The University of Agder – €13,050 Fine (Norway, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The University of Agder was fined €13,050 after personal data of thousands of individuals was left accessible in open Microsoft Teams folders. This ruling matters because it highlights the risks of poor data management and the importance of securing sensitive information. Organizations must ensure that access to personal data is properly controlled.
What happened
The university was fined for allowing personal data of 4,851 employees and 10,419 external individuals to be freely accessible.
Who was affected
Approximately 1,200 employees and 12,000 students of the university, along with external individuals mentioned in the documents.
What the authority found
The authority found that the university violated GDPR by failing to implement proper security measures and controls over personal data access.
Why this matters
This case serves as a critical reminder for organizations to regularly assess their data security practices. It shows that inadequate protections can lead to serious financial penalties and loss of trust.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Since 2018, the University of Agder (the controller) had been using MS Teams and SharePoint. An employee of the controller found that an open MS Teams folder gave all employees and students access to documents containing personal data. For example, four documents referred to 4,851 employees and 10,419 external persons (going back to 2014), who were listed by name, national identity number, employee number, resignation date and organisational unit. Other documents included, for example, an exam overview of 568 students and personal data of 64 Ukrainian refugees.
After receiving the notification from the employee, the controller immediately changed the access setting of the MS Teams folders. The new setting required each employee wishing to access a folder to be approved by the folder's owner. The controller notified the Norwegian DPA (Datatilsynet) of the incident under Article 33 GDPR and the affected data subjects under Article 34 GDPR. Additionally, the controller published a detailed description of the incident on its website. However, log control was limited to the preceding 6 months. The controller was unable to confirm whether employees and students had interacted with or downloaded the data.
The DPA found that the controller violated Article 24 and Article 32 GDPR. Data confidentiality was violated: personal data became freely available to approximately 1,200 employees and 12,000 students of the controller. Furthermore, the controller had no adequate log control in place, which made it impossible to assess how many people accessed the data. At the same time, the controller failed to implement internal procedures and employee training on the use of MS Teams. Also, the initial setting was incorrect, as there was no control over employees' access to data stored within MS Teams and no means of discovering unauthorised access in advance. Hence, the controller failed to implement appropriate security measures in accordance with Article 24 an
Related Enforcement Actions (0)
No other enforcement actions found for The University of Agder in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 September 2024
Authority
Datatilsynet (Norway)
Fine Amount
€13,050
150,000 NOK
GDPRhub ID
gdprhub-8333
Cite as: Cookie Fines. The University of Agder - Norway (2024). Retrieved from cookiefines.eu