Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Norway: Datatilsynet sends notification on NOK 2.5M fine to NIF for inadequate security procedures
The Norwegian data protection authority ('Datatilsynet') announced, on 7 December 2020, that it has sent to the Norwegian Sports Confederation ('NIF') a notice of an infringement fine amounting to NOK 2.5 million (approx. €236,000) following the disclosure of the personal data of 3.2 million Norwegians after an error that took place when testing a cloud solution. In particular, Datatilsynet highlighted that NIF had failed to implement sufficient technical and organisational measures, as well as security testing procedures. In addition, Datatilsynet noted that NIF had not implemented a risk assessment and that the processing of data was disproportionate in light of the purposes behind the processing. Moreover, Datatilsynet outlined that NIF had violated the principles of legality, data minimisation, and confidentiality enshrined in Article 5 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Lastly, Datatilsynet stated that this is a notice of an infringement fine and that NIF has until 4 January 2021 to submit feedback before a final decision is taken.
You can read the announcement here and the notice here, both only available in Norwegian.