Background information
- Date of final decision: 28 June 2024
- National case
- Legal references: Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data)
- Decision: Administrative fine
- Key words: Lawfulness of processing
Summary of the Decision
Origin of the case
The Norwegian Supervisory Authority (SA) decided to impose an infringement penalty of NOK 250,000 to Eidskog Municipality for breach of the requirements for a legal basis in the General Data Protection Regulation.
Key findings
The Norwegian SA’s conclusion is based on the Eidskog Municipality’s extensive publication of confidential information about a whistle-blower via the public records over several years.
Furthermore, the Norwegian SA believes that the municipality breached the requirements for a legal basis when they gave two former colleagues access to the complainant’s notification. Access was given without sufficient redaction, so that, among other things, information about the person’s physical and mental health, as well as financial situation, was disclosed.
The Norwegian SA finds that the breaches overall show a lack of understanding of and compliance with the municipality’s duty of confidentiality under the Freedom of Information Act.
Decision
The Norwegian SA has made a decision to impose an administrative fine of approximately EUR 21 000 to Eidskog Municipality for breach of the requirements for legal basis in the General Data Protection Regulation.
For further information: news article Infringement penalty to Eidskog Municipality (English), Overtredelsesgebyr til Eidskog kommune (Norwegian)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.