Datatilsynet (Norway) - 20/01516

From GDPRhub
Revision as of 08:43, 7 May 2022 by Riealeksandra (talk | contribs) (Riealeksandra moved page Datatilsynet (Norway) - 20/11347 to Datatilsynet (Norway) - 20/01516: Fixed title)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet - 20/11347
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 24 GDPR
Article 32(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 15.03.2021
Published: 09.04.2021
Fine: 1000000 NOK
Parties: Asker municipality
National Case Number/Name: 20/11347
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: n/a

The Norwegian DPA investigated a personal data breach notified by a municipality. The DPA found that the municipality had violated Articles 5, 6, and 32(1)(b) GDPR by publishing personal data on their webpage without a legal basis, without appropriate measures and without implementing proper routines when revealing information to the public.

English Summary


Datatilsynet received a notification of a personal data breach from Asker municipality. The municipality had published 127 counts of personal ID numbers and information deemed confidential under the Public Administration Act in the title of the public records. The documents themselves were not published.


The DPA found that the municipality had violated Articles 5 and 6 GDPR by publishing personal data on their webpage without a legal basis, and Articles 5 and 32(1)(b) by failing to implement appropriate technical and organisational measures to ensure ongoing confidentiality and integrity in their systems, and Article 24 GDPR for not implementing proper routines when handling the public records of mail. Datatilsynet held that publishing the title of documents containing sensitive information was a breach of Article 32(1)(b) GDPR, highlighting that the breach was reported to the municipality by a private individual and not noticed by the municipality itself. Datatilsynet highlighted that the personal data in question was not covered by the Public Administration Act. As such, the municipality did not have a legal basis cf. Article 6 GDPR. In addition, Datatilsynet found that the municipality lacked routines for publishing information to the public, violating Article 24 GDPR.


The decision discusses as well, the relationship between directive 95/46/EC and GDPR. The DPA highlighted that the initial breach happened before GDPR entered into force. As the violation was continuous and carried over into when the GDPR entered into force, the issue was decided under the GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.


 Katrineåsveien 20
 3440 SMOKE

Their reference Our reference Date
20 / 11347-143 20 / 01516-8 15.03.2021

Decision on violation fee - Asker municipality - Notification of deviations

1 Introduction

We refer to the submitted report of 20 May 2020 on breaches of personal data security,
follow-up letter of 22 May 2020, in which Asker municipality announces that they are looking seriously
the incident, and that in this connection they want the Data Inspectorate to carry out an on-site inspection,
as well as the municipality's response of 18 December 2020.

For the record, the Data Inspectorate draws attention to the fact that on-site inspections are not relevant
present time. This is due to the general situation related to the existing one

the pandemic in the country.

    Asker municipality is imposed pursuant to the Personal Data Act § 26 second paragraph, cf.

     Article 58 (2) (i) of the Privacy Regulation, cf. Article 83, to pay a
     infringement fee to the Treasury of 1,000,000 - one million - kroner
        • for having published personal information on the municipality's website without

            basis for processing, cf. Article 6 of the Privacy Ordinance, cf. Article 5, and
        • for not having implemented appropriate technical and organizational measures to achieve a
            level of security suitable for achieving continuing confidentiality in

            the treatment systems and services, cf. Article 32 (1) of the Privacy Regulation
            letter b), cf. Article 5, and
        • for not having satisfactory routines for handling the mailing lists on the internet, cf.

            Article 24 of the Personal Data Act, cf. the Personal Data Act § 26 first paragraph.

The background and reasons for the decision follow below.

2. The case
On 20 May 2020, the Norwegian Data Protection Authority received a report of a breach of personal data security from

Asker municipality. The municipality has published confidential information on its website
personal information. In addition, the municipality has published 127 birth numbers (all eleven digits)
on the website.

Postal address: Office address: Telephone: Fax: Website:
PO Box 458 Sentrum Tollbugt 3 22 39 69 00 22 42 23 50 974 761 467
0105 OSLOU The starting point for the incident was that the municipality was notified on 19 May 2020 by a private individual
that document titles from the municipality's mailing lists contained 127 names and birth numbers in to
together 170 journal entries. The information available was, in addition to the name and
birth number, title of the document. Several of the cases concern children, and include matters from
2009 to 2014. In some cases, this has meant that confidential information has also become available
published, e.g. in connection with decisions on PPT, special education and housing subsidies.
The document itself has not been publicly available. The document titles of the cases discussed

was immediately removed from the municipality's website.

