Administrative fine of approximately EUR 276,000 applied to Bergen Municipality by Norwegian Data Protection Authority

The National Center for Personal Data Protection, for information and application purposes, communicates about the fine imposed by Norwegian Data Protection Authority to Bergen Municipality for non-compliant processing of personal information in the communication system between school and home.

In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality’s new tool for communication between school and home. Vigilo contains a module where school and parents can communicate via a portal or application. The municipality had not established nor communicated the necessary guidelines to secure the personal information of children and parents with a confidential address before the tool was put to use. Therefore, a contact list with information about “confidential address” was distributed to parents at a grade level.

The administrative fine of EUR 276,000 was imposed because the municipality did not implement technical and organizational measures to ensure an adequate level of security of personal data, as well as their confidentiality.

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.