
Failure to inform shareholder breached the data protection rules

Legal news, 2 June 2022, Denmark

In response to a notification from his bank, a data subject submitted an access request to a company he owned shares in. He wanted to find out why the company wanted his personal information. After five months, the company replied that it had never been subject to a duty to inform him but explained why it had requested the information. The Norwegian Data Protection Authority disagreed with this approach.

After having bought shares via his German bank in a Norwegian seafood company, a German shareholder was notified by the bank that the company requested his personal information.

As the purpose of the request for information was unclear to the shareholder, he wrote an e-mail to the company. One month later, he still had not received a reply and wrote again. After still not having received a response more than a month later, he complained to the Norwegian Data Protection Authority, which contacted the company. The company recognized that it had never seen the shareholder’s access request because it had ended up in a spam folder. It also confirmed that it would reply to the shareholder but that no duty to inform had ever applied because the exceptions under article 14 of the General Data Protection Regulation (GDPR) were in play.

In its reply to the shareholder, the company gave him information on the processing activity and informed him of a right under Norwegian law to receive shareholder information. It also noted that its supplier, Nasdaq, located in the United Kingdom, facilitated the request. The shareholder was satisfied with the reply, but the Norwegian Data Protection Authority was not. It decided that the company had breached its obligations.

No exceptions to the duty to inform applied

According to the Data Protection Authority, the company had been subject to a duty to inform. It was, therefore, wrong to refer to the exceptions to this duty.

The first exception used by the company entails that no duty to inform applies if the data subject already has the information. The Data Protection Authority emphasized that this exception presumes that the company can demonstrate and document that this is the case. It was not sufficient simply to assume that the shareholder had the necessary information, and the company had no evidence with which to discharge that burden of proof.

At the same time, it was clear that even if the shareholder had received some information on the processing activities, he had never received a complete set of information. As a result, the company had, in any case, been subject to a duty to supplement the information he already had, including the information missing from the privacy policy on the lawful basis for processing, the recipients, the storage periods, and the safeguards for the transfer to Nasdaq in the United Kingdom.

The second exception used by the company entails that no duty to inform applies if obtaining and disclosing the personal information follows from national law. The Data Protection Authority stated that this presumes a mandatory requirement. That was not the case here: the company was exercising a right it had under Norwegian law to receive information on its shareholders, not complying with an obligation imposed on it by that law.

IUNO’s opinion

Exceptions to the duty to inform are interpreted and applied narrowly by the national data protection authorities. That makes it difficult for companies to apply them successfully, and for that same reason, such exceptions should be used carefully. A breach of a fundamental obligation under the data protection rules, including the duty to inform, may otherwise lead to a fine.

IUNO recommends that companies continuously reconsider if the applicable privacy policies and other information procedures satisfy articles 13 and 14 of the GDPR. In this case, the Data Protection Authority made an additional note that the company’s privacy policy would have made anyone not employed by the company believe that the only lawful basis for processing was consent – as no other lawful basis was listed in the document for this group. This shows how important it is to ensure that transparency requirements are satisfied for every data subject category, including shareholders.

[Norwegian Data Protection Authority’s decision 21/03656-12 of 26 April 2022]
