News
ππ³π΄ DPO and insufficient resources
π €351,000 fine for a telecommunications company (Norway)
π March 2025
π Articles violated: 24, 37, 38 and 39 of the GDPR.
Source : 21-03823-45
Following an investigation by the Norwegian authority Datatilsynet, fined a telecommunications company NOK 4 million (€351,000) for serious shortcomings in the organization of the DPO function and the absence of sufficient internal controls.
π₯ The facts?
- The DPO had a hybrid role (DPO and associate lawyer), with no real independence.
- No separate e-mail address, no clear policy to avoid conflicts of interest.
-The DPO was only marginally involved in data processing.
- No direct line to senior management.
- No documented evidence of compliance with obligations under Articles 38 and 39 of the GDPR.
π The company had even dismissed its DPO without documenting the decision, or putting in place a clear procedure to ensure compliance.
π― Essential reminder:
Appointing a DPO is not ticking an GDPR box.
It's guaranteeing:
β
His independence
β
His involvement in all treatments
β
Human, technical and organizational resources
β
A clear, recognized role at the heart of data governance
π‘ This case reminds us that the DPO function must never be relegated to the background. It must be structured, monitored, and supported by management.