Stavanger Arbeiderparti – Complaint Upheld (Norway, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 20 August 2023, several parents of children in kindergartens received an email from the majority parties of a municipality. After receiving this email, several data subjects filed a complaint with the DPA. The investigation opened by the DPA showed that the email addresses were disclosed to the controller by the municipality pursuant to the Norwegian Act relating to the right of access to documents in public administration (Offentleglova). The controller firstly argued that it processed this data for political advertising purposes in accordance with Article 6(1)(e) GDPR. Since this legal basis was not accepted by the DPA, the controller then argued it could rely on Article 6(1)(f) GDPR. Finally, the controller noted that it had used a processor to send the emails. First of all, the DPA believed that the municipality rightfully disclosed the addresses, since the Freedom of Information Act provides for an appropriate legal basis for this processing. Secondly, the DPA investigated who was the controller in the case at hand. Since the Stavanger Labour Party stated that it processed data also on behalf of the other majority parties, the DPA assumed that this entity was the controller. Thirdly, the DPA analysed the legal basis. The DPA pointed out that the controller has failed to provide documentation about whether a legitimate interest assessment had been carried out. However, the DPA further noted that it is clear that this processing had some negative consequences on data subjects, since the DPA received several complaints. According to the DPA, this shows that this processing operation was not foreseeable for data subjects. Furthermore, the DPA pointed out that, even though the data was lawfully disclosed by the municipality, it was then used for a purpose outside the scope of the Freedom of Information Act. In every case, the DPA found that this processing was lacking of legal basis since the controller failed to demonstrate its assessment. Fourthly, the DPA re
GDPR Articles Cited
National Law Articles
On 20 August 2023, several parents of children in kindergartens received an email from the majority parties of a municipality. After receiving this email, several data subjects filed a complaint with the DPA. The investigation opened by the DPA showed that the email addresses were disclosed to the controller by the municipality pursuant to the Norwegian Act relating to the right of access to documents in public administration (Offentleglova). The controller firstly argued that it processed this data for political advertising purposes in accordance with Article 6(1)(e) GDPR. Since this legal basis was not accepted by the DPA, the controller then argued it could rely on Article 6(1)(f) GDPR. Finally, the controller noted that it had used a processor to send the emails. First of all, the DPA believed that the municipality rightfully disclosed the addresses, since the Freedom of Information Act provides for an appropriate legal basis for this processing. Secondly, the DPA investigated who was the controller in the case at hand. Since the Stavanger Labour Party stated that it processed data also on behalf of the other majority parties, the DPA assumed that this entity was the controller. Thirdly, the DPA analysed the legal basis. The DPA pointed out that the controller has failed to provide documentation about whether a legitimate interest assessment had been carried out. However, the DPA further noted that it is clear that this processing had some negative consequences on data subjects, since the DPA received several complaints. According to the DPA, this shows that this processing operation was not foreseeable for data subjects. Furthermore, the DPA pointed out that, even though the data was lawfully disclosed by the municipality, it was then used for a purpose outside the scope of the Freedom of Information Act. In every case, the DPA found that this processing was lacking of legal basis since the controller failed to demonstrate its assessment. Fourthly, the DPA re
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Stavanger Arbeiderparti in NO
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Stavanger Arbeiderparti - Norway (2024). Retrieved from cookiefines.eu
Last updated: