Public Roads Administration (Statens vegvesen) – €87,000 Fine (Norway, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Public Roads Administration was fined for not deleting old toll road data, which included personal information like car tag numbers and crossing times. This matters because it highlights the importance of deleting personal data when it's no longer needed. Businesses should ensure their systems can delete data as required by privacy laws.
What happened
The Public Roads Administration failed to delete toll road crossing logs containing personal data after the legal retention period ended.
Who was affected
Individuals whose toll road crossing data, including car tag numbers and crossing times, was stored beyond the legal retention period.
What the authority found
The Norwegian DPA found that the Public Roads Administration violated GDPR by not deleting personal data after it was no longer needed, due to a lack of proper technical measures.
Why this matters
This case underlines the necessity for companies to implement systems capable of deleting personal data once its purpose is fulfilled. It serves as a reminder that organizations must regularly review and update their data management practices to comply with privacy regulations.
GDPR Articles Cited
A data subject lodged a complaint against the Norwegian Public Roads Administration (the controller) for failing to delete toll road crossings logs, which included personal data related to the car tag number, location and time of crossing. The data subject demonstrated that the controller still (at the time of the complaint) stored personal data about their place of residence dating back to 2008 and 2010. The controller may legally store personal data related to toll road crossings for accounting purposes, but when the purposes have been fulfilled (storage for 5 years as per Norwegian accounting rules), the personal data must be deleted in line with Article 17(1) GDPR. However, the system used for keeping this data, lacked deletion functionality and the DPA found that the controller had not assessed, nor implemented, technical and organisational measures as required by the GDPR. The Norwegian DPA's investigation revealed a complex situation of several involved parties and confusion around roles and responsibilities. The DPA, however, reasoned that the Norwegian Public Roads Administration was the controller for the personal data concerned. Other parties involved were toll operators and a software supplier. The involved parties had argued amongst themselves who were to blame for the violations of the GDPR, with letters dating back to May 2017. The controller claimed they could not delete the personal data in question since the software system (where the toll road crossings logs were kept) lacked deletion functionality. As the DPA had reasoned that the Norwegian Public Roads Administration was the controller and thus ultimately responsible for the processing of the personal data, the decision was made against them and not the other parties involved. The Norwegian DPA instructed the controller to, without undue delay, delete the personal data related to the toll road crossings logs where the purpose for storing has been fulfilled. For the violations described abov
Related Enforcement Actions (0)
No other enforcement actions found for Public Roads Administration (Statens vegvesen) in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
25 February 2020
Authority
Datatilsynet (Norway)
Fine Amount
€87,000
1,000,000 NOK
GDPRhub ID
gdprhub-4530About this data
Cite as: Cookie Fines. Public Roads Administration (Statens vegvesen) - Norway (2020). Retrieved from cookiefines.eu
Last updated: