Published: 25 May 2026 · Roy Morken, Datafolka
Datatilsynet 2026: What small businesses need to know about inspections, complaints, and sanctions
Datatilsynet (Norwegian Data Protection Authority) handled 4 736 new cases in 2024, received 902 complaints from individuals (an increase of 53 percent from the previous year), and issued 384 decisions. Of these, 44 were decisions on corrective measures or sanctions. Only five were administrative fines — all issued to public-sector organisations. For Norwegian SMBs this means the probability of a large fine is real but low. The probability of being contacted with a specific complaint is, however, higher than most people think.
Most Norwegian SMB owners we speak with have a vague relationship with Datatilsynet. They know GDPR exists, they have a privacy policy they have never read carefully, and they assume it does not apply to them because they are small. This article is for those who want the practical answer: what is Datatilsynet actually, what is it NOT, what triggers a case, how high are the fines, and what do you need to have in place to sleep well at night.
All figures and examples are drawn from Datatilsynet's own 2024 annual report, their public enforcement register, and the Verizon Data Breach Investigations Report 2025 for international comparison. No anonymised customer cases, no "we have seen" stories. Only public figures and process translated into SMB language.
What Datatilsynet is — and what it is NOT
Datatilsynet is an independent supervisory authority under the Norwegian Ministry of Local Government and Regional Development. This means it conducts inspections and issues administrative decisions, but is not politically directed in individual cases. Its mandate is set out in the GDPR, the Norwegian Personal Data Act, and a range of sector-specific privacy laws covering the workplace, healthcare, policing, and credit.
Datatilsynet is not:
- An ombudsman that helps individuals win cases. It receives complaints, assesses them professionally, and issues decisions. It does not represent the complainant against the organisation.
- A court. Decisions can be appealed to Personvernemnda (Privacy Appeals Board), and further to the district court via litigation.
- The police. Datatilsynet cannot seize equipment or investigate crime — it conducts administrative inspections.
- The EU's data protection council. Datatilsynet participates in the European Data Protection Board (EDPB) together with other supervisory authorities, but EDPB is a cooperative body, not an appeals instance.
Datatilsynet had around 80 full-time employees in 2024 and handled 4 736 new cases that year. That is not enough capacity to proactively audit all Norwegian businesses. They prioritise hard: complaints with concrete harm, inspections in high-risk sectors, and precedent cases that guide the entire market. For SMBs this means the most common way Datatilsynet shows up at your door is via a complaint — not via unannounced inspection.
The five most common triggers for a case
Datatilsynet's 2024 annual report categorises where complaints actually come from. Here is the pattern in prioritised order by volume.
1. Customer and member data handled without adequate control
The largest single category in 2024. A customer gets no response to a query about what data is stored about them. A former customer cannot get their account deleted. A member requests access and receives an unreadable PDF three months later. GDPR rights (access, rectification, erasure, data portability, objection) exist on paper. When they do not work in practice, people complain.
Practical implication for SMBs: you must be able to handle an access request within 30 days. If your customer system cannot export data per customer, that is a real problem at the first complaint.
2. Online publications without consent or legal basis
Photos of employees and customers on social media or websites. Customer lists used in marketing. Former employees still displayed on a "meet the team" page. Familiekanalen received a compliance order from Datatilsynet in November 2024 because children were identified in published videos. This is not an edge case — it is the second most common complaint category.
In practice: review all publicly published content (website, LinkedIn, Facebook, Instagram, Google My Business) and verify that every identifiable person has consented — or that another legal basis exists.
3. Tracking and camera surveillance
Cookies that record behaviour without consent. Tracking pixels in newsletters. Advertising pixels from Meta or Google on pages with sensitive topics. Datatilsynet issued a kr 250 000 fine in 2025 to a website operator for unlawful use of tracking pixels — a case that signals they are actively looking for this now.
For workplace camera surveillance: requires a legitimate purpose, employee notification in advance, a maximum storage period of 7 days unless a specific incident warrants longer, and zero surveillance of employee break areas. Violations are a rapid complaint trigger from employees.
4. Employment privacy
In 2024, employment cases accounted for 16 percent of all complaints. Reviewing employees' email without notice. Location tracking of company vehicles. Covert monitoring of keystrokes. Access to employees' private email threads. A personnel file that was not deleted after an employee left.
In practice: whenever you monitor employees in any way (email, location, presence, camera), you need both a legitimate purpose, documented prior notification, and an obligation to consult with employee representatives or the whole workforce in businesses without a formal employee representative structure.
5. Processing without a legal basis
Eidskog municipality received a kr 250 000 fine in September 2024 for lacking a legal basis for processing personal data. This is the most fundamental GDPR error: you must be able to answer the question "on what basis do you process these data?" with one of six legal bases — consent, contract, legal obligation, vital interest, public task, or legitimate interest.
