Telenor ASA Sanctioned for DPO Organization and Internal Control Failures
Summary
Datatilsynet imposed a 4 million NOK administrative fine on Telenor ASA for inadequate organization of the data protection officer role and lack of internal control. The investigation found the company failed to assess DPO independence, document conflict of interest considerations, and establish a documented reporting line to the highest management level. The case was handled as a cross-border GDPR case through the cooperation and consistency mechanism with the Swedish and Danish supervisory authorities. Telenor is ordered to assess its DPO obligation and maintain accurate processing activity records.
What changed
Datatilsynet found Telenor ASA non-compliant with GDPR requirements for data protection officer organization. The company lacked documented assessments of DPO independence and conflict of interest, failed to establish a direct reporting line to highest management, and had inadequate internal control mechanisms. The authority issued an order requiring Telenor to assess its DPO obligation and maintain proper processing records.
Affected organizations should review their DPO arrangements for compliance with GDPR requirements, including documented independence assessments, conflict of interest reviews, and direct reporting lines to senior management. Companies should ensure adequate internal control frameworks support their data protection functions. The decision, processed under the GDPR cooperation mechanism, cannot be appealed to the Norwegian Privacy Appeals Board but may be challenged in Oslo District Court.
What to do next
- Assess and document whether the company is obligated to have a DPO
- Review and ensure up-to-date and correct records of processing activities
- Implement relevant organizational measures for the DPO role if obligated
Penalties
4,000,000 Norwegian Kroner (NOK)
Archived snapshot
Apr 18, 2026. GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Sanctions imposed on Telenor ASA for lack in the organisation of the data protection officer and lack of internal control
Based on an investigation of Telenor ASA, we have issued an order and administrative fine for inadequate organisation of the role of the data protection officer (DPO) and lack of internal control.
Our main findings are that Telenor ASA had not carried out all necessary assessments and documentation on the role of DPO, including the DPO’s independence and possible conflict of interest. A direct and documented reporting line for the DPO to the highest level of management had not been established. The company also had inadequate internal control.
Following our advance notification, the company announced the termination of the DPO role. Therefore, Telenor ASA is ordered to assess and document whether they are obligated to have a DPO and to review and ensure up-to-date and correct records of processing activities. In the event that the company finds that they are obliged to have a DPO, they must implement relevant organizational measures. The Norwegian Data Protection Authority also issues a reprimand for an inadequate reporting line for the DPO to the highest management level.
Furthermore, we impose an administrative fine of four million Norwegian kroner for the lack of suitable organizational measures and suitable guidelines for the role of the DPO. We consider it a mitigating factor that no specific damage has been identified to the data subject’s privacy. We have also taken into account the long handling time when assessing the size of the fine.
The case was handled as a cross-border case, where the data protection authorities in Sweden and Denmark considered themselves as concerned supervisory authorities. They were given the opportunity to provide comments on the draft decision. The decision was thus made according to the cooperation and consistency mechanism in the General Data Protection Regulation. This entails that the decision cannot be appealed to the Norwegian Privacy Appeals Board. However, the decision can be brought before the Oslo District Court.
Download
Decision: DPO Role in Telenor ASA (pdf)
Contact
Mona Naomi Lintvedt
Telephone: +47 481 51 418
Published: 3/14/2025
About this page
Source document text, dates, docket IDs, and authority are extracted directly from Datatilsynet.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.