Datatilsynet (Norway) - 20/03500: Difference between revisions

Latest revision as of 12:01, 28 June 2022

Datatilsynet (Norway) - 20/03500

Authority:	Datatilsynet (Norway)
Jurisdiction:	Norway
Relevant Law:	Article 5(1)(f) GDPR Article 5(2) GDPR Article 32(1)(b) GDPR Article 32(1)(d) GDPR
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:	13.01.2022
Published:	24.01.2022
Fine:	2,000,000 NOK
Parties:	The Norwegian Parliament (Stortinget)
National Case Number/Name:	20/03500
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Norwegian Norwegian
Original Source:	Datatilsynet (in NO) Datatilsynet (in NO)
Initial Contributor:	Rie Aleksandra Walle

The Norwegian DPA fine the Parliament about €196,400 (NOK 2,000,000) for a data breach where perpetrators got access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and organizational measures.

English Summary

Facts

In the fall of 2020, the Norwegian Parliament (Stortinget) had a personal data breach related to employees' email accounts, discovered after an employee had been contacted by their bank about an attempt of misuse of their payment card abroad. The Parliament discovered that the perpetrators had downloaded various data, including personal data information about their bank accounts, birth dates and health-related data.

The Parliament had not enabled two-factor authentication in their email system, despite having identified the lack of such as a "high risk" in their risk analysis of March 2020. They had also identified a lack of security culture, low competency and little focus on data protection as very high risks.

When the DPA reviewed the risk analysis in May 2021, two-factor authentication was still not fully implemented. In their notification of a decision, the DPA noted that the Parliament's administration, represented by the Secretary General, was grossly negligent.

Holding

The DPA found that the Parliament, despite having identified several risks, lacked sufficient technical and organizational measures, including two-factor authentication, thus breaching Article 32(1)(b) GDPR and Article 32(1)(d), cf. Article 5(1)(f) GDPR.

For this, the DPA fined the Parliament about €196,400 (NOK 2 million).

Comment

Share comments here!

Further Resources

On 15 February 2022:the Norwegian DPA received a response from the Parliament (in Norwegian) with feedback on their decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

THE PARLIAMENT
PO Box 1700 Center
0026 OSLO

Their reference Our reference Date
20 / 03500-10 04.03.2022

Decision on violation fee - Notification of deviation - The Storting

1 Introduction

The Data Inspectorate refers to the submitted notification of 6 September 2020 of a breach
personal data security, notification of infringement fee of 13 January 2022 and
The Storting's response of 14 February 2022.

We also refer to other correspondence and documentation that has been made available to us
which can be linked to the relevant notification of a breach of personal data security. It

the overall documentation forms the basis for the decision. It is the attack in 2020 that lies ahead
reason for the decision. The events of March 2021 are of a different nature, and will not matter
for this decision.

In the following, Multi Factor Authentication (MFA), two-factor authentication and strong
authentication means the same thing. In the following, these will be referred to under the collective term
«Two-factor authentication».

2. The Data Inspectorate's comments on the Storting's response
The Norwegian Data Protection Authority has noticed that the Storting acknowledges that IT security could have been better then
the attack occurred.

Secondly, the Storting's administration points out that the follow-up of ROS 2020 must be seen in the light of
that the Storting's administration in the spring of 2020 was strongly affected by the pandemic and
the shutdown that hit the country in early March 2020, and the subsequent one

holiday settlement. It is also pointed out that the representatives of the Storting and the employees in
the party groups were not subject to instruction authority from the Storting's director, and that
this made the further process time consuming.

The Data Inspectorate cannot see that these are factors that have a significant effect on whether or not
violation fee must be given and the amount of this.

Postal address: Office address: Telephone: Org.nr: Homepage:
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
0105 OSLO 0191 OSLO, 3. Decision on infringement fine

Based on the information in the case, the Data Inspectorate believes that the Storting has violated the rules on
personal data security in the Privacy Ordinance:

Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance

Article 58 (2) (i), cf. Article 83, a violation fee of two shall be imposed on the Storting.
million - 2,000,000 - kroner to the Treasury for not having carried out suitable technical
and organizational measures, including two-factor authentication, to achieve a level of security
which is suitable in terms of the risk of achieving lasting confidentiality, integrity
and robustness, cf. Article 32 (1) (b) and (d) of the Privacy Regulation, cf. Article 5
No. 1 letter f).

The background and reasons for the decision follow below.

4. The case

On 2 September 2020, the Storting was informed that it had been exposed to a data breach
(unauthorized login) linked to the email accounts of an unknown number of parliamentary representatives and
employees in the administration and the group secretariats. It was one of the employees who notified
the administration after the person in question had been contacted by his bank for an attempt
misuse of payment cards abroad.

Subsequent investigations revealed that attackers had downloaded different amounts of data and that

this data could contain personal data originating from the employees concerned
email account. It was in the deviation report to the Data Inspectorate and subsequent additional report
informed that this included bank and account information, incl.
personal information about third parties, birth number and health information.

Possible consequences for those affected by the attack could be abuse of identity, abuse of
payment cards and use of information for extortion.

The Storting's administration later became aware that personal information from 13 email accounts
could be lost. Those affected were informed and followed up to limit damage. People
which were mentioned in the emails of the affected (third parties) were notified.

As a result of the incident, the Storting implemented a number of risk-reducing and preventive measures
measures. Among other things, new password requirements were introduced, the scope of security logging became

expanded and mobile guidelines were updated. Work was also started on
introduce two-factor authentication. In addition, training measures were implemented by employees to increase
raising awareness of information security.

The Storting has close contact with relevant security authorities in this matter. The relationship is
reported to the police and PST is investigating the case.

2.5. Relevant legal rules and guidance on two-factor authentication as a security measure
The discrepancies concern breaches of confidentiality, integrity and robustness. In the Privacy Ordinance
Article 32 states:

«Taking into account the technical development, the implementation costs and the nature of the treatment,
the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and
severity of the rights and freedoms of natural persons, the data controller and

the data processor implement appropriate technical and organizational measures to achieve a level of security
which is suitable in terms of risk, including, inter alia, as appropriate,
a) pseudonymisation and encryption of personal data,
b) ability to ensure lasting confidentiality, integrity, availability and robustness in
treatment systems and services,
c) ability to restore the availability and access to personal information in a timely manner if necessary

a physical or technical event occurs,
d) a process for regular testing, analysis and assessment of how effective the treatment is
technical and organizational security measures are. "

Article 5 (1) (f) of the Privacy Ordinance states that personal data
«Shall be processed in a manner that ensures adequate security of personal data,
including protection against unauthorized or illegal treatment and against accidental loss, destruction or

damage, through the use of appropriate technical or organizational measures («integrity and
confidentiality »)».

