Datatilsynet - 20/02191
|Datatilsynet - 20 / 02191-1 KBK / -|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 9(1) GDPR
Article 32(1)(b) GDPR
Article 83(2) GDPR
|National Case Number/Name:||20 / 02191-1 KBK / -|
|European Case Law Identifier:||n/a|
|Original Source:||Datatilsynet (in NO)|
The Norwegian DPA held that a fine of NOK 500,000 was proportionate where the infringements by a controller include a data breach involving the special categories of data of children.
The Norwegian DPA (Datatilsynet) issued a notification of a fine to the Raelingen municipality for their violation of several Articles of the GDPR following a data breach. The breach involved the leak of the health data of a group of special needs students and their parents that was entered into a digital learning platform and then skimmed by another company.
The municipality argued that the intended fine was disproportionately high for the circumstances of the case, particularly since the municipality itself notified the DPA of the breach, there were a low number of data subjects involved, and the relevant information was deleted two days after the breach was discovered.
Was the imposition of the original fine justified in this case?
The DPA decided to reduce the infringement fee to NOK 500,000.
In its assessment of the size of the fee, the Norwegian DPA stated that the size of the fine was justified on the basis of the following factors set out in Article 83(2) GDPR: -the municipality had failed to communicate the use of Showbie for processing special categories of data, - no Data Protection Impact Assessment was carried out, despite the processing involving special categories of data and the data of children, - there was "beyond reasonable doubt" a breach of Article 32 by the municipality, - the municipality demonstrated a lack of awareness of the importance of necessary safety measures for such data, -the higher degree of responsibility on the controller because the personal data of children was involved, -no cooperation by the municipality to remedy the infringement, - the categories of personal data affected by the infringement.
In terms of mitigating factors for the fine size, the DPA found that the fact that the data was deleted after two days after the breach was discovered justified a reduction in the size of the fine, and that the relatively low number of persons affected was not a significant mitigating factor, but not an aggravating factor either. The DPA rejected the argument that the notification of the breach by the municipality could be a mitigating factor for this fine, as the duty on the controller to report such a breach is required by law in Article 33 GDPR.
Change in Fine Size after the GDPR One of the supplementary arguments of the municipality was that their case had several similarities with an earlier case against another municipality, where the fine was NOK 50,000. The Norwegian DPA disregarded this argument on the basis that the earlier case had been decided under the Data Protection Directive 95/46, the precursor to the GDPR, and that the rules for fines were significantly different between the two pieces of law.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
RÆLINGEN MUNICIPALITY PO Box 100 2025 FJERDINGBY Their reference Our reference Date 20 / 02191-1 KBK / - 02/07/2020 Decision on infringement fee - Rælingen municipality 1 Introduction We refer to the report of a breach of personal data security from Rælingen municipality sent May 8, 2019, notification of violation fee of February 26, 2020 and the municipality's feedback of 29 April 2020. The case concerns the Showbie application, which is used here to communicate health-related issues personal information between school and home, by the FINE group at Marikollen ungdomsskole. The discrepancy applies to personal data that includes special categories of personal data. Based on the information in the case, the Data Inspectorate believes that Rælingen municipality has violated the rules on the security of personal data in the Privacy Regulation (European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016). Pursuant to the Personal Data Act § 26 second paragraph, cf. the ordinance article 83, we order Rælingen municipality to pay an infringement fee to the state treasury 500,000 - five hundred thousand - kroner for not having completed suitable technical and organizational measures to achieve a level of security that is appropriate with respect to the risk, in the event of failure to ensure continued confidentiality and integrity, cf. Article 32 (1) (b) and (d) of the Regulation, Article 24 and Article 35, cf. Article 5. The background and reasons for the decision follow below. 2. The Data Inspectorate's assessment of the municipality's feedback In the feedback of 29 April 2020, the municipality acknowledges the facts of the case as forms the basis for the Data Inspectorate's conclusion on the imposition of infringement fines, at the same time as they point out that the fee is disproportionately high, given the specific circumstances that do applicable in the case. In the following, the Data Inspectorate will review the municipality's comments on the size of the fee. The municipality points out that «there is no information in the case that indicates that some of the children / pupils have in fact been exposed to neither material nor non- material damage, but the Data Inspectorate has not highlighted this point clearly in its assessment. " The Data Inspectorate agrees that this is not clearly stated in the reasons for the decision, but wishes to point out that this is implicitly stated in section 6.2 letter a) last paragraph. Secondly, have The Norwegian Data Protection Authority emphasized that the breach of personal data security has a high risk for them affected rights and freedoms. In this, the security breach itself constitutes a risk, regardless of whether the risk manifests itself in a more concrete form of harm to those affected or not. The municipality further points out that the Norwegian Data Protection Authority has not sufficiently emphasized that they the relevant personal information was removed from the app two days after the actual circumstances became discovered. In our view, this argument cannot be given further weight, because it is the data controller's duty to ensure that the rules in the Personal Data Act and The Privacy Ordinance is complied with at all times, but we take note of this view. Furthermore, the municipality points out that it has consistently used the term «students at adapted department » , and believes that this is the correct characteristic to use also in the Authority's case documents. The Norwegian Data Protection Authority has noticed this and will comply with the municipality's desire. Finally, the municipality points out that this case has certain similarities with the case against Årdal municipality (PVN-2016-14), where the final infringement fee was set at NOK 50,000. The Data Inspectorate points out that the decision against Årdal municipality was made after old Personal Data Act and EU Directive 95/46. The requirements and amounts of infringement fines are significantly tightened under the new Personal Data Act and the Privacy Ordinance, see Article 83 no. 4 and 5. According to the old Personal Data Act, an infringement fine of up to 10 could be imposed times the basic amount in the National Insurance Scheme. Based on this, the Data Inspectorate has found that there is a basis for adjusting the notified the violation fee down to 500 00 kroner. Violation of the Privacy Ordinance The report of a breach of personal data security has revealed circumstances that constitute the following possible breaches of the Privacy Regulation: • Inadequate security when logging in to Showbie, which makes it possible to access personal information about other students in the FINE group, is in conflict with Article 32 of the Privacy Regulation, see in particular point 1 (b). It has been treated special categories personal information (health information) about students when facilitated department in the application, without Rælingen municipality having carried out suitable technical and organizational measures to achieve an appropriate level of security. • Inadequate safety testing before Showbie was introduced in the municipality, and that the application was used with a level of safety that is not suitable in terms of risk, is in conflict with the Privacy Regulation Article 32 (1) (d) • An assessment of privacy consequences has not been carried out, cf. Article 35 • Using an application with an insufficient level of security is a violation the principle of liability in Article 5 (2) of the Privacy Regulation, cf. Article 5 (1) letter f) 4. The facts of the case The actual circumstances of the case are based on the report of a breach of personal data security, and the statements from the Privacy Ombudsman in Rælingen municipality, the municipality's statement of 5 June 2019, as well as an e-mail dated 13 September 2019. In a letter dated 9 May 2019, the Norwegian Data Protection Authority requested one further explanation of the case. Such a statement was sent to the Norwegian Data Protection Authority on 31 May 2019 and 5 June 2019 with report from security officer dated 13 May 2019. 13 September 2019 confirmed Rælingen municipality in an e-mail that Marikollen ungdomsskole and FINE-gruppa started with the application Showbie from January 2018. FINE stands for Forum for Included Students, and is one department that offers adapted teaching for students with special needs from 1. - 10. step. Showbie is an application developed by Microsoft. The reported breach of personal data security concerns inadequate security in Showbie. According to the State Educational Service, Showbie «is a digital learning platform that can simplify communication between teacher and student, and facilitate cooperation between school and home. Showbie allows the teacher to distribute assignments in an easy way, and students can submit answers and get these back with an assessment. Assessments can be given with written text, possibly in the form of video or audiovisual. " At the FINE group, Showbie has acted as a message book. The FINE group is an organized one department at Marikollen ungdomsskole, and includes children of different ages with different degrees of developmental disabilities with elements of various additional diagnoses, as for example epilepsy. 26 teachers and 15 students, including parents from the FINE group, have access to Showbie. Login done through code or fingerprints. There is no further login to Showbie. Parents do not have their own parental access. They log in with the student's code on his iPad. Code on iPad is the only security. The privacy ombudsman in Rælingen municipality received a deviation report on 28 February on the basis of a presentation that was shown at the unit leader meeting. One of the images was a screenshot from Showbie, which showed a student on the FINE group whose name was skimmed. On the left side in the application there were categories called «health» and «medicines». It turned out that it was not personal information in these folders. The folders were prepared in collaboration with RIKT AS for use. RIKT AS is a company that offers training on various digital platforms primarily education sector. The municipality states in the report on the breach of personal data security that it was found health information under daily schedules, as well as in chats with parents (who appeared to be with the student). The school communicates with parents about how the day has been, e.g. about the student has been to the bathroom, had seizures or received medication. Parents can act on behalf of the student, and it is the student's name that is displayed, regardless of who is logged in and responding. Employees use Showbie on wireless network in the workplace, while parents use unsecured wireless network, possibly mobile network at home. There are no routines for using Showbie. Rælingen municipality states in a letter of 5 June 2019 that no assessment has been made of the privacy implications before the application was launched. The municipality states that it rather no risk assessment of Showbie has been carried out before it was introduced. In the report on the breach of personal data security of 13 May 2019, stated security officer that there were a number of requirements that were not met in the processing of health information. The head of security pointed out i.a. that two-factor login authentication, and use of security level 4 in relation to communication with bank ID, ID gate, etc., as well network control, missing. One consequence of the fact that the processing of personal data does not have sufficient security is risk that unauthorized persons gain knowledge of information that is or is confidential considered as special categories of personal data. 5. Legal basis for the assessment 5.1 About the privacy principles Article 5 of the Privacy Regulation is central to the interpretation of the other provisions of the Regulation provisions. Violation of the principles in art. 5 may in itself lead to the imposition of sanctions. As stated in the provision, Art. 5 no. 1 letter f) personal data security and the principle of duty to ensure the necessary integrity and confidentiality. This is closer described and supplemented by more specific provisions in the Privacy Ordinance, Chapter IV, see eg. Article 32 on the security of personal data. Species. 5 no. 2 states, through the principle of responsibility, that it is the person responsible for processing who has the responsibility for complying with the privacy principles in art. 5 No. 1. 5.2 About information security Article 32 of the Privacy Regulation regulates the security requirements when processing personal information. The following is an excerpt from the relevant parts of Article 32 (1): '1. Taking into account the technical development, implementation costs and the nature, scope, purpose and context of the treatment, as well as the risks of varying degrees of probability and severity for the rights of natural persons and freedoms, the data controller and the data processor shall implement appropriate technical and organizational measures to achieve a level of security that is appropriate with taking into account the risk (…) ». The obligation to implement appropriate technical and organizational measures is stated accordingly Article 24 of the Privacy Regulation, which regulates the liability of the controller separately. 5.3 On assessment of the privacy consequences Article 35 of the Privacy Regulation regulates when the data controller is to perform a assessment of the privacy implications. An excerpt of the provision follows. '1. If it is likely that a type of treatment, especially when using new technology and as the nature, scope, purpose and context in which the treatment is performed will be taken into account entail a high risk to the rights and freedoms of natural persons, it shall treatment managers before the treatment make an assessment of the consequences planned processing will have for personal data protection. An assessment may include several similar treatment activities that involve correspondingly high risks. 2. The data controller shall consult with the privacy representative, if one privacy representative is appointed, in connection with the performance of an assessment of privacy implications. 3. An assessment of privacy consequences as mentioned in paragraph 1 shall be particularly necessary in the following cases: a) a systematic and comprehensive assessment of personal aspects of natural persons based on automated processing, including profiling, and which forms the basis for decisions such as has legal effect on the natural person or in a similar way significantly affects it the natural person, (b) the large-scale processing of specific categories of information referred to in Article 9 (1), or by personal data on criminal convictions and offenses as referred to in Article 10, or (c) a large-scale systematic monitoring of a publicly accessible area. " Reference is also made to the Data Inspectorate's website with guidance on when DPIA will be implemented www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/vurdere- privacy impact / rate-of-privacy implications / 5.4 In particular on the imposition of infringement fines - Article 58 (2) (i) The Privacy Regulation leaves it to the Member States to determine whether infringement fines should apply could be imposed on public authorities and bodies, cf. Article 83 (7). Section 26, second paragraph, of the Act stipulates that the Danish Data Protection Agency may impose public authorities and bodies infringement fines in accordance with the rules of Article 58 of the Privacy Regulation, cf. Article 83 No. 7. Article 83 of the Privacy Ordinance sets out the conditions for the imposition of a fee. The provision contains i.a. an overview of which factors should be taken into account when considering both whether an infringement fee is to be imposed and which factors are to be assessed in connection with the measurement of the size of the fee. The article also states the magnitude of the fees, and that appears from art. 83 no. 4 and no. 5 that the maximum rates depend on which provisions in the Privacy Regulation that has been violated. The provision basically provides instructions that the imposition of an infringement fee is due a discretionary overall assessment, but it lays down guidelines for the exercise of discretion by highlight aspects that should have special emphasis. The first paragraph of the article states that the infringement fine in each individual case must be effective, proportionate to the violation and act as a deterrent. We also refer to the Privacy Council's guidelines regarding the application and determination of infringement fine in accordance with Regulation (EU) 2016/679 (WP 253), where The Privacy Council explains the general criteria in art. 83 no. 1, and the points in art. 83 no. 2. 1 6. The Data Inspectorate's assessment and justification Rælingen municipality states that health information was found under daily plans, as well as in chat with guardians, but that it can not be established that personal information has arrived irrelevant in her. Rælingen municipality further states that Showbie was not arranged for treatment of special categories that personal data, and that therefore no one has been carried out risk assessment or review of the privacy implications of this treatment. The head of security in the municipality has also stated that the application Showbie does not have one sufficient level of security, cf. Article 5 (1) (f) of the Regulation, to be able to process especially categories of personal data. The Norwegian Data Protection Authority finds it necessary to point out that the established security level is not in accordance with the Privacy Ordinance Article 32 No. 1 letter b), and that the municipality must implement measures to create an adequate level of security. Rælingen municipality has not clearly communicated that Showbie will not be used for processing of special categories of personal data. There is no warning either information in the application itself that one should not enter special categories of personal information. The adaptation of the folders "health" and "medicines" was done in collaboration between the FINE group and RIKT AS. An assessment of the privacy implications, cf. Article 35, would have clarified this. Rælingen municipality is not aware that unauthorized persons have taken advantage of this weakness to access personal information, but due to insufficient security, has unauthorized persons both inside and outside the FINE group had the opportunity to gain access to personal information in Showbie. 6.2 The Danish Data Protection Agency's assessment - infringement fee The right to impose infringement fines is provided as a means of ensuring effective compliance with and enforcement of the Personal Data Act. Internal law is a violation fee not to be regarded as a punishment but as an administrative sanction. However, it must be assumed that infringement fine is to be regarded as a punishment under the ECHR (European Convention), Article 6, and in accordance with the case law of the Supreme Court, cf. Rt. 2012 page 1556 med further references. The Norwegian Data Protection Authority therefore assumes that a clear preponderance of probabilities is required offense in order to impose a fee. The case and the question of imposing infringement fines are assessed on the basis of this evidentiary requirement. In this connection, reference is made to Chapter IX of the Public Administration Act on administrative matters sanctions. By an administrative sanction is meant a negative reaction that can be imposed by a administrative body, which addresses a committed violation of law, regulation or individual decision, which is considered a punishment under the European Convention on Human Rights (EMK). For companies, the guilt assessment is unique. Section 46, first paragraph, of the Public Administration Act states: "When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual has shown guilt ». In Prop. 62 L (2015-2016) page 199 it is stated about § 46: «The wording that 'none an individual has shown guilt 'is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore basically objective ». As mentioned above, Article 83 in principle provides that the imposition of violation fee is based on a discretionary overall assessment, but adds guidance the exercise of discretion by highlighting factors that should be of particular importance, taking into account that imposition of infringement fines in each individual case shall be effective, proportionate and deterrent. We have placed particular emphasis on the following aspects in our assessment: a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the action concerned and the number of data subjects affected, and the extent of the damage they have suffered , The breach of personal data security is a result of lack of technical and organizational measures to ensure satisfactory information security with respect to confidentiality and integrity, in accordance with Article 32 of the Regulation. Special categories of personal information that the municipality has processed in Showbie are health information about i.a. daily form, seizures (epilepsy), as well as any additional diagnoses, medications and medication. The violation includes 15 students at Marikollen ungdomsskole in Rælingen municipality. IN in addition, 26 teachers will be covered. This applies to an adapted ward with children with physical or mental disability. In an e-mail to the principal at Marikollen ungdomsskole on 13 March In 2019, the then head of security asked the principal to explain what the use of Showbie was is at the FINE group. The reason for the request was that it was based on the security officer knowledge at this time could look as if the area of use corresponded to « an electronic patient record system »which may or will not contain sensitive information. In his response pointed out principal following: «Has pointed out several times what can and cannot be on Showbie for Fine. Laila is instructed to review folders and ensure that no sensitive ones are placed information there. " It is not exempt from liability if the management has pointed out how Showbie should used, when this has not been followed up with necessary measures. No privacy impact assessment (DPIA) has been carried out either. Then processing of special categories of personal data could entail a high risk the rights and freedoms of natural persons, Rælingen municipality must make an assessment of which consequences the planned processing will have for personal data protection. We refer here to Advocate 38 of the Privacy Ordinance, where it is pointed out that children's personal data shall given special protection. That the rights and freedoms of children in the adapted ward have been postponed, must be emphasized in an aggravating direction in the assessment of whether an infringement fine should be imposed. b) whether the infringement was committed intentionally or negligently In the case documents, including an e-mail from the principal to the security officer, it is clear that The FINE group has used Showbie in a way that has not been the prerequisites for use. That the principal has given instructions to named persons in the FINE group that sensitive information should not be posted there, does not exempt from lack of follow-up. The risk of this could happen was great; and since no good routines have been established or implemented assessment of the privacy implications under Article 35 of the Privacy Regulation or risk assessment, this is a system failure of a serious nature. The Danish Data Protection Agency will also point out that treatment of students at the adapted department in Showbie in isolation will require a similar security. Beyond reasonable doubt, Rælingen municipality has used Showbie without implementing it organizational and technical measures to ensure lasting confidentiality and integrity in the Showbie application, cf. Article 5 (1) (f) of the Privacy Ordinance, cf. Article 32 No. 1 letter b), and ensure an efficient process for regular testing, analysis and assessment of how effective the security measures are, cf. Article 5 (1) of the Privacy Ordinance letter f), cf. Article 32 (1), letter d). Showbie was taken into use at Marikollen ungdomsskole in early 2018. In an e-mail of 13 September 2019, the municipality announces the following: «Marikollen ungdomsskole and the FINE group started with Showbie from January 2018. However, the parents of the children at FINEgruppa did not receive training in using the app before September / early October 2018. The head of department at FINE was a little uncertain at specific time. Communication between parents / school for the students at FINE came started in October 2018 ». This indicates a lack of awareness of the importance of necessary safety measures. The lack of awareness must be described as negligent, and in our opinion it is about a serious degree of negligence, which is important in the assessment of whether infringement fines must be imposed. c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects When the breach of personal data security was revealed, it was clear communication failure about the severity of the breach. This is stated in the statement from Protection Officer. Measures eventually came into place, and the personal information was removed from the app two days after the breach of personal data security was discovered. d) the degree of responsibility of the data controller or data processor, taking into account to the technical and organizational measures they have implemented in accordance with Article 25 and 32 The Privacy Ordinance has introduced a higher degree of responsibility for it persons responsible for processing, cf. the principle of liability in Article 5 no. 2. Rælingen municipality has has not ensured an adequate level of safety, cf. Article 32. It can therefore be stated that Rælingen municipality has not shown the necessary responsibility in relation to acceptable level of protection. e) any relevant previous violations committed by the data controller or data processor No previous violations can be found. f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce it possible negative effects of it There has been no cooperation between the municipality and the Norwegian Data Protection Authority beyond what follows the Personal Data Act and the requirements of the Privacy Ordinance, to remedy the infringement and reduce the possible consequences of it. g) the categories of personal data affected by the infringement We can state that special categories of personal data, as defined in Article 9 of the Privacy Regulation has been exposed in Showbie. Since the violation includes children, we refer to point 75 of the Privacy Ordinance, where it is pointed out that it must be taken special consideration of the risk associated with children's personal data. Personal information that has been registered in Showbie is health information about day form and seizures (epilepsy), as well as any additional diagnoses, medications and medication. The fact that the breach of personal data security includes students when facilitated department makes the case particularly serious, and has been given great weight in the assessment of whether violation fee must be given. h) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified of the infringement The Norwegian Data Protection Authority was notified of the deviation from Rælingen municipality on 8 May 2019. (i) if the measures referred to in Article 58 (2) have previously been taken against the person concerned data controller or data processor with respect to the same subject matter, that the said measures are complied with No measures have previously been taken against Rælingen municipality with regard to same subject matter. (j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42 This point is not relevant to the case. k) any other aggravating or mitigating factor in the case, e.g. economic benefits which has been obtained, or losses which have been avoided, directly or indirectly, as a result of violation The Data Inspectorate has not established that Rælingen municipality has had financial benefits, or avoided losses directly or indirectly as a result of the infringement, and there is rather no aggravating circumstances other than those mentioned above. We can not see that either there are other mitigating factors in the case. 7. Summary In assessing whether an infringement fee should be imposed, the Norwegian Data Protection Authority places particular emphasis on the fact that the violations have significantly violated basic principles that the regulation protects, cf. Article 5 (1) (f) of the Regulation, which states that ' personal data shall be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal treatment and against unintentional loss, destruction or damage, by the use of appropriate technical or organizational measures ("integrity and confidentiality") ". The Norwegian Data Protection Authority places particular emphasis on the fact that an acceptable level of security had not been established in Showbie. The Data Inspectorate considers this to be serious. The users of the municipality's services have one clear and protected interest against deficient security measures where confidentiality is required. This can have serious consequences for the individual both because the environment can have access to information that the data subject has not himself chosen to make known, but also because the availability makes it unpredictable how many people have obtained the information. General preventive reasons and the consideration that the rules should have effect and work as intended, then speaks with force for it to react with an instrument such as an infringement charge. According to the Norwegian Data Protection Authority, the breach of personal data security is particularly serious as this applies to students in an adapted department who have little or no ability to take care of theirs rights and freedoms. The Data Inspectorate cannot see that the other aspects that the law emphasizes apply in significant degree - neither in an aggravating nor mitigating direction. The conclusion is that the Data Inspectorate has come to impose an infringement fee. 8. The size of the fee With regard to the size of the fee, the same factors shall be given weight as in wood the assessment of whether a fee should be imposed. The fee should be set so high that it also has an effect beyond the specific case. At the same time, the size of the fee must be in a reasonable proportion to the infringement and the business. We have particularly noted that the municipality had not established an acceptable level of security in Showbie, and that the relevant processing of personal data applies to children when facilitated department. Furthermore, we have looked at the general expectation that citizens should be able to have that municipal bodies follow the rules given. We assume that the signal effect of this case, the general preventive considerations are significant. It is important that such incidents do not occur, and that all public bodies that process citizens' personal data and information about vulnerable persons such as children, must take the responsibility that the law imposes on them. Inadequate routines often have the consequence that the risk of errors increases. In this case have weak routines and non-compliance with the routines actually had a real consequence in that it is found health information under daily schedules, as well as in chat with parents. This indicates a sharpened reaction. The municipality has stated that certain circumstances in the municipality's view should have been added weight in a mitigating direction. The municipality has pointed out that it was the municipality itself that sent notification of the breach of personal data security, that the breach concerned a relatively low number persons, and that the relevant information was deleted two days after the breach was discovered. We point out that the duty to report a breach to the Norwegian Data Protection Authority the personal data security is required by law, cf. the Privacy Ordinance art 33, and that this the duty rests with the person responsible for processing - in this case the municipality. We do not see that relatively low number of people should be given significant weight in the mitigating direction, but we emphasizes that the number of people affected has not been given weight in an aggravating direction either. With regard to the last allegation, that the personal data was deleted after two days, has we found that this can be given some weight in a mitigating direction. We refer to the Privacy Council guidelines on administrative sanctions (WP 253), which state that “timely action taken by the data controller / processor to stop the infringement from continuing or expanding to a level or phase which would have had a far more serious impact than it did ”, can be given weight. After this, we have come to the conclusion that the infringement fee can be reduced to NOK 500,000 . 9. Recovery of infringement fines The infringement fee is due for payment four weeks after the decision is final, cf. the Personal Data Act (2018) § 27. The decision is a coercive basis for disbursement. Recovery of the claim will be implemented by the Central Government Collection Agency. 10. Right of appeal You can appeal the decision. Any complaint must be sent to us within three weeks after this the letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we send the case to the Privacy Board for processing complaints, cf. the Personal Data Act § 22. 11. Transparency and publicity You have the right to access the case documents, cf. the Public Administration Act § 18. We will also inform that all documents are in principle public, cf. the Public Access to Information Act § 3, but emphasizes at the same time that security documentation is as a general rule exempt from public access, cf. the Public Access to Information Act § 13 and the Public Administration Act § 13 first paragraph no. 2. With best regards Bjørn Erik Thon director Knut Brede Kaspersen legal director The document is electronically approved and therefore has no handwritten signatures 1 Originally prepared by the Article 29 Working Party, but adopted by the Privacy Council, see the Privacy Council "Endorsement 1/2018", section 16. The documents are available at https://edpb.europa.eu