Background information
- Date of final decision: 18 March 2024
- National case
- Legal references: Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing), Article 24 (Responsibility of the controller)
- Decision: Administrative fine, Compliance order
- Key words: Principles relating to processing of personal data, Data security, Public administration, Sensitive data
Summary of the Decision
Origin of the case
The Norwegian Supervisory Authority (SA) carried out an inspection of Norwegian Labour and Welfare Administration (NAV) in September 2023, and announced its final decision in the case in March 2024.
Key findings
The Norwegian SA’s main findings are that NAV’s management system is not satisfactory to ensure compliance with the data protection regulations, and that securing confidentiality through access management and log control is also not satisfactory in practice.
Decision
The Norwegian SA has made a decision to impose an administrative fine of approximately EUR 1,7 million and several orders to the NAV for violation of the GDPR.
For further information: Decision on infringement penalty and orders to NAV (English), Vedtak om gebyr og pålegg til NAV (Norwegian)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.