Difference between revisions of "Datatilsynet (Norway) - 19/02985"

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=19/02985 |EC...")
 
Line 32: Line 32:
  
  
|Party_Name_1=
+
|Party_Name_1=Bergen municipality
 
|Party_Link_1=
 
|Party_Link_1=
 
|Party_Name_2=
 
|Party_Name_2=
Line 54: Line 54:
 
Datatilsynet issued Bergen municipality a fine of 3 000 000 NOK (approximately 283 000 euro) for lacking technical and organisational measures to secure the personal data of pupils using the app Vigilo for communication.  
 
Datatilsynet issued Bergen municipality a fine of 3 000 000 NOK (approximately 283 000 euro) for lacking technical and organisational measures to secure the personal data of pupils using the app Vigilo for communication.  
  
== English Summary ==
+
==English Summary==
  
=== Facts ===
+
===Facts===
 
Bergen municipality notified Datatilsynet of several personal data breaches pursuant to Article 33 GDPR concerning the use of the Vigilo-app.  
 
Bergen municipality notified Datatilsynet of several personal data breaches pursuant to Article 33 GDPR concerning the use of the Vigilo-app.  
  
Line 63: Line 63:
 
In addition, information that pupils were living on a secret address was disclosed to 113 parents.  
 
In addition, information that pupils were living on a secret address was disclosed to 113 parents.  
  
=== Dispute ===
+
===Dispute===
 
The question for Datatilsynet was whether Bergen municipality as controller had implemented sufficient technical and organisational measures pursuant to Article 32 GDPR in relation to the leakage of pupils personal data to third-parties.
 
The question for Datatilsynet was whether Bergen municipality as controller had implemented sufficient technical and organisational measures pursuant to Article 32 GDPR in relation to the leakage of pupils personal data to third-parties.
  
=== Holding ===
+
===Holding===
 
Datatilsynet criticized the lack of security, and pointed amongst other things to an insufficient risk assessment, the time it took to issue guidelines to prevent such data breaches and the lack of quality of the guidelines, and an insufficient understanding of how the app worked at the time of rollout.  
 
Datatilsynet criticized the lack of security, and pointed amongst other things to an insufficient risk assessment, the time it took to issue guidelines to prevent such data breaches and the lack of quality of the guidelines, and an insufficient understanding of how the app worked at the time of rollout.  
  
== Comment ==
+
==Comment==
  
  
== Further Resources ==
+
==Further Resources==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
== English Machine Translation of the Decision ==
+
==English Machine Translation of the Decision==
 
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
 
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
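Review bot: the unchanged Dispute sentence in this hunk still reads "pupils personal data to third-parties"; since the revision already touches the surrounding headings, correct it to "pupils' personal data to third parties" in the same edit. The Comment section is also still empty after this revision.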
  

Revision as of 19:25, 3 June 2020

Datatilsynet - 19/02985
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 19.05.2020
Fine: 3000000 NOK
Parties: Bergen municipality
National Case Number/Name: 19/02985
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

Datatilsynet issued Bergen municipality a fine of 3 000 000 NOK (approximately 283 000 euro) for lacking technical and organisational measures to secure the personal data of pupils using the app Vigilo for communication.

English Summary

Facts

Bergen municipality notified Datatilsynet of several personal data breaches pursuant to Article 33 GDPR concerning the use of the Vigilo app.

Through the use of the app, biological parents without parental responsibility received information by email about which school the pupil attended. In total, 477 parents without parental responsibility received such an email. By logging in to the app, they could find the child's name, school/kindergarten, grade, employees at the school, and the names of parents with parental responsibility.

In addition, information that pupils were living at a secret address was disclosed to 113 parents.

Dispute

The question for Datatilsynet was whether Bergen municipality, as controller, had implemented sufficient technical and organisational measures pursuant to Article 32 GDPR in relation to the leakage of pupils' personal data to third parties.

Holding

Datatilsynet criticized the lack of security and pointed, among other things, to an insufficient risk assessment, the time it took to issue guidelines to prevent such data breaches, the lack of quality of those guidelines, and an insufficient understanding of how the app worked at the time of rollout.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Not available due to the format of the linked pdf.