Datatilsynet (Norway) - 19/02985
|Datatilsynet - 19/02985||
|---|---|
|Relevant Law:|Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 32(1)(b) GDPR|
|National Case Number/Name:|19/02985|
|European Case Law Identifier:|n/a|
|Original Source:|Datatilsynet (in NO)|
Datatilsynet issued Bergen municipality a fine of 3 000 000 NOK (approximately 283 000 euro) for lacking technical and organisational measures to secure the personal data of pupils using the app Vigilo for communication.
Bergen municipality notified Datatilsynet of several personal data breaches pursuant to Article 33 GDPR concerning the use of the Vigilo-app.
Through the use of the app, biological parents without parental responsibility received information by email about which school the pupil attended; in total, 477 parents without parental responsibility received such an email. By logging in to the app, information about the child's name, school/kindergarten, grade, employees at the school, and the name of parents with parental responsibility could be found.
In addition, information that pupils were living at a secret address was disclosed to 113 parents.
The question for Datatilsynet was whether Bergen municipality, as controller, had implemented sufficient technical and organisational measures pursuant to Article 32 GDPR in relation to the leakage of pupils' personal data to third parties.
Datatilsynet criticized the lack of security, and pointed amongst other things to an insufficient risk assessment, the time it took to issue guidelines to prevent such data breaches and the lack of quality of the guidelines, and an insufficient understanding of how the app worked at the time of rollout.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Not available due to the format of the linked pdf.