Datatilsynet (Norway) - 20/01984

From GDPRhub
Datatilsynet - 20/01984
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 32(1)(b) GDPR
The Education Act § 15(1)
Public Administration Act § 13 no. 1
Type: Investigation
Outcome: Violation Found
Decided: 16.11.2020
Published: 16.11.2020
Fine: 200000 NOK
Parties: Indre Østfold kommune (municipality)
National Case Number/Name: 20/01984
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) fined Indre Østfold municipality €18,860 for publishing a former student's school folder openly on their website, therefore breaching Articles 32(1)(b), (5), and (6) of the GDPR.

English Summary


A former student asked a school to share their school folder. The municipality's routine is to keep records for access requests, which meant, in this case, that the folder was scanned and made available for access. It was, however, made openly available on their website and a local journalist was able to download the entire folder with its contents. The information was confidential, cf. the Education Act.

When the error was discovered, the folder was removed and the municipality notified the DPA of the personal data breach, as well as the affected data subject.


Was publishing the student's school folder online a breach of Article 32?


The DPA concluded that the municipality had breached the required information security requirements as per Article 32(1)(b), cf. Article 5, and that they didn't have any legal grounds for this processing as per Article 6, cf. Article 5 (the latter because the information was confidential and should never have been published openly). The municipality was fined €18,860.


It's interesting to note that the DPA also held that the municipality had breached Article 6, with the following logic: The folder and its content was subject to confidentiality as per the Freedom of Information Act. When the folder was openly published, the GDPR came into effect, meaning the municipality would require legal grounds for processing as per Article 6. However, since the personal data by law weren't allowed to be shared publically, none of the requirements for establishing legal grounds as per Article 6, were applicable, i.e. the municipality breached Article 6.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Violation fee to Indre Østfold municipality

The Norwegian Data Protection Authority has decided to give Indre Østfold municipality an infringement fee of NOK 200,000 for breach of confidentiality. Personal information that should have been protected was made available to unauthorized persons.

Violation fee to Indre Østfold municipality
Indre Østfold municipality, formerly Askim municipality, published the student folder of a former student on the municipality's website. The student file contained personal information that is subject to a duty of confidentiality.

Got tips from local newspaper

The starting point for the incident was that the student needed the student file in a study context, and therefore asked the municipality to send it over. The municipality's routine is for requests for access to be recorded. This means that the document in which access has been requested is also scanned and made available for access.

The student folder was available on the municipality's website from Friday 27 September to Monday 30 September. The municipality was made aware of the case by a journalist in the local newspaper Smaalenenes Avis. The documents were removed from the mailing list and exempted from public access immediately after they were discovered. The affected person was then notified.

The infringement fee does not change

After the Data Inspectorate sent a notification of infringement fines, we received feedback from the municipality. Here they regret that "personal sensitive information" was posted on the mailing list. The municipality also asked the Data Inspectorate to assess the size of the fee in light of the measures that were introduced afterwards.

An infringement fee shall reflect the severity of the offense in question. It follows from Norwegian law that the municipality must implement the necessary measures to prevent future offenses. The Norwegian Data Protection Authority has come to the conclusion that the subsequent measures to rectify the incidents, in view of the seriousness of the breach, do not have a significant effect on the size of the infringement fee.

We have therefore concluded that the notified fee will not change.