Datatilsynet (Norway) - 20/01626: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=20/01626 |EC...")
 
mNo edit summary
Line 56: Line 56:
}}
}}


The Norwegian DPA has notified the Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF) that they will receive a fine of €236,165 for NIF's breach of Article 5(1)(a), (c) and (f), Article 6, and Article 32, following a data breach where the personal data of 3,2 million people, many children, was exposed online. NIF has until 4 January 2021 to provide their feedback, before the DPA will make their final decision.
The Norwegian DPA has notified the Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF) that they will receive a fine of €236,165 for NIF's breach of Article 5(1)(a), (c) and (f), Article 6, and Article 32.  


== English Summary ==
The fine follows a data breach where the personal data of 3,2 million people, many children, was exposed online. NIF has until 4 January 2021 to provide their feedback, before the DPA will make their final decision.


=== Facts ===
==English Summary==
 
===Facts===
Following a routine sweep of Irish IP addresses, the Irish National Cyber Security Centre (CSIRT-IE) discovered the exposed personal data of millions of people. They alerted the Norwegian National Cyber Security Centre (NCSC), who then alerted NIF.
Following a routine sweep of Irish IP addresses, the Irish National Cyber Security Centre (CSIRT-IE) discovered the exposed personal data of millions of people. They alerted the Norwegian National Cyber Security Centre (NCSC), who then alerted NIF.


Line 68: Line 70:


The personal data involved in the breach were names, gender, birth date, address, phone number, email address and club affiliation. Of the 3,2 million people affected by the breach, almost half a million were children aged 3-17 years.  
The personal data involved in the breach were names, gender, birth date, address, phone number, email address and club affiliation. Of the 3,2 million people affected by the breach, almost half a million were children aged 3-17 years.  
===Dispute===
Did NIF uphold the principles of the GDPR, when they tested their new, cloud-based platform with real member personal data?
===Holding===
The DPA held that NIF breached several fundamental principles as per the GDPR, as they lacked sufficient risk assessment, considerations, routines and security measures.


The DPA found that the testing was conducted without sufficient risk assessments and that NIF lacked routines and security measures to properly protect the personal data, thus breaching Article 32. The DPA also emphasized that the purpose for the processing (testing new solutions for member administration) could have been achieved in a less intrusive way, e.g. by processing synthetic data - or, at least, through processing significantly less personal data. NIF should also have limited the categories of data subjects on which the testing was conducted.
The DPA found that the testing was conducted without sufficient risk assessments and that NIF lacked routines and security measures to properly protect the personal data, thus breaching Article 32. The DPA also emphasized that the purpose for the processing (testing new solutions for member administration) could have been achieved in a less intrusive way, e.g. by processing synthetic data - or, at least, through processing significantly less personal data. NIF should also have limited the categories of data subjects on which the testing was conducted.
Line 75: Line 83:
In sum, the DPA found that NIF had breached Article 5(1)(a), (c) and (f), Article 6, and Article 32. For this, NIF has received a notice of a €236,165 fine. NIF has until 4 January 2021 to provide their feedback, before the DPA will make their final decision.
In sum, the DPA found that NIF had breached Article 5(1)(a), (c) and (f), Article 6, and Article 32. For this, NIF has received a notice of a €236,165 fine. NIF has until 4 January 2021 to provide their feedback, before the DPA will make their final decision.


=== Dispute ===
==Comment==
Did NIF uphold the fundamental principles as per the GDPR, when they tested their new, cloud-based platform with real member personal data?
 
=== Holding ===
The DPA held that NIF breached several fundamental principles as per the GDPR, as they lacked sufficient risk assessment, considerations, routines and security measures.
 
== Comment ==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.



Revision as of 18:47, 8 December 2020

Datatilsynet - 20/01626
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Article 6 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2020
Published: 02.12.2020
Fine: 2500000 NOK
Parties: Norges idrettsforbund og olympiske og paralympiske komité (NIF)
the Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF)
The Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF)
National Case Number/Name: 20/01626
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA has notified the Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF) that they will receive a fine of €236,165 for NIF's breach of Article 5(1)(a), (c) and (f), Article 6, and Article 32.

The fine follows a data breach where the personal data of 3,2 million people, many children, was exposed online. NIF has until 4 January 2021 to provide their feedback, before the DPA will make their final decision.

English Summary

Facts

Following a routine sweep of Irish IP addresses, the Irish National Cyber Security Centre (CSIRT-IE) discovered the exposed personal data of millions of people. They alerted the Norwegian National Cyber Security Centre (NCSC), who then alerted NIF.

The data breach followed NIF's move from an on-premise solution to Azure and was related to testing of a service (Elasticsearch) that was meant to improve member administration. NIF decided to conduct the testing on real data and, further, that it was necessary to use a significant amount of data. They also felt it was essential to conduct the testing quickly. NIF has admitted that they didn't conduct sufficient risk assessments, nor did they assess whether it was possible to use anonymized data or a narrower data selection.

The personal data was exposed online in a total of 87 days. As soon as NIF was notified of the breach, they immediately corrected the mistake. It's not know if anyone has actually exploited the data breach.

The personal data involved in the breach were names, gender, birth date, address, phone number, email address and club affiliation. Of the 3,2 million people affected by the breach, almost half a million were children aged 3-17 years.

Dispute

Did NIF uphold the principles of the GDPR, when they tested their new, cloud-based platform with real member personal data?

Holding

The DPA held that NIF breached several fundamental principles as per the GDPR, as they lacked sufficient risk assessment, considerations, routines and security measures.

The DPA found that the testing was conducted without sufficient risk assessments and that NIF lacked routines and security measures to properly protect the personal data, thus breaching Article 32. The DPA also emphasized that the purpose for the processing (testing new solutions for member administration) could have been achieved in a less intrusive way, e.g. by processing synthetic data - or, at least, through processing significantly less personal data. NIF should also have limited the categories of data subjects on which the testing was conducted.

The DPA further assessed and concluded that NIF didn't have a purpose for the processing as per Article 5(1)(b), nor legal grounds as per Article 6.

In sum, the DPA found that NIF had breached Article 5(1)(a), (c) and (f), Article 6, and Article 32. For this, NIF has received a notice of a €236,165 fine. NIF has until 4 January 2021 to provide their feedback, before the DPA will make their final decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

<!doctype html><html class="no-js" lang="no"><head><meta charset="utf-8" /><title>Notification of violation fee to the Norwegian Sports Confederation | The Data Inspectorate </title><meta content="The Norwegian Data Protection Authority has sent the Norwegian Sports Confederation (NIF) a notice of infringement fines; 2.5 million kroner. The background for the case is that personal information about 3.2 million Norwegians was made available on & aring; online for 87 days e…" name="description" /><meta property="og:title" content="Notification of violation fee to the Norwegian Sports Confederation" /><meta property="og:description" content="The Norwegian Data Protection Authority has sent the Norwegian Sports Confederation (NIF) a notice of infringement fines; 2.5 million kroner. The background for the case is that personal information about 3.2 million Norwegians was made available on & aring; online for 87 days e…" /><meta property="og:type" content="website" /><meta property="og:url" content="https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-norges-idrettsforbund/" /><meta property="og:image" content="https://www.datatilsynet.no/contentassets/9682160e01d440ab847de2f98e218786/personregister_medlem2.jpg" /><meta property="og:site_name" content="Datatilsynet" /><meta property="og:locale" content="nb_NO" /><meta name="twitter:card" content="summary" /><meta name="twitter:site" content="https://twitter.com/datatilsynet" /><link media="screen" rel="stylesheet" type="text/css" href="/Styles/main.css?bundle=637412923880000000" /><link media="print" rel="stylesheet" type="text/css" href="/Styles/print/print.css?bundle=637412923880000000" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="apple-touch-icon" sizes="57x57" href="/UI/Icons/apple-touch-icon-57x57.png"><link rel="apple-touch-icon" sizes="60x60" href="/UI/Icons/apple-touch-icon-60x60.png"><link rel="apple-touch-icon" sizes="72x72" href="/UI/Icons/apple-touch-icon-72x72.png"><link rel="apple-touch-icon" sizes="76x76" href="/UI/Icons/apple-touch-icon-76x76.png"><link rel="apple-touch-icon" sizes="114x114" href="/UI/Icons/apple-touch-icon-114x114.png"><link rel="apple-touch-icon" sizes="120x120" href="/UI/Icons/apple-touch-icon-120x120.png"><link rel="apple-touch-icon" sizes="144x144" href="/UI/Icons/apple-touch-icon-144x144.png"><link rel="apple-touch-icon" sizes="152x152" href="/UI/Icons/apple-touch-icon-152x152.png"><link rel="apple-touch-icon" sizes="180x180" href="/UI/Icons/apple-touch-icon-180x180.png"><link rel="icon" type="image/png" href="/UI/Icons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/UI/Icons/favicon-194x194.png" sizes="194x194"><link rel="icon" type="image/png" href="/UI/Icons/favicon-96x96.png" sizes="96x96"><link rel="icon" type="image/png" href="/UI/Icons/android-chrome-192x192.png" sizes="192x192"><link rel="icon" type="image/png" href="/UI/Icons/favicon-16x16.png" sizes="16x16"><link rel="manifest" href="/UI/Icons/manifest.json"><link rel="shortcut icon" href="/UI/Icons/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-TileImage" content="/UI/Icons/mstile-144x144.png"><meta name="theme-color" content="#585858"><script>
    (function () {
        var docElement = document.documentElement;
        var className = docElement.className;
        className = className.replace(/\bno-js\b/, 'js');
        docElement.className = className;
    }())
</script><meta name='EPi.ID' content='13879'></head><body class="articlePage"><div class="page-wrapper"><header class="main-header"> <a href="#skiplinktarget" class="skiplink">To main content</a><div class="main-header__sticky"><div class="main-header__wrapper"><h2 class="sr-only"> Logo and auxiliary tools</h2><nav class="main-header__top" aria-label="Navigasjon og søk"><div class="logo"> <a href="/"><img src="/UI/datatilsynetLogo.png" width="141" height="35" alt="Til startsiden til Datatilsynet" title="Logo"></a></div><div class="right mobile-buttons"> <button type="button" class="button--search" data-toggle-search><span class="sr-only">Show / hide search</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-search"></use></svg><div class="mobile-modal"><div class="mobile-modal__header"> <button type="button" class="close-menu" data-toggle-search>Hide</button> </div><form method="get" action="/sok/" autocomplete="off" class="quickSearch"><div class="quick-search"><div class="quick-search__wrapper"><div class="quick-search__input-wrapper"> <label for="searchText" id="sok" class="quick-search__label">What are you looking for?