Asker municipality – €87,000 Fine (Norway, 2021)

Datatilsynet received a notification of a personal data breach from Asker municipality. The municipality had published 127 counts of personal ID numbers and information deemed confidential under the Public Administration Act in the title of the public records. The documents themselves were not published. The DPA found that the municipality had violated Articles 5 and 6 GDPR by publishing personal data on their webpage without a legal basis, and Articles 5 and 32(1)(b) by failing to implement appropriate technical and organisational measures to ensure ongoing confidentiality and integrity in their systems, and Article 24 GDPR for not implementing proper routines when handling the public records of mail. Datatilsynet held that publishing the title of documents containing sensitive information was a breach of Article 32(1)(b) GDPR, highlighting that the breach was reported to the municipality by a private individual and not noticed by the municipality itself. Datatilsynet highlighted that the personal data in question was not covered by the Public Administration Act. As such, the municipality did not have a legal basis cf. Article 6 GDPR. In addition, Datatilsynet found that the municipality lacked routines for publishing information to the public, violating Article 24 GDPR.