Norway: Datatilsynet fines Rælingen municipality NOK 500,000 for inadequate security measures and failure to conduct DPIA
The Norwegian data protection authority ('Datatilsynet') announced, on 10 July 2020, that it had adopted a final decision ('the Decision') to fine the Municipality of Rælingen NOK 500,000 (approx €46,660) for the processing of children's health data relating to disability by the digital learning platform Showbie, further to a notice of a fine for the same. In particular, Datatilsynet highlighted that the Municipality had failed to undertake a Data Protection Impact Assessment ('DPIA') under Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') before commencing the processing and had not implemented adequate technical and organisational measures under Article 32 of the GDPR, which had created an increased risk of unauthorised access to pupils' personal data. In addition, Datatilsynet noted that regardless of whether children and/or pupils were subject to material or non-material damage, the security breach indicated the existence of increased risk. Moreover, Datatilsynet stated such use of an app with insufficient security measures constitutes a violation of the principle of accountability under Article 5(2) of the GDPR.