Bergen Municipality fined EUR 276k

On 13/Oct/2020, Bergen Municipality received a privacy fine of EUR 276,000. The enforcement authority (Norwegian Data Protection Authority) has cited these legal provisions in imposing the fine on Bergen Municipality: GDPR/


Date of enforcement action:
Jurisdiction: Fine imposed:
Norway Flag for Norway, which is the jurisdiction taking enforcement action EUR 276,000 (US$326,000)
Defendant company or entity: Industry segment:
Bergen Municipality Government /

Case summary

The Norwegian Data Protection Authority has given Bergen municipality a final decision on an administrative fine of approximately EUR 276,000 (3 million NOK). Personal information in the communication system between school and home was not secure enough.
Decision to fine Bergen municipality

In October 2019, the Data Protection Authority was notified of a personal data breach by Bergen Municipality regarding the municipality’s new tool for communication between school and home. Vigilo contains a module where school and parents can communicate via a portal or app. The municipality had not established nor communicated the necessary guidelines to secure the personal information of children and parents with a confidential address before the tool was put to use.

This spring, the municipality was notified of the Data Protection Authority’s intention to impose an administrative fine, and now the fine has been made final.

– Bergen municipality has now received the final decision of an administrative fine of EUR 276,000, says Data Protection Authority Director-General Bjørn Erik Thon. The fee was imposed because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.
Danger to life and health

The decision emphasized that the municipality had not established nor communicated the necessary guidelines for information about children who have a clear interest in the information about them being processed with the highest degree of confidentiality.

– This applies to children who have registered a confidential or strictly confidential address in the National Register and who belong to a particularly vulnerable group. These children have a high need for protection, and in the extreme, life and health could have been in danger, says Thon.

Personal information that should have been confidential has instead been available to unauthorized persons. In one case, a contact list with information about “confidential address” was distributed to parents at a grade level.

– The risk assessments were inadequate. Among other things, there was no assessment of risk associated with information about relationships between parents and children, Thon emphasizes.

(Norway DPA)

Applicable legal provisions


Enforcement information

Enforcement authority: Type of enforcement action:
Norwegian Data Protection Authority Flag for Norway, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Not known

Cite this fine in your work

Data Privacy Fines Index. (2020-10-13 03:28) Bergen Municipality fined EUR 276k. Retrieved from

Entry last updated: 2020-11-06 03:30 GMT.