Article 32 requires that a specific assessment of the risk to the physical be carried out
persons' rights and freedoms, compared with probability and severity.
The survey must be linked to the relevant business and their treatment of

personal information.

Furthermore, the provision requires that suitable technical and
organizational measures to achieve an appropriate level of information security related to closer
areas referred to in Article 32 (1) (a) to (d). This must be considered a duty to deal with
and reduce the risks identified in the survey through the introduction of measures. These can
either be technical measures in the form of physical security such as

authentication solutions, or organizational measures in the form of, for example, routines and
training of personnel.

In the Data Inspectorate's assessment of what must be considered suitable measures, a company's own
assessment of risk and necessary measures are given great weight.

The Storting's administration, as the person responsible for processing, undertakes to familiarize itself with it

regulations in the field of privacy, including the requirements for conducting risk assessments and
implement necessary measures to achieve a satisfactory level of safety. This follows
Article 5 (2) of the Privacy Regulation.

We assume that there may be alternative measures to ensure sufficient and effective
security level. The introduction of two-factor authentication is an example of security measures that are

3, recognized as efficient and easily accessible. In this connection, we refer to both the Danish Data Protection Agency
and the National Security Authority (NSM) on their websites have published supplementary
information on why and when two-factor authentication should or should be introduced.

On NSM's website, clear recommendations have been given on the use of two - factor authentication
creation of i.a. email account. NSM also recommends requirements for unique passwords per service.

On the Data Inspectorate's website, we provide information on strong authentication as a security measure. It's called
here:

Many services are based only on something you know in the form of a username and password.
Very many also use the same password on several different services. Something that makes you
who use even more prone to others logging in like you on various services.

Often a service will make demands on the complexity of the password such as requirements
minimum length, requirements for the use of numbers, lowercase and uppercase letters, and possibly
special characters. This may reduce the ability to guess passwords, but users have one
tend to use the same type of pattern. Summer 2017 is a type of password that many
unfortunately user. It is also common for users to reuse the same password
more services.

If the password should go astray, it does not matter where
strong / complex password is. Unfortunately, there are many ways a password can get in the way
weighs on. For example, leaks from other places where the user uses the same
passwords, malware on the PC of users who pick up usernames and passwords,
"Man in the middle" attacks and phishing attacks.

Therefore, two-factor authentication is a much more secure solution. When using such authentication
the consequences of usernames and passwords going astray will be far less.

In Norway, we have seen examples of both political parties and schools having experienced that someone
has acquired unauthorized access to systems due to lack of strong authentication.

The Norwegian Data Protection Authority may impose the use of strong authentication if we consider that it is

necessary to ensure safety.

The Norwegian Data Protection Authority does not rule out that other measures may lead to a similar level of security as
two-factor authentication.

6. The Data Inspectorate's assessment of the Storting's solution for authentication of users

The Storting had not introduced a sufficient solution for two-factor authentication for all users
of their email systems at the time of the security breach in September 2020. In the latter
the version of the ROS analysis related to authentication that was completed in March 2020, was
lack of two-factor authentication identified as "high risk" for unauthorized access.

4, The Storting's report of 8 December 2020 states that there is ongoing work to
introduce two-factor authentication for users on all solutions where technically possible, including
also email.

We have also noted that a lack of safety culture was identified as a "high risk" for
unauthorized access to the Storting's systems in the ROS analysis in 2020. In the ROS analysis
concluding summary, it appears that it is perceived as challenging that different

user groups are not subject to instruction authority from the Storting's administration.
Lack of security culture, low competence and little focus on privacy are considered as one
very high risk.

In our view, the description in the ROS analysis reveals vulnerabilities that could have been
compensated by organizational measures, as required by Article 32. Examples of such measures are
mapping of employees' knowledge of information security and privacy, and targeted

training of employees.

As organizational measures, guidelines and routines for the use of the company's email account
could be effective and necessary to reduce the risk posed by human factors.
These should be part of the management system for privacy and information security, which is
decided by the management of the business.

The Data Inspectorate takes a serious view of the fact that no technical measures have been implemented by the Storting
which could have prevented the violation, e.g. through the use of two-factor authentication.
Missing or deficient security measures increase the likelihood of security breaches.
The consequences can be very serious for the companies and their employees who are affected
events like this.

Attacks via employees' emails are considered a well-known and real attack vector by

data security breach. Access to email accounts is a known method of accessing additional
systems in a business.

Secure authentication is considered a simple and essential security measure to reduce the risk
for such attacks.

In this case, the intruders have gained access to a number of the Storting's e-mail accounts due to
lack of security measures. The Storting had previously carried out a risk assessment which
concluded that two-factor authentication should be introduced. However, this has taken
disproportionately long time.

When the Data Inspectorate's reading of the ROS analysis in May 2021, the introduction of
two-factor authentication completed. The Storting's lack of introduction of those security measures

which the Storting itself has considered necessary in this area, has made the service become
being less robust and vulnerable to attack. The Data Inspectorate believes it is clear that if
necessary technical and organizational security measures had been implemented in the past
time, the Storting's infrastructure would have been more robust, and the attack could have been
avoided.

5, Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case
change of the authentication solution, in addition to deficient organizational measures, is considered to
constitute a breach of Article 32 (1) (b) and (d) of the Privacy Regulation. They mentioned
the provisions require the data controller to establish an appropriate level of safety
to ensure lasting confidentiality, integrity, availability and robustness of the services.

7. The Privacy Regulation's rules on infringement fines
The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public
authorities and bodies infringement fines under the rules of the Privacy Regulation Article
58, cf. Article 83 (1) and (2).

The right to impose infringement fines shall be a tool to ensure effective
compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as
punishment under Article 6 of the European Convention on Human Rights.

The Norwegian Data Protection Authority therefore assumes that a clear probability preponderance is required for
offense in order to impose a fee. The case and the question of imposing
infringement fees are assessed on the basis of this evidentiary requirement.

In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.
By an administrative sanction is meant a negative reaction that can be imposed by a
administrative body, which addresses a committed violation of law, regulation or individual
decision, which is considered a punishment under the European Convention on Human Rights
(EMF).

It is directly stated in the wording of the Penal Code § 27 that there is an objective criminal liability for
enterprises. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court has ruled that objectively
liability for corporate punishment is not compatible with the concept of punishment in the European
Convention on Human Rights, as interpreted by the European Court of Human Rights.

In a letter dated 2 June 2021, the Ministry of Local Government and Modernization has sent to the Ministry of Justice and

the Ministry of Emergency Management's briefing of 12 May 2021 on the significance of this
the Supreme Court ruling for administrative sanctions. The Ministry of Justice and Emergency Preparedness states
following:

«Pending the report on corporate penalties and any proposals for legislative amendments,
we recommend that the ministries inform their underlying agencies about the Supreme Court

decision, and that this for the time being is also used as a basis for imposing
infringement charge against companies. This means that by the imposition of
infringement fines against companies are required that the person who has acted on behalf of
the company has shown general negligence. "

Article 83 provides in principle that the imposition of an infringement fine depends on a
discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting

moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure

6, that the imposition of infringement fines in each individual case is effective, is in a reasonable
relation to the violation and acts as a deterrent.

8. The Data Inspectorate's assessment of whether an infringement fee should be imposed
In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following
moments:

a) the nature, severity and duration of the infringement, taking into account
the nature, extent or purpose of the action concerned and the number of data subjects affected,
and the extent of the damage they have suffered

Violations of personal data security include breaches of confidentiality, integrity and
robustness. In this case, it must be concretely assumed that the elected representatives and the employees know
The Storting has a clear and worthy of protection interest in having information about them processed
in a safe way.

Unauthorized access to the Storting's systems can have serious consequences for the individual and
for other people's personal information that the mailboxes potentially contain. The event may have

entails that the environment has access to information that the registered person (s) have not themselves chosen to
make known, and it is unknown to what extent this information may have been disseminated.

The breach of personal data security has meant that the representatives have lost control
over the personal information contained in their email accounts. As a consequence of
Inadequate security measures, there will be a probability that the elected representatives may be exposed
for blackmail. The incident can also lead to unreliable information from fraudulent actors being sent

based on the elected representatives' email accounts.

We would also like to emphasize that we consider that this breach may have entailed a potential risk of greater
attacks on the Storting as an institution, with the email system as the attack vector.

General preventive reasons and the consideration that the rules should have effect and work as intended

then speaks with force for a strict reaction, and for the imposition of an infringement fine.

a) whether the violation was committed intentionally or negligently
The case shows that there has been a failure in the Storting's administration to take care of
the principle of liability that follows from the Privacy Ordinance, Article 5, no. 2. The Norwegian Data Protection Authority

finds that the Storting's administration, through the Storting's director, has acted with gross negligence, cf.
HR-2021-797-A, cf. also the Privacy Ordinance Article 5 No. 2, for not having implemented
a solution for two-factor authentication when creating an email account for the elected representatives. The effect
of secure authentication as a measure must be considered to be well known, compared with that of the Storting
even had identified the high risk the lack of such a measure posed. Furthermore, we find
it is reprehensible that the Storting did not follow up on the known vulnerability either
organizational measures that to a certain extent could have remedied the technical deficiencies.

b) any measures taken by the data controller or data processor to
limit the damage suffered by the data subjects

7, After the attack, new password requirements were introduced, extended scope of
security logging, updated mobile device policies and started work on
introduction of two-factor authentication. In addition, training measures were implemented by employees to
raise awareness of information security.

(c) the degree of responsibility of the controller or processor, taking into account
to the technical and organizational measures they have implemented in accordance with Article 25 and

32
The Storting's administration took a significant risk as it did not create email accounts
two-factor authentication was introduced; and has a responsibility that this was not done. That this was not
done at the time of the second attack is an aggravating circumstance.

d) any relevant previous violations committed by the data controller or
the data processor
There are no previous violations from the Storting's administration.

e) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
possible negative effects of it
There has been no cooperation between the Norwegian Data Protection Authority and the Storting's administration to remedy
on the damage.

f) the categories of personal data affected by the infringement
Subsequent investigations revealed that the attackers had downloaded various amounts of data, including
this included bank and account information, birth number, health information and
personal information about third parties. This is stated in the submitted notification of 6 September 2020.

It is an aggravating circumstance that health information has gone astray.

g) the manner in which the supervisory authority became aware of the infringement, in particular whether and
possibly to what extent the data controller or data processor has
notified of the infringement

The Storting notified the Norwegian Data Protection Authority of the breach of personal data security by notifying 6.
September 2020. The Storting has further answered our requests for further information,
as well as facilitated to give the Data Inspectorate access to relevant documentation in connection with our
investigation of the case.

(h) if the measures referred to in Article 58 (2) have previously been taken against the person concerned

data controller or data processor with respect to the same subject matter, that
the said measures are complied with
No measures have been taken before the Storting with regard to the same subject matter.

(i) compliance with approved standards of conduct in accordance with Article 40 or approved

certification mechanisms in accordance with Article 42
This is not relevant to the case.

8, j) any other aggravating or mitigating factor in the case, e.g. economic benefits
which have been obtained, or losses which have been avoided, directly or indirectly, as a result of
the infringement
The Norwegian Data Protection Authority assumes that the Storting must be regarded as an attractive target for computer attacks, and that
based on a risk assessment, a significantly stricter safety regime should have been added

superficial. The ROS analysis describes various measures in the summary section, among others
compulsory training in information security and documentation of completed training,
as well as clarification of sanction options for own employees and agreements with party groups
to be able to impose the same sanctions there.

In an aggravating direction, it is assumed that a solution with two-factor authentication was not
implemented in the solution, despite the fact that this must be considered a known and effective

safety measures. The Storting had itself identified a lack of authentication as a vulnerability.

9. Overall assessment
In the Data Inspectorate's assessment, the matter is important in principle. The Data Inspectorate considers it difficult

serious that the Storting's administration has shown an inability to implement necessary
security measures that the administration itself has identified the need for in the mapping of
the risk of processing personal data. We emphasize that the Privacy Regulation
requires that the results of such surveys be followed up with appropriate measures, and that
is precisely this which is the purpose of conducting risk assessments, cf.
the Privacy Ordinance Article 32 No. 1 letter b. The incident that triggered the message to
The Norwegian Data Protection Authority and which forms the basis for the decision, could and should have been avoided if

The Storting had implemented measures to remedy the vulnerabilities that were made known through
the risk assessment.

We assume that the Storting's administration has a vested interest in establishing the Storting
computer systems in line with recommendations from national professional authorities. It's the administration
who is responsible for the operation of these systems, and the responsibility for implementing them

the safety measures necessary to make the systems robust, in accordance with the law
requirements, cf. the Privacy Ordinance Article 5 No. 2, cf. Article 5 No. 1 letter f, cf. also Article
32 No. 1 letter b.

Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that the Storting should be given one
infringement fine.

10. The size of the fee
In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that

«As a starting point, the same rules for infringement fines shall apply
public bodies as for private, as this is the scheme under current

Personal Data Act. »

9, With regard to the amount of the fee, the same factors as when assessing whether the fee
shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
the specific case, at the same time as the size of the fee must be in a reasonable proportion to
the violation and the activity, cf. art. 83 No. 1.

After an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of
the infringement and the legislation's requirement that the imposition of infringement fines in each individual case

should be effective, proportionate and dissuasive, we have come to that one
violation fee of two million - 2,000,000 - kroner is considered correct.

11. Complaint
You can appeal the decision. Any complaint must be sent to us by Monday 15 August
2022. If we uphold our decision, we will send the case to the Privacy Board for
complaint processing, cf. the Personal Data Act § 22.

12. Transparency and publicity
You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform

that all documents are in principle public, cf. the Public Access to Information Act § 3, but
emphasizes at the same time that security documentation is as a general rule exempt from public access, cf.
the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.

If you have any questions, you can contact caseworker Knut B. Kaspersen.

With best regards

Janne Stang Dahl
acting director
Knut Brede Kaspersen

legal director

The document is electronically approved and therefore has no handwritten signatures

