August 2023

1. Governing Texts

Norwegian data protection is governed by the Law on the Processing of Personal Data (Personal Data Act) of June 15, 2018 (only available in Norwegian here) ('the Act'), which implements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Act and Regulation 0563/2018 on the Processing of Personal Data (only available in Norwegian here) contain certain specific national variations and additions to the GDPR. The Norwegian data protection authority ('Datatilsynet') enforces data protection law.

As Norway is an EEA country, judgments from the Court of Justice of the European Union ('CJEU') are not directly applicable in Norway. However, Datatilsynet refers to practices from the CJEU, the European Data Protection Board ('EDPB'), and other national supervisory authorities in its decisions. In 2021 and 2022, Datatilsynet continued its significant supervisory activity and issued important decisions.

1.1. Key acts, regulations, directives, bills

The GDPR was adopted in the EEA by the EEA Joint Committee through Decision 154/2018 of the EEA Joint Committee of 6 July 2018. As noted above, the Act implements the GDPR by reference to its incorporation into the Agreement on the European Economic Area ('the EEA Agreement'), together with a limited number of provisions complementing the GDPR. The Act, along with the GDPR, entered into force on July 20, 2018.

In addition, the Transitional Rules on the Processing of Personal Data of  June 15, 2018 (only available in Norwegian here) ('the Transitional Rules') were enforced on July 20, 2018. Furthermore, the Regulations to the Personal Data Act (the Personal Data Regulations) of June 10, 2001 (only available in Norwegian here) ('the Personal Data Regulations') were enforced on January 1, 2001.

1.2. Guidelines

The Datatilsynet has published guidelines on the following issues (only available in Norwegian):

• Data protection and digital attacks;
• Credit checks;
• Data breaches;
• Email access;
• Children and school;
• information and transparency;
• legal basis for processing;
• processor and controller;
• data processing agreements;
• codes of conduct;
• Data Protection Impact Assessments ('DPIAs');
• software development with Privacy by Design and by Default;
• fundamental privacy principles;
• the right to data portability;
• artificial intelligence and privacy;
• privacy at work;
• camera surveillance;
• drones;
• tracking in public spaces;
• sound recording;
• internal audit and information security;
• FinTech and privacy;
• digital services and consumers' privacy;
• transfer to third countries;
• COVID-19;
• DPO portal (only available in Norwegian here);
• frequently asked questions ('FAQs') (only available in Norwegian here);
• Does your business have an obligation to have a Data Protection Officer? (only available in Norwegian here) ('the DPO Appointment Tool');
• Who must appoint a Data Protection Officer? (only available in Norwegian here) ('the DPO Appointment Guide');
• Data Protection Officer's tasks (only available in Norwegian here) ('the DPO Tasks Guide');
• How to secure Data Protection Officer's independence? (only available in Norwegian here) ('the DPO's Independence Guide');
• How to facilitate the work of a Data Protection Officer? (only available in Norwegian here) ('the DPO Work Guide');
• What qualifications does a Data Protection Officer need? (only available in Norwegian here) ('the DPO Qualifications Guide');
• guidance on notification and license (only available in Norwegian here) ('the Notification Guidance');
• checklist of four phases of DPIA (only available in Norwegian here) ('the DPIA Checklist'); and
• prior consultation guidelines (only available in Norwegian here) ('the Prior Consultation Guidelines').

Furthermore, the European Data Protection Board ('EDPB') published Opinion 2/2019 on the draft list of the competent supervisory authority of Norway regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR).

1.3. Case law

The first decision from the Supreme Court of Norway ('the Supreme Court') on the GDPR has just been reached. Ruling HR-2021-2403-A of April 7, 2021 (only available in Norwegian here) sets out that the website Legelisten.no (a website for publishing information about doctors and other healthcare personnel) has legal basis in Article 6(1)(f) of the GDPR for its processing of personal data. It was emphasized that Legelisten.no is an important source for the public to obtain information regarding health service providers, and this was not overridden by the interests or rights and freedoms of the healthcare professionals. The Supreme Court took into consideration the fact that healthcare professionals may demand statements deleted if compelling reasons require.

