Høylandet Municipality

€40,200

Insufficient technical and organisational measures to ensure information security

Date de décision

20 septembre 2021

Autorité

Norwegian Supervisory Authority (Datatilsynet)

NO

Secteur

Public Sector and Education

Pays

NO

Droit

GDPR

Statut

FINAL

Description

The Norwegian DPA has imposed a fine of EUR 40,200 on the municipality of Høylandet. The latter had reported a data breach to the DPA in accordance with Art. 33 GDPR. An employee gained access to several image files (bitmap) when she had to create new letter templates and insert an image logo from the file. The image files that the employee had access to contained sensitive information about individuals who had no connection with the municipality of Høylandet. The information included health data among others. The DPA found that the municipality had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. Instead, the municipality stated that it had simply asked employees using the relevant computer program to avoid opening bitmap files that were not created by the municipality. The error has meanwhile been corrected and the municipality has introduced a new internal control system.

Citations légales

Art. 32 (1)

Questions et violations

Insufficient technical and organisational measures to ensure information security
Voir le document officiel
Retour à la base de données des amendes
Précédent Amende
Spanish Data Protection Authority (aepd) - CEDICO,...
Prochaine amende
Data Protection Authority of Hamburg (HmbBfDI) - C...

Restez informé sur l'application de la législation en matière de protection de la vie privée

Nous respectons votre vie privée. Un courriel par mois, pas de spam, désabonnement à tout moment.