</label> <input class="quick-search__text _jsAutoCompleteSearch" id="searchText" type="search" name="q" data-search-url="/sok/AutoComplete" /><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-search"></use></svg> <button class="button--search" type="submit" value="Søk"><span class="sr-only">Search</span></button></div><div class="autocomplete-container"></div></div></div></form></div> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk"><span class="label desktop-only" data-label>Menu</span></button><p class="sr-only"> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk">Show / hide menu</button></p> <button type="button" class="button--main-menu" data-toggle-menu data-label-inactive="Meny" data-label-active="Lukk"><span></span></button></div></nav><div class="main-header__bottom container"><h2 class="sr-only"> Main menu </h2><nav class="main-menu" id="main-menu" aria-label="Hovedmeny"><div class="container"><div class="utility-menu"><ul><li class="header-linklist__element"> <a href="/om-datatilsynet/">About the Data Inspectorate</a></li><li class="header-linklist__element"> <a href="/om-datatilsynet/kontakt-oss/">Contact Us</a></li><li class="header-linklist__element"> <a href="/om-datatilsynet/kontakt-oss/presse/">For press / media inquiries</a></li><li class="header-linklist__element"> <a href="/en/" rel="alternate" hreflang="en">English</a> </li></ul></div><div class="main-menu__root"><div class="main-menu__tab"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-shield"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_1" data-toggle-sub-menu><span id="content_1-heading">Rights and duties</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_1" aria-labelledby="content_1-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary " href="/rettigheter-og-plikter/hva-er-personvern/">What is privacy?</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/personopplysninger/">What is personal information?</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/personvernprinsippene/">The privacy principles</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/den-registrertes-rettigheter/">The data subject's rights</a></li><li> <a class="link--secondary " href="/rettigheter-og-plikter/virksomhetenes-plikter/">The companies' duties</a> </li></ul></div></div></div><div class="main-menu__tab"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-people"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_2" data-toggle-sub-menu><span id="content_2-heading">Privacy in various areas</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_2" aria-labelledby="content_2-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/korona/">Corona and privacy</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/personvern-pa-arbeidsplassen/">Workplace privacy</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/overvaking-og-sporing/">Monitoring and tracking</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/internett-og-apper/">Internet and apps</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/skole-barn-unge/">Children, young people and school</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/bil-og-transport/">Car and transport</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/politi-justis/">Police and justice</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/forskning-helse-og-velferd/">Research, health and welfare</a></li><li> <a class="link--secondary " href="/personvern-pa-ulike-omrader/kundehandtering-handel-og-medlemskap/">Customer management, trade and membership</a> </li></ul></div></div></div><div class="main-menu__tab"><svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-guide"></use></svg> <button type="button" class="main-menu__tab-button" aria-controls="content_3" data-toggle-sub-menu><span id="content_3-heading">Regulations and tools</span></button> <svg><use xmlns:xlink="http://www.w3.org/1999/xlink"
