Norway Datatilsynet

Six Norwegian Websites Fined for Unlawful Tracking Pixel Data Sharing

The Norwegian Data Protection Authority completed inspections of six websites using tracking pixels and found all six unlawfully shared visitor personal data with third parties without legal basis. Several shared sensitive personal data categories. One website (116111.no) was fined NOK 250,000 while the other five received reprimands. The authority also issued guidance on tracking tool requirements.

Court of Appeal Upholds NOK 65M Fine Against Grindr for Invalid Data Consent

Borgarting Court of Appeal rejected Grindr's appeal and upheld the NOK 65 million administrative fine issued by the Norwegian Data Protection Authority. The court ruled that Grindr did not have valid consent to disclose personal data to advertising partners and that data about app usage constitutes special category personal data. This is the third consecutive level of appeal to affirm the fine.

Administrative Fine NOK 250,000 for Failure to Provide Employee Data Access - Timegrip AS

The Norwegian Data Protection Authority imposed an administrative fine of NOK 250,000 on Timegrip AS for denying 80 employees access to their personal time-tracking data following the bankruptcy of their employer. The DPA found that despite acting as a data processor, Timegrip exercised effective control over the data and was therefore functionally the data controller with an obligation to honour access requests under GDPR.

Telenor ASA Sanctioned for DPO Organization and Internal Control Failures

Datatilsynet imposed a 4 million NOK administrative fine on Telenor ASA for inadequate organization of the data protection officer role and lack of internal control. The investigation found the company failed to assess DPO independence, document conflict of interest considerations, and establish a documented reporting line to the highest management level. As a cross-border GDPR case processed through the cooperation and consistency mechanism with Swedish and Danish supervisory authorities, Telenor is ordered to assess its DPO obligation and maintain accurate processing activity records.

Four Sandbox Reports Explore Data Sharing to Combat Economic Crime

The Norwegian Data Protection Authority and Financial Supervisory Authority of Norway have published four final reports from joint regulatory sandbox projects exploring data sharing to combat economic crime. Participants including banks (DNB, Nordea, SpareBank 1, Eika), Stø, Finans Norge Forsikringsdrift, and Eika Gruppen with KPMG received joint regulatory guidance on how data protection and financial regulations interact. The reports clarify where current regulations provide clear boundaries versus where there is greater scope for action within existing frameworks.