Datatilsynet – Complaint Upheld (Norway, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's data protection authority upheld a complaint against a municipality for improperly using a digital form to survey bullying in schools. The authority found that the municipality didn't have a legal reason to collect the data and ordered them to delete it. This case stresses the need for clear legal grounds when processing personal data.
What happened
The authority ruled that a municipality lacked legal grounds for processing personal data in a bullying survey.
Who was affected
Students and their parents, whose data was collected in the bullying survey, were affected.
What the authority found
The authority determined that the municipality violated data protection principles and had to delete the collected personal data.
Why this matters
This decision highlights the importance of having a valid legal basis for data processing. Organizations must ensure they follow data protection rules to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
A parent submitted a complaint to the DPA on the municipality's use of a digital form to survey bullying behaviour at local schools. The DPA concluded in their investigations that the municipality lacked legal grounds for the processing cf. Article 6(1)(c), as they didn't believe the processing was "required" to achieve the goals of The Education Act Chapter 9A. Consequently, the municipality had to delete all personal data related to this processing, cf. Article 17(1)(d). The DPA also found that the municipality were in breach of the principles of lawfulness, fairness and transparency, cf. Article 5(1)(a), and accuracy, cf. Article (5)(1)(d), they hadn't recorded the processing activity as required in Article 30, hadn't conducted a risk assessment as per Article 32(2) or a Data Protection Impact Assessment as per Article 35(1) cf. 35(7) cf. the DPA's list over processing activities requiring a DPIA. Arendal municipality opposed this decision, however, following a review, the DPA continued to upheld it. The case was then forwarded to the Privacy Appeals Board, who concluded that the municipality had indeed sufficient legal grounds, however had other shortcomings that need to be resolved before further processing can take place, including: - conduct a DPIA cf. Article 35 - clearly inform students cf. Article 12 that a) it's voluntary to participate in the survey cf. Article 13(2)(f), and b) that their responses can be shared with individuals they name in their response cf. Article 15 - fulfill the other requirements as per the GDPR, including the fundamental principles for processing personal data cf. Article 5(1) and data subjects' rights cf. Chapter III - record the processing activity as per Article 30 - create written routines and other necessary documentation to ensure sufficient internal controls Did Arendal municipality (and the schools) have legal grounds for processing the personal data in the digital form, cf. Article 6(1)(c) cf. The Education Act Chapt
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (3)
Other enforcement actions involving Datatilsynet in NO
Complaint Upheld
Details
About this data
Cite as: Cookie Fines. Datatilsynet - Norway (2020). Retrieved from cookiefines.eu
Last updated: