Norway

Bergen Municipality

170,000 €

GDPR enforcement action by Norwegian Supervisory Authority (Datatilsynet) on 2019-03.

Rank · Sector

#35

of 357 in Public Sector and Education

Rank · Norway

#11

of 53

Rank · All fines

#395

of 3,050

Case details

Authority: Norwegian Supervisory Authority (Datatilsynet)
Date: 2019-03
Controller / Processor: Bergen Municipality
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality’s computer system. The user accounts related to both pupils in the municipality’s primary schools, and to the employees of the same schools. Due to insufficient security measures, these files have been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools.

The fact that the security breach encompasses personal data to over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and an internal whistleblower, that the data security was inadequate.

Open original source Links to the regulator's original publication or another source.