The Norwegian Data Protection Authority, Datatilsynet, has issued a fine of €388,350 to the Norwegian Public Roads Administration.
The fine is the highest imposed in Norway so far, it targets a public authority, and it was issued without any data breach having occurred.
The investigation was initiated after a private individual notified the DPA that personal data from toll stations was being stored for longer than the statutory retention period of five years.
The personal data, such as vehicle registration numbers, was stored in a system that lacked the functionality to delete it in a timely fashion. The Norwegian Public Roads Administration had been aware of the problem but had not resolved it together with the supplier.
The DPA concludes that the Norwegian Public Roads Administration has:
• Stored personal data for longer than the law permits, in violation of Article 5(1)(a) and Article 17(1)(a) and (d).
• Failed to implement suitable technical and organisational measures to ensure that the data protection principles, including data minimisation, are complied with, and therefore did not meet the requirements of Article 25(1).
The DPA notes strong similarities with the Deutsche Wohnen case in Germany:
– Personal data could not be deleted
– Attempts had been made to solve the problem, but they failed
– No breach occurred
– Storage began before the GDPR came into effect
– Personal data was not documented
– The “privacy-by-design” principle had not been implemented
Compared with the €14.5M fine imposed on Deutsche Wohnen, approximately €400,000 may look like a small fine.
However, the maximum fine for the Norwegian public sector is approximately €1M, so this fine is about 39% of the maximum; applied to the GDPR's 4%-of-turnover ceiling for private entities, that corresponds to a fine of roughly 1.6% of total turnover.
Once again, this shows how important it is to have personal data documented and under control in order to meet the obligations towards data subjects.