Telenor fined NKr 4m for DPO scheme and internal controls failures

Datatilsynet in Norway found that Telenor contravened EU GDPR with multiple failures.

Mobile telecommunications giant Telenor ASA has been sanctioned by the Norwegian Data Protection Authority, Datatilsynet, to the tune of NKr 4m ($379,261) for deficiencies in its data protection officer scheme and in its internal controls.

Following a supervisory control instigated by anonymous tips, Datatilsynet found that Telenor failed to carry out all required assessments and documentation of the role of data protection officer. Telenor was also found not to have established or documented any direct reporting line from the data protection officer (DPO) to the highest management level.

The authority also discovered that the company failed to have sufficient internal controls. Based on the inspection, Datatilsynet found that Telenor violated Article 37(7), Article 38(2) and (3), and Article 24(1) and (2) of EU GDPR.

No harm to data subjects

“We consider it a mitigating factor that no specific harm to the data subjects’ privacy has been identified. We have also taken into account the long processing time when assessing the size of the fee,” Datatilsynet said. Investigations began in 2021. The company was also reprimanded for the inadequate reporting lines for the DPO.

After announcing the findings, Telenor terminated its data protection officer scheme. However, Datatilsynet has ordered the company to conduct an investigation to determine if it is obliged to have a DPO, and to implement necessary measures if one is required.

Telenor has been ordered to review and ensure that it has an updated and correct processing protocol.