Recent fines imposed by the Norwegian Data Protection Authority ("NDPA")

by Jeppe Songe-Møller & Sondre Arora Aaserud


Since the GDPR took effect in May 2018, we have seen over 800 fines issued across the EEA and the U.K. Enforcement started somewhat slowly, but between July 2020 and July 2021 there was a significant increase in the size and number of fines. Amazon's record fine of EUR 746 million, issued by the Luxembourg data regulator, was revealed in the company's financial records made public on 30 July 2021. We take a look at recent GDPR fines issued by the Norwegian Data Protection Authority (NDPA).

Toll ring company fined NOK 5 million for GDPR non-compliance

The NDPA became aware that the toll ring company Ferde AS was transferring data about passages in toll rings to a data processor in China. On this basis, the NDPA carried out an inspection focusing on whether Ferde AS had adequate routines and measures in place to ensure information security for the data transferred to China.

During its inspection, the NDPA found that Ferde AS lacked a data processing agreement, a risk assessment and a legal basis for processing and transferring personal data about motorists to China. After considering these findings, the NDPA concluded that Ferde AS did not comply with several basic requirements in the GDPR for a period of 1-2 years.

The NDPA first stated that license plates are personal data, that processing of images of the license plates is considered processing of personal data and that Ferde AS is the data controller. Further, the NDPA underlined that it is required to have a processing agreement before the personal data can be processed. Here, the NDPA found that Ferde AS did not meet the requirements of having a data processor agreement during the period in question. This was considered to be a violation of the GDPR Article 28 (3).

Furthermore, the NDPA stated that Ferde AS should have conducted risk assessments before starting to process the personal data. This would have ensured that the data was processed with sufficient processing security cf. the GDPR Article 32. The NDPA stressed that a risk assessment is especially important when personal data is transferred to countries outside the EU/EEA. Without such risk assessment, the company cannot assess whether the risk is low or high and thus whether further safety measures should be implemented. The NDPA concluded that Ferde AS lacked a written risk assessment for the period in question, and that this constituted a breach of the GDPR Article 32 (2), cf. Article 5 (1) (f) and Article 5 (2).

Finally, the NDPA found that it was clear that Ferde AS did not have any legal basis for transferring the personal data to China during the period in question. This constituted a violation of the GDPR Article 44.

Thus, the NDPA decided to impose a fine of NOK 5 million for breach of the requirements for a data processor agreement, risk assessment and basis for processing and transferring personal data cf. the GDPR Article 28 (3), Article 32 (2), cf. Article 5 (1) (f) and Article 5 (2), and Article 44. The fine was imposed in accordance with a notice given to Ferde AS earlier the same year.

Municipality fined NOK 400 000 for insufficient processing security

Høylandet municipality stored image files with health information about people without connection to the municipality, and these files were accessible to employees at the health station.

The NDPA emphasized that the municipality did not take any measures after the failure was discovered. An encouragement not to open the relevant image files was not considered to be a sufficient processing security measure or a satisfactory follow-up of the default. Hence, the NDPA concluded that Høylandet municipality violated the requirements for processing security in the GDPR Article 32, cf. Article 24.

The NDPA therefore decided to impose a fine of NOK 400 000 for fundamental weaknesses in the internal access control and for violating the processing security requirements in the GDPR Article 32.

Hospital fined NOK 750 000 for lack of access control

The case started with three non-compliance reports from St. Olavs Hospital in March 2020. The defaults concerned lack of access control in the folder areas outside the patients' medical records. Thus, the folders had in principle been available to all authorized users in the systems of the regional health authority (No: Helse Midt-Norge RHF).

The NDPA stated that St. Olavs Hospital did not prevent unlawful access to a substantial volume of health data about patients. Even though the data was stored in an area that required some knowledge in order to locate the data, the risk of not complying with the requirements for confidentiality and integrity was present. The NDPA thus concluded that St. Olavs Hospital had violated the GDPR Article 32, cf. Articles 24 and 5 No. 1 letter f, and the Norwegian Patients' Medical Records Act § 22.

Furthermore, St. Olavs Hospital had not logged the activity in the folder areas at the time of two of the defaults. The NDPA stressed that this increased the risk of losing track of where the patient data was located. Therefore, the hospital was considered to be violating the GDPR Article 32, cf. Articles 24 and 5 no. 2, and the Norwegian Patients' Records Act § 23.

In the aftermath of the defaults, St. Olavs Hospital has done further work to introduce measures to improve processing security. The NDPA nevertheless came to the conclusion that the hospital should be fined NOK 750 000 for non-compliance with fundamental requirements for access control.

SMB fined NOK 125 000 for unlawful credit rating

The case started with a complaint from a person who had been credit rated without any kind of customer relationship or other affiliation with the company Ultra-Technology AS. The small-sized company uses "computer numerical control" to make complex parts in metal for industrial customers. A credit rating is the result of compiling personal data from many different sources and indicates the probability that a person will be able to pay. A credit rating will also show details about individuals' personal finances such as any payment remarks, voluntary mortgages and debt ratio.

Firstly, the NDPA stated that the relevant legal basis for Ultra-Technology AS' credit rating was the GDPR Article 6 (1) (f), and that the company needed to have a "legitimate interest" in processing this data. Here, the NDPA referred to the GDPR Recital 47, under which the data subject's expectations based on the relationship with the data controller, among other things, shall be taken into account. Further, the legitimate interest must be substantiated on the basis of the company's objective needs and interests. The NDPA stated that the manager of Ultra-Technology AS used the company's credit rating tool for private purposes and not for company purposes. Based on this, the NDPA concluded that the data subject had no expectation that Ultra-Technology AS would process data from a credit rating. Hence, Ultra-Technology AS did not have a "legitimate interest" and had violated the GDPR Article 6 No. 1 letter f. The NDPA also stated that credit data has a particular need for protection and decided to impose a fine of NOK 125 000 for credit rating a person without a legal basis.