Datatilsynet fines Ålesund Municipality NOK 50,000 for failure to conduct a DPIA for schools’ training app.
The Norwegian Data Protection Authority (‘Datatilsynet’) announced, on 24 March 2021, that it had fined Ålesund Municipality NOK 50,000 (approx. €5,000) for the use of a training app (Strava) that logs training and allows users to analyze and compare their data with their own or others’ training logs by two schools without previously conducting the required Data Protection Impact Assessment (‘DPIA’). In particular, Datatilsynet noted that the schools had been using the app, whose download on pupils’ phones was mandatory, to enable teachers to monitor students’ completion of the required assignments.
Further to this, Datatilsynet highlighted that the use of such an app entailed location tracking, possible processing of special categories of personal data, and systematic monitoring, and that, therefore, before its use, a DPIA was required. In addition, Datatilsynet found that the Municipality, apart from failing to conduct a DPIA, had not established specific procedures for risk assessment with respect to the downloading and use of certain apps.
This decision shows that the DPIA requirement should be considered in the case of processing special categories of personal data, location tracking, and systematic monitoring.
Particular emphasis was placed on the following factors in Datatilsynet’s assessment of whether or not to impose a penalty for a data breach:
- The nature, severity, and duration of the violation, taking into account the number of data subjects affected by the nature, scope, or purpose of the relevant activities and the extent of the damage they suffered,
- Whether the data breach was committed intentionally or negligently,
- Any measures taken by the data controller or data processor to limit the damage suffered by the data subjects,
- The degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32,
- Any relevant previous violations committed by the data controller or data processor,
- The degree of cooperation with the supervisory authority to remedy the data breach and reduce the possible negative effects of the breach,
- If the measures referred to in Article 58 (2) have previously been taken against the data controller or data controller concerned in respect of the same subject matter, such measures are complied with,
- The categories of personal data affected by the breach,
- The manner in which the supervisory authority became aware of the breach, in particular, whether and, if so, to what extent the data controller or data processor has notified the breach,
- Compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42,
- Any other aggravating or mitigating factor in the case, e.g. financial benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement,
You can read the announcement here and the decision here, both only available in Norwegian.
A few contents that may be of interest to you; French DPA – CNIL Opens Investigation Into The Clubhouse App