Datatilsynet (Norway) - 18/02579
| Datatilsynet - 2019-31-1424 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 5(1)(f) GDPR |
| Type: | n/a |
| Outcome: | Violation found |
| Decided: | 11.10.2019 |
| Published: | 1.12.2019 |
| Fine: | 120.000 EUR |
| Parties: | Skolemelding Vs. n/a |
| National Case Number: | 18/34319-1 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language: | Norwegian |
| Original Source: | [ https://www.datatilsynet.no/contentassets/ae65e212c134455c93f36a10c5a8c792/vedtak-oslo-kommune-oktober2019.pdf(in NO)] |
The Datatilsynet found that a pension company restricted data subject’s right of access under Article 15 GDPR.
English Summary
Facts
A citizen complained that his pension company refused to give him access to his medical consultant’s assessment. Thus, the complainant filed a complaint with the Datatilsynet. Before the Datatilsynet, the pension company claimed that such documents are considered internal and they are not shared with the clients, according to its privacy policy.
Dispute
Could a data controller limit the access right to personal data because these personal data are include in a internal document?
Holding
The Datatilsynet found that the company could not restrict the right of access to certain categories of personal data. Thus, it violated Article 15 GDPR. The Datatilsynet issued an injunction and ordered the company, as foreseen under 58(2)(c) GDPR, to carry out a concrete assessment on whether data subjects shall access personal data included in the medical consultants’ assessments.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Danish original for more details.
The content of the pdf decision cannot be copied/paste. You can find the translation of the summary provided by the datatilsynet authority here.
Source : [https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2019/gebyr-til-oslo-kommune-utdanningsetaten/ Datatilsynet]
Fee to Oslo Municipality Education Agency
In April 2019, the Data Inspectorate sent a notification to the Oslo Municipality Education Agency about a violation fee for breach of personal data security in the mobile application School Notification. In October, a final fee of NOK 1.2 million was adopted.
The fee is given because the municipality had not taken appropriate measures to achieve a level of security appropriate to the risk. The assessment emphasized, among other things:
One of the uses of the app is for parents to send messages about their children or announce absence when using free text fields. It facilitates the communication of sensitive personal information, such as health information, about the children. There are no technical measures to prevent this from happening, nor does the app inform you not to communicate such information. Had built-in privacy been taken into consideration, it would not have been a free-text field, but for example a drop-down list or check boxes.
Lack of security around logging in to the app has allowed unauthorized persons access to view and change personal information of more than 63,000 children in primary school in Oslo.
Inadequate security testing prior to the launch of the app led to it being launched with vulnerabilities well known in security environments worldwide.
The municipality has not been conscious of its responsibility and has launched a school messaging app with an unacceptable vulnerability without taking appropriate measures to close the vulnerabilities. They have also had insufficient control with the supplier when it comes to safety test results.
Read the entire case published in connection with the notice
Lower fee than notified
However, the Data Inspectorate has found that the notified fee of 2 million has to be slightly lowered. In our assessment, we have emphasized that the City of Oslo has taken measures to limit the damage as soon as the municipality became aware of the breach. The municipality has shown a willingness to organize the event.
