The University of Agder – €13,050 Fine (Norway, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Since 2018, the University of Agder (the controller) had been using MS Teams and SharePoint. An employee of the controller discovered that an open MS Teams folder gave all employees and students access to documents containing personal data. For example, four documents referred to 4,851 employees and 10,419 external persons (going back to 2014), who were identified by name, national identity number, employee number, resignation date and organisational unit. Other documents included, for example, an exam overview of 568 students and personal data of 64 Ukrainian refugees.

After receiving the notification from the employee, the controller immediately changed the access setting of the MS Teams folders. The new setting required each employee wishing to access a folder to be approved by the folder's owner. The controller notified the Norwegian DPA (Datatilsynet) of the incident under Article 33 GDPR and the affected data subjects under Article 34 GDPR. Additionally, the controller published a detailed description of the incident on its website. However, the logs went back only 6 months, so the controller was unable to confirm whether employees and students had interacted with or downloaded the data.

The DPA found that the controller violated Article 24 and Article 32 GDPR. Data confidentiality was breached: personal data became freely available to approximately 1,200 employees and 12,000 students of the controller. Furthermore, the controller had no adequate log control in place, which made it impossible to assess how many people accessed the data. At the same time, the controller failed to implement internal procedures and employee training on the use of MS Teams. The initial setting was also incorrect, as there was no control over which employees accessed data stored within MS Teams and no way to discover unauthorised access in advance. Hence, the controller failed to implement appropriate security measures in accordance with Article 24 an
Related Enforcement Actions (0)
No other enforcement actions found for The University of Agder in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 September 2024
Authority
Datatilsynet (Norway)
Fine Amount
€13,050
150,000 NOK
GDPRhub ID
gdprhub-8333
Cite as: Cookie Fines. The University of Agder - Norway (2024). Retrieved from cookiefines.eu