Norway: Datatilsynet issues NOK 800,000 fine to municipality of Rælingen for GDPR violations
The Norwegian data protection authority ('Datatilsynet') issued, on 10 March 2020, a press release concerning its decision of 26 February 2020 ('the Decision') to impose a fine of NOK 800,000 (approx. €73,600) to the municipality of Rælingen after health information about children with physical and mental disabilities had been processed in the Showbie digital learning platform. In particular, Datatilsynet outlined that the violation relates to 15 students with physical and mental disabilities where the Showbie application had been used to communicate health-related personal information between schools and their homes. In addition, Datatilsynet noted that no necessary risk assessments, data privacy impact assessments, or testing had been carried out prior to the application being used, and that insufficient security during logging into the application had made it possible to access the information of other students in the group.