Privacy in practice
The question isn't whether the data exists. The question is whether you get it back.
The download form asks for an email for the guide. The app requests location to function. Is that consent — or payment in...
The boat wasn't just about bad security. It was about no one being responsible for the system.
Mailchimp shows you who opened your newsletter at 9:14 AM on an iPhone. Have you told your subscribers that you see…
Send a request for insights to yourselves — as if you were a customer. Can you respond within 30 days, with…
«Accept terms» is not valid consent — at least not when the alternative is losing access to the service.
The loyalty card collected points. Your email address was forwarded to a social network – without anyone telling you.
750,000 of those exposed were not even active members anymore. The association had never deleted them.
Schibsted wants 39 kroner. Facebook was fined two billion. The question is not the size of the price — but whether...
VG, Aftenposten, and BT give you a choice—share your data with advertisers, or pay an extra 39 kroner per month…
When data from 2.1 million people was published on the Darknet following the SportAdmin breach, it wasn't just the software company that had a problem. Every sports team using the system was also affected.
The online store was hacked through a system no one used anymore. The fine was over ten million kroner.
The prospecting tool stored contact data for five years—and automatically reset the deadline each time the person changed jobs. In practice, the data was never deleted.
Your newsletter knows who opens it, when, and on what device. The CNIL says you need consent for that.
83.5 percent of the transparency requests that noyb has sent to companies over the last eight years did not receive a response in line with...
Merely using the app revealed the user's sexual orientation. The Norwegian Data Protection Authority imposed a fine of 65 million. The Court of Appeal agreed.
The retail chain shared its customer list with a social network. 10.5 million people's emails and phone numbers—used to show them ads…
Two masked men knocked on the door in the middle of the night. They knew his name, his address, and that he had firearms at home.
The bank app required access to the list of all installed apps on your phone. Garante said: that's too much.
The sports app was hacked. Data from 2.1 million children — personal identification numbers, health information, club affiliation — ended up on the Darknet.
160 million contact profiles. Harvested from LinkedIn without asking. Stored for five years. CNIL fined KASPR €240,000.
The vendor had carried out a security audit. The errors were documented. None were fixed. When the breach occurred, data about disabled individuals was leaked. The fine was €1.7 million.
Most businesses know they should consider risks before adopting new systems. Few know what the assessment should entail. Now the EDPB has created the template – for free.
51 municipalities used Google in schools. The Danish Data Inspection Agency found that they didn't know who was actually processing the data — and stated that it was the municipalities' fault, not Google's.
In 2025, 443 data breaches were reported per day in Europe — up 22 percent from the previous year. Most of the businesses affected did not have a plan.
Almost all cloud usage in Norwegian businesses is based on one agreement between the EU and the US. That agreement is under pressure — again.
When the CNIL investigated the France Travail breach, one of the findings was this: access rights were defined too broadly. It's not sabotage. That's how the system was set up.
France Travail was not hacked. The attacker only asked for help. When he was inside, he had access to data on 43 million people.
Most privacy policies are written for lawyers. GDPR says they should be written for people. What should actually be in them?
25 European supervisory authorities are now checking whether your privacy policy gives people what they are entitled to know.
Reddit hadn't done a single risk assessment before they let children in. It cost £14 million.
You deleted the customer from the CRM. But the backup system remembers everything. Are you actually in compliance—or just in the production environment?
32 supervisory authorities checked 764 businesses. Most do not know what they are storing, why, or when they should delete it.
Read more →Older than 90 days
NSM has said the same thing for ten years - weak login is the biggest risk.
You are switching HR systems. Employee data remains with the old provider. Who is responsible — and who has access?
The store went bankrupt. The employees wanted their payrolls. The supplier said no. It cost 250,000 kroner.
The company kept personal data of customers who had left long ago. When the data was stolen, the damage was much greater than it needed to be.
They didn't have MFA on the VPN. An attacker just logged in. 24 million subscribers had their IBAN data leaked.
Someone sent the wrong attachment Thursday after lunch. The deadline to report to the Norwegian Data Protection Authority? Sunday. Do you have a plan for the 72 hours?
«Information security management system» sounds like something only big companies have. But for an SMB, it's about four concrete things.
The Norwegian Data Protection Authority is now checking all 357 Norwegian municipalities. What they are looking for, most businesses are also missing.
3,191 breach notifications to the Norwegian Data Protection Authority in 2024. The most common? Someone sent an email to the wrong person.
EDPB rules - you cannot force customers to create an account to shop. Guest checkout is not a nice-to-have - it's a right.
€325 million. Not for hacking anyone. For showing ads without consent and making it harder to refuse than to accept.
SHEIN was fined €150 million. Not for collecting too much, but because the reject button didn't actually reject anything.