News

📌 €351,000 fine for a telecommunications company (Norway)
📆 March 2025
📚 Articles violated: 24, 37, 38 and 39 of the GDPR.

Source : 21-03823-45

Following an investigation by the Norwegian authority Datatilsynet, fined a telecommunications company NOK 4 million (€351,000) for serious shortcomings in the organization of the DPO function and the absence of sufficient internal controls.

💥 The facts?

- The DPO had a hybrid role (DPO and associate lawyer), with no real independence.
- No separate e-mail address, no clear policy to avoid conflicts of interest.
 -The DPO was only marginally involved in data processing.
- No direct line to senior management.
- No documented evidence of compliance with obligations under Articles 38 and 39 of the GDPR.

📌 The company had even dismissed its DPO without documenting the decision, or putting in place a clear procedure to ensure compliance.

🎯 Essential reminder:
Appointing a DPO is not ticking an GDPR box.
It's guaranteeing:

✅ His independence
✅ His involvement in all treatments
✅ Human, technical and organizational resources
✅ A clear, recognized role at the heart of data governance

💡 This case reminds us that the DPO function must never be relegated to the background. It must be structured, monitored, and supported by management.