In addition, enforcement of the previous law may still be instructive.

Ruling HR-2019-1226-A of June 26, 2019 sets out that the retention of the DNA profile of a man who had been sentenced to imprisonment for tax fraud in the DNA identity register was valid and not a breach of the European Convention on Human Rights. It was also mentioned that the Norwegian rules allow deletion after an individual assessment and that detailed provisions on, among other things, access, blocking, transparency, and storage give the necessary privacy guarantees.

Ruling HR-2017-833-A of April 26, 2017 (only available in Norwegian here) set out that the copyright owner of movies was not entitled to obtain the identity behind IP addresses used to download such movies using Bit Torrent networks. The Supreme Court found that the data subjects' privacy interests outweighed the interest of the copyright owner.

Ruling HR-2013-00234-A of January 31, 2013 (only available in Norwegian here) established that an employer's use of GPS data as evidence in a dismissal case, was incompatible with the purpose for which the data was originally collected and thus in breach of personal data regulations.

2. Scope of Application

2.1. Personal scope

There are no national law variations from the GDPR.

2.2. Territorial scope

Both the GDPR and the Act apply to the processing of personal data in connection with activities of businesses to a controller or processor in Norway, regardless of whether the processing takes place within the EU/EEA. Additionally, the regulations apply to the processing of personal data of data subjects in Norway, where such processing activities are related to:

• the offering of goods or services to a data subject in Norway, irrespective of whether payment from the data subject is required; or
• the monitoring of their behavior, as far as such behavior takes place within Norway.

Both the GDPR and the Act also apply to the processing of personal data by a controller not established in Norway, but in a place where Norwegian law applies by virtue of public international law. As such, both the GDPR and the Act apply in Svalbard and Jan Mayen. However, for Svalbard, Article 56, and Chapter VII of the GDPR do not apply.

2.3. Material scope

In addition to the scope of application set out in the GDPR, both the GDPR and the Act do not apply:

• when it is otherwise set out in law;
• for the processing of personal data by a natural person in the course of a purely personal or household activity;
• for cases that are brought before certain dispute resolution bodies as set out in Section 2(2)(b) of the Act; and
• for processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, as far as necessary for the exercise of the right to freedom of expression and information (however, some provisions still apply).

Notably, Article 56 and Chapter VII of the GDPR only apply within the scope of the EEA Agreement.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Datatilsynet is the independent supervisory authority, financed by the Government of Norway ('the Government') (Section 20 of the Act).

3.2. Main powers, duties and responsibilities

Datatilsynet acts as a supervisory body, ensuring compliance with privacy regulations through information, dialogue, complaints handling, and inspections. Datatilsynet also acts as the main authority on the interpretation of provisions of privacy regulations, takes part in the public debates, and provides guidance and advice to authorities, companies, organizations, and individuals on data protection.

4. Key Definitions

Data controller: There are no national law variations from the GDPR.

Data processor: There are no national law variations from the GDPR.

Personal data: There are no national law variations from the GDPR.

Sensitive data: There are no national law variations from the GDPR.

Health data: There are no national law variations from the GDPR.

Biometric data: There are no national law variations from the GDPR.

Pseudonymization: There are no national law variations from the GDPR.

5. Legal Bases

5.1. Consent

There are no national law variations from the GDPR, with the exception of children's consent and for certain other purposes as set out in the section below concerning children's data.

5.2. Contract with the data subject

There are no national law variations from the GDPR.

5.3. Legal obligations

There are no national law variations from the GDPR.

5.4. Interests of the data subject

There are no national law variations from the GDPR.

5.5. Public interest

Pursuant to Section 7 of the Act, the Datatilsynet may give permission, or the Government may adopt regulations, for the processing of the categories of personal data mentioned in Article 9(1) of the GDPR if it is necessary for the purpose of important public interests. No such regulations are currently adopted.

Pursuant to Section 8 of the Act, processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is recognized within the definition of public interest under Article 6(1)(e) of the GDPR.

5.6. Legitimate interests of the data controller

There are no national law variations from the GDPR.

5.7. Legal bases in other instances

statistical purposes

Pursuant to Sections 9 and 11 of the Act, special categories of personal data and criminal conviction data may be processed without consent for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, provided that the benefits for the society clearly exceed the detriment to the data subject. Such types of processing are also subject to exemptions from the right to information (see section on right to be informed below) exemptions from the right to restriction which apply equally to the right to rectification (see section on other rights. below).

As mentioned in the section on public interest. above, such types of processing are also recognized within the definition of public interest.

Use of national identity numbers and other unique means of identification

Pursuant to Section 12 of the Act, the processing of national identity numbers and other unique identifiers (e.g. fingerprints) may take place where there is an objective need for certain identification, and the method is necessary to achieve such identification. The Act also contains a provision permitting the Government to adopt a regulation on the use of national identity numbers and other unique means of identification.

Employer's access to employee e-mails and other electronically stored materials

Pursuant to Sections 9-5 of the Working Environment Act 2005 ('the Working Environment Act') and Regulation 1108/2018 on Employer's Access to Emails and Other Electronically Stored Material (only available in Norwegian here) ('the Email Monitoring Regulation'), a company's access to an employee's email account, etc. is only permitted if it is either necessary to safeguard the company's business or other legitimate interests, or in case of justified suspicions that the employee's use of the email account or other electronic equipment constitutes a material breach of the employee's obligations or may provide grounds for notice or dismissal. The Email Monitoring Regulation provides several requirements in relation to the above, including a duty to notify the employee and the employee's right to be present during a review, etc.

Video surveillance

Pursuant to Sections 9-5 of the Working Environment Act and Regulation 1107/2018 on camera surveillance in the workplace (only available in Norwegian here) ('the Camera Surveillance Regulation'), video surveillance of employees (including the use of fake equipment) must only be performed when such measures are objectively justified by circumstances relating to the undertaking and it does not involve undue strain on the employees. In addition, video surveillance of office premises that are frequently occupied by a limited circle of people must only be performed when necessary to prevent hazardous situations and to safeguard the safety of the employees and others, or when there is a specific need for such surveillance. The Camera Surveillance Regulation provides several requirements in relation to the above, including a duty to clearly provide information on the surveillance.

Pursuant to Section 31 of the Act, if video surveillance is in breach of the GDPR or the Act, the same applies to the use of fake equipment or signs that gives the impression that the area is video monitored.

Combating work-related crime

Pursuant to Section 12(a) of the Act, public authorities may surrender personal data other than special categories of personal data and data that is subject to a duty of confidentiality to each other when this is necessary to prevent, uncover, forestall, or sanction work-related crime.

Direct marketing

Pursuant to Section 15 of the Marketing Control Act 2009, consent is not required for direct marketing via electronic communication to a business' existing customers if the business has received the customers' electronic address in connection with a sale, and the marketing only relates to the business' own goods or services or otherwise corresponds to those on which the customer relationship is based. Nevertheless, the company must have a legal basis under Article 6 of the GDPR for any processing of personal data in relation to marketing.

Credit information

The Act of  July 1, 2022, on the processing of data in credit information activities (Credit Information Act) (only available in Norwegian here), and the Regulations on the processing of data in credit information activities (Credit Information Regulations) (only available in Norwegian here), set out specific rules for the processing of data as part of credit information activities. The Act replaces the former licensing requirements, meaning that all former licenses from Datatilsynet are now repealed.

6. Principles

There are no national law variations from the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

Pursuant to Section 14 of the Act, there is no general requirement for companies to notify or register with Datatilsynet prior to the processing of personal data. However, the Act makes a provision for regulations on consultation with and approval from Datatilsynet (see, for example, Section 6.1 of the Act on the processing of special categories of personal data).

7.2. Data transfers

There are no national law variations from the GDPR. However, Section 13 of the Act gives the Government the right to adopt regulations regarding the transfer of personal data to third countries or international organizations.

7.3. Data processing records

There are no national law variations from the GDPR.

