Alesund municipality – €4,350 Fine (Norway, 2021)

Teachers at two junior high schools in Alesund municipality required their students to download the fitness app Strava for use in gym classes during the COVID-19 pandemic. The teachers used the app's tracking capabilities to validate that the students had conducted required exercises at home, for example bicycling a certain distance. The teachers, schools, nor the municipality, conducted a risk assessment or a Data Protection Impact Assessment (DPIA) before deciding to use Strava in this way. Was this use of Strava a breach of the GDPR? The DPA (Datatilsynet) held that the municipality had several breaches as per the GDPR: 1) For the lack of routines for technical and organisational security measures necessary to secure and demonstrate that the processing was in line with the GDPR, cf. Article 24(1). 2) For not having sufficient technical and organisational security measures in place to achive a level of protection suitable for ensuring confidentiality, integrity and robustness, and for not having conducted a risk assessment for the use of the app, cf. Article 32(1)(b), cf. Article 5. 3) For not conducting a Data Protection Impact Assessment (DPIA), cf. Article 35 (which the DPA assessed was necessary for this specific case). For these breaches, the municipality was fined NOK 50 000,-.