The Labour and Welfare Administration (NAV) – €1,740,000 Fine (Norway, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Labour and Welfare Administration (NAV) was fined €1.74 million for not properly protecting personal data. The agency had many employees with broad access to sensitive information but lacked proper controls to manage this access. This case highlights the need for organizations to implement strong security measures to protect personal data.
What happened
NAV failed to implement adequate security measures to protect personal data.
Who was affected
Norwegian citizens whose personal data was handled by NAV employees.
What the authority found
The Norwegian Data Protection Authority found that NAV did not have proper controls in place to secure personal data, violating GDPR's requirements.
Why this matters
This ruling emphasizes that even public agencies must take data protection seriously and implement effective security measures. Other organizations should review their data protection practices to avoid similar penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
"NAV", the Norwegian Labour and Welfare Administration, is a government agency that collaborates with local municipalities to provide a unified access to public labor and welfare services. Its primary functions include promoting employment and ensuring financial and social security. NAV administers a significant portion of the state budget and is one of the country's largest employers with about 22,000 employees. Almost all citizens of Norway are in contact with NAV at some point of their life. On 1 March 2023, the Norwegian DPA Datatilsynet notified NAV (the controller) of a physical inspection as per Article 57(1)(a) GDPR, Article 57(1)(h) GDPR, cf. Article 58(1)(a) GDPR, Article 58(1)(b) GDPR, Article 58(1)(e) GDPR and Article 58(1)(f) GDPR. The DPA conducted their inspection on 6 September. They focused on the controller's IT systems for processing personal data related to their government-related services, including technical and organisational measures related to access controls, logging and log control, as per Article 32 GDPR and Article 5(1)(f) GDPR, including if the controller had established an appropriate management system in line with Article 24 GDPR and Article 5(2) GDPR. The DPA sent the controller the preliminary audit report on 1 November, to which the controller responded on 22 November. The DPA then submitted their final report on 27 November, along with a notification of their intent to impose a fine and issue several orders. The controller has three weeks to respond to the DPA's preliminary conclusions, after which the DPA will make their final decision. Overall, the DPA found that many of the controller's employees work on cases from across the country, in several service areas, with broad access rights. Despite this, there isn't systematic control over how they use systems; this relies instead on trust. The employees also lack the necessary tools to manage this trust and the responsibility they're given, due to a lack of routines and supervi
Related Enforcement Actions (0)
No other enforcement actions found for The Labour and Welfare Administration (NAV) in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
27 November 2023
Authority
Datatilsynet (Norway)
Fine Amount
€1,740,000
20,000,000 NOK
GDPRhub ID
gdprhub-7421About this data
Cite as: Cookie Fines. The Labour and Welfare Administration (NAV) - Norway (2023). Retrieved from cookiefines.eu
Last updated: