Editing Datatilsynet (Norway) - 19/02985

From GDPRhub


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 32: Line 32:
  
  
|Party_Name_1=Bergen municipality
+
|Party_Name_1=
 
|Party_Link_1=
 
|Party_Link_1=
 
|Party_Name_2=
 
|Party_Name_2=
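Review bot: the "Your text" side leaves |Party_Name_1= empty where the latest revision has |Party_Name_1=Bergen municipality, so saving this undo would blank the party field although the summary still names Bergen municipality as the controller that was fined. Keep the value "Bergen municipality" in Party_Name_1 unless removing it is the intended purpose of the undo.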
Line 54: Line 54:
 
Datatilsynet issued Bergen municipality a fine of 3 000 000 NOK (approximately 283 000 euro) for lacking technical and organisational measures to secure the personal data of pupils using the app Vigilo for communication.  
 
Datatilsynet issued Bergen municipality a fine of 3 000 000 NOK (approximately 283 000 euro) for lacking technical and organisational measures to secure the personal data of pupils using the app Vigilo for communication.  
  
==English Summary==
+
== English Summary ==
  
===Facts===
+
=== Facts ===
 
Bergen municipality notified Datatilsynet of several personal data breaches pursuant to Article 33 GDPR concerning the use of the Vigilo-app.  
 
Bergen municipality notified Datatilsynet of several personal data breaches pursuant to Article 33 GDPR concerning the use of the Vigilo-app.  
  
Line 63: Line 63:
 
In addition, information that pupils were living on a secret address was disclosed to 113 parents.  
 
In addition, information that pupils were living on a secret address was disclosed to 113 parents.  
  
===Dispute===
+
=== Dispute ===
 
The question for Datatilsynet was whether Bergen municipality as controller had implemented sufficient technical and organisational measures pursuant to Article 32 GDPR in relation to the leakage of pupils personal data to third-parties.
 
The question for Datatilsynet was whether Bergen municipality as controller had implemented sufficient technical and organisational measures pursuant to Article 32 GDPR in relation to the leakage of pupils personal data to third-parties.
  
===Holding===
+
=== Holding ===
 
Datatilsynet criticized the lack of security, and pointed amongst other things to an insufficient risk assessment, the time it took to issue guidelines to prevent such data breaches and the lack of quality of the guidelines, and an insufficient understanding of how the app worked at the time of rollout.  
 
Datatilsynet criticized the lack of security, and pointed amongst other things to an insufficient risk assessment, the time it took to issue guidelines to prevent such data breaches and the lack of quality of the guidelines, and an insufficient understanding of how the app worked at the time of rollout.  
  
==Comment==
+
== Comment ==
  
  
==Further Resources==
+
== Further Resources ==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
==English Machine Translation of the Decision==
+
== English Machine Translation of the Decision ==
 
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
 
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
  
