Norwegian DPA: Norwegian Confederation of Sport fined for inadequate testing

15 June 2021

The Norwegian Data Protection Authority has fined the Norwegian Confederation of Sport (NIF) EUR 125,000 (NOK 1,250,000) for a GDPR violation. The backdrop for this case is that personal data about 3.2 million Norwegians was available online for 87 days as a result of an error in connection with testing of a cloud computing solution.

The Data Protection Authority finds that NIF had failed to establish satisfactory security measures for the testing, and that testing with such a large quantity of personal data was not necessary.

This case started when NIF submitted a discrepancy report to the Data Protection Authority on 20 December 2019, in response to an alert from the Norwegian National Cyber Security Centre (NCSC) that the personal data was available on a public IP address. The discrepancy occurred when they were testing solutions for moving a database from a physical server environment to the cloud.

The types of personal data made public included name, gender, date of birth, address, phone number, e-mail, and association affiliation. Of the 3.2 million individuals affected by this discrepancy, 486,447 were children aged 3–17. As far as the Data Protection Authority is aware, no unauthorized parties have exploited this discrepancy.

Inadequate risk assessment and procedures
The Data Protection Authority finds that the testing involving personal data was initiated without adequate risk assessments, and without implementing specific procedures or measures to keep the data safe.

In addition, the Data Protection Authority finds that NIF did not have a legal basis for performing testing with this personal data. The processing must be necessary to achieve the purpose; the purpose cannot be achieved with less intrusion on privacy. The Data Protection Authority finds that the testing could have been achieved with processing of synthetic data — or at least with using a much smaller quantity of personal data.

“It is very important to thoroughly test any solution before it is put into production,” says Data Protection Authority Director Bjørn Erik Thon. “Testing could, for example, reveal errors or security flaws in the solution. For that reason, there is considerable risk associated with testing, especially if you use people’s personal data in the testing process. We strongly recommend using fictitious data, so-called Donald Duck data, as this mitigates the risk considerably.”

The Data Protection Authority also found the incident to be in breach of the principles of legality, data minimisation and confidentiality.

Issuing a fine
A fine must be effective, proportionate to the violation, and have a deterrent effect. While this incident did not include the types of personal data normally associated with the greatest risk, the Data Protection Authority has emphasized the very high number of people affected in this case — and especially the high number of children.

The Data Protection Authority initially gave notice of a fine in the amount of EUR 250,000. NIF had no objections to the description of the event by the Data Protection Authority, but objected to the size of the fine. Based on new information about NIF’s organization and finances, the Data Protection Authority has reduced the fine to EUR 125,000.

For further information, please contact the Norwegian DPA:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.