Background information
- Date of final decision: 24 November 2021
- Cross-border case or national case: National Case
- Controller: the Norwegian Public Service Pension Fund (SPK)
- Legal Reference: Principles relating to processing of personal data (Article 5), Legal basis (Article 6)
- Decision: Infringement of the GDPR
- Key words: Income Data, Lack of Procedures, Special Categories of Data
Summary of the Decision
Origin of the case
The background for the decision is that the Norwegian Public Service Pension Fund (SPK) has collected unnecessary income data on approximately 24,000 individuals.
SPK sent a discrepancy notification to the Norwegian Supervisory Authority (SA) in September 2019. SPK had collected income data from the Tax Administration since 2016. They identified that some of this data was excess data that should not have been collected, as the data was not necessary for the purpose of conducting a post-settlement for disability pension. The data had been collected by means of a pre-defined data set from the Tax Administration. Until 2019, SPK had no procedures for reviewing and deleting excess data from the data sets collected.
Key Findings
Approximately 24,000 individuals collecting disability pension were affected by the discrepancy, and the discrepancy includes special categories of personal data, in the form of information about disability pension from a third party beyond SPK and national insurance. The Norwegian SA concluded that SPK breached the fundamental principles for the processing of personal data.
Decision
The Norwegian SA has decided to fine the Norwegian Public Service Pension Fund (SPK) NOK 1 million (EUR 100,000). SPK was originally given notice of a EUR 150,000 fine. Based on SPK’s response to the notice, the fine amount was reduced in the final decision. The Norwegian SA’s overall processing time was also taken into account.
For further information:
- https://www.datatilsynet.no/en/news/2021/fine-issued-to-norwegian-public-service-pension-fund/ (EN)
- https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/vedtak-om-overtredelsesgebyr-til-statens-pensjonskasse/ (NO)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.