         xlink:href="/UI/symbol/svg/sprite.symbol.svg#icon-arrow"></use></svg><div class="main-menu__tab-content-wrapper sub-menu" id="content_3" aria-labelledby="content_3-heading"><div class="main-menu__tab-content"><ul><li> <a class="link--secondary " href="/regelverk-og-verktoy/lover-og-regler/">Laws and regulations</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/internasjonalt/">International work and cooperation</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/sandkasse-for-kunstig-intelligens/">Sandbox for artificial intelligence</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/atferdsnorm/">Behavioral norms</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/rapporter-og-utredninger/">Reports and reports</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/konsesjon-og-melding/">Concession and notification</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/sporsmal-svar/">Questions and answers</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/ordliste/">Dictionary</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/ordbok/">Dictionary (Norwegian - English)</a></li><li> <a class="link--secondary " href="/regelverk-og-verktoy/personvernpodden/">Privacy Pod</a></li></ul></div></div></div></div><div  class="mobile-modal__header"> <button type="button" class="close-menu" data-toggle-menu>Close</button> </div></div></nav></div></div></div><div class="container full-width"><nav class="breadcrumbs" aria-label="Brødsmulesti"><ul><li><a href="/aktuelt/aktuelle-nyheter-2020/">Current news 2020</a></li></ul></nav></div></header><script>
    document.consentCookie = '{"HaveRead":false,"FormCookies":false,"Expires":"\/Date(-62135596800000)\/"}';
    document.disableConsentPopup = false;
</script><div class="cookie-consent" v-bind:class="{ open: showCookieConsent }" tabindex="-1" role="dialog" aria-label="Samtykke for bruk av informasjonskapsler"><h2> We use cookies</h2><div class="user-content"><p> Our websites use cookies. If they are not necessary for our website to work, they will not be stored on your device unless you agree to this. Read about which ones we use and how we manage them at the bottom of the website.</p></div><div class="cookie-consent-section"><h3> Required cookies</h3><div class="user-content"><p> These support core functionality related to security. We have considered these to be necessary, and they are therefore stored without prior consent.</p></div></div><div class="cookie-consent-section"><h3> Form functions</h3><div class="user-content"><p> These are necessary if you want to use the form on our website. The other functionality on the website is not affected if you do not consent. The choice you make here is valid for up to 90 days. </p></div><div class="on-off"><input type="checkbox" name="on-off" id="chk-cookie-form" class="on-off-checkbox" v-model="consentCookie.FormCookies"/> <label class="on-off-label" for="chk-cookie-form"><span class="sr-only">Form functions on / off</span><span class="on-off-inner"></span><span class="on-off-switch"></span></label></div></div><div class="cookie-consent-section"><h3> Web analytics</h3><div class="user-content"><p> We are considering using an analysis tool based on cookies, but as of today we do not have this.</p></div></div><div class="cookie-consent-section"><div class="user-content"><p> You can withdraw your consent at any time by selecting "manage cookies" at the bottom of our pages.</p></div> <button type="button" v-on:click="save($event)" class="button cookie-consent-save">Save my selection</button></div> <button type="button" v-on:click="save($event)" class="cookie-consent-close">Close</button> </div><main><span id="skiplinktarget" tabindex="-1"></span><div class="article"><div class="container"><div class="article__content"><h1> Notification of violation fee to the Norwegian Sports Confederation</h1><div class="user-content ingress"><p> The Norwegian Data Protection Authority has sent the Norwegian Sports Confederation (NIF) a notice of infringement fines of NOK 2.5 million. The background for the case is that personal information about 3.2 million Norwegians remained available online for 87 days after an error in connection with testing a cloud solution. </p></div><div class="article__sidebar-main mobile-only"><div ><img alt="Notification of violation fee to the Norwegian Sports Confederation" src="/contentassets/9682160e01d440ab847de2f98e218786/personregister_medlem2.jpg?width=400&quality=80" /></div></div></div><div