The Norwegian SA issues one administrative fine and five reprimands for unlawful sharing of personal information through tracking pixels

  • National News

Background information

  • Date of final decision: 10 June 2025
  • National case
  • Controllers: 116111.no (Municipality of Kristiansand), apotekfordeg.no (Apotekfordeg AS), bibel.no (Det norske bibelselskap), drdropin.no (Dr.Dropin AS), ifengsel.no (Kirkens Bymisjon), nhi.no (Norsk Helseinformatikk AS)
  • Legal Reference(s): Article 6 (Lawfulness of processing), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 9 (Processing of special categories of personal data)
  • Decision: administrative fine, communication order personal data breach
  • Key words: administrative fine, reprimand to processor, sensitive data, children, third party access to personal data, lawfulness of processing Information  

 

Summary of the Decision

Origin of the case  

The Norwegian Data Protection Authority conducted an inspection of six websites that use tracking pixels. The purpose of the inspections was primarily to increase awareness about the use of tracking pixels on websites.

Tracking pixels is a technology that automatically sends information about those who visit a website or app to a third party. This can be information about which subpages people visit, what actions they take on the website or what they put in their shopping cart. 

Key Findings 

All of the websites inspected made personal data about visitors available to third parties without legal basis. The Norwegian Data Protection Authority also found breaches of the duty to provide information. 
Decision 

The Norwegian Data Protection Authority found that all six websites subject to inspection unlawfully shared personal data of website visitors with third parties. In several of the cases, the personal data shared were of a sensitive nature.

In one of the cases, we imposed a fine of approximately EUR 22 000. The Data Protection Authority issued reprimands to the other websites.

For further information: 

Latest news

  • EDPB News

EDPB requires Belgian DPA to handle the merits of NOYB cookie banner complaint

  • EDPB News

EDPB sheds light on anonymisation and web scraping for generative AI and adopts final version of guidelines on blockchain

  • EDPB News

EDPB and AMLA to develop Joint Guidelines on partnerships for information sharing