The municipality has also conducted investigations to see if there are more cases of wrongdoing
publication of personal data in the mailing lists than what appears from the notification.
The municipality states that some discoveries have been made, but that the municipality will continue with further

In addition, the discrepancy includes 43 document titles about 33 employees from 2018 - 2019. The breach
personal data security has arisen as a result of routines not being followed.
The mailing lists are proofread by two people every day. Nevertheless, the municipality has not discovered
the discrepancies. The municipality states that it has not had routines for taking random samples in the old
mailing lists.

3 The offense

The deviations concern breaches of the personal data regulations' requirement for confidentiality.
Personal information that should have been screened has been made available to unauthorized persons
the municipality's website. The personal information covered by the breach is the birth number
and title of the document. The title of the document makes it clear that several of the cases involve children. IN
In some cases, this has meant that confidential personal information has also become available

published, e.g. in connection with decisions on PPT, special education and housing subsidies,
as well as other information of a confidential nature.

This constitutes a breach of Article 32 (1) (b) of the Privacy Regulation, which requires that
a level of security is established that is suitable for ensuring continued confidentiality. When the mailing lists
published on the municipality's website, it is clear that no such has been established
security level. That the incident is not discovered by the municipality, but by a private person also indicates

on deficient routines for detecting such incidents.

The incident includes personal information that is confidential pursuant to the Public Administration Act § 13 no.
Pursuant to section 7 of the Public Administration Regulations, it is not permitted to publish birth numbers and confidentiality
personal information on the internet. The consequence for those affected may have been that the mailing list has become
downloaded by unauthorized persons, who may distribute these further.

Public Administration Act § 10 third paragraph and Public Administration Regulations § 7 first paragraph states that enterprises
which are covered by the law can publish documents for the public on the Internet. It's up to
the individual business to decide if this should happen. Public Administration Regulations § 7 second paragraph
regulates which personal information cannot be published on the internet. Among other things, this will

                                                                                                2 applies to personal information that is subject to a duty of confidentiality, birth number and special
categories of information provided for in Articles 9 and 10 of the Privacy Regulation.

Personal information that appears from the mailing lists, which was posted on the municipality's
website, was subject to a duty of confidentiality.

If personal information is published on the Internet that is not permitted under the Public Access to Information Act,

the Privacy Regulation will apply. This means that the municipality must have one
suitable basis for processing pursuant to Article 6 of the Privacy Regulation in order to be able to publish such

However, when personal data is not permitted by law to be published on the Internet, none of them will
other conditions for establishing a valid basis for processing in accordance with the Privacy Ordinance
be fulfilled.

In addition, the practice could be a violation of Article 24, then established routines for handling
of the mailing lists are incomplete.

4 Which regulations are to be applied
The new Personal Data Act (Personal Data Act 2018), which in § 1 incorporates the EU
Privacy Ordinance in Norwegian law, entered into force on 20 July 2018. The law also repealed the law

14.04.2000 no. 31 on the processing of personal data (Personal Data Act 2000) and
the rules in regulation 15.12.2000 no. 1265 on the processing of personal data
(Personal Data Regulations 2000). Due to the course of events, it is necessary to
decide whether the case is to be assessed in accordance with the Personal Data Act 2018 or
the Personal Data Act 2000.

We have come to the conclusion that the Personal Data Act of 2018 must be applied in the case. Thus comes
also the provisions of the Privacy Ordinance apply, cf. section 1 of the Act. This applies to everyone
aspects of the case, including those concerning the imposition of infringement fines, cf. also
the Personal Data Act § 26 second paragraph and § 33.

This case concerns a breach of the regulations that has occurred at a time prior to
the entry into force of the Personal Data Act 2018. However, the breaches of regulations have been

continuous and has persisted in time, and was discovered on 19 May 2020, ie after
the date of entry into force of the new Personal Data Act. The current events have
in other words, extended over a longer period, from 2004 to 2020. At the time before 20.
July 2018, the Personal Data Act 2000 and the Personal Data Regulations 2000 applied.
Regulations §§ 2-6, 2-11, 2-13 and 2-14 regulated such matters as the case concerns.

The relevant conditions that are under consideration have thus arisen before the entry into force of

the Personal Data Act 2018, but they have persisted and been continuous for some time after that
The new Personal Data Act came into force on 20 July.

The Personal Data Act 2018 § 33 first paragraph lays down a special transitional rule on
infringement fee which reads as follows:

                                                                                                3 «The rules on the processing of personal data that applied at the time of the action,
        shall be used as a basis when a decision is made on an infringement fee. The legislation on
        the time of the decision shall nevertheless be used when this leads to a more favorable one
        result for the person responsible. "

When a decision is made on an infringement fee, the question of choice of law must therefore be assessed on the basis of

what must be considered the time of action. The Danish Data Protection Agency's assessment is that
the time of action in this case is extended in time - the illegal act or acts have
occurred before July 20, but it has been, and will continue to be, a constant
and continuous breaches of regulations until the person responsible for processing takes care of bringing
the treatment activities in accordance with the requirements of the regulations.

As the data controller has not done anything to make sure they bring

illegal treatment activities to cease and in accordance with regulatory requirements before August i
year, the time of action in § 33 must be considered to be after the date of entry into force of the new one
the Personal Data Act. It thus follows from the Personal Data Act § 33 that this case
shall be assessed in accordance with the Personal Data Act 2018. This is also in accordance with the ECHR
art 7, which refers to resp. «The time of the action» and «the time when [the action] was committed».

We also refer to the preparatory work for the Personal Data Act 2018 (Prop. 56 LS (2017-2018) page

196), where the Ministry states, among other things, the following on questions of choice of law between
the Personal Data Act 2000 and the Personal Data Act 2018:

        «The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to
        is made on the basis of the material rules in force at any given time ».

The same follows from the Privacy Board's practice in cases that do not concern infringement fines
and which is submitted to the tribunal before a new law, but which is processed according to a new law. See for example PVN-
2018-005 and PVN-2018-006.

Against this background, we consider it clear that cases that apply on an ongoing or ongoing basis
Violations of the rules must be assessed in accordance with the Personal Data Act 2018 and the Privacy Ordinance.

5 Assessment of the Privacy Ordinance's rules on infringement fines
The Personal Data Act § 26 second paragraph stipulates that the Data Inspectorate may impose public
authorities and bodies infringement fines under the rules of the Privacy Regulation Article

58, cf. Article 83 no. 7. It is stated here that «without prejudice to the authority of the supervisory authorities
to adopt corrective measures in accordance with Article 58 (2), each Member State may provide
rules on when and to what extent public authorities and bodies are established in the said
Member State may be fined. '

The right to impose infringement fines shall be a tool to ensure effective

compliance with and enforcement of the Personal Data Act. Infringement fee is to be regarded as

                                                                                               4 Penalties under Article 6 of the European Convention on Human Rights.

The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required
offense in order to impose a fee. The case and the question of imposing
infringement fines are assessed on the basis of this evidentiary requirement.

In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions.

By an administrative sanction is meant a negative reaction that can be imposed by a
administrative body, which addresses a committed violation of law, regulation or individual
decision, which is considered a punishment under the European Convention on Human Rights

For companies, the guilt assessment is unique. Section 46 (1) of the Public Administration Act states:

       "When it is stipulated by law that an administrative sanction may be imposed on an enterprise,
       the sanction can be imposed even if no individual has shown guilt ».

Prop. 62 L (2015-2016) page 199 states about § 46: «The wording that‘ none
individual has shown guilt ’is taken from the section on corporate punishment in the Penal Code § 27
first paragraph and shall be understood in the same way. The responsibility is therefore basically objective ».

Article 83 provides in principle that the imposition of an infringement fine depends on a
discretionary overall assessment, but lays down guidelines for the exercise of discretion by highlighting
moments that should have special emphasis. It is stated in Article 83 no. 1 that the Data Inspectorate shall ensure
that the imposition of infringement fines in each individual case is effective is stated in a reasonable
relation to the violation and acts as a deterrent.

In our assessment of whether we should impose an infringement fee, we have placed particular emphasis on the following

a) the nature, severity and duration of the infringement, taking into account
    the nature, extent or purpose of the action concerned and the number of data subjects affected,
    and the extent of the damage they have suffered

The breach of personal data security includes personal data of at least 120
persons, and includes 170 documents in the period 2004 - 2020.

The breach of personal data security has meant that the data subject has lost control of
information about oneself, and whether others have seen information about the person. The
is not logged in who is in and sees or downloads personal information from
the municipality's mailing list. The mailing lists contained personal information of a confidential nature.

Some of the personal information is subject to a duty of confidentiality, e.g. applies to this decision on PPT,
special education and housing subsidies.

                                                                                               5Datatilsynet takes a serious view that the municipality has not had routines that could have contributed to that
the breach was discovered. Furthermore, we also consider it very serious that the offense has taken place
over 16 years.

b) whether the infringement was committed intentionally or negligently

The Data Inspectorate finds it reprehensible that the municipality has published information about residents in

the municipality where confidentiality is required. Despite routines, the breach has occurred due to
of human failure. In addition, there have been insufficient routines to uncover the conditions
which is mentioned in the deviation report, which the municipality itself admits.

The case in question indicates that training / accountability has not had the desired effect,
and that one must then consider other measures to safeguard against such violations
personal data security.

The incident is serious and must be described as gross negligence.

c) any measures taken by the data controller or data processor to
    limit the damage suffered by the data subjects

The municipality states that they will contact the affected as soon as possible.

d) the degree of responsibility of the data controller or data processor, taking into account
    to the technical and organizational measures they have implemented in accordance with Article 25 and

The data controller is responsible for the lack of organizational and technical measures that are

suitable for achieving a level of safety appropriate to the risk.

e) any relevant previous violations committed by the data controller or
    the data processor

No previously relevant infringements can be identified.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it
    possible negative effects of it

This is not relevant in the case.

g) the categories of personal data affected by the infringement

It can be stated that special categories of information have been published on the municipality's
website, i.a. decisions on PPT, special education and housing subsidies. The documents themselves
it is referred to, however, has not been published.

                                                                                              6h) the manner in which the supervisory authority became aware of the infringement, in particular whether and
    possibly to what extent the data controller or data processor has
    notified of the infringement

The Norwegian Data Protection Authority became aware of this through a reported breach
personal data security 20 May 2020.

(i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned
    data controller or data processor with respect to the same subject matter, that
    the said measures are complied with

No measures have previously been taken against Asker municipality with regard to the same
case subject.

(j) compliance with approved standards of conduct in accordance with Article 40 or approved
    certification mechanisms in accordance with Article 42

Violation of behavioral norms has not been a topic in the deviation.

k) any other aggravating or mitigating factor in the case, e.g. economic benefits
    which have been obtained, or losses which have been avoided, directly or indirectly, as a result of

    the infringement

The Data Inspectorate has not established that Asker municipality has had financial benefits, or avoided
direct or indirect loss as a result of the infringement. Nor can anything be stated in
mitigating direction.

6 Overall assessment
We refer to the submitted report of 20 May 2020 on breaches of personal data security.
The Data Inspectorate views positively that Asker municipality quickly took action when the unsafe storage became
discovered and reported the deviation to the Norwegian Data Protection Authority. The municipality has also implemented measures such as
shall prevent similar offenses in the future.

In the Data Inspectorate's assessment, however, the matter is important in principle. Asker municipality should
been equipped to meet the requirements for personal data security when publishing mailing lists on
their website. In this regard, a decision on infringement fines can provide an important
signal effect.

Among other things, the municipality has not had routines for taking random samples in old mailing lists, something
the municipality states in the deviation report. This is also a consequence of the breach

personal data security was discovered by a private individual.

After an overall assessment, the Data Inspectorate has come to the conclusion that Asker municipality should be imposed a
infringement fine.

                                                                                              77 The size of the fee

In the preparatory work for the new Personal Data Act (Prop. 56 LS (2017-2018)), the Ministry states that

        «As a starting point, the same rules for infringement fines shall apply
        public bodies as for private, as this is the scheme under current
        Personal Data Act. »

The ministry further writes that they have noted the concern as some public
consultation bodies have expressed, but the Ministry assumes that within the rules of
Article 83 of the Regulation, which also sets out the factors to be taken into account in the measurement
of administrative fees, there is room for considerable consideration with regard to the size of
fee. The Ministry states that «[t] he flow limits in the regulation Article 83 state
maximum limits for the calculation of administrative fees, while no one has been set

minimum limits. "

With regard to the size of the fee, the same factors shall apply as when assessing whether the fee
shall be imposed, special weight shall be given. The fee should be set so high that it also has an effect beyond
the specific case, at the same time as the size of the fee must be in a reasonable proportion to
the infringement and the activity, cf. art. 83 No. 1.

We have in particular seen to it that the breach of personal data security is linked to one
processing of personal data where confidentiality is required, and that this has happened
over a period of 16 years. Furthermore, we have looked at the general expectation that citizens should be able to
ensure that municipal bodies follow the rules that have been given, and especially those that give individuals
rights that are intended to be a protection against the disclosure of this type of information.

We refer to the general preventive considerations and the signal effect of an infringement fee in
this matter, which we believe is significant. It is very important that all government agencies like
processes the citizens' personal data and information about vulnerable people is their own
responsibility consciously and that such incidents do not occur.

After an overall assessment of the case, and in particular with regard to the duration of the infringement and
seriousness and the legislation's requirement that the imposition of infringement fines in each individual case

should be effective, proportionate and dissuasive, we have come to that one
violation fee of NOK 1,000,000 is considered correct.

8 Right of appeal
You can appeal the decision. Any complaint must be sent to us within three weeks after this
the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision,

we send the case to the Privacy Board for complaint processing, cf. the Personal Data Act § 22


Bjørn Erik Thon
                                                               Knut Brede Kaspersen

                                                               legal director

The document is electronically approved and therefore has no handwritten signatures