class="article__sidebar medium-up"><div class="article__sidebar-main no-margin"><div ><img alt="Notification of violation fee to the Norwegian Sports Confederation" src="/contentassets/9682160e01d440ab847de2f98e218786/personregister_medlem2.jpg?width=400&quality=80" /></div></div></div></div><div class="container"><div class="article__content"><div class="article__content-text"><div class="user-content"><p> The Norwegian Data Protection Authority considers that the Norwegian Sports Confederation had not implemented good enough security routines for testing, and that it was not necessary to test with such a scope of personal data.</p><p> - NIF has not implemented the technical and organizational measures that were needed. About half of Norway's population is affected by the deviation, many of them children. Children are a particularly vulnerable group, something we have emphasized in our assessment, says director of the Norwegian Data Protection Authority, Bjørn Erik Thon.</p><h2> Background to the case</h2><p> The case started with a non-conformance report to the Norwegian Data Protection Authority from the association on 20 December 2019, after the National Cyber Security Center had notified them that the personal information was available at a public IP address. The discrepancy arose when solutions were to be tested in connection with moving the database from a physical server environment and up into the cloud.</p><p> The personal information that was exposed was name, gender, date of birth, address, telephone number, e-mail and club affiliation. Of the 3.2 million people affected by the deviation, 486,447 were children aged 3-17 years. The Norwegian Data Protection Authority does not have information that unauthorized persons have actually exploited the deviation.</p><h2> <strong>Lack of risk assessment and routines</strong></h2><p> The Norwegian Data Protection Authority considers that the testing with the personal data was initiated without sufficient risk assessments, and without specific routines or measures having been implemented to secure the information.</p><p> The Norwegian Data Protection Authority also considers that there was no <a href="/rettigheter-og-plikter/virksomhetenes-plikter/behandlingsgrunnlag/veileder-om-behandlingsgrunnlag/">basis</a> for <a href="/rettigheter-og-plikter/virksomhetenes-plikter/behandlingsgrunnlag/veileder-om-behandlingsgrunnlag/">processing</a> this personal data. It is a requirement that the treatment must be necessary for the purpose, and that the purpose cannot be achieved in less invasive ways. The Norwegian Data Protection Authority considers that the testing could have been carried out by processing synthetic data - or at least by using far less personal data.</p><p> The Norwegian Data Protection Authority has also concluded that the <a href="/rettigheter-og-plikter/personvernprinsippene/grunnleggende-personvernprinsipper/">principles of legality, data minimization and confidentiality</a> have been violated.</p><h2> <strong>High fee</strong></h2><p> An infringement fee shall in each individual case be effective, be in a reasonable proportion to the infringement and act as a deterrent.</p><p> - Although this discrepancy does not apply to the types of personal information that involve the greatest risk, the Data Inspectorate has emphasized the enormous scope of those involved in this case - and especially the number of children, says Thon.</p><p> We have also emphasized the finances of the Norwegian Sports Confederation, which is registered with operating revenues of over 1.9 billion in 2019. NIF receives most of its revenues through grants from the public sector and other agencies.</p><p> This is a notice, and the Norwegian Sports Confederation can make comments before a final decision is made. The Norwegian Data Protection Authority has specifically requested feedback if the Norwegian Sports Confederation experiences conditions in connection with the social situation with covid-19 that is relevant to the notified decision.</p><p> The association has been given a deadline of 4 January 2021 for feedback.