Privacy in practice
Privacy should be integrated into operational processes—not locked away at headquarters.
Someone quit your company. What happened to their email account, access, and customer data? Do you have a checklist, or is it handled...
Microsoft's agreement gives you the right to reject a new AI subcontractor. But the alternative is to cancel email, Teams, and...
The bank app sent data about your phone to a third-party company you've never heard of. No one was informed.
The company's own training slides stated that legitimate interest was the wrong basis. The Norwegian Data Protection Authority agreed.
IQVIA claimed the health data was anonymous. CNIL found it to be pseudonymized — and that GDPR applied in full.
The email account of a contractor who left six months ago was still active. The Belgian data protection authority fined the company…
Microsoft cut the notification period for new AI subcontractors in your agreement—from six months to 30 days. Has anyone in the business…
The DPO wrote it in the annual report – the municipality didn't delete what it should have. Management didn't follow up. The Norwegian Data Protection Authority intervened.
303,880 bank customers were locked out because they refused to let the app scan everything on their phone. The fine was 12.5…
A booking system used three-year-old travel data for profiling. The airline was unaware of this. Nor were the travelers.
14,000 pharmacists shared health data without customers knowing. The software sent data even when the customer said no.
The servers are located in the EU. But who holds the key? The EU now has a framework that provides precise answers — five levels…
The system was built to provide access. No one had built it to restrict it. It cost 31.8 million euros.
Sick leave forms, onboarding forms, customer forms — are you asking for more than you need? GDPR already applies when you design the form.
You have a data processing agreement with your IT vendor. But do you know if they are actually updating servers, managing access, and backing up correctly?
You receive an email from the Norwegian Data Protection Authority (Datatilsynet). They are asking about your processing records. Who in the company should respond, and by when?
An employee accessed 3,573 customers' bank data over two and a half years. The bank's own system did not trigger an alarm.
Your CRM stores everything. But can it delete? Many IT systems lack basic functionality to comply with privacy regulations.
The drivers provided their social security numbers and driver's licenses. Everything ended up on servers in Russia – without anyone being informed.
Three municipalities use the same supplier. The supplier is hacked. The Norwegian Data Protection Authority opens three cases—one per municipality. Not one case against…
Your accounting system is hacked. Your CRM is hacked. Your booking solution is hacked. Who do your customers call? You do.
A supplier to dental care was hacked. 23,000 citizens received letters at home. The letter was from the municipality. Not from the supplier.
An employee submitted a doctor's note for three days of absence. The employer demanded diagnosis and treatment details as well. The court's response was clear.
The mailman doesn't need to open the letter to learn something about you. The sender field is enough.
The Dutch Data Protection Authority inspects IT providers' security — preventatively, before anything has happened. A breach at the provider affects everyone.
The CNIL issued 83 sanctions in 2025. One of the most common reasons? Businesses that simply did not respond when the supervisory authority…
The client agreement contained nothing about data privacy. The company said they «didn't see the value» in it. The Norwegian Data Protection Authority disagreed.
633,887 people had their bank details and health information published on the dark web. The company was only monitoring 5 percent of its IT environment.
Seven administrations in Aalborg knew that the systems were not deleting personal data. No one took action. The Datatilsynet issued an order.
Norwegian user data ended up on Russian servers. The fine was 100 million euros — the Datatilsynet recommends deleting the app.
Employees are pasting customer names, contracts, and health information into AI tools. Most businesses have never checked what happens to the data...
The package said nothing about what was inside. But it said everything about who sent it.
A law firm said they «didn't see the value» in documenting their privacy practices. The Norwegian Data Protection Authority showed them the value – €4,920.
Profile views, usage statistics, purchase history. Everything that concerns the customer, the customer has the right to see. The question is, are you taking...
A water company had hackers in its network for almost two years. Only 5 percent of the IT environment was monitored. It cost almost...
The job app has access to the camera, location, and contact list. The employer says it's necessary. The employee wonders if that's true.
Four Canadian regulators are investigating OpenAI. ChatGPT was trained on personal data that should never have been used—including children's data.
LinkedIn tracks who views your profile. Want to know who? It costs 300 kroner per month. The privacy organization noyb believes…
The drivers had to install four apps on their private phones. The apps tracked them around the clock. It cost the company 200,000 euros.
The download form asks for an email for the guide. The app requests location to function. Is that consent — or payment in...
The boat wasn't just about bad security. It was about no one being responsible for the system.
Mailchimp shows you who opened your newsletter at 9:14 AM on an iPhone. Have you told your subscribers that you see…
Send a request for insights to yourselves — as if you were a customer. Can you respond within 30 days, with…
«Accept terms» is not valid consent — at least not when the alternative is losing access to the service.
The loyalty card collected points. Your email address was forwarded to a social network – without anyone telling you.
750,000 of those exposed were not even active members anymore. The association had never deleted them.
Schibsted wants 39 kroner. Facebook was fined two billion. The question is not the size of the price — but whether...
VG, Aftenposten, and BT give you a choice—share your data with advertisers, or pay an extra 39 kroner per month…
When data from 2.1 million people was published on the Darknet following the SportAdmin breach, it wasn't just the software company that had a problem. Every sports team using the system was also affected.
The online store was hacked through a system no one used anymore. The fine was over ten million kroner.
The prospecting tool stored contact data for five years—and automatically reset the deadline each time the person changed jobs. In practice, the data was never deleted.
Your newsletter knows who opens it, when, and on what device. The CNIL says you need consent for that.
83.5 percent of the transparency requests that noyb has sent to companies over the last eight years did not receive a response in line with...
Merely using the app revealed the user's sexual orientation. The Norwegian Data Protection Authority imposed a fine of 65 million. The Court of Appeal agreed.
The retail chain shared its customer list with a social network. 10.5 million people's emails and phone numbers—used to show them ads…
Two masked men knocked on the door in the middle of the night. They knew his name, his address, and that he had firearms at home.
The bank app required access to the list of all installed apps on your phone. Garante said: that's too much.
The sports app was hacked. Data from 2.1 million children — personal identification numbers, health information, club affiliation — ended up on the Darknet.
160 million contact profiles. Harvested from LinkedIn without asking. Stored for five years. CNIL fined KASPR €240,000.
The vendor had carried out a security audit. The errors were documented. None were fixed. When the breach occurred, data about disabled individuals was leaked. The fine was €1.7 million.
Most businesses know they should consider risks before adopting new systems. Few know what the assessment should entail. Now the EDPB has created the template – for free.
51 municipalities used Google in schools. The Danish Data Inspection Agency found that they didn't know who was actually processing the data — and stated that it was the municipalities' fault, not Google's.
In 2025, 443 data breaches were reported per day in Europe — up 22 percent from the previous year. Most of the businesses affected did not have a plan.
Almost all cloud usage in Norwegian businesses is based on one agreement between the EU and the US. That agreement is under pressure — again.
When the CNIL investigated the France Travail breach, one of the findings was this: access rights were defined too broadly. It's not sabotage. That's how the system was set up.
France Travail was not hacked. The attacker only asked for help. When he was inside, he had access to data on 43 million people.
Most privacy policies are written for lawyers. GDPR says they should be written for people. What should actually be in them?
25 European supervisory authorities are now checking whether your privacy policy gives people what they are entitled to know.
Read more →Older than 90 days
Reddit hadn't done a single risk assessment before they let children in. It cost £14 million.
You deleted the customer from the CRM. But the backup system remembers everything. Are you actually in compliance—or just in the production environment?
32 supervisory authorities checked 764 businesses. Most do not know what they are storing, why, or when they should delete it.
NSM has said the same thing for ten years - weak login is the biggest risk.
You are switching HR systems. Employee data remains with the old provider. Who is responsible — and who has access?
The store went bankrupt. The employees wanted their payrolls. The supplier said no. It cost 250,000 kroner.
The company kept personal data of customers who had left long ago. When the data was stolen, the damage was much greater than it needed to be.
They didn't have MFA on the VPN. An attacker just logged in. 24 million subscribers had their IBAN data leaked.
Someone sent the wrong attachment Thursday after lunch. The deadline to report to the Norwegian Data Protection Authority? Sunday. Do you have a plan for the 72 hours?
«Information security management system» sounds like something only big companies have. But for an SMB, it's about four concrete things.
The Norwegian Data Protection Authority is now checking all 357 Norwegian municipalities. What they are looking for, most businesses are also missing.
3,191 breach notifications to the Norwegian Data Protection Authority in 2024. The most common? Someone sent an email to the wrong person.
EDPB rules - you cannot force customers to create an account to shop. Guest checkout is not a nice-to-have - it's a right.
€325 million. Not for hacking anyone. For showing ads without consent and making it harder to refuse than to accept.
SHEIN was fined €150 million. Not for collecting too much, but because the reject button didn't actually reject anything.