For SMBs, the answer is typically consent or contract for customer data, legal obligation for accounting and payroll, and legitimate interest for some marketing and IT security. If you cannot answer the question for each data category, you have a fundamental gap before the complaint arrives.
Sanction levels 2023–2025 — real examples from the enforcement register
GDPR's upper limit is €20 million or four percent of global annual turnover, but that is the ceiling — not the average. Here is what Datatilsynet has actually issued in recent years, drawn from the public enforcement register. The list is sorted by amount, not chronology.
| Organisation | Year | Amount | Violation |
|---|---|---|---|
| NAV | 2024 | kr 20 000 000 (overturned by Personvernemnda Dec. 2024) | Access management and log review |
| Eidskog municipality | 2024 | kr 250 000 | Lack of legal basis for processing |
| Grue municipality | 2024 | kr 250 000 | Confidentiality breach in public records |
| Website operator (tracking pixels) | 2025 | kr 250 000 | Unlawful use of tracking pixels |
| University of Agder | 2024 | kr 150 000 | Inadequate data security in Microsoft Teams |
| Norwegian Air Shuttle | 2024 | Reprimand | Unnecessary demand for ID |
| Disqus | 2024 | Reprimand | Unauthorised disclosure of personal data |
| Familiekanalen | 2024 | Compliance order | Identification of children in published videos |
The pattern is clear: of the five administrative fines Datatilsynet issued in 2024, all went to public-sector organisations. The private cases (Norwegian Air Shuttle, Disqus, Familiekanalen) resulted in reprimands or compliance orders, not fines. This does not mean private SMBs are safe from fines — the 2025 tracking-pixel case involves a private operator — but it signals that Datatilsynet typically provides opportunities to remediate before resorting to financial sanctions.
For a typical SMB, the realistic picture is this: a reprimand or compliance order is far more likely than a fine in a first-time case. Fines typically come when you fail to follow up on a compliance order, cooperate poorly during a case, or the violation is clearly intentional.
What Datatilsynet actually checks in an inspection
When Datatilsynet opens a case, it typically requests a short list of documents and answers within 30 days. The sequence in the list is reasonably predictable based on inspection practice from 2023–2025. They start with what is easiest to verify, and dig deeper if findings warrant it.
1. Data processing agreements with vendors
The first question in most cases. Datatilsynet requests a list of all data processors (M365, Google Workspace, Tripletex, CRM, support systems, AI services) and signed data processing agreements for each. A missing data processing agreement with a major vendor like Microsoft or Google is an obvious error that is noted immediately.
A template is available free at datatilsynet.no. For Microsoft and Google, their standard agreements are effectively pre-checked — you must actively accept them in the admin console, but most businesses have already done so without realising it. Smaller SaaS vendors often require a separate exchange by email.
2. Retention periods per data category
"How long do you retain customer data after the customer relationship ends?" "How long do applications from non-hired candidates remain?" "How long do you keep login logs?" If the answer is "don't know" or "indefinitely", you have an obvious gap.
Practical baseline: customer data is retained for as long as the customer relationship lasts plus legally required accounting retention (5–10 years depending on category). Applications from non-hired candidates are deleted after the position is filled. Personnel files of former employees are typically deleted after 5 years. Backups are overwritten after 90 days. Logs are overwritten after 6–12 months. Write down your own periods — that is what Datatilsynet asks for.
3. Consent mechanisms
For your website: do cookie banners appear before or after tracking scripts load? (The correct answer is before.) Can users withdraw consent as easily as they gave it? For newsletters: was it double opt-in or just a field? For marketing to existing customers: is there an opt-out that actually works?
Cookiebot, Cookiehub, and similar tools handle most of the cookie configuration if you actually enable the blocking functionality before consent. The banner alone is not enough — scripts must be held back until the user has consented.
4. Technical security measures
GDPR Article 32 requires "appropriate technical and organisational measures". Datatilsynet typically verifies: is MFA enabled on administrator accounts, is logging turned on, has backup been tested, and how are access permissions managed? The University of Agder received a kr 150,000 fine in 2024 because data security in their Microsoft Teams installation was inadequate.
For SMBs, the common problem is not that MFA is missing but that it is not enabled on all relevant accounts. If Datatilsynet asks for evidence, you need to show what proportion of users actually have MFA — not just that it is available.
5. Internal controls and documentation
GDPR Article 30 requires a record of processing activities for most organisations. This is a list of what types of personal data you process, for what purpose, on what legal basis, where they are stored, and for how long. It does not need to be long — a 2-page table is sufficient for an SMB. But it must exist, and it must be up to date.
5-point checklist to avoid notices
Here is the short version of everything above — a concrete checklist you can work through in 1–2 weeks for a typical SMB of 5–25 employees. The order is prioritised by what actually dominates in Datatilsynet's enforcement register 2023–2024.
1. Set up data processing agreements with all vendors that handle personal data. List of all systems, signed agreement with each, stored together in a shared register. Datatilsynet requests this first in almost all cases. A missing data processing agreement is a top-3 trigger for fines.
