NORWEGIAN DPA ISSUES REPRIMAND TO TELENOR

13 February 2021

The Norwegian Data Protection Authority (“Norwegian DPA” - “Datatilsynet”) has issued a reprimand to Telenor Norge AS for inadequate protection of personal data in its voicemail function, and for failing to submit a data breach notification to the Norwegian DPA.

A security error has made it possible for unauthorized persons to access the voicemails of approx. 1.3 million customers by using so-called 'spoofing' services. The Norwegian DPA finds that Telenor had not implemented satisfactory security measures. This vulnerability in the voicemail function had been known for many years.

This vulnerability affected a large number of subscribers. Voicemail messages may contain a lot of information, and this content has been largely outside Telenor’s control. These factors indicate that Telenor’s security measures have been inadequate.

The Norwegian Communications Authority (NKOM) previously issued a fine in the amount of EUR 150 000 for violation of the Electronic Communications Act, for the same circumstances that the DPA has now considered. To prevent Telenor Norge AS from being penalized twice for the same offence, the Norwegian DPA opted to issue a formal reprimand instead.[1]

You can reach the EDPB’s announcement here.  

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr


[1] Violation of Article 32 (1) of the GDPR, by failing to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

    Violation of Article 33 of the GDPR, by failing to notify the personal data breach to the Data Protection Authority.