The Norwegian DPA Datatilsynet – Violation Found (Norway, 2020)

Violation Found
Datatilsynet (Norway) | 24 March 2020 | Norway
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A complaint against the Norwegian DPA's website led to a finding of GDPR violations. The issue was about using the wrong legal basis for processing personal data on their site. This case matters because it shows even public authorities must carefully choose legal grounds for data processing.

What happened

The Norwegian DPA was found to have used an incorrect legal basis for processing personal data on its website.

Who was affected

Visitors to the Norwegian DPA's website whose data was processed under the wrong legal basis.

What the authority found

An external party found that the Norwegian DPA incorrectly relied on a legal basis not applicable to public authorities for processing website data.

Why this matters

This case underscores the need for public authorities to correctly apply legal bases for data processing. It serves as a reminder that all organizations, including government bodies, must comply with GDPR.

GDPR Articles Cited

Art. 6 GDPR
Art. 24 GDPR
Art. 5(1) GDPR
Art. 5(1)(a) GDPR
Art. 5(1)(b) GDPR
Art. 5(2) GDPR
Art. 6(1)(f) GDPR
Art. 12(1) GDPR
Art. 12(2) GDPR
Art. 12(4) GDPR
Art. 13(1)(d) GDPR
Art. 57(1)(b) GDPR
Art. 57(2) GDPR
Art. 70(1) GDPR

National Law Articles

Forvaltningsloven (Norwegian Public Administration Act) § 2(b), cf. (a)

Full Legal Summary

A data subject lodged a complaint against the Norwegian DPA for several GDPR violations related to its website (https://www.datatilsynet.no). Since the DPA is disqualified from handling complaints lodged against itself, the Ministry of Local Government and Regional Development, which is administratively superior to the DPA, appointed an external party to assess the complaint and make a decision.

First, the data subject claimed that the DPA violates Article 6 GDPR because it bases all processing activities relating to website visits on Article 6(1)(f), when the second paragraph of Article 6(1) states that this lawful basis does not apply to processing carried out by public authorities in the performance of their tasks. The data subject argued that since the DPA is a public authority and operating its website is part of its tasks, it could not rely on this lawful basis. In addition, the data subject claimed that even if the DPA could base certain processing activities on this lawful basis, the interests claimed are not necessary for the processing in question, for example claiming that storing keyword searches is not necessary to operate the website.

The DPA responded that it had assessed several possible lawful bases for processing personal data in relation to its website, for example Article 6(1)(e) and Article 6(1)(a). However, it felt that (e) was not appropriate and that (a) was only partly appropriate. Thus, it concluded that Article 6(1)(f) was the correct lawful basis. As for the complaint from the data subject, the DPA referred to the legal preparatory works related to the GDPR, where the Ministry of Justice and Public Security assumes that the exception referred to in the second paragraph of Article 6(1) only refers to the processing of personal data related to the exercise of the public authorities' tasks. The DPA also referred to the French DPA's use of this lawful basis for several of its processing activities and purposes.

Second, the data sub

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Details

Decision Date: 24 March 2020
Authority: Datatilsynet (Norway)
GDPRhub ID: gdprhub-4692

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. The Norwegian DPA Datatilsynet - Norway (2020). Retrieved from cookiefines.eu
