Statens pensjonskasse (SPK - The Norwegian Public Service Pension Fund) – €87,000 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's pension fund was fined for collecting too much personal data from the tax office, including sensitive health information. The Norwegian privacy authority found this unnecessary data collection violated privacy rules. This case highlights the need for organizations to limit data collection to what is necessary.
What happened
The Norwegian Public Service Pension Fund collected and stored unnecessary personal data from the Tax Administration.
Who was affected
Around 44,000 people, including 24,000 receiving disability pensions, whose data was unnecessarily collected.
What the authority found
The Norwegian DPA fined the pension fund for collecting excessive personal data without meeting the necessity requirement under GDPR.
Why this matters
This case serves as a reminder that organizations must only collect data necessary for their purposes. It highlights the importance of implementing measures to prevent and delete unnecessary data to comply with privacy laws.
GDPR Articles Cited
The Norwegian Public Service Pension Fund (SPK - Statens pensjonskasse) reported a personal data breach in September 2019. Between 2016 and 2019, it had obtained a large amount of personal data from the Norwegian Tax Administration, much of which was not needed for its purpose. The data was meant to be used for correcting disbursed disability pensions. However, SPK lacked a filter to prevent receiving and storing unnecessary data, as well as organisational measures for deleting the superfluous data. SPK itself categorised the breach as serious, as it involved processing highly sensitive personal data about a vulnerable group of people (those receiving disability pensions). In total, about 44,000 people were affected by the breach, of whom about 24,000 were receiving a disability pension.

First, the DPA stated that, although SPK could rely on both Article 6(1)(c) and Article 6(1)(e) GDPR, the processing must still have been necessary. The same necessity requirement follows from Article 9(2)(b) GDPR, since SPK processed health data. Because SPK processed unnecessary income information obtained from the Tax Administration, the necessity requirement was not met, in violation of Article 6(1) and Article 9(2) GDPR.

In addition, the DPA found that SPK had obtained excess personal data not needed for the purpose of calculating correct disability pension disbursements, in breach of Article 5(1)(c) GDPR. Lastly, SPK lacked sufficient routines for assessing what personal data was needed and for deleting superfluous data, in breach of Article 5(1)(e) GDPR.

Although the DPA found that the violations were negligent rather than intentional, and that SPK had taken measures to limit the damage, SPK had violated basic principles of the GDPR, special categories of personal data were involved, and a large number of persons were affected. Hence, the DPA concluded that SPK had to be fined, and considered a fine of €99,940 (NOK 1 million) to be sufficient.
Related Enforcement Actions (0)
No other enforcement actions found for Statens pensjonskasse (SPK - The Norwegian Public Service Pension Fund) in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
24 November 2021
Authority
Datatilsynet (Norway)
Fine Amount
€87,000
1,000,000 NOK
GDPRhub ID
gdprhub-4476
Cite as: Cookie Fines. Statens pensjonskasse (SPK - The Norwegian Public Service Pension Fund) - Norway (2021). Retrieved from cookiefines.eu