Norwegian DPA issues fine to Municipality of Indre Østfold

Feb 11, 2021

Source: European Data Protection Board

The Norwegian Data Protection Authority has fined the Municipality of Indre Østfold EUR 20 000 (NOK 200,000) for a confidentiality violation. Personal data that should have been restricted was available to unauthorized persons.

The Municipality of Indre Østfold, formerly the Municipality of Askim, published the records file of a former pupil on its municipal website. This file included confidential personal data.

Tipped off by a local newspaper

The background for this incident was that the pupil needed his record file in connection with his further studies, and asked the municipality to send it to them. The municipality routinely enters such Access to Information requests in the public record. This process also entails the document to which access has been requested, being scanned and made available for public access.

The pupil’s file was available on the municipality’s website from Friday 27 September to Monday 30 September. The municipality was made aware of the incident by a journalist from the local newspaper Smaalenenes Avis. The documents were removed from the public record and exempted from public access as soon as they were discovered. The affected person was then notified.

Fine not adjusted

The municipality responded to the Data Protection Authority’s notice of fine. In its response, the municipality apologized for “sensitive personal data” having been included in the public record. At the same time, the municipality urged the Data Protection Authority to reconsider the size of the fine, considering the measures implemented after the fact.

A fine should reflect the severity of the violation. Norwegian law requires the municipality to implement any measures necessary to prevent future violations. The Data Protection Authority has found that, given the severity of the violation, the measures later implemented to remedy the incident do not significantly affect the amount of the fine imposed.

The Norwegian Data Protection Authority have therefore decided not to reduce the fine.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

← Norwegian DPA issues fine to Lindstrand Trading AS Spanish Data Protection Authority (AEPD) imposes fine of 6.000.000 EUR on CAIXABANK, S.A., →

Recent news

CSC elects 2nd Deputy Coordinator

Apr 10, 2024

The Coordinated Supervision Committee (CSC) has elected Matej Sironic from the Slovenian Data Protection Authority (DPA) as its Deputy Coordinator for a term of two years. Sironic will be the second Deputy Coordinator, and will work along with Sebastian Hümmeler from...

Online conference”Call for GDPR update”

Mar 12, 2024

EFDPO, together with the Czech Association for Personal Data Protection and IAPP, co-organised the online conference “Call for GDPR update?”, which took place on 11.3.2024.

CEF 2024: Launch of coordinated enforcement on the right of access

Feb 28, 2024

Brussels, 28 February - The European Data Protection Board has kicked off its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 Data Protection Authorities (DPAs), including 7 German State-level DPAs, across the EEA will take part in...