</p><h2> <strong>download</strong></h2><p class="link-download"> <a href="/contentassets/9682160e01d440ab847de2f98e218786/varsel-om-overtredelsesgebyr-til-nif.pdf" target="_blank" rel="noopener">Notification of violation fee to the Norwegian Sports Confederation (pdf)</a></p></div></div></div><aside class="article__sidebar"><h3> Contact person </h3><div><div><div class="person-contact-card"><div class="person-contact-card__inner"><div class="person-contact-card__image"><div class="profile-image"><div class="image-block Standard "><figure ><img alt="Janne Stang Dahl" src="/globalassets/global/bilder/ansatte-dt/kvadratiske/datatilsynet_janne_181122110238-kvadr.jpg?width=200&quality=80" /><figcaption itemprop="description" > Janne Stang Dahl </figcaption></figure></div></div></div><div class="person-contact-card__info"><div><h2 class="person-contact-card__info-name"> Janne Stang Dahl</h2><p class="person-contact-card__info-title"> communications director</p></div><dl class="person-contact-card__info-list"><dt class="describe"> Office: </dt><dd class="define"><span data-e="053B642A392525252525252525252525252525252525252525252525250F083635253C33253C362537372532312E252525252525252525252525252525252525252525252525252525250F083B2736353C333C36373732312E3F69607127386360776D252727387676646966256439"></span></dd><dt class="describe"> Mobile: </dt><dd class="define"><span data-e="447A256B786464646464646464646464646464646464646464646464644E497476647575647C7464737D6473706F646464646464646464646464646464646464646464646464646464644E497A66747675757C74737D73706F7E28213066792221362C646666793737252827642578"></span></dd><dt class="describe"> Email: </dt><dd class="define"><span data-e="CEF0AFE1F2EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEC4C3A1A0E0BAABA0B7BDA2A7BAAFBAAFAA8EABA0A0AFA4EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEC4C3F0ECA1A0E0BAABA0B7BDA2A7BAAFBAAFAA8EABA0A0AFA4F4A1BAA2A7AFA3ECF3A8ABBCA6EEECECF3BDBDAFA2ADEEAFF2"></span></dd></dl></div></div></div></div><div><div class="person-contact-card"><div class="person-contact-card__inner"><div class="person-contact-card__image"><div class="profile-image"><div class="image-block Standard "><figure ><img alt="Bjørn Erik Thon" src="/globalassets/global/bilder/ansatte-dt/kvadratiske/bjornerik-kvadr.jpg?width=200&quality=80" /></figure></div></div></div><div class="person-contact-card__info"><div><h2 class="person-contact-card__info-name"> Bjørn Erik Thon</h2><p class="person-contact-card__info-title"> director</p></div><dl class="person-contact-card__info-list"><dt class="describe"> Office:</dt><dd class="define"> <a class="" href="tel:(+47)22396901">(+47) 22 39 69 01</a></dd><dt class="describe"> Mobile:</dt><dd class="define"> <a class="" href="tel:(+47)99005090">(+47) 99 00 50 90</a></dd><dt class="describe"> Email: </dt><dd class="define"><span data-e="F3CD92DCCFD3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3F9FE9C9DDD87969D8A809F9A8792879297B3879691D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3F9FECDD19C9DDD87969D8A809F9A8792879297B3879691C99C879F9A929ED1CE9596819BD3D1D1CE8080929F90D392CF"></span></dd></dl></div></div></div></div></div><div class="article__sidebar-dates"><div > <span>Published:</span> <span>07.12.2020</span> </div></div></aside></div></div></main><footer class="main-footer"><div class="main-footer__wrapper"><div class="main-footer__upper"><div class="main-footer__content container"><div class="main-footer__content-column desktop-only" aria-hidden="true"><img src="/UI/datatilsynetLogo.png" width="141" height="35" alt="The Data Inspectorate logo" class="main-footer__logo"></div><div class="main-footer__content-column"><p> The Data Inspectorate<br> PO Box 458 Center<br> 0105 Oslo</p><p> Org.nr 974 761 467</p><div class="user-content"><p> <a href="/om-datatilsynet/kontakt-oss/">Contact Us</a></p></div><div > <a href="https://ext.mnm.as/s/2751/9366">Receive our newsletter</a></div><div class="main-footer__social"><div class="main-footer__social--twitter" > <a href="https://twitter.com/datatilsynet">The Data Inspectorate on twitter</a></div></div><div class="main-footer__personvernpodden_logo"> <a href="/regelverk-og-verktoy/personvernpodden/"><img src="/UI/personvernpodden-logo.svg" alt="The Privacy Podcast - A podcast from the Danish Data Protection Agency"></a></div></div><div class="main-footer__content-column"><ul class="clean-link-list"><li> <a href="/aktuelt/">Currently</a></li><li> <a