-
The Data Protection Authority has made a decision to impose an infringement penalty of NOK 150,000 on the University of Agder (UiA) for violation of the General Data Protection Regulation. The University had not taken appropriate measures to safeguard personal data security in its use of Microsoft Teams.
-
In 2023, the Data Protection Authority received complaints from several private individuals who had received emails containing political advertising from the majority parties in Stavanger (Labour, Green, Red, Centre, Socialist Left and Progress). We have now made a final decision to reprimand the Stavanger Labour Party – on behalf of the majority parties.
-
The Data Protection Authority decided before the summer to impose an infringement penalty of NOK 250,000 to Eidskog Municipality for breach of the requirements for a legal basis in the General Data Protection Regulation.
-
In march, The Data Protection Authority decided to impose an infringement penalty of NOK 20 million and issue several orders to the Norwegian Labour and Welfare Administration (NAV). The decision came after an inspection where we checked NAV’s safeguarding of confidentiality through access management and log control. We found several serious non-conformities.
-
On 30–31 May 2024, the The Nordic Data Protection Authorities (DPAs) met in Oslo for their annual Nordic Meeting. The purpose of the meeting is to discuss current data protection issues and exchange best practices. During the meeting the DPAs signed a common declaration addressing current data protection issues.
-
Several large online services have begun to demand payment if you do not consent to your data being used for behavioural advertising. The data protection authorities of Norway, the Netherlands and Hamburg have asked the European Data Protection Board (EDPB) to issue an opinion on the matter.
-
Large language models have taken society by storm in the past year. It is also reflected when the Norwegian Data Protection Authority has now selected four new projects for exploration in the regulatory sandbox.
-
Earlier, the Norwegian Data Protection Authority gave notice that it intends to impose a fine of NOK 10 million on the fitness chain SATS for multiple violations of the General Data Protection Regulations (GDPR). We have reviewed SATS’s comments and issued a decision in which we uphold the notified fine.
-
When the application deadline for the fifth round in the Norwegian Data Protection Authority's regulatory sandbox ticked away on November 1st, 20 applications had been received from various innovation projects wishing to explore privacy challenges.
-
The report is now available, after the regulatory sandbox's efforts to ignite innovation of privacy enhancing artificial intelligence has been evaluated. The Norwegian Data Protection Authority's director sees the report as confirmation that the work being done in the sandbox is good, and that the direction is correct and important.
-
The European Data Protection Board (EDPB) has decided that the Norwegian ban on behavioural advertising based on contract and legitimate interest on Facebook and Instagram will become permanent and be extended to apply to the entire EU/EEA.
-
The Privacy Appeals Board has now made a decision in the Grind case. The Board upholds the Norwegian Data Protection Authority’s decision on an administrative fine of NOK 65 million.
-
The Norwegian Data Protection Authority (DPA) has requested a binding decision from the European Data Protection Board (EDPB) in the Meta case. In the request, we ask that the Norwegian temporary ban on behavioural advertising on Facebook and Instagram be made permanent and extended to the entire EU/EEA.
-
Today, Wednesday 6 September, Oslo District Court ruled in the case between Meta and the Data Protection Authority. The court decided in favour of Data Protection Authority.
-
The Norwegian Data Protection Authority imposes a ban on Meta carrying out behavioural advertising based on the surveillance and profiling of users in Norway. The ban will initially apply until October
-
The Norwegian Data Protection Authority has carried out an on-site inspection of the Norwegian Correctional Service. The focus of the inspection was the processing of personal data in connection with the execution of penal sentences.
-
The Norwegian Data Protection Authority has reached a final decision in a case where the Norwegian University of Science and Technology (NTNU) was accused of unlawfully accessing an employee's email account. In its decision, the Norwegian Data Protection Authority found that NTNU has violated the Email Regulations by accessing the complainant’s email account.
-
The Norwegian Data Protection Authority has notified Recover AS of its decision to fine the company NOK 200,000 (EUR 20,000) for non-compliance. The matter concerns a credit rating performed without legal basis.
-
The Norwegian Data Protection Authority has fined Krokatjønnvegen AS NOK 300,000 (EUR 30,000) for performing two credit ratings without legal basis. The company has also been instructed to establish written procedures for credit ratings.
-
The Norwegian Data Protection Authority has fined Etterforsker1 Gruppen AS NOK 50,000 (EUR 5,000) for performing an unwarranted credit rating on a private individual.
-
Shareholders must be informed when personal data is collected from an equity manager.
-
The Norwegian Data Protection Authority has fined Lillestrøm Municipal Council NOK 300,000 (EUR 30,000) for violation of the General Data Protection Regulation’s confidentiality requirements.
-
The Norwegian Data Protection Authority has decided to fine a business NOK 100,000 (EUR 10,000) for violating the Working Environment Act's provisions concerning e-mail access and the requirements of the General Data Protection Regulation concerning legal basis and disclosure. The business is also ordered to update its procedures.
-
The Norwegian Data Protection Authority has fined the Norwegian Labour Inspection Authority NOK 150,000 (EUR 15,000) for performing an unwarranted credit rating on a private individual. The Labour Inspection Authority is also reprimanded for lack of disclosure.
-
The Norwegian Data Protection Authority has decided to ban the processing of personal data in the browser extension Shinigami Eyes. The basis for this decision is failure to meet the requirement for a legal basis and a lack of information to users.
-
The Norwegian Data Protection Authority has decided to issue Trumf with a fine in the amount of NOK 5 million (EUR 500,000). The basis for this fine is that Trumf members were able to register someone else’s account number on their member profile, thereby accessing the purchasing history of a third party.
-
The Norwegian Data Protection Authority has decided to issue the Norwegian Labour and Welfare Administration (NAV) with a fine in the amount of NOK 5 million (EUR 500,00) for making CVs available on the service arbeidsplassen.no without a legal basis for doing so.
-
In the state budget for 2023 the DPA's regulatory sandbox, which for two years has been financed as a temporary project, is suggested to become a permanent part of the DPA. We've therefore opened our mailbox for applications from those wishing to participate in the fourth round of the sandbox.
-
Thursday November 3rd at 09 it is ready for the Sandbox seminar 2022. The seminar is open to everyone looking for real knowledge about artificial intelligence and privacy.
It will be a digital event with two panels: one on federated learning, and one on artificial intelligence in the health sector.
-
The Norwegian parliament – the Storting – had a data breach in late 2020. In January, the Data Protection Authority gave notice of a NOK 2 million fine for inadequate security. We have now considered the Storting’s comments and decided to maintain the fine.
-
The Norwegian Data Protection Authority has fined the municipality of Østre Toten NOK 4 million. The municipality has also been ordered to implement a suitable control system for information security and personal data protection.
-
The Norwegian Data Protection Authority has decided to fine the Norwegian Public Service Pension Fund (SPK) NOK 1 million. The background for the decision is that SPK has collected unnecessary income data on approximately 24,000 individuals.
-
The Norwegian Data Protection Authority has decided to fine T. Stene Transport AS NOK 40,000 (EUR 4,000) after unlawfully performing a credit rating of a sole proprietorship. The company is also ordered to establish procedures for when it is appropriate to perform a credit rating.
-
The Norwegian Data Protection Authority has fined Elektro & Automasjon Systemer AS NOK 200,000 for performing a credit rating on a private individual without any legal basis.
-
In December 2021, the Norwegian Data Protection Authority imposed an administrative fine of NOK 65 000 000 – approximately € 6.5 million – against Grindr LLC for not complying with the GDPR rules on consent. Grindr has now lodged an appeal against this decision.
-
The Norwegian Data Protection Authority has issued an advance notification of a ban on processing personal data by the browser extension «Shinigami Eyes», as the processing does not have a legal basis and insufficient information is provided to the data subjects.
-
The Norwegian Data Protection Authority has fined Ultra-Technology AS NOK 125,000 (EUR 12,500) for performing a credit rating on a private individual without any legal basis.
-
The Norwegian Data Protection Authority has decided to fine St. Olavs Hospital NOK 750,000 (EUR 75,000) due to a lack of access management concerning folder areas outside patient records.
