Ålesund Municipality: Insufficient technical and organisational measures to ensure information security

The Norwegian DPA (Datatilsynet) imposed a fine of EUR 4,900 on the municipality of Ålesund. At two schools in Ålesund, teachers asked students to download the training app Strava for physical education classes. The students were then given tasks that the teachers controlled via the tracking function. According to the Norwegian DPA's investigation, this resulted in data breaches because the municipality failed to provide standard procedures for privacy-compliant app use in schools. For example, a data protection impact assessment was not carried out, although this would have been necessary in view of the potential risk to the students. In addition, adequate technical and organizational security measures had not been implemented to ensure the protection of the processing.

GDPR Articles: Art. 32 (1) b) GDPR, Art. 24 (1) GDPR, Art. 35 GDPR
Industry: Public Sector and Education