Norway

Høylandet Municipality

40,200 €

GDPR enforcement action by Norwegian Supervisory Authority (Datatilsynet) on 2021-09-20.

Rank · Sector

#73

of 356 in Public Sector and Education

Rank · Norway

#21

of 52

Rank · All fines

#779

of 3,042

Case details

Authority: Norwegian Supervisory Authority (Datatilsynet)
Date: 2021-09-20
Controller / Processor: Høylandet Municipality
Sector: Public Sector and Education
Quoted Articles: Art. 32 (1) b), (2) GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Norwegian DPA has imposed a fine of EUR 40,200 on the municipality of Høylandet. The latter had reported a data breach to the DPA in accordance with Art. 33 GDPR. An employee gained access to several image files (bitmap) when she had to create new letter templates and insert an image logo from the file.
The image files that the employee had access to contained sensitive information about individuals who had no connection with the municipality of Høylandet. The information included health data among others. The DPA found that the municipality had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. Instead, the municipality stated that it had simply asked employees using the relevant computer program to avoid opening bitmap files that were not created by the municipality. The error has meanwhile been corrected and the municipality has introduced a new internal control system.

Open original source Links to the regulator's original publication or another source.