-
The Norwegian Data Protection Authority has decided to fine Høylandet municipality NOK 400,000 (EUR 40,000). Image files containing health data about people with no connection to the municipality were accessible to staff at the health clinic.
-
The Norwegian Data Protection Authority has fined the Norwegian toll company Ferde NOK 5 million. Among other things, the company allegedly unlawfully transferred personal data about Norwegian motorists to China.
-
What are the privacy risks associated with communicating through a Page on Facebook? And what kind of responsibility for the processing of personal data may we have as the owner of a Page? We have carried out a risk assessment and a DPIA of Facebook, based on the obligations that follow from data protection regulations.
-
The Norwegian Data Protection Authority has issued a fine in the amount of NOK 50,000.
-
The Norwegian Data Protection Authority has reprimanded an enterprise for breach of the General Data Protection Regulation’s (GDPR) requirements concerning information about and access to one’s own personal data.
-
The Norwegian Data Protection Authority has fined Waxing Palace AS NOK 100,000. The enterprise operates a waxing salon, and their CCTV monitoring of the reception area has been found to be in breach of the General Data Protection Regulation (GDPR).
-
Are you struggling with privacy regulations related to artificial intelligence? In a way, the DPA does the same. Because in such a recent field, there is little case law to refer to. The technology is at the forefront of law. But the Data Protection Authority's sandbox for responsible artificial intelligence can provide mutual help.
-
The Norwegian Data Protection Authority has imposed a NOK 500,000 fine on Moss Municipal Council for failing to adequately protect personal data. The error has been corrected and the case closed.
-
The Norwegian Data Protection Authority’s inspection of Oslo University Hospital (OUH) reveals that the hospital cannot document satisfactory control of patient data when the hospital needs laboratory services from other countries.
-
The Norwegian Data Protection Authority has fined Innovation Norway EUR 100,000 (NOK 1,000,000). The matter concerns a credit rating without a legal basis for processing.
-
The Norwegian Data Protection Authority has ordered the company Smartere Utdanning AS to improve its solution for obtaining consent in order to comply with the requirements of the General Data Protection Regulation (GDPR).
-
The Norwegian Data Protection Authority has fined BRAbank EUR 40,000 (NOK 400,000) for violation of the General Data Protection Regulation (GDPR). This case concerns insufficient risk assessment and testing in connection with the launch of a customer portal for banking services.
-
The background for this case is a complaint from a former employee who discovered that their former employer had accessed their e-mail account.
-
Datatilsynet has received multiple complaints against the browser extension «Shinigami Eyes», available for Chrome and Firefox. We have sent an order to provide information to the developer.
-
The Norwegian Data Protection Authority has fined the Municipality of Oslo EUR 40,000 (NOK 400,000) for making documents containing sensitive personal data public.
-
The Norwegian Data Protection Authority has fined the Norwegian Confederation of Sport (NIF) EUR 125,000 (NOK 1,250,000) for a GDPR violation. The backdrop for this case is that personal data about 3.2 million Norwegians was available online for 87 days as a result of an error in connection with testing of a cloud computing solution.
-
The Norwegian Data Protection Authority has fined Basaren Drift AS EUR 20,000 (NOK 200,000) for a GDPR violation. The case relates to CCTV surveillance of restaurant premises.
-
The Norwegian Data Protection Authority has fined Asker municipality EUR 100,000 (NOK 1,000,000). The Municipality was fined for publishing confidential personal data and National Identity Numbers (NID) on its website.
-
The Norwegian Data Protection Authority has fined the company Miljø- og Kvalitetsledelse AS EUR 3,500 (NOK 35,000) for illegal distribution of personal data from camera recordings.
-
The Norwegian Data Protection Agency has fined the power company Dragefossen AS EUR 15,000 (NOK 150,000). The fine was imposed after the company put the city centre of Rognan under CCTV surveillance and live-streamed the images without legal basis.
-
The Norwegian Data Protection Authority has fined Ålesund municipality EUR 5,000 (NOK 50,000) for its use of the fitness app Strava.
-
A business has been fined EUR 25,000 (NOK 250,000) for illegal forwarding of an employee's e-mails. The name of the business has been withheld from public disclosure to protect the identities of its employees.