@@ Line 11: / Line 11: @@
 |Original_Source_Name_1=Datatilsynet
-|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/f72430ebb5734c1da295772c790225ed/varsel-om-vedtak-om-overtredelsesgebyr.pdf
+|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/338d64f46fbb436aa61b0fc4d7b794da/stortinget-vedtak.pdf
 |Original_Source_Language_1=Norwegian
 |Original_Source_Language__Code_1=NO
 |Original_Source_Name_2=Datatilsynet
-|Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/varsel-om-overtredelsesgebyr-til-stortinget/
+|Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/overtredelsesgebyr-til-stortinget/
 |Original_Source_Language_2=Norwegian
 |Original_Source_Language__Code_2=NO
@@ Line 58: / Line 58: @@
 }}
-The Norwegian DPA published a draft decision setting out its intention to fine the Parliament about €196,400 (NOK 2,000,000) for a data breach where perpetrators got access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and organizational measures.
+The Norwegian DPA fine the Parliament about €196,400 (NOK 2,000,000) for a data breach where perpetrators got access to employees' email accounts and health-related data, enabled by the lack of two-factor authentication and organizational measures.
 == English Summary ==
@@ Line 72: / Line 72: @@
 The DPA found that the Parliament, despite having identified several risks, lacked sufficient technical and organizational measures, including two-factor authentication, thus breaching [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]] and [[Article 32 GDPR#1d|Article 32(1)(d)]], cf. [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].
-For this, the DPA intends to fine the Parliament about €196,400 (NOK 2 million). This is only a notification of a fine and the Parliament has three weeks to submit their views, after which the DPA will make their final decision.
+For this, the DPA fined the Parliament about €196,400 (NOK 2 million).
 == Comment ==
-''Update 15/02/2022: the Norwegian DPA has received [https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/stortingets-tilsvar-til-datatilsynet/ a response from the Parliament] (in Norwegian) with feedback on their decision. After the feedback has been reviewed, the DPA will make a final decision.''
+''Share comments here!''
 == Further Resources ==
-''Share blogs or news articles here!''
+''On 15 February 2022:the Norwegian DPA received [https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/stortingets-tilsvar-til-datatilsynet/ a response from the Parliament] (in Norwegian) with feedback on their decision.''
 == English Machine Translation of the Decision ==
@@ Line 86: / Line 86: @@
   THE PARLIAMENT
   PO Box 1700 Center
-                                                                Exempt from public:
+OSLO
-OSLO Offl. § 13 cf. Popplyl. § 24 (1) 2.
-                                                                pkt.
@@ Line 96: / Line 94: @@
- Their reference Our reference Date
-/ 03500-8 13.01.2022
+Their reference Our reference Date
+/ 03500-10 04.03.2022
-Notification of decision on infringement fine
+Decision on violation fee - Notification of deviation - The Storting
 Introduction
-The Norwegian Data Protection Authority refers to the submitted notification of 6 September 2020 of a breach
-personal data security, as well as the Storting's response to the report of 8 December 2020.
+The Data Inspectorate refers to the submitted notification of 6 September 2020 of a breach
+personal data security, notification of infringement fee of 13 January 2022 and
+The Storting's response of 14 February 2022.
 We also refer to other correspondence and documentation that has been made available to us
+which can be linked to the relevant notification of a breach of personal data security. It
-which can be linked to the relevant notification of a breach of personal data security. It
+the overall documentation forms the basis for the decision. It is the attack in 2020 that lies ahead
-the overall documentation forms the basis for this notification of decision. It is attacked in 2020
+reason for the decision. The events of March 2021 are of a different nature, and will not matter
-which is the basis for the decision. The events of March 2021 are of a different nature, and will not
+for this decision.
-have significance for this decision.
 In the following, Multi Factor Authentication (MFA), two-factor authentication and strong
 authentication means the same thing. In the following, these will be referred to under the collective term
+«Two-factor authentication».
+. The Data Inspectorate's comments on the Storting's response
+    The Norwegian Data Protection Authority has noticed that the Storting acknowledges that IT security could have been better then
+    the attack occurred.
+    Secondly, the Storting's administration points out that the follow-up of ROS 2020 must be seen in the light of
+    that the Storting's administration in the spring of 2020 was strongly affected by the pandemic and
+    the shutdown that hit the country in early March 2020, and the subsequent one
+    holiday settlement. It is also pointed out that the representatives of the Storting and the employees in
+    the party groups were not subject to instruction authority from the Storting's director, and that
+    this made the further process time consuming.
+    The Data Inspectorate cannot see that these are factors that have a significant effect on whether or not
+    violation fee must be given and the amount of this.
-«Two-factor authentication».
-. Notification of decision on infringement fee
-This is a notification pursuant to the Public Administration Act § 16 that the Norwegian Data Protection Authority is considering the following
+Postal address: Office address: Telephone: Org.nr: Homepage:
-decision on infringement fine:
+PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
+OSLO 0191 OSLO, 3. Decision on infringement fine
+    Based on the information in the case, the Data Inspectorate believes that the Storting has violated the rules on
+    personal data security in the Privacy Ordinance:
      Pursuant to the Personal Data Act § 26 second paragraph, cf. the Privacy Ordinance
       Article 58 (2) (i), cf. Article 83, a violation fee of two shall be imposed on the Storting.
       million - 2,000,000 - kroner to the Treasury for not having carried out suitable technical
       and organizational measures, including two-factor authentication, to achieve a level of security
       which is suitable in terms of the risk of achieving lasting confidentiality, integrity
-      and robustness, cf. the Privacy Ordinance Article 32 No. 1 letter b) and d), cf. Article 5
+      and robustness, cf. Article 32 (1) (b) and (d) of the Privacy Regulation, cf. Article 5
+     No. 1 letter f).
-     No. 1 letter f).
 The background and reasons for the decision follow below.
+. The case
-Postal address: Office address: Telephone: Org.nr: Website:
-PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no 1
-OSLO 0191 OSLO3. The case
 On 2 September 2020, the Storting was informed that it had been exposed to a data breach
 (unauthorized login) linked to the email accounts of an unknown number of parliamentary representatives and
-employees in the administration and the group secretariats. It was one of the employees who gave notice
+employees in the administration and the group secretariats. It was one of the employees who notified
 the administration after the person in question had been contacted by his bank for an attempt
 misuse of payment cards abroad.
 Subsequent investigations revealed that attackers had downloaded different amounts of data and that
 this data could contain personal data originating from the employees concerned
 email account. It was in the deviation report to the Data Inspectorate and subsequent additional report
@@ Line 160: / Line 178: @@
 personal information about third parties, birth number and health information.
+Possible consequences for those affected by the attack could be abuse of identity, abuse of
+payment cards and use of information for extortion.
-Possible consequences for those affected by the attack may be abuse of identity, abuse of
-payment cards and use of information for extortion.
 The Storting's administration later became aware that personal information from 13 email accounts
 could be lost. Those affected were informed and followed up to limit damage. People
 which were mentioned in the emails of the affected (third parties) were notified.
 As a result of the incident, the Storting implemented a number of risk-reducing and preventive measures
 measures. Among other things, new password requirements were introduced, the scope of security logging became
-expanded and mobile device guidelines were updated. Work was also started on
+expanded and mobile guidelines were updated. Work was also started on
 introduce two-factor authentication. In addition, training measures were implemented by employees to increase
 raising awareness of information security.
 The Storting has close contact with relevant security authorities in this matter. The relationship is
 reported to the police and PST is investigating the case.
-. Relevant legal rules and guidance on two-factor authentication as a security measure
+.5. Relevant legal rules and guidance on two-factor authentication as a security measure
 The discrepancies concern breaches of confidentiality, integrity and robustness. In the Privacy Ordinance
 Article 32 states:
@@ Line 186: / Line 207: @@
 «Taking into account the technical development, the implementation costs and the nature of the treatment,
 the scope, purpose and context in which it is performed, as well as the risks of varying probabilities and
-severity of the rights and freedoms of natural persons, the person responsible for treatment and
+severity of the rights and freedoms of natural persons, the data controller and
 the data processor implement appropriate technical and organizational measures to achieve a level of security
 which is suitable in terms of risk, including, inter alia, as appropriate,
       a) pseudonymisation and encryption of personal data,
       b) ability to ensure lasting confidentiality, integrity, availability and robustness in
          treatment systems and services,
-      c) ability to restore the availability and access to personal information in a timely manner if any
+      c) ability to restore the availability and access to personal information in a timely manner if necessary
          a physical or technical event occurs,
       d) a process for regular testing, analysis and assessment of how effective the treatment is
          technical and organizational security measures are. "
+Article 5 (1) (f) of the Privacy Ordinance states that personal data
+«Shall be processed in a manner that ensures adequate security of personal data,
+including protection against unauthorized or illegal treatment and against accidental loss, destruction or
-In the Privacy Ordinance Article 5 No. 1 letter f) it is stated that personal data
-«Shall be processed in a manner that ensures adequate security of personal data,
-including protection against unauthorized or unlawful treatment and against unintentional loss, destruction or
 damage, through the use of appropriate technical or organizational measures («integrity and
 confidentiality »)».
+Article 32 requires that a specific assessment of the risk to the physical be carried out
+persons' rights and freedoms, compared with probability and severity.
+The survey must be linked to the relevant business and their treatment of
-Article 32 requires that a specific assessment of the risk to the physical be carried out
-rights and freedoms of persons, in relation to the degree of probability and seriousness.
-The mapping must be linked to the relevant business and their treatment of
 personal information.
-Furthermore, the provision stipulates that suitable technical and
+Furthermore, the provision requires that suitable technical and
 organizational measures to achieve an appropriate level of information security related to closer
 areas referred to in Article 32 (1) (a) to (d). This must be considered a duty to deal with
 and reduce the risks identified in the survey through the introduction of measures. These can
 either be technical measures in the form of physical security such as
 authentication solutions, or organizational measures in the form of, for example, routines and
 training of personnel.
-In the Data Inspectorate's assessment of what must be regarded as suitable measures, a company's own
+In the Data Inspectorate's assessment of what must be considered suitable measures, a company's own
+assessment of risk and necessary measures are given great weight.
-assessment of risk and necessary measures are given great weight.
+The Storting's administration, as the person responsible for processing, undertakes to familiarize itself with it
-As the person responsible for processing, the Storting's administration undertakes to familiarize itself with
 regulations in the field of privacy, including the requirements for conducting risk assessments and
-implement necessary measures to achieve a satisfactory level of safety. This follows from
+implement necessary measures to achieve a satisfactory level of safety. This follows
 Article 5 (2) of the Privacy Regulation.
 We assume that there may be alternative measures to ensure sufficient and effective
 security level. The introduction of two-factor authentication is an example of security measures that are
-recognized as efficient and easily accessible. In this connection, we refer to both the Danish Data Protection Agency
+, recognized as efficient and easily accessible. In this connection, we refer to both the Danish Data Protection Agency
 and the National Security Authority (NSM) on their websites have published supplementary
 information on why and when two-factor authentication should or should be introduced.
+On NSM's website, clear recommendations have been given on the use of two - factor authentication
+creation of i.a. email account. NSM also recommends requirements for unique passwords per service.
-On NSM's website, clear recommendations have been given on the use of two-factor authentication
-creation of i.a. email account. NSM also recommends requirements for unique passwords per service.
 On the Data Inspectorate's website, we provide information on strong authentication as a security measure. It's called
@@ Line 247: / Line 269: @@
          Many services are based only on something you know in the form of a username and password.
+        Very many also use the same password on several different services. Something that makes you
+        who use even more prone to others logging in like you on various services.
-        Very many also use the same password on several different services. Something that makes you
-        who use even more prone to others logging in as you on various services.
          Often a service will make demands on the complexity of the password such as requirements
-         minimum length, requirement to use numbers, lowercase and uppercase letters, and possibly
+         minimum length, requirements for the use of numbers, lowercase and uppercase letters, and possibly
+        special characters. This may reduce the ability to guess passwords, but users have one
-special characters. This may reduce the ability to guess passwords, but users have one
          tend to use the same type of pattern. Summer 2017 is a type of password that many
          unfortunately user. It is also common for users to reuse the same password
          more services.
          If the password should go astray, it does not matter where
          strong / complex password is. Unfortunately, there are many ways a password can get in the way
          weighs on. For example, leaks from other places where the user uses the same
          passwords, malware on the PC of users who pick up usernames and passwords,
          "Man in the middle" attacks and phishing attacks.
          Therefore, two-factor authentication is a much more secure solution. When using such authentication
          the consequences of usernames and passwords going astray will be far less.
+         In Norway, we have seen examples of both political parties and schools having experienced that someone
-         In Norway, we have seen examples of both political parties and schools experiencing that someone
          has acquired unauthorized access to systems due to lack of strong authentication.
          The Norwegian Data Protection Authority may impose the use of strong authentication if we consider that it is
          necessary to ensure safety.
 The Norwegian Data Protection Authority does not rule out that other measures may lead to a similar level of security as
 two-factor authentication.
 . The Data Inspectorate's assessment of the Storting's solution for authentication of users
-The Storting had not introduced two-factor authentication for users of their e-mail systems
+The Storting had not introduced a sufficient solution for two-factor authentication for all users
+of their email systems at the time of the security breach in September 2020. In the latter
+the version of the ROS analysis related to authentication that was completed in March 2020, was
+lack of two-factor authentication identified as "high risk" for unauthorized access.
-the time of the security breach in September 2020. In the latest version of the ROS analysis
-related to authentication that was completed in March 2020, there was a lack of two-factor authentication
-identified as "high risk" for unauthorized access.
-The Storting's report of 8 December 2020 states that there is ongoing work to
+, The Storting's report of 8 December 2020 states that there is ongoing work to
 introduce two-factor authentication for users on all solutions where technically possible, including
 also email.
 We have also noted that a lack of safety culture was identified as a "high risk" for
 unauthorized access to the Storting's systems in the ROS analysis in 2020. In the ROS analysis
 concluding summary, it appears that it is perceived as challenging that different
 user groups are not subject to instruction authority from the Storting's administration.
 Lack of security culture, low competence and little focus on privacy are considered as one
 very high risk.
 In our view, the description in the ROS analysis reveals vulnerabilities that could have been
 compensated by organizational measures, as required by Article 32. Examples of such measures are
 mapping of employees' knowledge of information security and privacy, and targeted
 training of employees.
+As organizational measures, guidelines and routines for the use of the company's email account
-As organizational measures, guidelines and routines for using the company's email account
