Norwegian State Pension Fund (SPK)
98,000 €
GDPR enforcement action by Norwegian Supervisory Authority (Datatilsynet) on 2021-11-24.
Rank · Sector: #44 of 357 in Public Sector and Education
Rank · Norway: #16 of 53
Rank · All fines: #493 of 3,050
Case details
- Authority: Norwegian Supervisory Authority (Datatilsynet)
- Date: 2021-11-24
- Controller / Processor: Norwegian State Pension Fund (SPK)
- Sector: Public Sector and Education
- Quoted Articles: Art. 5 (1) c), e) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR
- Type of violation: Insufficient legal basis for data processing
Summary
The Norwegian DPA has imposed a fine of EUR 98,000 on the Norwegian State Pension Fund (SPK). The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The DPA found that the controller had unlawfully collected certain income information since 2016. For example, the controller had collected health-related information on disability pensions, although this was not required. Approximately 24,000 individuals were affected by these incidents. In addition, the DPA found that, until 2019, SPK had not implemented routines to review and delete the excessive information it had collected.
Related fines
- Grindr LLC (Media, Telecoms and Broadcasting), Norway, 2021-12-13, 6,300,000 €, ETid-950
- Elkjøp AS (Industry and Commerce), Norway, 2026-06-01, 1,820,000 €, ETid-3193
- Norwegian Labor and Welfare Administration (Public Sector and Education), Norway, 2023-11-27, 1,700,000 €, ETid-2136
- Sats ASA (Industry and Commerce), Norway, 2023-02-06, 900,000 €, ETid-1656
- Ferde AS (Public Sector and Education), Norway, 2021-09-27, 496,000 €, ETid-851
- Østre Toten municipality (Public Sector and Education), Norway, 2021-10-18, 412,000 €, ETid-878