Stavanger Arbeiderparti – Complaint Upheld (Norway, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Norwegian Data Protection Authority upheld a complaint against Stavanger Arbeiderparti for using email addresses from parents without proper justification. This matters because it shows that even if data is obtained legally, it must be used appropriately. The authority found that the party did not have a valid reason for processing the data.
What happened
Stavanger Arbeiderparti used email addresses of parents for political advertising without a valid legal basis.
Who was affected
Parents of children in kindergartens who received unsolicited emails from Stavanger Arbeiderparti.
What the authority found
The authority ruled that Stavanger Arbeiderparti lacked a valid legal basis for processing the email addresses, violating GDPR requirements.
Why this matters
This case underscores the importance of having a clear and valid reason for using personal data, even when it is legally obtained. Organizations must ensure their data processing practices are transparent and justifiable.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 20 August 2023, several parents of children in kindergartens received an email from the majority parties of a municipality. After receiving this email, several data subjects filed a complaint with the DPA. The investigation opened by the DPA showed that the email addresses were disclosed to the controller by the municipality pursuant to the Norwegian Act relating to the right of access to documents in public administration (Offentleglova). The controller firstly argued that it processed this data for political advertising purposes in accordance with Article 6(1)(e) GDPR. Since this legal basis was not accepted by the DPA, the controller then argued it could rely on Article 6(1)(f) GDPR. Finally, the controller noted that it had used a processor to send the emails. First of all, the DPA believed that the municipality rightfully disclosed the addresses, since the Freedom of Information Act provides for an appropriate legal basis for this processing. Secondly, the DPA investigated who was the controller in the case at hand. Since the Stavanger Labour Party stated that it processed data also on behalf of the other majority parties, the DPA assumed that this entity was the controller. Thirdly, the DPA analysed the legal basis. The DPA pointed out that the controller has failed to provide documentation about whether a legitimate interest assessment had been carried out. However, the DPA further noted that it is clear that this processing had some negative consequences on data subjects, since the DPA received several complaints. According to the DPA, this shows that this processing operation was not foreseeable for data subjects. Furthermore, the DPA pointed out that, even though the data was lawfully disclosed by the municipality, it was then used for a purpose outside the scope of the Freedom of Information Act. In every case, the DPA found that this processing was lacking of legal basis since the controller failed to demonstrate its assessment. Fourthly, the DPA re
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Stavanger Arbeiderparti in NO
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Stavanger Arbeiderparti - Norway (2024). Retrieved from cookiefines.eu
Last updated: