Indre Østfold kommune (municipality) – €17,400 Fine (Norway, 2020)

A former student asked a school to share their school folder. The municipality's routine is to keep records for access requests, which meant, in this case, that the folder was scanned and made available for access. It was, however, made openly available on their website and a local journalist was able to download the entire folder with its contents. The information was confidential, cf. the Education Act. When the error was discovered, the folder was removed and the municipality notified the DPA of the personal data breach, as well as the affected data subject. Was publishing the student's school folder online a breach of Article 32? The DPA concluded that the municipality had breached the required information security requirements as per Article 32(1)(b), cf. Article 5, and that they didn't have any legal grounds for this processing as per Article 6, cf. Article 5 (the latter because the information was confidential and should never have been published openly). The municipality was fined €18,860.