Østre Toten municipality – €412,000 Fine (Norway, 2021)

€412,000Datatilsynet (Norway)18 October 2021Norway
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Østre Toten municipality in Norway faced a significant fine after a cyberattack exposed sensitive personal data. The attack revealed weaknesses in their data security practices, including the lack of two-factor authentication. This case serves as a reminder for organizations to strengthen their cybersecurity measures.

What happened

A cyberattack on Østre Toten municipality led to the exposure and publication of sensitive personal data on the dark web.

Who was affected

Residents and employees of Østre Toten municipality whose sensitive personal data was compromised.

What the authority found

The Norwegian DPA fined Østre Toten municipality for inadequate data security measures, violating GDPR's security obligations.

Why this matters

This incident highlights the importance of implementing strong security measures, such as two-factor authentication and secure backups, to protect personal data. Organizations should regularly assess and improve their cybersecurity practices to prevent similar breaches.

GDPR Articles Cited

AI-verified

Art. 24 GDPR
Art. 32 GDPR
View original scraped data
Art. 5(1)(f) GDPR
Art. 32 GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Personopplysningsloven § 26
Pasientjournalloven § 29
Source verified 6 March 2026
articles corrected
national law identified
Norway enforcementDatatilsynet (Norway) actionsAll Østre Toten municipality actions
Full Legal Summary
Detailed

The Norwegian DPA has fined Østre Toten municipality EUR 412,000. The municipality suffered a cyberattack in January 2021, as a result of which the municipality's data was encrypted as well as backups were deleted. A larger amount of data was later published on the dark web. Approximately 30,000 documents were affected by the attack. The documents contained, among other things, information on ethnic origin, political opinion, religious beliefs, union memberships, sexual orientation, health status, as well as banking data of the municipality's residents and employees. The DPA's investigation revealed that the municipality had fundamental deficiencies in the security of personal data and related internal controls.Among other things, the municipality had not used two-factor authentication when logging into systems, and lacked appropriate backup systems.

Related Enforcement Actions (2)

Other enforcement actions involving Østre Toten municipality in NO

Fine
Oct 2021· Datatilsynet (Norway)

In early 2021, a Norwegian municipality (Østre Toten kommune) realized they had been exposed to a serious ransomware attack that locked employees out ...

€348K
Current
Oct 2021

Fine

€412K

Court Ruling
Jan 2023· Datatilsynet (Norway)

This case is an appeal of a decision in which the DPA fined a municipality (the controller) about €352,555 (NOK 4,000,000) for violating Article 5(1)(...

Details

Fine Date

18 October 2021

Authority

Datatilsynet (Norway)

Fine Amount

€412,000

Enforcement Tracker ID

ETid-878

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Østre Toten municipality - Norway (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: