Directorate of Norwegian Correctional Service – Violation Found (Norway, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Norwegian Correctional Service was audited by Norway's data protection authority for how it handles personal data. The audit found that their internal controls were outdated and not fully implemented across all agencies. This matters because it highlights the importance of having up-to-date and consistent data protection practices in organizations.
What happened
The Norwegian Correctional Service was audited for its handling of personal data, revealing outdated and inconsistent internal controls.
Who was affected
Employees and individuals involved with the Norwegian Correctional Service whose personal data was processed.
What the authority found
The audit found that the Norwegian Correctional Service's internal controls for managing personal data were insufficient and not fully implemented across all agencies.
Why this matters
This case underscores the need for organizations to maintain current and comprehensive data protection practices. It serves as a reminder that even public institutions must ensure consistent implementation of privacy controls.
National Law Articles
In December 2020, the Norwegian DPA initiated an audit of the Directorate of Norwegian Correctional Service (DCS, the controller) regarding their processing of personal data. The DPA first requested an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Norwegian Execution of Sentences Act, details about the controller, the various processing activities in the correctional services, as well as a description of the roles and responsibilities internally. This lead to a first decision issued in August 2021. As a second step of the audit, the DPA notified the controller in November 2021 about forthcoming physical inspections at various sites. The inspections were conducted on the basis of § 20 of the Norwegian Personal Data Act of 2018 (which also implements the GDPR in Norway) for their responsibilities as controller and internal controls for managing privacy and personal data protection in the organization. During the audit, the controller created an instruction which placed the controller responsibilities for the whole organization, including underlying agencies, with them (the Directorate). However, after the DPA conducted inspections with the underlying agencies, they concluded that the instruction was not fully implemented everywhere. Further, the DPA noted that the internal control system was insufficient and outdated, especially since the controller evidently registers few violations of routines and regulations, likely as a result of lack of training and lack of a personal data security culture in the organization. The DPA also stated that complex and confusing regulations might have lead to the lack of compliance. The Norwegian Personal Data Act of 2018 and the GDPR do not apply to the processing of personal data related to sentencing, so the legislator continued the Norwegian Personal Data Act of 2000, with corresponding regulations. The legislator announced in 2018 a new law for the processing of inmates' personal data rel
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Directorate of Norwegian Correctional Service in NO
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Directorate of Norwegian Correctional Service - Norway (2022). Retrieved from cookiefines.eu
Last updated: