Datatilsynet (Norway) - 23/00708-28
| Datatilsynet - 23/00708-28 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 32 GDPR Article 83 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 18.03.2024 |
| Published: | |
| Fine: | 20,000,000 NOK |
| Parties: | Norwegian Labour and Welfare Administration |
| National Case Number/Name: | 23/00708-28 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | ec |
The DPA imposed a fine of €1,720,425.16 (NOK 20,000,000) on the Norwegian Labour and Welfare Administration because it made special categories of personal data of a large number of people available for a long time without the necessary security mechanisms being established.
English Summary
Facts
The controller is the Norwegian Labour and Welfare Administration.
The Norwegian DPA (“Datatilsynet”) audited the controller to check whether the controller ensured confidentiality in the management system used to process personal data to provide services. The audit was limited to the technical and organisational measures related to access management, logs and log control under Article 5(1)(f) GDPR and Article 32 GDPR. The audit also checked whether the controller established an appropriate management system under Article 5(2) GDPR and Article 24 GDPR.
Holding
The DPA found a number of breaches that showed structural and organisational weakness and a lack of management and understanding of the importance of data protection and the imposed requirements. The DPA identified 12 offences relating to the fact that the controller, having a large number of employees all over the country, lacked systematic control of employees’ use of the specialised systems.
The DPA found that the controller had organised itself in a way that a significant group of employees had broad access for official purposes. In combination with an inadequate system for log control, the DPA held that this was not compatible with the principle of confidentiality under Article 5(1)(f) GDPR and the requirements for organisational measures pursuant to Article 32 GDPR.
Moreover, the DPA found that no routine risk assessments were made and that therefore also the necessary “links” between risk level and access level were not routinely made. New ID administrators, who are in charge of granting accesses, received training that was very person-dependent and only described how accesses should be granted and not on what terms.
The DPA also found that employees had access to information about the entire population by default. Although the controller argued that it was for efficient case processing in order to provide good guidance and equal treatment and to process cases within a reasonable time, the DPA found that it was not in line with the confidentiality and the data minimisation principles (Article 5(1)(f) GDPR and Article 5(1)(c) GDPR) and security requirements under Article 32(1) GDPR. The DPA held that there were other alternative options that would take into account both efficiency in case processing and the GDPR requirements to safeguard the data subjects' privacy through technical and organisational security measures.
Based on the findings of the audit, the DPA gave 3 orders to the controller:
(1) The DPA ordered the controller to establish a comprehensive and suitable system for organisational measures to ensure and demonstrate compliance with Article 5(2) GDPR, Article 24 GDPR and Article 32 GDPR;
(2) the DPA ordered the controller to establish technical and organisational measures related to access management that provide satisfactory confidentiality protection of personal data under Article 5(1)(f) GDPR and Article 32(1) GDPR;
(3) the DPA ordered the controller to establish technical and organisational measures related to log control that provide satisfactory confidentiality protection of personal data under Article 5(1)(f) GDPR and Article 32(1) GDPR.
Therefore, the DPA imposed a fine of €1,720,425.16 (NOK 20,000,000) under Article 83 GDPR. The DPA took into account that the controller made special categories of personal data available for a long time and about a large number of people, without the necessary security mechanisms being established. Moreover, the DPA also took into account that the previous orders issued by the DPA during audits and evaluations throughout the years did not proof to be sufficiently effective.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
