Norwegian Supervisory Authority: Mowi ASA reprimanded and ordered to update its procedures

Background information

  • Date of final decision: 26 April 2022
  • Cross-border case or national case: Cross-border
  • If cross-border, LSA: Norwegian Supervisory Authority
  • and CSAs: Belgian, Czech, Danish, German, French, Irish, Italian, Spanish,  Swedish, Polish Supervisory Authorities
  • Controller: Mowi ASA
  • Legal Reference: Information (Art. 14)
  • Decision: Reprimand, Order to Comply
  • Key words: Third party collection


Summary of the Decision


Origin of the case

In Norway and other European countries, it is possible to purchase shares in listed companies through a bank, which then acts as a manager of the shareholding. This means that the company does not necessarily know who its shareholders are. Under the Norwegian Public Limited Liability Companies Act, however, the company has the right to ask the equity manager to disclose the identity of the underlying owner of the managed shareholdings. 

When the company collects such information from the equity manager, personal data is processed. The company must therefore provide the shareholders in question with all the information required by Article 14 of the General Data Protection Regulation. Mowi failed to do so.


Key Findings

This case is an important reminder that the GDPR's requirement to provide information also applies when personal data is processed in accordance with a legal right, like that granted under Section 4-10 of the Public Limited Liability Companies Act. One cannot presume that a shareholder purchasing shares through their bank is aware of the fact that their personal data may be shared with the company whose shares they purchased. Listed companies in Norway should take this decision into consideration.



The Norwegian Supervisory Authority has reprimanded the seafood company Mowi ASA for failing to provide all the information required by the General Data Protection Regulation to company shareholders.

In addition, Mowi is ordered to ensure that notification procedures and documentation are in compliance with the General Data Protection Regulation – this includes changes to the company’s privacy policy.

For further information:


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.