GDPR Enforcement in Norway

Trend: Have the national data protection authorities in Norway focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

Norwegian enforcement in 2024–2025 suggests a focus on insufficient technical and organisational security measures, processing or disclosure without a valid legal basis and weak privacy governance/internal controls. The clearest sector pattern is a strong emphasis on the public sector, especially where large amounts of personal data are processed and basic confidentiality safeguards are lacking. At the same time, the 2025 decisions show increased attention to tracking technologies and third-party data sharing on websites, particularly where the data may concern children or other sensitive situations.

Two examples illustrate this:

• In 2025, Datatilsynet took action against six websites for use of tracking pixels that automatically disclosed visitors’ personal data to third parties without a valid legal basis. These cases were particularly serious because some of the websites concerned children or sensitive topics. The decision is available here (available in Norwegian only). 
• NAV was fined in 2024 because of serious shortcomings in access management and log controls. Datatilsynet found that employees had overly broad access to personal data and that the safeguards for protecting confidentiality were inadequate. The decision is available here (available in Norwegian only).

Overall, what was the most significant fine in Norway to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

On 12 December 2021, the highest GDPR fine in Norway to date was imposed on US company Grindr LLC, which provides the world’s largest social networking app for gay, bi, trans and queer people. The fine against Grindr LLC amounted to NOK 65 million (approx. EUR 5.4 million) and was imposed due to the disclosure of personal data to advertising partners without a valid legal basis, constituting a violation of Article 6(1) GDPR, and based on the disclosure of special-category personal data to advertising partners without a valid exemption from the prohibition as set out in Article 9(1) GDPR.

Grindr appealed against the fine imposed by Datatilsynet. Datatilsynet reconsidered the case but upheld its original decision. The case was then appealed to the Privacy Appeals Board (Personvernnemnda), which upheld the fine in September 2023. Grindr subsequently challenged the decision before the courts. The Oslo District Court upheld the fine in March 2024 and the Borgarting Court of Appeal dismissed Grindr’s appeal after a hearing on 12–14 August 2025. The case was not appealed further and the administrative fine of NOK 65 million therefore remains in place.

How is the data protection authority organised in Norway? Budget, staff, assignment to a ministry?

• The Norwegian Data Protection Authority (Datatilsynet) is a public authority. It is an independent body set up to protect the individual right to privacy.
• Datatilsynet is responsible for the enforcement of the GDPR, the Norwegian Personal Data Act and privacy regulation in the context of employment, in respect of both private and public entities across Norway.
• Datatilsynet is financed by the Norwegian government and is administratively subordinate to the Ministry of Digitalisation and Regional Development.
• Its annual budget for 2026 is NOK 92 million (approx. EUR 8.2 million) and it has approx. 70 employees.

How does a fine procedure work in Norway? Can the authority impose fines itself? Procedural steps? Legal remedies?

Fines can be directly imposed by Datatilsynet as part of administrative proceedings, which are governed by the Norwegian Public Administration Act. Proceedings usually start with a formal notification to the respective entity on the opening of a fining procedure. The respective entity has the option to provide its views on factual and legal aspects of the case before the authority issues the fining decision. Companies can appeal against fines to the Privacy Appeals Board or competent courts.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Fines are transferred to the state treasury.

Is there a common, official calculation methodology for fines in Norway (such as the fining models in the Netherlands or Germany)?

Datatilsynet uses the methodology in Guidelines 04/2022 on the calculation of administrative fines under the GDPR, which the European Data Protection Board (“EDPB”) has adopted to harmonise the methodology that supervisory authorities use when calculating the amount of a fine.

Can public authorities be fined in Norway? If they can: Where does this money go?

Yes. The fines are transferred to the state treasury.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

There is no comprehensive publication of fines. Datatilsynet is not obliged to publish each fine. However, individuals are usually entitled to access the decisions after requesting them. Datatilsynet has also published a list of its most significant decisions, which can be found here.

Fines are published in press releases and activity reports. Usually, the company is not anonymised, but this will depend upon the circumstances.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

Datatilsynet has not yet released the annual statistics for 2025. According to their latest report, they issued:

• 6 fines over the course of 2024;
• 7 fines over the course of 2023;
• 17 fines over the course of 2022;
• 26 fines over the course of 2021;
• 13 fines over the course of 2020;
• 11 fines over the course of 2019.

Does Norway have model declaratory proceedings/class actions in data protection law?

Pursuant to the Norwegian Dispute Act, several data subjects may join forces and take legal action together against a data controller or data processor. A class action can only be brought if the claimants have claims for which the factual or legal basis is identical or substantially similar. Additionally, the claims must be capable of being heard by a court with the same composition and under substantially the same procedural rules and a class action must be the most appropriate method for hearing the claims. A class representative must also be nominated.

A class action requires court approval. Upon receiving a submission, the court will decide as soon as possible whether to approve or reject the action, normally through a written procedure without oral hearings. The parties may make written submissions prior to the court's ruling. If approved, the court will define the scope of claims included and determine whether the action proceeds on an "opt-in" or "opt-out" basis.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

Fines issued by data protection authorities are much more relevant than private litigation as regards data protection infringements, which are relatively rare. This is most likely due to high litigation costs, paired with relatively low claims for damages.

We have not seen a large rise in the numbers of proceedings due to the GDPR but more court cases seem to involve questions about damages.