Datatilsynet (Norway) - 22/00049-13
Norway's Datatilsynet fines company NOK 20M for invalid consent and data misuse.
Summary
Norway's Data Protection Authority (Datatilsynet) has imposed a NOK 20,000,000 fine on a company for multiple GDPR violations. The violations include invalid customer club consent, processing children's data without proper verification, using data for customer matching with advertising platforms without consent, and failing to properly handle data subject rights requests. The DPA cited intentional infringements and the involvement of children's data as aggravating factors.
Full text
Datatilsynet - 22/00049-13 (GDPRhub, latest revision as of 08:42, 17 June 2026)

=== Holding ===

'''Invalid customer club consent'''

The DPA held that the controller violated [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], read together with [[Article 4 GDPR#11|Article 4(11) GDPR]], because the customer club consent was not valid.

Third, the consent was not informed. The information provided to customers before consent was mainly focused on discounts and benefits. The DPA found that the controller did not clearly explain, before consent was given, that the customer club involved personalised marketing, profiling and analysis, nor the consequences of such processing. The DPA also noted that the information depended largely on individual store employees, which created a significant compliance risk.

'''Processing of children's personal data'''

The DPA further held that the seriousness of this infringement was increased by the fact that children's personal data was also processed. The customer club was open to customers from the age of 15 at the time of the inspection, but the controller did not register age and had no mechanism to verify that customers met the age requirement.

'''Customer match and compatibility assessment'''

Regarding customer match, the DPA held that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 6 GDPR#4|Article 6(4) GDPR]]. The controller used personal data originally collected for the customer club for a new advertising-related purpose. The DPA considered that customers who consented to joining a customer club to receive discounts and benefits could not reasonably expect their data to later be used for customer matching with advertising platforms, especially where this involved sharing data with third parties. Therefore, [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] could not serve as a valid legal basis. The controller also failed to assess whether the new purpose was compatible with the original purpose, as required by [[Article 6 GDPR#4|Article 6(4) GDPR]].

'''Offline conversions and accountability'''

Regarding offline conversions, the DPA held that the controller violated [[Article 5 GDPR#2|Article 5(2) GDPR]], read together with [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. The DPA did not decide whether [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] could in principle be used for offline conversions. Instead, it found that the controller had failed to demonstrate that the processing was lawful. Its legitimate interest assessment was too brief and omitted key elements, including the number of data subjects affected, categories of personal data, possible processing of children's data, reasonable expectations of the data subjects and potential negative consequences of sharing data with Google and Facebook.

'''Data subject rights requests'''

Regarding rights requests, the DPA held that the controller violated [[Article 12 GDPR#3|Article 12(3) GDPR]]. A rectification request concerning an email address was not, in itself, complex. The controller could not automatically extend the one-month deadline for all such requests. Any extension had to be based on a specific assessment of the number and complexity of the requests. The DPA also found that some requests were not handled even within the extended three-month deadline.

'''Administrative fine and mitigating factors'''

The DPA imposed an administrative fine of NOK 20,000,000 under [[Article 58 GDPR#2i|Article 58(2)(i) GDPR]]. It considered that the infringements concerned core GDPR principles and affected many data subjects, including children. The DPA also considered the infringements intentional, since the controller had consciously chosen the relevant customer club structure and marketing tools, and had been aware of risks linked to the consent model.

Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 4(11) GDPR; Article 5(1)(a) GDPR; Article 5(2) GDPR; Article 6(1)(a) GDPR; Article 6(1)(f) GDPR; Article 6(4) GDPR
Type: Investigation
Outcome