ARTICLE
2 April 2025

Norwegian Decision Sends Message To Companies: Independent Data Protection Officers Are Critical

AP
Arnold & Porter

Contributor

Arnold & Porter is a firm of more than 1,000 lawyers, providing sophisticated litigation and transactional capabilities, renowned regulatory experience and market-leading multidisciplinary practices in the life sciences and financial services industries. Our global reach, experience and deep knowledge allow us to work across geographic, cultural, technological and ideological borders.
In a recent decision, Norway's Data Protection Authority, Datatilsynet (Norwegian DPA), fined telecommunications multinational Telenor ASA around €350,000 for violations related to the setup...
Norway Privacy

In a recent decision, Norway's Data Protection Authority, Datatilsynet (Norwegian DPA), fined telecommunications multinational Telenor ASA around €350,000 for violations related to the setup, independence, and lack of internal controls needed to support the work of the company's Data Protection Officer (DPO). This decision reminds those companies which are legally required to appoint a DPO, that they need a properly established and independent one. It underscores that companies need to carefully document and ensure the DPO's role aligns with the requirements of data protection regulations, particularly the General Data Protection Regulation.

The Norwegian DPA's findings highlight significant inadequacies in Telenor ASA's DPO management. The company failed to properly evaluate and document the DPO's role, including their independence and absence of any possible conflict of interest. Furthermore, the company failed to establish a direct reporting channel to top management, which likely impeded the DPO's ability to effectively address data protection concerns. The investigation also revealed a lack of robust internal controls, underscoring a systemic failure to support the DPO's responsibilities.

This decision from Norway provides a clear signal that simply appointing a DPO is not enough. Organizations must proactively establish and document the DPO's role, ensuring their independence, and should provide a direct line of communication to top management. Robust internal controls are essential to support the DPO's work and foster a culture of data protection compliance. While the fine in this case was substantial, it could have been significantly higher had the investigation uncovered actual damage to data subject privacy. The decision emphasizes that proactive and thorough attention to the DPO's role is not just a regulatory obligation but also is a vital aspect of safeguarding an organization's reputation and avoiding potentially severe financial consequences.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More