Norwegian DPA: St. Olavs Hospital fined

28 October 2021

Background information

Date of final decision: 20 September 2021
Cross-border case or national case: National case
Controller: St. Olavs Hospital HF
Legal Reference: Security of processing (Article 32, cf. Article 24)
Decision: Infringement declared and fine imposed 
Key words: Access Management, Health Data, Information Security 

Summary of the Decision

Origin of the case

The case started with three non-conformity reports in March 2020. The non-conformities concerned a lack of access management in folder areas outside patient records. The folders were in principle accessible to all authorised users within the Central Norway Regional Health Authority.

St. Olavs Hospital HF has subsequently carried out further work to introduce relevant measures in order to improve personal data security.

Key Findings

The fine is imposed due to a lack of access management concerning folder areas outside patient records. This constitutes a breach of the requirements regarding personal data security in Article 32, cf. Article 24, of the General Data Protection Regulation.


The Norwegian Data Protection Authority has fined Ultra-Technology AS EUR 12,500 for performing a credit rating on a private individual without any legal basis. The company was also ordered to prepare written routines for credit ratings in accordance with Article 24.

For further information: (NO) (EN)




The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.