Asker Municipality: Insufficient technical and organisational measures to ensure information security

The Norwegian DPA (Datatilsynet) has fined the municipality of Asker EUR 100,000. On May 20, 2020, the DPA received a notice that the municipality had unlawfully published personal data on its website. On the website, users could view the names of documents that had previously been sent via the municipality's email distribution list. In addition to the names of the actual document, they also contained the names and dates of birth of 127 people, including children. Although the distribution lists were proofread daily by two people, the municipality had failed to detect the discrepancies. The Norwegian DPA concludes that the data breach occurred partly due to a lack of required routines for handling email lists.

GDPR Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 32 (1) b) GDPR, Art. 24 GDPR
Industry: Public Sector and Education