 could be effective and necessary to reduce the risk posed by human factors.
 These should be part of the management system for privacy and information security, which is
 decided by the management of the business.
-The Norwegian Data Protection Authority is serious about the fact that no technical measures have been implemented by the Storting
+The Data Inspectorate takes a serious view of the fact that no technical measures have been implemented by the Storting
 which could have prevented the violation, e.g. through the use of two-factor authentication.
 Missing or deficient security measures increase the likelihood of security breaches.
 The consequences can be very serious for the companies and their employees who are affected
@@ Line 326: / Line 344: @@
 Attacks via employees' emails are considered a well-known and real attack vector by
 data security breach. Access to email accounts is a known method of accessing additional
 systems in a business.
 Secure authentication is considered a simple and essential security measure to reduce the risk
 for such attacks.
 In this case, the intruders have gained access to a number of the Storting's e-mail accounts due to
 lack of security measures. The Storting had previously carried out a risk assessment which
 concluded that two-factor authentication should be introduced. However, this has taken
 disproportionately long time.
 When the Data Inspectorate's reading of the ROS analysis in May 2021, the introduction of
 two-factor authentication completed. The Storting's lack of introduction of those security measures
 which the Storting itself has considered necessary in this area, has made the service become
 being less robust and vulnerable to attack. The Data Inspectorate believes it is clear that if
 necessary technical and organizational security measures had been implemented in the past
 time, the Storting's infrastructure would have been more robust, and the attack could have been
 avoided.
-Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case
+, Lack of introduction of appropriate measures to deal with an identified vulnerability, in this case
 change of the authentication solution, in addition to deficient organizational measures, is considered to
 constitute a breach of Article 32 (1) (b) and (d) of the Privacy Regulation. They mentioned
 the provisions require the data controller to establish an appropriate level of safety
 to ensure lasting confidentiality, integrity, availability and robustness of the services.
-. The Privacy Regulation's rules on infringement fines
+. The Privacy Regulation's rules on infringement fines
 The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public
 authorities and bodies infringement fines under the rules of the Privacy Regulation Article
 , cf. Article 83 (1) and (2).
 The right to impose infringement fines shall be a tool to ensure effective
@@ Line 365: / Line 386: @@
 punishment under Article 6 of the European Convention on Human Rights.
+The Norwegian Data Protection Authority therefore assumes that a clear probability preponderance is required for
+offense in order to impose a fee. The case and the question of imposing
+infringement fees are assessed on the basis of this evidentiary requirement.
-Datatilsynet therefore assumes that a clear preponderance of probabilities is required
-offense in order to impose a fee. The case and the question of imposing
-infringement fines are assessed on the basis of this evidentiary requirement.
 In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.
 By an administrative sanction is meant a negative reaction that can be imposed by a
 administrative body, which addresses a committed violation of law, regulation or individual
+decision, which is considered a punishment under the European Convention on Human Rights
+(EMF).
-decision, which is considered a punishment under the European Convention on Human Rights
-(EMK).
 It is directly stated in the wording of the Penal Code § 27 that there is an objective criminal liability for
-companies. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court has ruled that objectively
+enterprises. In a judgment of 5 April 2021 (HR-2021-797-A), the Supreme Court has ruled that objectively
 liability for corporate punishment is not compatible with the concept of punishment in the European
 Convention on Human Rights, as interpreted by the European Court of Human Rights.
+In a letter dated 2 June 2021, the Ministry of Local Government and Modernization has sent to the Ministry of Justice and
-In a letter dated 2 June 2021, the Ministry of Local Government and Modernization has sent to the Ministry of Justice and
 the Ministry of Emergency Management's briefing of 12 May 2021 on the significance of this
 the Supreme Court ruling for administrative sanctions. The Ministry of Justice and Emergency Preparedness states
 following:
          «Pending the report on corporate penalties and any proposals for legislative amendments,
          we recommend that the ministries inform their underlying agencies about the Supreme Court
          decision, and that this for the time being is also used as a basis for imposing
          infringement charge against companies. This means that by the imposition of
@@ Line 399: / Line 417: @@
          the company has shown general negligence. "
+Article 83 provides in principle that the imposition of an infringement fine depends on a
+discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting
-Article 83 provides in principle that the imposition of infringement fines depends on a
-discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting
 moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure
-that the imposition of infringement fines in each individual case is effective is stated in a reasonable
+, that the imposition of infringement fines in each individual case is effective, is in a reasonable
 relation to the violation and acts as a deterrent.
+. The Data Inspectorate's assessment of whether an infringement fee should be imposed
-. The Data Inspectorate's assessment of whether an infringement fee should be imposed
 In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following
 moments:
 a) the nature, severity and duration of the infringement, taking into account
+    the nature, extent or purpose of the action concerned and the number of data subjects affected,
+    and the extent of the damage they have suffered
-    the nature, extent or purpose of the act concerned or the number of data subjects affected,
-    and the extent of the damage they have suffered
 Violations of personal data security include breaches of confidentiality, integrity and
-robustness. In this case, it must be specifically assumed that the elected representatives and the employees know
+robustness. In this case, it must be concretely assumed that the elected representatives and the employees know
 The Storting has a clear and worthy of protection interest in having information about them processed
 in a safe way.
+Unauthorized access to the Storting's systems can have serious consequences for the individual and
+for other people's personal information that the mailboxes potentially contain. The event may have
+entails that the environment has access to information that the registered person (s) have not themselves chosen to
-Authorized access to the Storting's systems can have serious consequences for the individual and
-for other people's personal information that the mailboxes potentially contain. The event may have
-entails that the surroundings have access to information that the registered person (s) have not themselves chosen to
 make known, and it is unknown to what extent this information may have been disseminated.
 The breach of personal data security has meant that the representatives have lost control
 over the personal information contained in their email accounts. As a consequence of
+Inadequate security measures, there will be a probability that the elected representatives may be exposed
+for blackmail. The incident can also lead to unreliable information from fraudulent actors being sent
-Inadequate security measures, there will be a probability that the elected representatives may be exposed
-for blackmail. The incident may also result in unreliable information being sent from fraudulent actors
 based on the elected representatives' email accounts.
 We would also like to emphasize that we consider that this breach may have entailed a potential risk of greater
 attacks on the Storting as an institution, with the email system as the attack vector.
 General preventive reasons and the consideration that the rules should have effect and work as intended
-speaks then with force for a strict reaction, and for the imposition of an infringement fine.
-b) whether the infringement was committed intentionally or negligently
+then speaks with force for a strict reaction, and for the imposition of an infringement fine.
+a) whether the violation was committed intentionally or negligently
 The case shows that there has been a failure in the Storting's administration to take care of
 the principle of liability that follows from the Privacy Ordinance, Article 5, no. 2. The Norwegian Data Protection Authority
 finds that the Storting's administration, through the Storting's director, has acted with gross negligence, cf.
 HR-2021-797-A, cf. also the Privacy Ordinance Article 5 No. 2, for not having implemented
@@ Line 453: / Line 470: @@
