Violation fee to Argon Medical Devices
The Norwegian Data Protection Authority has decided to impose an infringement fee of NOK 2.5 million on the American company Argon Medical Devices for breaching the Personal Data Protection Regulation.

In July 2021, Argon discovered a security breach that affected the personal data of all their European employees, including those in Norway. Argon did not send a breach notification to the Danish Data Protection Authority until September 2021, long after the 72-hour deadline for reporting a breach under Article 33 of the regulation. The security breach concerned personal data that can be used for fraud and identity theft.

Argon believed that they did not need to report the security breach until they had a complete overview of the incident and all its consequences. This understanding was written into their internal procedures, and it was the root cause of the delay.

72-hour deadline for violations
The Norwegian Data Protection Authority disagreed with Argon's assessment. The Personal Data Protection Regulation states that the 72-hour deadline for sending a notification begins to run when the data controller becomes aware that a personal data security breach has occurred. In other words, the controller cannot wait to send such a notification until all the circumstances of the breach have been clarified.

In its assessment, the Norwegian Data Protection Authority has, among other things, emphasized the wording of the law and the Norwegian Data Protection Authority's own guidelines. The guidelines state that the controller cannot wait until detailed investigations have been carried out before sending a notification to the Norwegian Data Protection Authority. The Danish Data Protection Authority has also emphasized that Argon is a large international group, which must have good privacy practices in place.

Important reminder
This case is an important reminder that data controllers, including those established outside the EEA, must have suitable measures in place to be able to immediately determine whether a breach of personal data security has taken place, and to immediately notify the supervisory authority and the data subjects.

The infringement fee of NOK 2.5 million is approximately 2.5% of the maximum fee for such breaches of the Personal Data Protection Regulation, and 0.1% of Argon's turnover.

The case joins a number of similar cases in Europe. For example, Twitter (edpb.europa.eu) and Booking.com (edpb.europa.eu) have previously received fees of approx. NOK 4.5 million each for breaching the deadline in Article 33. In both cases, the data protection authorities in Europe cooperated on the cases.

Argon can appeal against the decision within three weeks of receiving it.