On March 18, 2024, the Norwegian data protection authority (Datatilsynet) announced that it had published its final decision in Case 23/00708-28, in which it imposed an infringement fee of NOK 20 million (approx. $1.87 million) to the Norwegian Labor and Welfare Administration (NAV) after finding that its management system is not sufficient in complying with privacy regulations, following an inspection in September 2023.

Background to the case

The Datatilsynet announced on November 28, 2023, that it would impose an infringement fee of NOK 20 million (approx. $1.87 million) but received feedback from NAV on January 5, 2024. After assessing the feedback from NAV, the Datatilsynet made its decision regarding the investigation of NAV's management system and its technical and organizational measures.

Findings of the Datatilsynet

The Datatilsynet found that NAV's management systems were not satisfactory to ensure compliance with privacy regulations, particularly ensuring sufficient security when processing personal data, and that NAV had not implemented suitable technical and organizational measures, violating Articles 5(1)(f), 5(2), 24(1), 24(2), 32(1), 32(2), and 32(4) of the GDPR.  

Outcomes

As a result, the Datatilsynet decided to impose the aforementioned fine on NAV. Additionally, the Datatilsynet ordered NAV to carry out 16 measures, including updating documentation, preparing training material, reviewing current routines, and updating risk assessments. The Datatilsynet had set separate deadlines for each measure.  

Furthermore, the Datatilsynet mentioned that NAV can appeal this decision three weeks from the decision being received. In the case where the Datatilsynet upholds the decision, the Datatilsynet also mentions that the case will be sent to the Norwegian Privacy Appeal Board (Personvernemnda).

You can read the press release here, the final inspection report on NAV here, and the decision here, all only available in Norwegian.