 of secure authentication as a measure must be considered to be well known, compared with that of the Storting
 even had identified the high risk the lack of such a measure posed. Furthermore, we find
+it is reprehensible that the Storting did not follow up on the known vulnerability either
+organizational measures that to a certain extent could have remedied the technical deficiencies.
-it is reprehensible that the Storting did not follow up on the known vulnerability either
-organizational measures which to a certain extent could have remedied the technical deficiencies.
-c) any measures taken by the data controller or data processor to
+b) any measures taken by the data controller or data processor to
      limit the damage suffered by the data subjects
-After the attack, new password requirements were introduced, the scope of which was expanded
-security logging, updated guidelines for mobile devices and started work on
+, After the attack, new password requirements were introduced, extended scope of
+security logging, updated mobile device policies and started work on
 introduction of two-factor authentication. In addition, training measures were implemented by employees to
 raise awareness of information security.
+(c) the degree of responsibility of the controller or processor, taking into account
+    to the technical and organizational measures they have implemented in accordance with Article 25 and
-d) the degree of responsibility of the data controller or data processor, taking into account
-    to the technical and organizational measures they have implemented in accordance with Article 25 and
 The Storting's administration took a significant risk as it did not create email accounts
 two-factor authentication was introduced; and has a responsibility that this was not done. That this was not
 done at the time of the second attack is an aggravating circumstance.
-e) any relevant previous violations committed by the data controller or
+d) any relevant previous violations committed by the data controller or
      the data processor
 There are no previous violations from the Storting's administration.
+e) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
-f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
      possible negative effects of it
 There has been no cooperation between the Norwegian Data Protection Authority and the Storting's administration to remedy
@@ Line 487: / Line 505: @@
-g) the categories of personal data affected by the infringement
+f) the categories of personal data affected by the infringement
 Subsequent investigations revealed that the attackers had downloaded various amounts of data, including
 this included bank and account information, birth number, health information and
+personal information about third parties. This is stated in the submitted notification of 6 September 2020.
-personal information about third parties. This is stated in the submitted notification of 6 September 2020.
 It is an aggravating circumstance that health information has gone astray.
-h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
+g) the manner in which the supervisory authority became aware of the infringement, in particular whether and
      possibly to what extent the data controller or data processor has
      notified of the infringement
@@ Line 503: / Line 521: @@
 investigation of the case.
-(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
+(h) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
      data controller or data processor with respect to the same subject matter, that
@@ Line 509: / Line 527: @@
 No measures have been taken before the Storting with regard to the same subject matter.
+(i) compliance with approved standards of conduct in accordance with Article 40 or approved
-(j) compliance with approved standards of conduct in accordance with Article 40 or approved
      certification mechanisms in accordance with Article 42
 This is not relevant to the case.
-k) any other aggravating or mitigating factor in the case, e.g. economic benefits
+, j) any other aggravating or mitigating factor in the case, e.g. economic benefits
      which have been obtained, or losses which have been avoided, directly or indirectly, as a result of
      the infringement
@@ Line 529: / Line 550: @@
 implemented in the solution, despite the fact that this must be considered a known and effective
-safety measures. The Storting itself had identified a lack of authentication as a vulnerability.
+safety measures. The Storting had itself identified a lack of authentication as a vulnerability.
+. Overall assessment
+In the Data Inspectorate's assessment, the matter is important in principle. The Data Inspectorate considers it difficult
-. Overall assessment
-In the Data Inspectorate's assessment, the case is important in principle. The Data Inspectorate considers it difficult
 serious that the Storting's administration has shown an inability to implement necessary
 security measures that the administration itself has identified the need for in the mapping of
 the risk of processing personal data. We emphasize that the Privacy Regulation
 requires that the results of such surveys be followed up with appropriate measures, and that
 is precisely this which is the purpose of conducting risk assessments, cf.
 the Privacy Ordinance Article 32 No. 1 letter b. The incident that triggered the message to
-The Norwegian Data Protection Authority and which forms the basis for this notification could and should have been avoided
+The Norwegian Data Protection Authority and which forms the basis for the decision, could and should have been avoided if
-if the Storting had implemented measures to remedy the vulnerabilities that were made known
-through the risk assessment.
+The Storting had implemented measures to remedy the vulnerabilities that were made known through
+the risk assessment.
 We assume that the Storting's administration has a vested interest in establishing the Storting
 computer systems in line with recommendations from national professional authorities. It's the administration
 who is responsible for the operation of these systems, and the responsibility for implementing them
 the safety measures necessary to make the systems robust, in accordance with the law
 requirements, cf. the Privacy Ordinance Article 5 No. 2, cf. Article 5 No. 1 letter f, cf. also Article
 No. 1 letter b.
 Following an overall assessment, the Norwegian Data Protection Authority has come to the conclusion that the Storting should be given one
 infringement fine.
-. The size of the fee
+. The size of the fee
 In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that
          «As a starting point, the same rules for infringement fines shall apply
          public bodies as for private, as this is the scheme under current
          Personal Data Act. »
-With regard to the size of the fee, the same factors shall apply as when assessing whether the fee
+, With regard to the amount of the fee, the same factors as when assessing whether the fee
 shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
 the specific case, at the same time as the size of the fee must be in a reasonable proportion to
 the violation and the activity, cf. art. 83 No. 1.
@@ Line 577: / Line 599: @@
 After an overall assessment of the circumstances of the case, and in particular with regard to the seriousness of
 the infringement and the legislation's requirement that the imposition of infringement fines in each individual case
 should be effective, proportionate and dissuasive, we have come to that one
 violation fee of two million - 2,000,000 - kroner is considered correct.
+. Complaint
-. Concluding remarks
+You can appeal the decision. Any complaint must be sent to us by Monday 15 August
-We point out that this is a prior notice, and not a final decision, cf. § 16.
+. If we uphold our decision, we will send the case to the Privacy Board for
-If you have comments on this notice, we ask that these be sent to us within three weeks
+complaint processing, cf. the Personal Data Act § 22.
-after this letter is received. Deadline for feedback is February 14, 2022.
+. Transparency and publicity
+You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform
+that all documents are in principle public, cf. the Public Access to Information Act § 3, but
+emphasizes at the same time that security documentation is as a general rule exempt from public access, cf.
-. Transparency and publicity
-You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform
-that all the documents are in principle public, cf. the Public Access to Information Act § 3, but
-emphasizes at the same time that safety documentation is as a general rule exempt from public access, cf.
 the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2.
 If you have any questions, you can contact caseworker Knut B. Kaspersen.
-With best regards
-Bjørn Erik Thon
-director
-                                                                 Knut Brede Kaspersen
-                                                                 legal director
-The document is electronically approved and therefore has no handwritten signature.
+With best regards
+Janne Stang Dahl
+acting director
+                                                                  Knut Brede Kaspersen
+                                                                  legal director
+The document is electronically approved and therefore has no handwritten signatures
 </pre>