
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Norwegian Supervisory Authority (Datatilsynet) (50 items)

Timegrip AS: Insufficient fulfilment of data subjects' rights

€21,650 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 21,650 on Timegrip AS. The controller had been tracking the working hours of employees at a company that went bankrupt. A former employee requested that the controller send the working hours to the data subject so that they could claim their unpaid wages from the bankruptcy estate. Furthermore, the bankruptcy estate itself requested the data, but the controller refused to send it to them.

Kristiansand municipality: Insufficient legal basis for data processing

€22,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 22,000 on Kristiansand municipality. The body offers a helpline for children who have become victims of violence, abuse or neglect. The helpline's website uses tracking pixels, which gives the providers of those pixels access to personal data of the data subjects without a sufficient legal basis.

Kristiansand municipality: Insufficient legal basis for data processing

€22,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA imposed a fine of EUR 22,000 on Kristiansand municipality. The controller offers a helpline for children who had become victims of violence, abuse or neglect. The website of the helpline uses tracking pixels, resulting in the providers of those pixels gaining access to personal data of the data subjects without sufficient legal basis.

Telenor ASA: Non-compliance with general data processing principles

€338,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 333,800 on Telenor ASA. During its investigation, the DPA found that the company had not conducted sufficient assessments and documentation regarding the role of the Data Protection Officer (DPO). Additionally, no direct and documented reporting line from the DPO to the highest management level had been established. The company also lacked adequate internal controls. The DPA further criticized the absence of appropriate organizational measures and guid

Grue municipality: Insufficient technical and organisational measures to ensure information security

€20,800 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA fined Grue municipality EUR 20,800 following the municipality's notification of a data breach. The municipality reported that personal data of students had been unlawfully published on a public portal. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to ensure the protection of personal data.

Eidskog municipality: Insufficient legal basis for data processing

€20,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA imposed a fine of EUR 20,900 on Eidskog municipality for giving two former employees access to a whistleblower’s report without redacting sensitive health and financial data. The DPA found that the municipality had no legal basis for processing this information and had previously published confidential information about the whistleblower.

University of Agder: Insufficient technical and organisational measures to ensure information security

€12,700 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined the University of Agder (UiA) EUR 12,700. An employee of UiA had discovered that documents containing personal data of employees, students and external individuals were stored in open Microsoft Teams folders and that employees with no business need were able to access them. During its investigation, the DPA found that UiA had failed to implement appropriate technical and organisational measures to protect personal data.

Norwegian Labor and Welfare Administration: Insufficient technical and organisational measures to ensure information security

€1,700,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 1.7 million on Arbeids- og velferdsetaten, the Norwegian Labor and Welfare Administration (NAV). During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. For example, the IT systems were not adequately secured. In addition, an excessive number of employees had access to personal data, including very sensitive data in some cases. At the same time, the

Argon Medical Devices: Insufficient fulfilment of data breach notification obligations

€220,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA of a data breach that involved personal data of all its European employees within 72 hours. ---UPDATE--- The controller appealed against the decision to the DPA, but the appeal was dismissed.

Sats ASA: Insufficient fulfilment of data subjects' rights

€900,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 900,000 on the fitness chain 'Sats'. The DPA had received several complaints from customers who had submitted requests for information as well as deletion of their personal data, which Sats had not complied with. The DPA also found that Sats had processed certain customer data without a valid legal basis.

Recover AS: Insufficient legal basis for data processing

€20,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has fined Recover AS EUR 20,000. The controller had carried out a credit check on the data subject without any valid legal basis for doing so.

Krokatjønnvegen 15 AS: Insufficient legal basis for data processing

€30,200 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has fined Krokatjønnvegen 15 AS EUR 30,200. The controller had carried out credit checks on two data subjects without any contractual basis for doing so.

Arbeidstilsynet: Insufficient legal basis for data processing

€14,500 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has fined the Norwegian Labor Inspectorate 'Arbeidstilsynet' EUR 14,500. The controller had carried out a credit check on the data subject without any valid legal basis for doing so.

Company: Insufficient legal basis for data processing

€9,700 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 9,700 on a company. The DPA had received a complaint from a former employee of the company. The background of the complaint is that, after the employee's termination, both professional and private e-mails from the employee's mailbox were automatically forwarded to an e-mail address administered by the managing director. During its investigation, the DPA found that the controller had automatically forwarded the e-mails without a valid legal basis.

