Norway: Datatilsynet notifies an infringement fee of NOK 20M to NAV

On November 28, 2023, the Norwegian data protection authority (Datatilsynet) published a notice of its decision to impose an infringement fee of NOK 20 million (approx. $1.8 million) and several orders on Arbeids- og velferdsetaten (NAV), for violations of the General Data Protection Regulation (GDPR) and the Personal Data Protection Ordinance (the Ordinance), following the conclusion of an inspection.

Background to the decision

In particular, the Datatilsynet reported that on September 6, 2023, it carried out an inspection at NAV and subsequently issued a preliminary inspection report to NAV on November 1, 2023. After receiving comments from NAV on November 22, 2023, the Datatilsynet finalized its inspection report.

Findings of the Datatilsynet

Following its inspection, the Datatilsynet identified several breaches of the GDPR and the Ordinance:

  • Article 5(2), 24(1), and 24(2) of the GDPR: NAV lacked a sufficient management system to ensure compliance with the GDPR;
  • Article 32(1), 32(2), 5(2), 24(1), and 24(2) of the GDPR: NAV's access management governing documentation lacked suitable measures for data processing compliance;
  • Article 32(1)(d) of the GDPR: lack of regular audits for NAV's access management governing documentation;
  • Article 32(2) of the Ordinance: unsatisfactory organizational measures for conducting risk assessments in professional systems;
  • Article 5(1)(f) and 32(1) of the GDPR: availability of metadata is too broad and not aligned with confidentiality principles, general and broad disclosure of personal data for archival purposes, and NAV's organization-wide access contradicted confidentiality principles;
  • Article 32(1) and 32(4) of the GDPR: inadequate organizational measures for training identity administrators, and outdated access granting routines without guidance on discretionary assessments;
  • Article 32(1) and 32(2) of the GDPR: lack of technical and organizational measures for individualized shielding;
  • Article 32(1)(d) of the GDPR: unsatisfactory routines for checking unit managers' annual access audits; and
  • Article 32(1), 32(2), 5(2), 24(1), and 24(2) of the GDPR: absence of a systematic log check and deficiencies in controlling employees' access.

Outcomes

In light of the above, the Datatilsynet imposed an infringement fee of NOK 20 million (approx. $1.8 million). It also ordered NAV to rectify breaches of the GDPR by establishing an effective organizational system and implementing measures for access management.

Furthermore, the Datatilsynet allowed NAV three weeks to respond to its notification before a final decision is made.

You can read the press release here and the decision here, only available in Norwegian.