7.4. Data protection impact assessment

As noted in section on data processing notification above, the Act contains a provision permitting the Government to adopt a regulation on a more extensive obligation to consult with and obtain prior authorization from the Datatilsynet (Section 14 of the Act).

The Datatilsynet has issued a list of activities that require a DPIA ('Blacklist'), namely the Norway DPIA Blacklist. The Blacklist is based on the EDPB's guidelines, is approved by the EDPB, and provides that the following types of processing operations require a DPIA:

• data collected via third parties in conjunction with at least one other criterion;
• processing of biometric data for identification purposes in conjunction with at least one other criterion;
• processing of genetic data in conjunction with at least one other criterion;
• processing of personal data using innovative technology in conjunction with at least one other criterion;
• processing of personal data involving measures for systematic monitoring of employee activities;
• processing of personal data without consent for scientific or historical purpose in conjunction with at least one other criterion;
• processing of location data in conjunction with at least one other criterion;
• processing of personal data for the purpose of evaluating learning, coping and improving wellbeing in schools or kindergartens. This includes all levels of education, from preschool, elementary, high school to university level;
• systematic monitoring, including camera surveillance, on a large scale, in areas accessible by the public;
• camera surveillance in schools or kindergartens during opening hours;
• processing of sensitive or highly personal data on a large scale for training of algorithms;
• processing of personal data to systematically monitor proficiency, skills, scores, mental health and development;
• processing personal data with the purpose of providing services or developing products for commercial use that involve predicting working capacity, economic status, health, personal preferences or interests, trustworthiness, behavior, location or route; and
• collection of personal data on a large scale through the use of 'Internet of Things' solutions or welfare technology solutions.

How to conduct a DPIA

The DPIA Checklist outlines the four phases of conducting a DPIA. These are as follows:

• a systematic description of the planned processing activities and the purposes behind the processing, including any legitimate interest pursued by the data controller (if applicable);
• an assessment of whether the processing activities are necessary and proportionate in light of the purpose behind them;
• an assessment of the risks for data subject rights and freedoms; and
• planned measures to mitigate risks to data subject rights and freedoms, such as security measures, as well as measures to ensure personal data protection and demonstrate compliance with the GDPR.

For addressing the four phases, the DPIA Checklist includes specific questions that should be taken into account during the assessment. For instance, on the description of planned processing activities, the questions refer to the methods of storing personal information, who has access to the information, the number of data subjects involved, and whether there will be processing of data of vulnerable individuals, including children. In addition, for assessment of necessity and proportionality, the DPIA Checklist includes questions, such as whether the purpose behind the processing has been clearly defined, whether the same purpose can be achieved with less personal information and whether there are functionalities in place to correct or delete incorrect personal information.

Moreover, the DPIA Checklist outlines requirements for the validation of the DPIA by the company's management team. The DPIA Checklist notes, among other things, that results of the DPIA must include a presentation of measures to mitigate the identified risks, as well as whether the DPIA is rejected or approved by management, thereby allowing processing to commence, and whether a revised DPIA is needed.

Prior consultation

Furthermore, the Prior Consultation Guidelines stipulate that, a request for prior consultation should be made to the Datatilsynet if an outcome of a DPIA indicates high risk and it is not possible to mitigate that risk, or if the assessment has been dealt with more than once and the risks to data subjects rights remain high.

The Prior Consultation Guidelines further stipulate that the request for prior consultation must be sent by email or letter as confidential information. Moreover, the Prior Consultation Guidelines note that the Datatilsynet is obliged to handle the consultation request within eight weeks of receipt, which may be further extended by six weeks. Furthermore, the Prior Consultation Guidelines provides that the relevant information that needs to be provided to the Datatilsynet includes:

• name and contact details of the data controller and data processor, if applicable;
• description of the processing;
• assessment of necessity and proportionality;
• assessment of risk to data subjects' rights; and
• and the relevant documentation.

Moreover, the Prior Consultation Guidelines note that questions relating to prior consultation can be sent to the Datatilsynet via email to [email protected].