href="/regelverk-og-verktoy/ordliste/">Dictionary</a></li><li> <a href="/regelverk-og-verktoy/sporsmal-svar/">Frequently Asked Questions</a></li><li> <a href="/om-datatilsynet/datatilsynets-personvernerklaring/">The Data Inspectorate's privacy statement</a></li><li> <a href="/om-datatilsynet/datatilsynets-cookie-erklaring/">The Danish Data Protection Agency's cookie statement</a></li><li> <a href="#" id="_jsManageCookies">Manage cookies</a> </li></ul></div></div></div><div class="main-footer__lower"><div class="main-footer__sponsors container"><p> Other sites</p> <a href="/om-datatilsynet/Andre-nettsteder/Personvernbloggen/"><img alt="The Privacy Blog" src="/globalassets/global/bilder/logoer/footer/personvernbloggennb.png?width=400&quality=80" /></a> <a href="/om-datatilsynet/Andre-nettsteder/Du-bestmmer/"><img alt="You decide" src="/globalassets/global/bilder/logoer/footer/dubestemmernb.png?width=400&quality=80" /></a> <a href="/om-datatilsynet/Andre-nettsteder/Slett-meg/"><img alt="slettmeg.no" src="/globalassets/global/bilder/logoer/footer/slettmegnb.png?width=400&quality=80" /></a></div></div></div></footer></div><script src="/Scripts/libs/jquery/3.2.1.min.js"> </script><script src="/Scripts/libs/jquery/jquery-ui.min.js"> </script><script src="/Scripts/libs/svg4everybody.js"> </script><script src="/Scripts/libs/jquery.sticky-sidebar.min.js"> </script><script src="/Scripts/libs/vue.min.js"> </script><script src="/Scripts/global/common/jquery.aria.js"> </script><script> window.jQuery || document.write('<script src="/Scripts/libs/jquery/3.2.1.min.js"><\/script>') </script><script src="/Scripts/site.js?bundle=637412923880000000"></script><script src="/Scripts/global/common/jquery.unobtrusive-ajax.js" async defer></script><script>
    Datatilsynet.GlossaryHighlightedWords = 'adressemekling;akseptkriterium;algoritmer;artikkel 29-gruppen;atferdsnorm;autentisering;automatisk målesystem;avidentifisert personopplysning;avindeksere;avvik;behandling av personopplysningar;behandling av personopplysninger;behandlingsansvarleg;behandlingsansvarlig;behandlingsgrunnlag;berlingruppen;big data;biometri;bransjenorm;databehandlar;databehandlaravtale;databehandler;databehandleravtale;datakommunikasjon;dataminimering;datanettverk;dataportabilitet;den registrerte;dpia;ekstern datakommunikasjon;eksternt nettverk;european data protection board;filsluse;forhåndsdrøftelse;formålsbestemthet;forordning;fødselsnummer;gdpr;helseopplysning;humant biologisk materiale;informasjonssamfunnstjeneste;informasjonssikkerhet;informasjonstryggleik;innebygd personvern;integritet;intern sone;internkontroll;ip-adresse;konfidensialitet;konfigurasjon;konsesjon;konsesjonsplikt;kontrolltiltak;kredittopplysning;kredittsjekk;kredittvurdering;kryptering;meldeplikt;nettsky;nettverkssone;personnummer;personopplysning;personprofil;personregister;personvernforordningen;personvernfremjande teknologi;personvernfremmende teknologi;personvernkonsekvens;personvernombod;personvernombud;personvernrådet;profiler;profilering;pseudonymisering;radiofrekvensidentifikasjon;reidentifisering;rfid;risiko;samtykke;schengen informasjonssystem;sensitive personopplysninger;sikker sone;sikkerhetskopiering;sikkerhetsrevisjon;sikkerhetsstrategi;sporing;stordata;særlige kategorier;teknisk sikkerhetsbarriere;tilgangskontroll;tilgangsstyring;tilgjengelighet;tilsyn;tjenstlig behov;vurdere personvernkonsekvenser;ødeleggende programvare;';
    Datatilsynet.HasGlossary = true;
</script><script type="text/javascript" src="/Scripts/find/find.js"></script><script type="text/javascript">
if(FindApi){var api = new FindApi();api.setApplicationUrl('/');api.setServiceApiBaseUrl('/find_v2/');api.processEventFromCurrentUri();api.bindWindowEvents();api.bindAClickEvent();api.sendBufferedEvents();}
</script><script>(function(){function i(n){var t=n.charCodeAt(0);return(t>=65?t-7:t)-48}function e(n){for(var r=new String,u=i(n.substr(0,1))*16+i(n.substr(1,1)),t=n.length-2;t>1;t-=2)r+=String.fromCharCode(i(n.substr(t,1))*16+i(n.substr(t+1,1))^u);return r}var t=document.querySelectorAll("[data-e]"),n,u,r,f;if(t.length)for(n=0;n<t.length;n++)u=e(t[n].getAttribute("data-e")),r=document.createElement("div"),r.innerHTML=u,f=r.firstChild,t[n].parentNode.insertBefore(f,t[n]),t[n].parentNode.removeChild(t[n])})();</script></body></html>