The Norwegian Data Protection Authority (DPA) issues a fine of €77 139 against St Olav’s Hospital. The fine is issued since PDFs, containing personal data, have been stored in a folder without being present in the records of processing activities. The DPA also points out the CEO as accountable for the violation.

St Olav’s Hospital has had many PDF reports from the Department of Cardiology stored in a folder. These PDFs contained personal data and they should therefore not exist at all, or be present in the records of processing activities, as storage is also considered processing.

The reports were created in connection with a change to a new system for the Cardiology Laboratory and were only to be saved temporarily. Due to the human factor, however, the reports were not deleted and the folder in which the files were stored has also been theoretically accessible to all employees of Helse Midt-Norge RHF.

The reports were created already on 2011-01-13 but were not discovered until 2019-11-21.

GDPR has for St Olavs a maximum fine of NOK 106,000,000, but the DPA concludes that legislation other than GDPR was in force during the period. This is considered, together with the measures taken by the hospital, when the fine is reduced to only NOK 750,000.

It is interesting, however, that the DPA once again chooses to point out the accountable individual. Even though the fine is directed at St Olav’s Hospital, the hospital now has strong arguments for claiming damages from the CEO.

“The administrative director, as the highest leader for the hospital, is accountable for this careless breach of the law…”

GDPR regulates personal data in all data sources, including unstructured data such as files, e-mails and free text fields. As storage is regarded as processing, these files must also be included in the records of processing activities. This is also a prerequisite for being able to handle data subjects’ rights, such as register extracts, and also for being able to set the right permissions for the information. Or, of course, remove it when it is not to be saved.

Unstructured data makes up at least 80% of all data and it grows exponentially, by as much as 65% per year. A large part of these documents contains personal data, and more than half of it is never used.

In a reality where organizations have millions to billions documents it becomes an impossible task to manually delete everything that is not needed and legally assess and document what must be kept.

At Aigine, we use world-leading data mining that reads all information and applies AI to identify, assess and document personal data in unstructured data. We automatically create the mandatory records of processing activities and the PDFs that were present at St Olav’s Hospital had therefore been found, flagged and deleted.

The requirement for data and storage minimization in the GDPR is therefore not just a matter of compliance. By reducing the amount of data, both costs and environmental impact can be reduced, while staff can more easily find the information they need.

Do you want to know more?

Get in touch with us at:


08-121 080 00–st.-olavs-hospital-hf.pdf