7.5. Data protection officer appointment

Pursuant to the preparatory works of the Act, the expression 'public authority or body' in Article 37(1)(a) of the GDPR must refer to the central or local government bodies covered by Section 1(1) of the Act of 10 February 1967 relating to procedure in cases concerning the public administration (as amended) ('the Public Administration Act').

Section 19 of the Act contains a provision permitting the government to adopt a regulation on the obligation to appoint a data protection officer ('DPO').

The DPO is subject to a duty of confidentiality pursuant to Section 18 of the Act and must be registered with the Datatilsynet. More specifically in relation to the duty of confidentiality, the DPO is required to prevent others from gaining access to knowledge revealed to them in connection with the performance of their duties, such as:

• someone's personal relationships;
• technical facilities, production methods, business analyses, calculations and business secrets, when such information may potentially be exploited;
• security measures pursuant to Article 32 of the GDPR; and
• individuals' notification of violations of the Act.

Article 18 of the Act further stipulates that the duty of confidentiality does not apply if the DPO has the person's consent to reveal the information, or if this is necessary for the implementation of the DPO's statutory duties.

In addition, the Datatilsynet issued the DPO Tasks Guide, the DPO's Independence Guide, and the DPO Work Guide.

Moreover, the DPO Appointment Tool, as well as the DPO Appointment Guide aim to assist organizations in determining whether the appointment of a DPO is required.

Professional qualifications

The Datatilsynet issued the DPO Qualifications Guide, noting that DPOs generally have a background in fields such as legal, IT, security, HR, or compliance.

The FAQs issued by the Datatilsynet also highlight that for businesses established in Norway, a DPO should speak/understand a Scandinavian language.

Notification

Organizations that appoint a DPO are under an obligation to notify their contact details to the Datatilsynet, as explained on its website (only available in Norwegian here).

In accordance with the Privacy Statement, contact details of a DPO stored by the Datatilsynet in a register of DPOs are deleted from the register immediately, and no longer than one month after the Datatilsynet is informed that a person is no longer a DPO for the organization. In addition, a DPO's contact details are stored in the Datatilsynet's record management system for a period of three years after the Datatilsynet is informed that a person no longer performs their function as a DPO.

Location

In the FAQs, the Datatilsynet explains that a DPO may reside abroad. For group entities that have appointed a single DPO located outside of Norway, that person's contact information must be communicated to the supervisory authorities, rather than the contact details of local representatives of the subsidiaries.

In addition, in case several businesses appoint a single DPO, each of those must separately communicate their DPO contact details to the Datatilsynet.

7.6. Data breach notification

Section 16 of the Act stipulates that exemptions may be made to the obligation to notify affected data subjects under Article 34 of the GDPR provided that this would reveal information:

• of importance to Norway's national security interests or the defense of the country;
• that must be kept secret for the purpose of the prevention, investigation, detection, and prosecution of criminal offenses; and
• that is subject to a statutory obligation of professional secrecy (which must, if relevant, be explained to the data subject).

According to the same provision, the Government is permitted to adopt a regulation on breach notification obligations.

7.7. Data retention

There are no national law variations from the GDPR.

7.8. Children's data

The age of consent in relation to information society services is 13 years (Section 5 of the Act).

As a main rule, children can only consent to the sharing and processing of their own personal data when they reach the age of 18.  However, according to the Act of January 1, 1982, on Children and Parents (only available in Norwegian here) ('the Children Act'), children under the age of 18 can in some situations give consent themselves if they are able to give informed and voluntary consent.

Furthermore, an updated version of the Norwegian Children Act is currently being drafted. The current proposal states that children of the age of 13 can, generally, consent to the sharing of their personal data. However, the age limit increases to 18 if the consent concerns data that falls within Article 9 or 10 of the GDPR. Please note that this proposal is at an early stage and is currently not applicable.

7.9. Special categories of personal data

Pursuant to Sections 6 and 11 of the Act, processing of special categories of personal data and criminal conviction data is permitted when the processing is necessary to perform obligations or exercise rights in the field of employment.

Pursuant to Sections 7 and 11 of the Act, special categories of data and criminal conviction data may also be processed upon permission from Datatilsynet, if found to be necessary for important public interests, or upon the Government's adoption of a regulation found to be necessary in relation to important public interests.

Section 11 of the Act sets out that processing of criminal conviction data, pursuant to Article 10 of the GDPR, must generally be conducted in accordance with Article 9(2) of the GDPR (subject to certain exceptions and additional national provisions when not processed by public authorities).

Special categories of personal data and criminal conviction data may be processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, provided that the benefits for the society clearly exceed the detriment to the data subject (Section 9 of the Act).

7.10. Controller and processor contracts

There are no national law variations from the GDPR.

8. Data Subject Rights

8.1. Right to be informed

Section 16 of the Act provides exemptions from the right of information where:

• the information is of importance to national security interests or the defense of the country;
• the information must be kept secret for the purpose of the prevention, investigation, detection, and prosecution of criminal offenses.
• it is considered inadvisable for the data subject to gain knowledge of the information out of consideration for the health of the person concerned or for the relationship to persons close to the person concerned;
• the information is subject to a statutory obligation of professional secrecy (which must, if relevant, be explained to the data subject);
• the information is solely found in texts drawn up for internal preparatory purposes and which have not been disclosed to other persons; or
• disclosure of the information would be in conflict with obvious and fundamental private and public interests.

Section 16 of the Act also contains a provision permitting the Government to adopt a regulation on exemptions and terms for access and information.

Pursuant to Section 17 of the Act, the right of access does not apply to the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, insofar as this requires a disproportionate effort or is likely to make impossible or seriously impair the purpose of the processing, provided that the processing does not produce legal effects or direct actual effects for the data subject.

8.2. Right to access

Section 16 of the Act provides exemptions from the right of access where:

• the information is of importance to national security interests or the defense of the country;
• the information must be kept secret for the purpose of the prevention, investigation, detection, and prosecution of criminal offenses;
• it is considered inadvisable for the data subject to gain knowledge of the information out of consideration for the health of the person concerned or for the relationship to persons close to the person concerned;
• the information is subject to a statutory obligation of professional secrecy (which must, if relevant, be explained to the data subject);
• the information is solely found in texts drawn up for internal preparatory purposes and which have not been disclosed to other persons; or
• disclosure of the information would be in conflict with obvious and fundamental private and public interests.

8.3. Right to rectification

Section 17(2) of the Act provides exemptions from the right of rectification and limitation where the processing is performed for the purposes of archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR, insofar that the rectification is likely to seriously impede the purpose of the processing. However, this exemption does not apply if the processing has legal effects or direct factual effects on the data subject.

8.4. Right to erasure

There are no national law variations from the GDPR.

8.5. Right to object/opt-out

There are no national law variations from the GDPR.

8.6. Right to data portability

There are no national law variations from the GDPR.

8.7. Right not to be subject to automated decision-making

There are no national law variations from the GDPR.

8.8. Other rights

Exemptions from the right to restrict processing may be made when personal data is processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, insofar as this is likely to make impossible or seriously impair the purpose of the processing, provided that the processing does not produce legal effects or direct actual effect (Section 17 of the Act).

9. Penalties

Pursuant to Section 26 of the Act, Article 83(4) of the GDPR also applies to violations of Articles 10 (i.e. processing of personal data relating to criminal convictions and offences) and 24 (i.e. responsibility of the controller) of the GDPR. Additionally, the Datatilsynet may fine public authorities pursuant to Article 83(7) of the GDPR.

In accordance with Section 29 of the Act, the Datatilsynet may impose daily fines if its decision is not complied with.

If found liable for damages in accordance with Article 82 of the GDPR, damages for non-economic loss may also be imposed pursuant to Section 30 of the Act.

9.1 Enforcement decisions

There is some enforcement practice in relation to the GDPR from the Datatilsynet (only available in Norwegian here). Among others, we mention:

In March 2023, a business was fined approximately €220,000 for failing to notify a personal data breach without undue delay. Datatilsynet concluded that the controller became aware of the personal data breach when the controller had specific knowledge that the breach had affected the personal data of individuals in Europe, including in Norway, not several months later after having conducted a full and detailed investigation.