Norwegian Parliament: Insufficient technical and organisational measures to ensure information security

€195,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined the Norwegian Parliament EUR 195,000. The parliament had suffered a data breach in which unauthorized persons gained access to the email accounts of members of parliament and parliamentary administrative staff. The attackers had succeeded in siphoning off the data, including personal data on bank accounts, dates of birth and health-related data. During its investigation, the DPA found that the parliament did not incorporate sufficient security mechanisms, such as two-f

Lillestrøm Municipality: Insufficient technical and organisational measures to ensure information security

€30,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 30,000 on Lillestrøm Municipality. The municipality had accidentally published a document in which 10 out of 21 attachments contained personal data of students. The data included information on student names, date of birth, test results, assessments of student behavior and student challenges. This error was not detected by the responsible administrator and went through two more manual quality checks at the documentation center without the error being d

Etterforsker1 Gruppen AS: Insufficient legal basis for data processing

€5,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined Etterforsker1 Gruppen AS EUR 5,000. The controller had carried out a credit check on an individual, although there was no legal basis for doing so.

T. Stene Transport AS: €3,900 fine

€3,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined T. Stene Transport AS EUR 3,900 due to an unfair credit check on a data subject.

Grindr LLC: Insufficient legal basis for data processing

€6,300,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Grindr LLC EUR 6.3 million. Grindr is a location-based social networking app designed for gay, bi, trans and queer people. In 2020, the Norwegian Consumer Protection Authority filed a complaint against Grindr with the Norwegian DPA, alleging that the portal had shared information about users' GPS location, IP address, cell phone advertising ID, age and gender with several third parties for marketing purposes. Under GDPR, consent is required for the sharing of this per

Elektro & Automasjon Systemer AS: Insufficient legal basis for data processing

€20,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined Elektro & Automasjon Systemer AS EUR 20,000. The controller had carried out a credit check on an individual, although there was no legal basis for doing so.

Norwegian State Pension Fund (SPK): Insufficient legal basis for data processing

€98,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 98,000 on the Norwegian State Pension Fund (SPK). The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The DPA found that the controller had unlawfully collected certain income information since 2016. For example, the controller had collected health-related information on disability pensions, although this was not required. Approximately 24,000 individuals were affected by these incidents. In addition, the DPA found that SPK d

Østre Toten municipality: Insufficient technical and organisational measures to ensure information security

€412,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Østre Toten municipality EUR 412,000. The municipality suffered a cyberattack in January 2021, as a result of which the municipality's data was encrypted and backups were deleted. A larger amount of data was later published on the dark web. Approximately 30,000 documents were affected by the attack. The documents contained, among other things, information on ethnic origin, political opinion, religious beliefs, union memberships, sexual orientation, health statu

Ferde AS: Non-compliance with general data processing principles

€496,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Ferde AS, a Norwegian toll company, EUR 496,000. Through a report on the state-owned broadcasting company NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages in toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde has implemented routines and measures to ensure adequate information security for the information transferred to China. As part of its operations, Ferde is respon

Ultra-Technology AS: Insufficient legal basis for data processing

€12,500 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian Data Protection Authority has imposed a fine of EUR 12,500 on Ultra-Technology AS. The background of the fine is a complaint from a data subject who was credit-checked without any customer relationship or other affiliation to Ultra-Technology AS.

Høylandet Municipality: Insufficient technical and organisational measures to ensure information security

€40,200 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 40,200 on the municipality of Høylandet. The latter had reported a data breach to the DPA in accordance with Art. 33 GDPR. An employee gained access to several image files (bitmap) when she had to create new letter templates and insert an image logo from the file. The image files that the employee had access to contained sensitive information about individuals who had no connection with the municipality of Høylandet. The information included health dat

ST. OLAVS HOSPITAL HF: Insufficient technical and organisational measures to ensure information security

€75,600 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined St. Olav's Hospital in the amount of EUR 75,600. The hospital suffered three data leaks in accordance with Art. 33 of the GDPR. The first incident had occurred between January 13, 2011, and January 27, 2020, at the hospital's cardiology department following an upgrade for a new treatment-oriented health registry for the cardiology laboratory. In connection with the upgrade, a test server was used on which treatment reports were temporarily cached and then copied to the n

Waxing Palace AS: Insufficient legal basis for data processing

€9,600 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 9,600 on the waxing salon operator Waxing Palace AS. The controller operated camera surveillance of its reception area. The DPA found that the controller had no legal basis for the camera surveillance and had not provided sufficient information about it. The camera surveillance concerned both employees and customers.

