Høylandet kommune (municipality) – €34,800 Fine (Norway, 2021)

Fine amount: €34,800
Authority: Datatilsynet (Norway)
Date: 20 September 2021
Country: Norway
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Norway fined the Høylandet municipality €34,800 for a data breach that exposed sensitive health information due to a poorly configured system. The breach went unaddressed for 11 months, showing the importance of quick action and strong data security measures.

What happened

Høylandet municipality exposed sensitive health data due to a misconfigured system, leading to a significant data breach.

Who was affected

Individuals whose sensitive health information was accessible through the municipality's system.

What the authority found

The Norwegian DPA fined the municipality for failing to secure sensitive data and for not addressing the breach promptly.

Why this matters

This case highlights the critical need for municipalities and organizations to implement robust data security practices and respond swiftly to breaches. It also emphasizes the risks of handling special category data without adequate safeguards.

GDPR Articles Cited

Art. 24 GDPR
Art. 32(1)(b) GDPR

Full Legal Summary

An employee in a municipal health care center had access to highly sensitive personal data (image files) through an incorrectly configured script in a system used for creating letters. When adding images to the letters, the employee could access personal data about people with no affiliation to the municipality, including information about medical appointments, doctors' referrals, epicrises (discharge summaries) and various medical examinations. The breach lasted from 01.01.2018 to 15.11.2019.

When the municipality discovered the breach, it chose not to contact the processor because of the gravity of the breach. Instead, it only instructed employees using the system to avoid opening image files not created by the municipality, and sent a breach notification to the DPA. The DPA had to contact the processor about the breach itself; the processor then deleted the image files immediately and corrected the script.

Despite having an internal control system in place, the municipality admitted that it had been a challenge to ensure sufficient compliance throughout the organisation. Following the dialogue with the DPA, it increased its focus on information security and breach management, including procuring external assistance.

The DPA fined the municipality €40,478 (NOK 400,000) for breaching Article 32(1)(b) GDPR and Article 32(2), cf. Article 24, and required it to submit to the DPA documentation on its new policies and procedures. The DPA found it aggravating that the municipality only took action to rectify the breach after the DPA sent its notification of the intent to issue a fine and corrective measures, i.e. about 11 months after the breach was discovered. The fact that the case concerns special category personal data under Article 9 GDPR also increased the gravity of the breach. Finally, the DPA assumed that the chief municipal executive (Norwegian "rådmann"), as the person mainly responsible on behalf of the municipality, was the one who had acted negligently and partly with intent.

Related Enforcement Actions (0)

No other enforcement actions found for Høylandet kommune (municipality) in Norway.

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

20 September 2021

Authority

Datatilsynet (Norway)

Fine Amount

€34,800

400,000 NOK

GDPRhub ID

gdprhub-4212

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Høylandet kommune (municipality) - Norway (2021). Retrieved from cookiefines.eu