Norges idrettsforbund og olympiske og paralympiske komité (NIF) – €108,750 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Datatilsynet fined the Norwegian Olympic and Paralympic Committee (NIF) for exposing personal data of millions, including children, during a software test. The breach happened because NIF used real data without proper security checks, showing the importance of data protection in testing environments.
What happened
NIF exposed personal data of millions by testing a new cloud-based platform with real member data without proper security measures.
Who was affected
The breach affected 3.2 million people, including nearly half a million children aged 3-17 years.
What the authority found
The DPA found NIF violated GDPR by failing to conduct sufficient risk assessments and using real data unnecessarily during testing.
Why this matters
This case highlights the risks of using real data in testing environments and underscores the need for strong data protection measures. Businesses should consider using synthetic data to avoid similar breaches.
GDPR Articles Cited
Original scraped data
Data as captured by the scraper, before verification against the source document.
Following a routine sweep of Irish IP addresses, the Irish National Cyber Security Centre (CSIRT-IE) discovered the exposed personal data of millions of people. They alerted the Norwegian National Cyber Security Centre (NCSC), who then alerted NIF. The data breach followed NIF's move from an on-premise solution to Azure and was related to testing of a service (Elasticsearch) that was meant to improve member administration. NIF decided to conduct the testing on real data and, further, that it was necessary to use a significant amount of data. They also felt it was essential to conduct the testing quickly. NIF has admitted that they did not conduct sufficient risk assessments, nor did they assess whether it was possible to use anonymized data or a narrower data selection.

The personal data was exposed online for a total of 87 days. As soon as NIF was notified of the breach, they immediately corrected the mistake. It is not known whether anyone has actually exploited the data breach. The personal data involved in the breach were names, gender, birth date, address, phone number, email address and club affiliation. Of the 3.2 million people affected by the breach, almost half a million were children aged 3-17 years.

Did NIF uphold the principles of the GDPR when they tested their new, cloud-based platform with real member personal data? The DPA held that NIF breached several fundamental principles of the GDPR, as they lacked sufficient risk assessment, considerations, routines and security measures. The DPA found that the testing was conducted without sufficient risk assessments and that NIF lacked routines and security measures to properly protect the personal data, thus breaching Article 32. The DPA also emphasized that the purpose of the processing (testing new solutions for member administration) could have been achieved in a less intrusive way, e.g. by processing synthetic data, or at least by processing significantly less personal data. NIF should also h
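The "Why this matters" note and the DPA's finding above both come down to the same engineering control: a test index should receive a minimised, pseudonymised dataset rather than a copy of production. The script below is an added illustration, not code from NIF, Datatilsynet or the site; it uses constructed sample records with the same field set the breach exposed (name, gender, birth date, address, phone, email, club), replaces the email with a keyed HMAC pseudonym, generalises the birth date to an age band, drops the remaining direct identifiers, and refuses to export if any direct identifier survives. The key name, reference date and age bands are assumptions chosen for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample records (invented values, not NIF data) with the same fields the
# breach exposed: name, gender, birth date, address, phone, email, club affiliation.
SAMPLE_MEMBERS = [
    {"name": "Kari Nordmann", "gender": "F", "birth_date": "2010-04-12",
     "address": "Storgata 1, 0155 Oslo", "phone": "+47 900 00 001",
     "email": "kari@example.org", "club": "Oslo IL"},
    {"name": "Ola Nordmann", "gender": "M", "birth_date": "1985-07-20",
     "address": "Kirkegata 5, 5003 Bergen", "phone": "+47 900 00 002",
     "email": "ola@example.org", "club": "Bergen SK"},
    {"name": "Per Hansen", "gender": "M", "birth_date": "1960-01-02",
     "address": "Havnegata 9, 7010 Trondheim", "phone": "+47 900 00 003",
     "email": "per@example.org", "club": "Oslo IL"},
]

# Fields that identify a person directly; none of them may reach a test index.
DIRECT_IDENTIFIERS = frozenset({"name", "address", "phone", "email", "birth_date"})

# Hypothetical pseudonymisation key. It belongs to the production-side export job
# and is never copied into the test environment, so test records cannot be
# re-linked to real members from inside that environment.
PSEUDONYM_KEY = b"replace-with-a-key-from-a-secret-store"

# Fixed reference date so the age bands in this example are reproducible.
REFERENCE_DATE = date(2021, 5, 5)


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: stable per member, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(birth_date: str, today: date = REFERENCE_DATE) -> str:
    """Generalise an exact birth date to a coarse age band (bands are an assumption)."""
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    if age < 18:
        return "<18"
    if age < 30:
        return "18-29"
    if age < 50:
        return "30-49"
    return "50+"


def minimise_for_test(record: dict, key: bytes = PSEUDONYM_KEY,
                      today: date = REFERENCE_DATE) -> dict:
    """Keep only what a member-administration test needs; drop or generalise the rest."""
    return {
        "member_id": pseudonym(record["email"], key),  # stable join key, no real identity
        "gender": record["gender"],
        "age_band": age_band(record["birth_date"], today),
        "club": record["club"],
    }


def contains_direct_identifiers(records: list) -> bool:
    """Gate for the load step: True if any record still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)


def build_test_dataset(records: list, key: bytes = PSEUDONYM_KEY,
                       today: date = REFERENCE_DATE) -> list:
    """Produce the dataset that may be loaded into a test index, refusing anything unsafe."""
    reduced = [minimise_for_test(r, key, today) for r in records]
    if contains_direct_identifiers(reduced):
        raise ValueError("refusing to export: direct identifiers present")
    return reduced


if __name__ == "__main__":
    for row in build_test_dataset(SAMPLE_MEMBERS):
        print(row)
```

The gate in `build_test_dataset` is the part worth wiring into the pipeline that feeds a test cluster: it turns "we decided to use real data because it was quick" into an explicit failure that someone has to override and document, which is exactly the risk-assessment step the DPA found missing. Club affiliation and gender are kept because the stated purpose (testing member administration) needs them; the pseudonym preserves joins across records without carrying a real identity.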
Related Enforcement Actions (0)
No other enforcement actions found for Norges idrettsforbund og olympiske og paralympiske komité (NIF) in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
5 May 2021
Authority
Datatilsynet (Norway)
Fine Amount
€108,750
1,250,000 NOK
GDPRhub ID
gdprhub-2968
Cite as: Cookie Fines. Norges idrettsforbund og olympiske og paralympiske komité (NIF) - Norway (2021). Retrieved from cookiefines.eu