Norway: Data Protection Authority issued ruling in investigation into Telenor over violations of General Data Protection Regulation on data protection officer appointment (No.21/03823-45)

On 10 March 2025, the Norwegian Data Protection Authority issued a ruling against Telenor ASA, with an administrative fine of NOK 4,000,000 for violations of the General Data Protection Regulation (GDPR). The ruling highlighted that Telenor ASA failed to comply with Data Protection Officer (DPO) requirements under Articles 37–39 GDPR and organisational obligations under Article 24 GDPR. The ruling requires Telenor ASA to assess whether it is required to appoint a DPO, revise its record of processing activities, and implement organisational measures ensuring the DPO’s independence, reporting structure, and involvement in data protection matters. The ruling was issued for the absence of a direct reporting line for the DPO for approximately one year.