Directorate of Norwegian Correctional Service – Violation Found (Norway, 2021)

Violation Found
Datatilsynet (Norway), 26 August 2021, Norway
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

On its own initiative, the Norwegian DPA requested information from the Directorate of Norwegian Correctional Service (DCS) about its processing of personal data: an overview of such processing (equivalent to Article 30 GDPR) for purposes related to the Execution of Sentences Act, details about the controller and the various processing activities in the correctional services, and a description of the internal roles and responsibilities. The DCS responded that it lacked an overview of its personal data processing activities, despite having procured a dedicated system for this purpose. It had started the work but could document only ten processing activities, which in its own view is insufficient under the GDPR. The DCS further stated that it processes several categories of personal data related to sentencing, many of which are, to a great extent, sensitive. Consequently, it is important that the directorate has a good overview and control of its personal data processing.

The DPA held that the Directorate of Correctional Service (DCS) must 1) establish records of processing activities in line with the Norwegian Personal Data Act of 2000 § 14 and the associated Regulation on personal data processing § 2-4, 2) describe how the responsibility for personal data processing is structured and distributed in the directorate, both organisationally and practically, cf. the Regulation on personal data processing § 2-7, and 3) send the DPA its internal controls documentation, cf. the Personal Data Act of 2000 § 14. Relevant documentation must be enclosed.

GDPR Articles Cited

National Law Articles

Norwegian Personal Data Act of 2000 §14
Norwegian Regulation on personal data processing §2-4
Norwegian Regulation on personal data processing §2-7
Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Details

Decision Date: 26 August 2021
Authority: Datatilsynet (Norway)
GDPRhub ID: gdprhub-5051

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Directorate of Norwegian Correctional Service - Norway (2021). Retrieved from cookiefines.eu