In February 2023, a business was fined approximately €850,000 for, among other things, failing to comply with requests for access and deletion of personal data.

In June 2022, a business was fined approximately €500,000 for failure to implement a solution to verify that a customer who registers a bank account is also the holder of the account.

From October 2020 to February 2022, eight businesses were fined different amounts for performing credit ratings without a legal basis. The fine level varied from approximately €4,000 up to approximately €100,000.

In December 2021, a business was fined approximately €7.8 million for breach of the consent requirements of the GDPR. The Datatilsynet concluded that the business had disclosed personal data about customers to third parties for behavioral marketing without a legal basis.

In December 2021, the Norwegian Public Service Pension Fund was fined approximately €100,000 for having collected unnecessary income information about approximately 24,000 people. The information contained special categories of personal data.

In September 2021, a business was fined approximately €500,000 for, inter alia, illegal transfers of personal data to China.

In May 2021, the Municipality of Oslo was fined approximately €40,000 for publishing documents containing special categories of personal data, including health information, at eInnsyn.no.

In May 2021, the Datatilsynet stated, in their preliminary conclusion, that Oslo University Hospital had not entered into necessary data processor agreements that safeguard the correct handling of the patient's personal data when using laboratories abroad. The hospital responded that they would structure the responsibility for use of foreign laboratories within the organization, as well as enter into the necessary agreements.

From January to August 2021, five businesses were fined for illegal video surveillance and/or sharing of video surveillance with third parties. The Datatilsynet concluded that the businesses did not have a legitimate interest under Article 6 of the GDPR to process the personal data in connection with the surveillance. The fine level varied from approximately €3,500 up to approximately €40,000.

In May 2021, the Norwegian Olympic and Paralympic Committee and Confederation of Sports was fined approximately €125,000 for publicly publishing the personal data of 3.2 million citizens online in 87 days, in connection with an error during the testing of a cloud solution. There were no indications that any third parties had accessed the data.

In January, February, and March 2021, three businesses were fined for forwarding emails of an employee on sick leave and a former employee in breach of the Email Monitoring Regulation, (see also section 5.7. above) and issued three fines of approximately €40,000, €20,000, and €30,000.

In September 2020, the Municipality of Bergen was fined approximately €300,000 for insufficient technical and organizational measures to ensure information security in a communication system used by a school, pupils, and parents. The use of the system involved a risk of the personal data related to pupils with a secret address, and a list containing such information was shared with the parents of one class.

In July 2020, the Datatilsynet temporarily banned the processing of personal data in the first version of the Norwegian app 'Smittestopp' which was developed by the Norwegian Institute of Public Health to help prevent COVID-19 from spreading. The Datatilsynet claimed that the processing of location data and other personal data to such a large extent as in this app was disproportionate compared to the users' fundamental privacy rights. All personal data was deleted, and a new version of the app was released.

In December 2019, the Education Department of the Municipality of Oslo was fined approximately €120,000 for insufficient technical and organizational measures to ensure information security. The lack of sufficient security measures led to unauthorized users gaining access to as many as 63,000 students' personal data on a mobile messaging app developed for schools in Oslo.

In October 2019, the Municipality of Oslo was fined approximately €50,000 for storing personal data about patients outside of the municipality's journal system, from 2007 until 2018. When determining the size of the fine, it was among other things decisive that the breach mostly had taken place when the GDPR was not yet in effect and that the fine level was much lower prior to the GDPR, with a maximum fine level of approximately €100,000.

In March 2019, the Municipality of Bergen was fined approximately €170,000 for computer files with usernames and passwords of over 35,000 user accounts being unprotected and easily accessible due to a lack of sufficient security measures. The aggravating factors considered were that the incident affected a large number of persons, who were mostly children. Additionally, the municipality had been warned previously that their security measures were inadequate and failed to act on such warning.