Norway: Datatilsynet fines NIF NOK 1.2M for disclosing personal data of 3.2M individuals
The Norwegian data protection authority ('Datatilsynet') announced, on 11 May 2021, that it had fined the Norwegian Olympic and Paralympic Committee and Confederation of Sports ('NIF') NOK 1.2 million (approx. €124,430) for disclosing the personal information of 3.2 million individuals online for 87 days following an error which occurred when testing a cloud solution. In particular, the Datatilsynet outlined that the exposed personal information included names, dates of birth, addresses, telephone numbers, and email addresses. Furthermore, the Datatilsynet highlighted that, of the 3.2 million individuals affected, 486,447 were children aged between 3 and 17 years old. However, the Datatilsynet noted that it does not have information to suggest that unauthorised individuals have exploited the information.
The Datatilsynet found that the NIF had initiated testing before conducting a sufficient risk assessment and without implementing specific routines or measures to secure the information. Additionally, the Datatilsynet outlined that testing could have been carried out by processing synthetic data, or by using fewer personal data, and therefore held that there was no legal basis for the testing and that the principles of legality, data minimisation and confidentiality had also been breached.
Notably, the Datatilsynet clarified that it reduced the original penalty of NOK 2.5 million (approx. €249,300) following a reassessment of the NIF and its finances.