Norwegian State Pension Fund (SPK)

€98,000

Insufficient legal basis for data processing

Decision Date

24 de novembro de 2021

Authority

Norwegian Supervisory Authority (Datatilsynet)

NO

Sector

Public Sector and Education

Country

NO

Law

GDPR

Status

FINAL

Description

The Norwegian DPA has imposed a fine of EUR 98,000 on the Norwegian State Pension Fund (SPK). The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The DPA found that the controller had unlawfully collected certain income information since 2016. For example, the controller had collected health-related information on disability pensions, although this was not required. Approximately 24,000 individuals were affected by these incidents. In addition, the DPA found that SPK did not implement routines to review and delete excessive information collected until 2019.

Legal Citations

Art. 5 (1)Art. 6 (1)Art. 9 (2)

Issues & Violations

Insufficient legal basis for data processing
View Official Document
Back to Fines Database
Previous Fine
Spanish Data Protection Authority (aepd) - UNIÓN F...
Next Fine
Data Protection Authority of Hamburg (HmbBfDI) - C...

Stay Updated on Privacy Enforcement

We respect your privacy. One email per month, no spam, unsubscribe anytime.