Bergen Municipality – €170,000 Fine (Norway, 2019)

€170,000 | Datatilsynet (Norway) | 1 March 2019 | Norway | final | Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Norway fined Bergen Municipality €170,000 for leaving over 35,000 user accounts unprotected. This security lapse exposed personal data of students and school employees. The case shows the critical need for robust data security, especially when handling children's information.

What happened

Bergen Municipality left usernames and passwords for over 35,000 user accounts unprotected, exposing personal data.

Who was affected

Students and employees of Bergen Municipality's primary schools whose accounts were left unsecured.

What the authority found

The authority determined that Bergen Municipality failed to implement adequate security measures, violating GDPR's data protection principles.

Why this matters

This case highlights the severe consequences of inadequate data security, particularly in educational settings. It emphasizes the importance of protecting sensitive information, especially when children are involved.

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(f) GDPR

Source verified 6 March 2026
verified correct
Full Legal Summary

The incident relates to computer files containing usernames and passwords for over 35,000 user accounts in the municipality's computer system. The user accounts belonged both to pupils in the municipality's primary schools and to employees of the same schools. Due to insufficient security measures, these files were unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the schools' various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompassed the personal data of over 35,000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and by an internal whistleblower, that the data security was inadequate.

Details

Fine Date

1 March 2019

Authority

Datatilsynet (Norway)

Fine Amount

€170,000

Enforcement Tracker ID

ETid-42

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Bergen Municipality - Norway (2019). Retrieved from cookiefines.eu
