The Data Protection Authority (DPA) has the power to investigate complaints and to open cases on its own initiative. Where privacy law has been breached, the DPA may order that the unlawful processing cease and may impose coercive fines for noncompliance with such orders. Furthermore, for privacy law breaches, the DPA may impose a regulatory fine of up to 10 times the national insurance basic amount, which at present corresponds to about €110,000.
A data controller may be liable to compensate the data subject for any damage suffered, including pecuniary and non-pecuniary damages.
Fines of unspecified value may be imposed, as well as imprisonment for a term not exceeding one year.
Sanctions may also be directed towards responsible directors and employees.
Selected Enforcement Actions / General Comments
Some examples of recent case law and enforcement action in Norway include:
- In August 2014, an administrative fine of NOK 75,000 (about €9,000) was imposed on Pixima for illegal data processing. The company assisted various petrol stations by collecting data from video footage in order to identify customers who had not paid for their petrol. However, Pixima, acting as a data processor for the petrol stations as data controllers, went beyond its agreement with the petrol stations and established its own archive of non-paying customers. Further, the agreements with the petrol stations did not satisfy the minimum criteria in the Personal Data Act, nor was the data protected with a sufficient degree of security. The data was also kept indefinitely, in violation of the requirement to delete it when no longer relevant.
- In January 2014, an administrative fine of NOK 75,000 (about €9,000) was imposed on the security company Securitas. Securitas did not have satisfactory risk evaluations in place for its processing of personal data, nor satisfactory measures to secure the data. Finally, the data processing wording in its agreements with customers was not satisfactory.