Bodø Kommunale Pensjonskasse (BKP) – Violation Found (Norway, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Datatilsynet found that Bodø Kommunale Pensjonskasse improperly handled sensitive personal data, including health information, without a valid legal basis. This case emphasizes the need for companies to have a clear legal basis when processing sensitive data. Organizations should review their data handling practices to ensure compliance with privacy laws.
What happened
Bodø Kommunale Pensjonskasse processed and shared sensitive personal data, including health information, without a valid legal basis.
Who was affected
Customers of Bodø Kommunale Pensjonskasse whose sensitive personal data, like health information, was improperly processed.
What the authority found
The Datatilsynet found that Bodø Kommunale Pensjonskasse lacked a valid legal basis for processing and sharing sensitive personal data.
Why this matters
This finding highlights the critical need for organizations to establish a valid legal basis for processing sensitive data, especially health information, to comply with privacy regulations.
GDPR Articles Cited
The Datatilsynet received a notification that Bodø Kommunale Pensjonskasse (BKP), a Norwegian pension fund, would obtain unnecessary medical certificates, lack control over archives and share special categories of personal data with third parties. Based on this notification, the Datatilsynet started an independent investigation in November 2019. The Datatilsynet found two violation of Article 6 and 9 GDPR in that the BKP *has processed special categories of personal data in statistics that do not appear to be necessary and *has transferred special categories of personal data to Bodø Municipality without a legal basis und Article 6 and 9 GDPR. In essence, the Datatilsynet considered it very problematic that the BKP had a practice of creating statistics, that still contained personal data of the BKP's customers under Article 4(1) GDPR. These statistics even included health data which qualify as a special category of personal data under Article 9(1) GDPR. The Datatilsynet considered, that such processing might be based on Article 6(1)(f) GDPR (legitimate interest) and - regarding health data - on Article 9(2)b) GDPR (fulfilling obligations under social security law). However, the Datatilsynet was not convinced that statistics containing personal data were truly necessary and whether the BKP could not have compiled the statistics in a manner that would result in anonymised data. With regard to the transmission of this statistics that still contained personal data to Bodø Municipality , the Datatilsynet held that there is no legal basis under Article 6 and 9 GDPR and that such processing should be stopped. The alleged obtaining of unnecessary medical certificates in order to assess a person's entitlement to a disability pension was not considered to amount to a GDPR violation as these certificates might indeed be necessary for purpose achievement. Regarding the access of the BKP's board to data about the BKP's customers (e.g. gender, year of birth, position, informatio
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Bodø Kommunale Pensjonskasse (BKP) in NO
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Bodø Kommunale Pensjonskasse (BKP) - Norway (2020). Retrieved from cookiefines.eu
Last updated: