Norwegian Decision Sends Message to Companies: Independent Data Protection Officers Are Critical

In a recent decision, Norway’s Data Protection Authority, Datatilsynet (Norwegian DPA), fined telecommunications multinational Telenor ASA around €350,000 for violations related to the setup, independence, and lack of internal controls needed to support the work of the company’s Data Protection Officer (DPO). This decision reminds those companies which are legally required to appoint a DPO, that they need a properly established and independent one. It underscores that companies need to carefully document and ensure the DPO’s role aligns with the requirements of data protection regulations, particularly the General Data Protection Regulation.

The Norwegian DPA’s findings highlight significant inadequacies in Telenor ASA’s DPO management. The company failed to properly evaluate and document the DPO’s role, including their independence and absence of any possible conflict of interest. Furthermore, the company failed to establish a direct reporting channel to top management, which likely impeded the DPO’s ability to effectively address data protection concerns. The investigation also revealed a lack of robust internal controls, underscoring a systemic failure to support the DPO’s responsibilities.

This decision from Norway provides a clear signal that simply appointing a DPO is not enough. Organizations must proactively establish and document the DPO’s role, ensuring their independence, and should provide a direct line of communication to top management. Robust internal controls are essential to support the DPO’s work and foster a culture of data protection compliance. While the fine in this case was substantial, it could have been significantly higher had the investigation uncovered actual damage to data subject privacy. The decision emphasizes that proactive and thorough attention to the DPO’s role is not just a regulatory obligation but also is a vital aspect of safeguarding an organization’s reputation and avoiding potentially severe financial consequences.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.