Datatilsynet is Norway’s Data Protection Authority. Inspection of its website indicates that it has not imposed many monetary penalties in recent years for violations of the Personal Data Act 2000. After 2021, in which it reported 37 actions, it issued only 12 reports in 2023, and only 7 so far in 2024. Here are two of the recent cases in which it imposed monetary penalties, as reported at Datatilsynet.no and translated into English at Datatilsynet.no.
Infringement penalty to the University of Agder
The Data Protection Authority has made a decision to impose an infringement penalty of NOK 150,000 on the University of Agder (UiA) for violation of the General Data Protection Regulation. The University had not taken appropriate measures to safeguard personal data security in its use of Microsoft Teams.
In February 2024, an employee at UiA discovered that documents containing personal data had been stored in open Teams folders, where employees without a need to know had access. The data breach has been ongoing since the university started using Microsoft Teams in August 2018.
NOK 150,000 (Norwegian Krone) is the equivalent of USD $14,073.14. The incident reportedly affected 16,000, and the information included names, national identity numbers, information about adapted exams, the number of exam attempts and special arrangements. The data breach has also included an overview of refugees from Ukraine affiliated to the university, with information such as contact information, education and settlement status.
Read more at Datatilsynet.no.
Decision on infringement penalty and orders to the Norwegian Labour and Welfare Administration
In March, The Data Protection Authority decided to impose an infringement penalty of NOK 20 million and issue several orders to the Norwegian Labour and Welfare Administration (NAV). The decision came after an inspection where we checked NAV’s safeguarding of confidentiality through access management and log control. We found several serious non-conformities.
‘We take this matter very seriously,’ says Line Coll, Director General of the Data Protection Authority. ‘From a data protection perspective, NAV is in a special position, and the tasks that it is required to perform entail large-scale processing of personal data. This includes highly sensitive information, and we have therefore decided to impose a high penalty fee.’
NOK 20 million is the equivalent of USD $1,876,419.20 at today’s conversion rate.
Read more about the background of this matter, NAV’s appeal, and the DPA’s decision on Datatilsynet.no.
