Personvernnemnda (Norway) - 2022-13 (21/00481)
Relevant Law: Article 5(1)(f) GDPR; Article 24 GDPR; Article 32 GDPR; Article 58(2)(d) GDPR; Article 58(2)(i) GDPR; Article 83 GDPR; Personal Data Act § 26(1)
Parties: Østre Toten municipality
National Case Number/Name: 2022-13 (21/00481)
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
Original Source: Personvernnemnda (Privacy Appeals Board) (in Norwegian)
Initial Contributor: Rie Aleksandra Walle
The Norwegian Privacy Appeals Board upheld the DPA's decision to fine a municipality €352,555 for violating Article 5(1)(f), Article 24 and Article 32 GDPR after a serious ransomware attack led to highly sensitive personal data being irreparably lost and sold on the dark web.
English Summary
Facts
This case is an appeal of a decision in which the DPA fined a municipality (the controller) about €352,555 (NOK 4,000,000) for violating Article 5(1)(f) GDPR, Article 24 GDPR and Article 32 GDPR after a serious ransomware attack led to highly sensitive personal data being irreparably lost and sold on the dark web.
The controller disagreed with the part of the decision concerning the fine and asked the DPA to reconsider. After reviewing the case again, the DPA found no grounds to change its decision and, as Norwegian procedure requires, referred the case to the Privacy Appeals Board.
In its comments to the Privacy Appeals Board, the controller argued that there were no grounds for an administrative fine. It also held that, within the limits of its internal resources, it had implemented sufficient technical and organisational measures in line with Article 24 GDPR and Article 32 GDPR.
Holding
The Privacy Appeals Board reviewed the case and both parties' arguments, the grounds for imposing an administrative fine under the GDPR, and the objective and subjective conditions for establishing that personal data breaches had taken place.
After assessing the controller's personal data practices, the Privacy Appeals Board agreed with the DPA that the various deficiencies amounted to fundamental shortcomings in the controller's information security, resulting in violations of Article 24 GDPR and Article 32 GDPR.
On the subjective conditions, however, the Privacy Appeals Board found that the DPA had taken an incorrect legal standpoint and misapplied the law. It disagreed with the DPA's view that the Chief Municipal Executive was objectively responsible for the personal data breaches regardless of whether he had acted negligently. In the Privacy Appeals Board's view, the insufficient IT security had to be seen against a lack of focus over a long period, well before the Chief Municipal Executive took up his post only about half a year before the breaches. The Privacy Appeals Board therefore assessed whether one or more of the employees responsible for IT security in the municipality had acted negligently, and found that this was indeed the case. Consequently, it held that the subjective conditions for imposing a fine were also met.
Finally, the Privacy Appeals Board agreed with the DPA's assessment of both the grounds for and the level of the administrative fine. It therefore rejected the controller's appeal and upheld the DPA's decision to impose a fine of €352,555 (NOK 4,000,000).
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.