Norway

Main takeaways:


  • Fines can be imposed on authorities and public entities.
  • No comprehensive publication of GDPR fines, but DPA decisions are available on request, and significant decisions are published online.
  • Fines > Damages: Fines appear to be more significant than damages due to high costs and comparably low damages amounts awarded so far.

Fining practice 

Trend: to date, have the national data protection authorities in Norway focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

The Norwegian data protection authority (“Datatilsynet”) has not clearly expressed a focus on certain types of violations. However, the fines issued so far seem to stem from breaches of regulations concerning employee control (under Norwegian law), insufficient legal bases for data processing (Art. 6 GDPR), i.a., in connection with credit ratings, and a lack of appropriate information security (Art. 32 GDPR).

From what we can see, the fines imposed in Norway so far are not highly concentrated within a specific sector, but processing seems to relate mostly to the public sector and to patient and employee data. Datatilsynet has also stated that their supervisory control will focus on larger undertakings and serious or extensive violations of the GDPR.

In recent years, much of Datatilsynet’s communication has related to transfers to third countries (outside the EU/EEA), but we have not seen a rise in fines concerning such issues.

Overall, what was the most significant fine in Norway to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

On 12 December 2021, the highest GDPR fine in Norway to date was imposed on US company Grindr LLC, which provides the world’s largest social networking app for gay, bi, trans and queer people. The fine against Grindr LLC amounted to NOK 65 million and was imposed due to the disclosure of personal data to advertising partners without a valid legal basis, constituting a violation of Article 6(1) GDPR, and based on the disclosure of special-category personal data to advertising partners without a valid exemption from the prohibition as set out in Article 9(1) GDPR.

Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in Norway? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?


  • The Norwegian Data Protection Authority (Datatilsynet) is a public authority. It is an independent body set up to protect the individual right to privacy.
  • Datatilsynet is responsible for the enforcement of the GDPR, the Norwegian Personal Data Act and privacy regulation in the context of employment, in respect of both private and public entities across Norway.
  • Datatilsynet is financed by the Norwegian government and is administratively subordinate to the Ministry of Local Government and Regional Development.
  • Its annual budget is NOK 66.5 million, and it has approx. 70 employees.

How does a fine procedure work in Norway? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?


  • Fines can be directly imposed by Datatilsynet as part of administrative proceedings.
  • Administrative proceedings are governed by the Norwegian Public Administration Act.
  • Proceedings usually start with a formal notification to the respective entity on the opening of a fining procedure.
  • The respective entity has the option to provide its views on factual and legal aspects of the case before the authority issues the fining decision.
  • Companies can appeal against fines to the competent (criminal) courts.

In Norway, does the data protection authority publish all imposed fines or other procedural steps (e.g. on its website)? Are the affected companies identifiable in such publications?


  • There is no comprehensive publication of fines. Datatilsynet is not obliged to publish each fine. However, individuals are usually entitled to access the decisions after requesting them. Datatilsynet has also published a list of its most significant decisions, which can be found here: https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/
  • Fines are published in press releases and activity reports.
  • Usually, the company is not anonymised, but this will depend upon the circumstances.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the State treasury, the authority's budget)?

Fines are transferred to the State treasury.

Is there a common, official calculation methodology of fines in Norway (such as the fining models in the Netherlands or Germany)?

There is no common, official calculation methodology to establish fines. However, we assume that Datatilsynet takes into account the methodology used by other European states. Datatilsynet has stated that one of the key elements in the calculation of a fine is the financial position of the affected undertaking.

Can public authorities be fined in Norway? If yes: Where does this money go?

Yes. The fines are transferred to the State treasury.

Other legal consequences of non-compliance

Does Norway have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?


  • Pursuant to the Norwegian Dispute Act, it is possible for several data subjects to join forces and take legal action together against the data controller (or data processor). A class action can only be brought if several legal persons have claims or obligations for which the factual or legal basis is identical or is substantially similar. Further conditions are as follows: it must be possible for the claims to be heard by a court with the same composition and, in the main, according to the same procedural rules; further, a class action procedure must be the most appropriate method for the hearing of the claims. Another prerequisite is that it must be possible to nominate a class representative.
  • A class action requires court approval. When receiving a submission, the court shall decide, as soon as possible, whether to approve or reject the class action. The court will normally decide this by way of a written procedure, there being no oral hearings. However, the parties are allowed to make written submissions prior to the court’s ruling. If the class action is approved, the court shall describe the scope of the claims which may be included in the class action. Moreover, the court shall decide whether the class action shall proceed as an «opt-in» or «opt-out» class action.

What is more relevant in Norway: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?


  • Fines issued by data protection authorities are much more relevant than private litigation over data protection infringements, which is relatively rare. This is most likely due to high litigation costs, paired with relatively low claims for damages.
  • We have not seen a rise in the numbers of proceedings due to the GDPR.