NORWAY DPA: Insufficient legal basis for data processing

€24,800 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company's managing director logged into the complainant's email inbox on a daily basis for a period of six weeks after the former employee's employment was terminated. In total, the managing director had access to the account for a period of five months. The process had been justified by business requirements (e.g., processing custome

Moss municipality: Insufficient technical and organisational measures to ensure information security

€49,200 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has fined the municipality of Moss EUR 49,200 for inadequately securing personal data. In January, the municipality of Rygge was annexed to the municipality of Moss. For this reason, several IT systems from both municipalities were combined. Due to inadequate security measures, a data breach occurred in a productive system used in the municipality's health service. This system processed personal and health data and affected people who live in the municipality and

BRAbank ASA: Insufficient technical and organisational measures to ensure information security

€39,700 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,700 on BRAbank ASA. The controller had reported a data breach to the DPA on September 6, 2019. On the controller's website, some customers were able to view other customers' data on the 'My Page' section. These included credit terms and address information of other customers. The section had been activated shortly before for 500 selected customers and was intended, among other things, to provide an overview of loans taken out with the

Municipality of Oslo: Insufficient legal basis for data processing

€39,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,000 on the Municipality of Oslo. On a website of the controller a subpoena from the public prosecutor's office concerning the data subject had been published. The subpoena contained, among other things, personal information such as health data. The incident occurred because the subpoena was not originally classified as confidential and accordingly was not exempted from public disclosure. The document was publicly available for five ho

Innovasjon Norge: Insufficient legal basis for data processing

€95,500 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined the national development bank Innovasjon Norge NOK 1,000,000 (EUR 95,500). The controller had carried out several credit checks on the data subject without any contractual basis for doing so. For this purpose, the bank had analyzed numerous financial data of the data subject without the data subject's consent.

Disqus Inc.: Insufficient legal basis for data processing

Norwegian Supervisory Authority (Datatilsynet)

On May 5, 2021, the Norwegian DPA (Datatilsynet) announced that it intends to fine Disqus Inc. EUR 2,500,000 for violations of Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 12 GDPR and Art. 13 GDPR. It is alleged that Disqus unlawfully tracked visitors of Norwegian websites which used the Disqus plugin. Their data was then passed on to third-party advertisers.

Miljø- og Kvalitetsledelse AS: Insufficient legal basis for data processing

€3,400 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 3,400 on Miljø- og Kvalitetsledelse AS. At one of the carwashes operated by the controller, incidents of vandalism had occurred at the payment terminal. The controller thereupon sent footage of the incident from a surveillance camera to the employer of the alleged vandal. The Norwegian DPA concluded that the sharing of the video footage had taken place without a legal basis and the controller had thus violated Art. 6 (1) GDPR and Art. 5

Basaren Drift AS: Insufficient legal basis for data processing

€19,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 19,900 on Basaren Drift AS. The controller had installed video cameras in its premises which recorded both its employees and customers. The Norwegian DPA concluded that the controller had no legal basis for the camera surveillance. In addition, the Norwegian DPA found that the controller did not provide sufficient information on the surveillance to the data subjects.

Ålesund Municipality: Insufficient technical and organisational measures to ensure information security

€4,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) imposed a fine of EUR 4,900 on the municipality of Ålesund. At two schools in Ålesund, teachers asked students to download the training app Strava for physical education classes. The students were then given tasks that the teachers controlled via the tracking function. According to the Norwegian DPA's investigation, this resulted in data breaches because the municipality failed to provide standard procedures for privacy-compliant app use in schools. For example,

Asker Municipality: Insufficient technical and organisational measures to ensure information security

€100,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has fined the municipality of Asker EUR 100,000. On May 20, 2020, the DPA received a notice that the municipality had unlawfully published personal data on its website. On the website, users could view the names of documents that had previously been sent via the municipality's email distribution list. In addition to the names of the actual document, they also contained the names and dates of birth of 127 people, including children. Although the distribution lists

