Telenor ASA – €348,000 Fine (Norway, 2025)

Following receipt of anonymous tips, the Datatilsynet (Norwegian DPA) launched an investigation into Telenor ASA’s (data controller) compliance with the DPO requirements in Articles 37-39 GDPR. As part of the investigation, a site visit was conducted, as well as interviews with executives and employees of the controller. During the investigation, the controller noted that they had terminated their DPO as they did not believe they met the criteria for requiring one under Article 37(1) GDPR. The DPA requested documentation detailing this assessment but the controller did not provide it. After the investigation was launched, a temporary DPO was appointed. The investigation also showed that contact details of the DPO were not available on the controller’s website, but only on the internal intranet, accessible only by employees. The investigation revealed an incomplete Record of Processing Activity (ROPA) and an absence of evidence of involvement of the DPO in issues relating to data protection. The investigation found that the evidence showed involvement by the DPO as only consisting of meetings between the DPO and certain heads of function across the organisation, and that these meetings only began more recently, after the commencement of the investigation. The investigation concluded that outside of this meeting, the DPO was involved on a case-by-case basis with data protection matters. The investigation revealed that the DPO’s role was split 50/50 between the DPO duties and work as an associate lawyer. The controller claimed that in practice, most of the DPO’s working hours were spent on DPO work. The controller, however, was unable to produce any documentation to demonstrate this. The investigation showed that there was a “major backlog” of data protection related tasks in 2021. It was also shown that the (then) DPO had raised concerns in 2021 about the resources available, requesting 100% full time equivalent (FTE) allocation to the handling of data protection mat