Background information
- Date of final decision: 04 March 2022
- Cross-border case or national case: National
- Controller: Stortinget
- Legal Reference: Security of processing (Art. 32) and Principles relating to processing of personal data (Art. 5)
- Decision: Infringement of the GDPR and fine imposed
- Key words: Information Security, unauthorized users, two-factor authentication
Summary of the Decision
Origin of the case
The Norwegian parliament – the Storting – had a data breach in late 2020. In January 2022, the Norwegian Supervisory Authority gave notice of a NOK 2 million (EUR 200.000) fine for inadequate security. After having considered the Storting’s comments, the SA decided to maintain the fine.
Key Findings
The conclusion is that the Storting’s administration failed to implement suitable technical and organisational measures to achieve satisfactory security.
The data breach was related to unauthorised logins to e-mail accounts belonging to an unknown number of parliamentary representatives, as well as administrative and party secretariat staff. The Norwegian SA has placed particular emphasis on the fact that the Storting had not implemented two-factor authentication or similar effective security measures to achieve satisfactory protection.
Decision
The Norwegian SA have issued a EUR 200.000 (NOK 2 million) fine for inadequate security.
For further information:
- Norwegian parliament fined (EN), Datatilsynet, Norwegian SA
- Overtredelsesgebyr til Stortinget (NO), Datatilsynet, Norwegian SA
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.