Written by: Haim Ravia, Dotan Hammer
Following an investigation prompted by anonymous tips, the Norwegian Data Protection Authority (Datatilsynet) found that Telenor ASA, a Norwegian telecommunications company, violated several GDPR requirements on organizational processes and structures. Datatilsynet ordered corrective measures be taken and imposed a fine of approximately $380,000.
The GDPR requires data controllers to implement specific organizational measures to mitigate data protection concerns and prevent data protection violations. These obligations include maintaining a Record of Processing Activities (RoPA) and a Data Protection Impact Assessment (DPIA), and appointing a data protection officer (DPO) with specific roles and authorities.
Datatilsynet found that Telenor failed to properly document a RoPA, which was determined to be ambiguous, unclear, and incomplete. It also neglected to provide its DPO access to the company’s senior management for over a year, rendering the position a figurehead. The regulator issued a decision requiring Telenor to correct the RoPA and to implement organizational measures to ensure the independence of Telenor’s DPO and avoid conflicts of interest with the DPO’s contemporaneous role as an in-house legal counsel.