Dragefossen AS: Insufficient legal basis for data processing

€14,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) imposed a fine of EUR 14,900 on the energy company Dragefossen AS. The latter had installed a webcam on the roof of its office building in the center of Rognan which was in operation 24/7 and recorded the city center. These recordings could be viewed via a live video stream on Youtube and on the controller's homepage. In addition, the recordings could be rewound for up to twelve hours. The area covered by the camera surveillance included a public street, the park

NORWAY DPA: Insufficient legal basis for data processing

€24,400 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined a company NOK 250,000 (EUR 24,400). The controller ordered an employee to set up an automatic forwarding of his/her employee email account to a shared company account. The reason given for this was to improve the company's operations. The DPA found that the controller had no legal basis to order such automatic forwarding. It therefore acted unlawfully.

Cyberbook AS: Insufficient legal basis for data processing

€19,300 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined Cyberbook AS NOK 200,000 (EUR 19,300) for the illegal automatic forwarding of e-mails from a former employee. The forwarding took place for several months without the data subject being informed.

Aquateknikk AS: Insufficient legal basis for data processing

€9,700 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (EUR 9,700). The controller had carried out a credit rating on an individual without there being a customer relationship or other affiliation. The personal data of the data subject was thus processed without a legal basis.

Coop Finnmark SA: Insufficient legal basis for data processing

€38,600 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined Coop Finnmark SA NOK 400,000 (EUR 38,600). The manager of the store in question recorded CCTV footage with a mobile phone and shared the video. The Norwegian DPA states that Coop Finnmark had no legal basis for sharing the CCTV footage. The DPA notes that the case is very serious as the footage showed children, which poses a potentially high risk to their privacy.

NORWAY DPA: Insufficient legal basis for data processing

€38,600 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined a company NOK 400,000 (EUR 38,600) for the illegal automatic forwarding of an employee's email inbox. The automatic forwarding was activated in connection with the employee's sick leave and lasted for more than a month.

Gveik AS: Insufficient legal basis for data processing

€7,250 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined Gveik AS EUR 7,250. The controller had carried out a credit check on an individual, although there was no legal basis for doing so.

Lindstrand Trading AS: Insufficient legal basis for data processing

€9,700 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has fined Lindstrand Trading AS EUR 9,700. The controller had carried out four credit checks on individuals and individual companies, although there was no legal basis for doing so.

Innovasjon Norge: Insufficient legal basis for data processing

€95,500 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) fined the national development bank Innovasjon Norge NOK 1,000,000 (EUR 95,500). The controller had carried out four credit checks on the data subject without any contractual basis for doing so. For this purpose, the bank had analyzed numerous financial data of the data subject over a period of three months without the data subject's consent.

Municipality of Indre Østfold: Insufficient technical and organisational measures to ensure information security

€18,840 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) imposed a fine in the amount of NOK 200,000 (EUR 18,840) on the municipality of Indre Østfold. Datatilsynet found that a student file containing personal data was published on the municipality's website.

Odin Flissenter AS: Insufficient legal basis for data processing

€13,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The company assessed the credibility of another company and thereby, according to Datatilsynet, processed personal data relating to a natural person (the owner of the company assessed) without there being a sufficient legal basis for doing so.

Bergen Municipality: Insufficient technical and organisational measures to ensure information security

€276,000 fine - Norwegian Supervisory Authority (Datatilsynet)

In October 2019, the Data Protection Authority was informed by the Municipality of Bergen about a data breach in connection with the municipality's tool for communication between school and home called 'Vigilo'. This tool contained a module that allowed school and parents to communicate via a portal or app but that had not been secured properly to ensure the protection of personal data against security threats.

Municipality of Rælingen: Insufficient technical and organisational measures to ensure information security

€46,660 fine - Norwegian Supervisory Authority (Datatilsynet)

Fine for the processing of children's health data in connection with disability through the digital learning platform 'Showbie'. The Municipality had failed to carry out a Data Protection Impact Assessment ('DPIA') in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') prior to the start of the processing and had not taken adequate technical and organisational measures in accordance with Article 32 of the GDPR, resulting in an increased risk o