Datatilsynet (Norway) - 19/02985

From GDPRhub
Revision as of 18:52, 5 March 2022 by Riealeksandra (talk | contribs) (Riealeksandra moved page Datatilsynet - 19/02985 to Datatilsynet (Norway) - 19/02985)
Datatilsynet - 19/02985
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 19.05.2020
Fine: 3000000 NOK
Parties: Bergen municipality
National Case Number/Name: 19/02985
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

Datatilsynet issued Bergen municipality a fine of 3 000 000 NOK (approximately 283 000 euro) for lacking technical and organisational measures to secure the personal data of pupils using the app Vigilo for communication.

English Summary

Facts

Bergen municipality notified Datatilsynet of several personal data breaches pursuant to Article 33 GDPR concerning the use of the Vigilo-app.

Through the use of the app, biological parents without parental responsibility received information by email about which school the pupil attended. In total, 477 parents without parental responsibility received such an email. By logging in to the app, they could find the child's name, school/kindergarten, and grade, the employees at the school, and the names of parents with parental responsibility.

In addition, information that pupils were living at a secret address was disclosed to 113 parents.

Dispute

The question for Datatilsynet was whether Bergen municipality, as controller, had implemented sufficient technical and organisational measures pursuant to Article 32 GDPR in relation to the leakage of pupils' personal data to third parties.

Holding

Datatilsynet criticized the lack of security, and pointed amongst other things to an insufficient risk assessment, the time it took to issue guidelines to prevent such data breaches and the lack of quality of the guidelines, and an insufficient understanding of how the app worked at the time of rollout.

Comment

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Not available due to the format of the linked pdf.