Norwegian Labour and Welfare Administration – €1,740,000 Fine (Norway, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is the Norwegian Labour and Welfare Administration. The Norwegian DPA (“Datatilsynet”) audited the controller to check whether it ensured confidentiality in the management system used to process personal data to provide services. The audit was limited to the technical and organisational measures related to access management, logs and log control under Article 5(1)(f) GDPR and Article 32 GDPR. The audit also checked whether the controller had established an appropriate management system under Article 5(2) GDPR and Article 24 GDPR.

The DPA found a number of breaches that showed structural and organisational weakness and a lack of management and understanding of the importance of data protection and the imposed requirements. The DPA identified 12 offences relating to the fact that the controller, having a large number of employees all over the country, lacked systematic control of employees’ use of the specialised systems.

The DPA found that the controller had organised itself in such a way that a significant group of employees had broad access for official purposes. In combination with an inadequate system for log control, the DPA held that this was not compatible with the principle of confidentiality under Article 5(1)(f) GDPR and the requirements for organisational measures pursuant to Article 32 GDPR.

Moreover, the DPA found that no routine risk assessments were made and that, as a result, the necessary “links” between risk level and access level were not routinely made either. New ID administrators, who are in charge of granting access, received training that was very person-dependent and described only how access should be granted, not on what terms.

The DPA also found that employees had access to information about the entire population by default. Although the controller argued that it was for efficient case processing in order to provide good guidance and equal treatment and to process cases within a reasonable time, the DPA found that i
Related Enforcement Actions (0)
No other enforcement actions found for Norwegian Labour and Welfare Administration in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 18 March 2024
Authority: Datatilsynet (Norway)
Fine Amount: €1,740,000 (20,000,000 NOK)
GDPRhub ID: gdprhub-7775
About this data
Cite as: Cookie Fines. Norwegian Labour and Welfare Administration - Norway (2024). Retrieved from cookiefines.eu