided with all of the information required by Article 14 GDPR, including by amending its privacy policy as necessary. The controller was also ordered to inform the DPA about the measures taken within four weeks.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Violations (1)
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Mowi ASA in NO
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Mowi ASA - Norway (2022). Retrieved from cookiefines.eu