Norwegian SA issues fine and orders to Norwegian Labour and Welfare Administration

Background information

  • Date of final decision: 18 March 2024 
  • National case
  • Legal references: Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing), Article 24 (Responsibility of the controller)
  • Decision: Administrative fine, Compliance order
  • Key words: Principles relating to processing of personal data, Data security, Public administration, Sensitive data


Summary of the Decision

Origin of the case

The Norwegian Supervisory Authority (SA) carried out an inspection of the Norwegian Labour and Welfare Administration (NAV) in September 2023 and announced its final decision in the case in March 2024.

Key findings

The Norwegian SA’s main findings are that NAV’s management system is not satisfactory for ensuring compliance with the data protection regulations, and that the safeguarding of confidentiality through access management and log control is likewise not satisfactory in practice.

Decision

The Norwegian SA has decided to impose an administrative fine of approximately EUR 1,7 million on NAV, together with several orders, for violation of the GDPR.

For further information: Decision on infringement penalty and orders to NAV (English), Vedtak om gebyr og pålegg til NAV (Norwegian)