-
The Norwegian Data Protection Authority has fined an organization EUR 40 000 (NOK 400,000) for unlawfully setting up automatic forwarding of an employee’s e-mails.
-
The Norwegian Data Protection Authority has fined Cyberbook AS EUR 20 000 (NOK 200,000) for unlawfully setting up the automatic forwarding of a former employee’s e-mails.
-
The Norwegian Data Protection Authority has fined Aquateknikk AS EUR 10,000 (NOK 100,000) for having performed a credit rating on a private individual without legal basis.
-
The Norwegian Data Protection Authority has issued a fine in the amount of EUR 40 000 (NOK 400,000) to Coop Finnmark AS. The case concerns unlawful distribution of a camera recording from a shop.
-
The Norwegian Data Protection Authority has fined Gveik AS EUR 7 500 (NOK 75,000) for having conducted a credit rating without a legal basis.
-
The Norwegian Data Protection Authority has notified Disqus Inc. (Disqus) that we intend to issue an administrative fine of NOK 25 000 000 for not complying with the GDPR rules on accountability, lawfulness, and transparency.
-
The Data Protection Authority have chosen the first four projects that will participate in the regulatory sandbox for responsible artificial intelligence. In the sandbox, they will explore a regulatory challenging terrain.
-
The Norwegian Data Protection Authority have issued a reprimand to Telenor Norge AS for inadequate protection of personal data in its voicemail function, and for failing to submit a data breach notification to the Norwegian Data Protection Authority.
-
The Norwegian Data Protection Authority has fined the Municipality of Indre Østfold EUR 20 000 (NOK 200,000) for a confidentiality violation. Personal data that should have been restricted was available to unauthorized persons.
-
The Norwegian Data Protection Authority has notified Grindr LLC (Grindr) that we intend to issue an administrative fine of NOK 100 000 000 for not complying with the GDPR rules on consent.
-
- It is exciting to see all the AI innovation going on in Norway, and that there is a strong desire to protect privacy, says Kari Laumann. She is the project manager for the Data Protection Authority's recent offer, a regulatory sandbox for responsible artificial intelligence.
-
The Norwegian Data Protection Authority has given the Norwegian Customs a final decision on an administrative fine of NOK 400,000. The fine has been adjusted downwards in relation to the notice given in 2019. The case concerns the collection and use of information from cameras without legal basis.
-
The Norwegian Data Protection Authority has decided on an administrative fee of NOK 750,000 to Østfold HF Hospital. The background is that in the period 2013-2019, the hospital stored report extracts from patient records outside the safe zone. The case started with a notice of personal data breach from the hospital.
-
Earlier this autumn, the Norwegian Data Protection Authority decided on an administrative fee for Bergen municipality because personal information in the communication system between school and home was not adequately secured. We have now given guidance to Vigilo that they too must take responsibility for the communication failure between the company and the municipality.
-
The Norwegian Data Protection Authority has issued Odin Flissenter AS (Tile distributor) an administrative fine of EUR 13 905 (NOK 150 000) for performing a credit check of a sole proprietorship without having a lawful basis for the processing.
-
The Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.
-
The Norwegian Data Protection Authority has issued the Norwegian Public Roads Administration a fine of 37,400 EUR (400 000 NOK) for processing personal data for purposes that were incompatible with the originally stated purposes, and for not erasing video recordings after 7 days.
-
The Norwegian Data Protection Authority has reached a decision to temporarily ban the processing of personal data using the Smittestopp contact tracing mobile application. As previously notified, we mean that Smittestopp cannot be considered a proportionate intervention in the user’s fundamental right to data protection.
-
The Norwegian Data Protection Authority has imposed an administrative fine of 500 000 NOK (EUR 47,500) to Rælingen Municipality. The fine is imposed after data concerning health of children in with special needs was processed using the digital learning platform Showbie.
-
The Norwegian Data Protection Authority has notified the Norwegian Institute of Public Health (NIPH) of our intention to impose a temporary ban on the processing of personal data in connection with the Smittestopp contact tracing mobile application. NIPH has nowtemporarily suspended all use of the app.