Datatilsynet (Norway) - 20/02137
|Datatilsynet - Telenor Norge AS|
|Relevant Law:||Article 32(1) GDPR|
Article 33 GDPR
Article 58(2)(b) GDPR
|National Case Number/Name:||Telenor Norge AS|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
The Norwegian DPA (Datatilsynet) issued a reprimand against Telenor Norge AS for a failure to implement appropriate personal data security measures in its voicemail box functions, and for failing to notify the Datatilsynet of a personal data breach by Telenor Norge AS.
English Summary[edit | edit source]
Facts[edit | edit source]
Telenor Norge AS is largest digital services provider in Norway in the telecommunications and data services sectors.
The Datatilsynet opened a supervisory case based on information that Telenor had detected a security breach in its voicemail box function.
Dispute[edit | edit source]
Had Telenor Norge violated Article 33 GDPR by failing to notify the Datatilsynet of the data breach? Had Telenor Norge violated Article 32(1) GDPR by failing to implement appropriate technical measures that would ensure an appropriate level of security for its voicemail box functions?
Holding[edit | edit source]
The Datatilsynet found that Telenor Norge had failed to fulfil its obligations under both Articles 33 and 32(1).
On this basis the Datatilsynet issued a reprimand to Telenor Norge pursuant to Article 58(2)(b) GDPR. Its rationale for issuing a reprimand rather than a fine was based on the Norwegian National Communications Authority already fining Telenor Norge 1.5 million NOK (approximately 139,000€) for the same incident under the Electronic Communications Act.
Comment[edit | edit source]
Recital 148 GDPR permits the issuing of other penalties such as reprimands alongside administrative fines. However, in the case of issuing reprimands against a service provider, Recital 148 GDPR suggests that this is an appropriate penalty only "in a case of a minor infringement". The questions of appropriate financial thresholds for acts constituting a "minor infringement", or whether the actions by Telenor were considered "minor infringements", were not discussed in this decision.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.