Norway

Ålesund Municipality

4,900 €

GDPR enforcement action by Norwegian Supervisory Authority (Datatilsynet) on 2021-03-15.

Rank · Sector

#252

of 356 in Public Sector and Education

Rank · Norway

#50

of 52

Rank · All fines

#1,844

of 3,042

Case details

Authority: Norwegian Supervisory Authority (Datatilsynet)
Date: 2021-03-15
Controller / Processor: Ålesund Municipality
Sector: Public Sector and Education
Quoted Articles: Art. 32 (1) b) GDPR, Art. 24 (1) GDPR, Art. 35 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Norwegian DPA (Datatilsynet) imposed a fine of EUR 4,900 on the municipality of Ålesund. At two schools in Ålesund, teachers asked students to download the training app Strava for physical education classes. The students were then given tasks that the teachers controlled via the tracking function. According to the Norwegian DPA's investigation, this resulted in data breaches because the municipality failed to provide standard procedures for privacy-compliant app use in schools. For example, a data protection impact assessment was not carried out, although this would have been necessary in view of the potential risk to the students. In addition, adequate technical and organizational security measures had not been implemented to ensure the protection of the processing.

Open original source Links to the regulator's original publication or another source.