
Editing Datatilsynet - 20/11347

From GDPRhub


Latest revision Your text
Line 54: Line 54:
 
}}
 
}}
  
The Norwegian DPA investigated a personal data breach notified by a municipality. The DPA found that the municipality had violated Articles 5, 6, and 32(1)(b) GDPR by publishing personal data on their webpage without a legal basis, without appropriate measures and without implementing proper routines when revealing information to the public.
+
Datatilsynet investigated a personal data breach notified by Asker municipality pursuant to Article 33 GDPR. Datatilsynet found the municipality had violated Article 6 GDPR cf. Article 5 for publishing personal data on their webpage without a legal basis, Article 32(1)(b) GDPR cf. Article 5 GDPR for failing to implement appropriate technical and organisational measures to ensure ongoing confidentiality and integrity in their systems, and Article 24 GDPR for not implementing proper routines when handling the public records of mail.
  
 
== English Summary ==
 
== English Summary ==
Line 60: Line 60:
 
=== Facts ===
 
=== Facts ===
 
Datatilsynet received a notification of a personal data breach from Asker municipality. The municipality had published 127 counts of personal ID numbers and information deemed confidential under the Public Administration Act in the title of the public records. The documents themselves were not published.  
 
Datatilsynet received a notification of a personal data breach from Asker municipality. The municipality had published 127 counts of personal ID numbers and information deemed confidential under the Public Administration Act in the title of the public records. The documents themselves were not published.  
 +
 +
=== Dispute ===
 +
 +
 
=== Holding ===
 
=== Holding ===
The DPA found that the municipality had violated Articles 5 and 6 GDPR by publishing personal data on their webpage without a legal basis, and Articles 5 and 32(1)(b) by failing to implement appropriate technical and organisational measures to ensure ongoing confidentiality and integrity in their systems, and Article 24 GDPR for not implementing proper routines when handling the public records of mail. Datatilsynet held that publishing the title of documents containing sensitive information was a breach of Article 32(1)(b) GDPR, highlighting that the breach was reported to the municipality by a private individual and not noticed by the municipality itself. Datatilsynet highlighted that the personal data in question was not covered by the Public Administration Act. As such, the municipality did not have a legal basis cf. Article 6 GDPR. In addition, Datatilsynet found that the municipality lacked routines for publishing information to the public, violating Article 24 GDPR.
+
Datatilsynet held that publishing the title of documents containing sensitive information was a breach of Article 32(1)(b) GDPR, highlighting that the breach was reported to the municipality by a private individual and not noticed by the municipality itself.
 +
 
 +
Datatilsynet highlighted that the personal data in question was not covered by the Public Administration Act. As such, the municipality did not have a legal basis cf. Article 6 GDPR.
 +
 
 +
In addition, Datatilsynet found that the municipality lacked routines for publishing information to the public, violating Article 24 GDPR.  
  
 
== Comment ==
 
== Comment ==
The decision discusses as well, the relationship between directive 95/46/EC and GDPR. The DPA highlighted that the initial breach happened before GDPR entered into force. As the violation was continuous and carried over into when the GDPR entered into force, the issue was decided under the GDPR.
+
In addition, the decision discuss the relationship between directive 95/46/EC and GDPR. Datatilsynet highlighted that the initial breach happened before GDPR entered into force. As the violation was continuous and carried over into when the GDPR entered into force, the issue was decided under the GDPR.
  
 
== Further Resources ==
 
== Further Resources ==
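Review bot: The added Comment paragraph has a subject-verb agreement error, "the decision discuss", which should read "the decision discusses"; the line it replaces had the correct verb form. The added "=== Dispute ===" heading has no text under it, so either summarise the dispute there or leave the heading out until there is content. The split Holding also drops the opening sentence that lists the violations of Articles 5, 6, 32(1)(b) and 24 GDPR, so the Holding section no longer states the full finding on its own; consider keeping that sentence ahead of the three new paragraphs.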
