Date of final decision: 20 September 2021
Cross-border case or national case: National case
Controller: Høylandet Municipal Council
Legal Reference: Security of processing (article 32), cf. article 24 and article 5
Decision: Infringement declared and fine imposed
Key words: Information security, internal control, access management
Summary of the Decision
Origin of the case
Image files containing health data about people with no connection to the municipality were accessible to staff at the health clinic.
The Norwegian Data Protection Authority noted that the municipality did not implement any relevant measures after the non-conformity was discovered. The error has now been resolved and the municipality has also introduced a new internal control system.
The Norwegian Data Protection Authority has decided to fine Høylandet municipality EUR 41,000 for fundamental internal deficiencies in its access management. This is a breach of the requirements regarding personal data security in the General Data Protection Regulation.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.