2. Define and document retention periods per data category. Write a simple table — type of data, how long it is retained, which legal basis, how it is deleted (automatic or manual). 1–2 days of work to write down, then automate where possible via M365 retention policies or equivalent.
3. Map the consent mechanisms on your website and in customer communications. Review all cookies and tracking scripts — are they blocked before consent? For newsletters and marketing: double opt-in and simple opt-out. The 2025 case with a kr 250,000 fine to a website operator for tracking pixels shows Datatilsynet is actively looking for this now.
4. Log access to sensitive personal data with regular review. Enable logging in M365 or Google Workspace. Review logs quarterly — who has access, have they used it, and is there anyone who should no longer have it. Remove inactive users within 30 days.
5. Establish a 72-hour notification procedure for personal data breaches. A short procedure on one A4 page: who discovers, who assesses severity, who fills in the notification form, who informs those affected. Print it out. Datatilsynet received 3,191 breach notifications in 2024 — having a routine in place is normal practice.
For a business starting from scratch, the typical workload is 5–8 days spread over 2–3 weeks. For a business that already has documentation in place, it is 1–2 days of updating. Cost: largely kr 0 — everything on the list can be done internally or with free templates from datatilsynet.no.
What happens if you receive a notice — the 30-day process
A letter from Datatilsynet is not a decision. It is an enquiry with specific questions and a response deadline. Here is how a typical case unfolds for an SMB:
Week 0 — The letter arrives. Datatilsynet sends a letter with a list of questions they want answered and a deadline of typically 30 days. The letter may come as a result of a complaint, an inspection project in your sector, or a follow-up to a previous letter. Read what is actually being asked — is it general or specific?
Week 1 — Assess the situation. Identify who internally will lead the case (typically the managing director or IT manager). Retrieve relevant documents (data processing agreements, policies, logs). Assess whether anything obvious needs to be remediated before you respond.
Weeks 2–3 — Prepare response and clean up. Write a response that is factual, objective, and within the 30-day deadline. If you find gaps, address them before responding — Datatilsynet views documented remediation during a case positively. That can be the difference between a reprimand and a compliance order.
Week 4 — Send response by the deadline. Submit the response as a digital case in their portal. Request an extension well in advance if you need more time — it is often granted with a substantive reason. Never ignore the deadline without notifying them.
Months 2–6 — Case handling and dialogue. Datatilsynet assesses the response and may come back with follow-up questions. Keep the same person internally as contact — changing contact persons mid-case makes the process messy. If you receive a preliminary notice of a decision, it is still possible to influence the outcome — you have a right to comment before the final decision is issued.
Months 6–12 — Decision or closure. Most SMB cases end in a reprimand or compliance order. If the decision involves a fine or order you disagree with, you have three weeks to appeal to Personvernemnda.
When do you need a lawyer?
For most smaller cases, good internal case handling and occasional input from an IT advisor is sufficient. A lawyer becomes relevant when:
- The exposure could exceed kr 100,000 in potential fines
- The case could result in an order to stop a core part of your service
- The case has employment law implications (surveillance, dismissal, whistleblowing)
- You have already received a preliminary notice of a decision and want to appeal
- The case risks escalating to public media coverage
Privacy specialists are available at most major Norwegian law firms (Wiersholm, Schjødt, BAHR, Thommessen) at hourly rates in the range kr 2,500–4,500. For a typical SMB case, total legal assistance is 10–40 hours.
Private AI and Datatilsynet — the Schrems II problem
One area that has become increasingly important over the last two years is the use of AI services at work. ChatGPT, Microsoft Copilot, Google Gemini, Claude, and similar tools run on US infrastructure. When a Norwegian SMB enters customer data or employee data into an open version of these services, personal data is exported to the US — and this triggers the Schrems II issue.
Background: the Court of Justice of the EU struck down the then-current EU–US Privacy Shield in the Schrems II ruling (2020) because US legislation (FISA 702, Executive Order 12333) gives US authorities access to data held by US vendors in a way incompatible with GDPR. The replacement, the EU–US Data Privacy Framework (DPF) from 2023, provides a formal basis for transfers but is still under legal pressure and could fall.
In practice for SMBs, this means that open use of US AI services with personal data is a genuine risk area — not necessarily an immediate breach, but an exposure if the legal framework changes or if Datatilsynet turns its focus explicitly in this direction.
Three alternatives in prioritised order:
- Enterprise versions with data processing agreements. ChatGPT Enterprise/Team, Microsoft 365 Copilot with supplementary terms, Google Workspace with Gemini under the Workspace agreement — all have signed data processing agreements and data is not retained for training. Lawful as long as the Data Privacy Framework holds.
- General versions with masking. Use the tools but mask all personal data before prompting. In practice difficult to enforce across all employees.
- Private or EU-hosted AI. A model running in the EU or entirely on-premises where you control where data is stored. Mistral, open-source models such as Llama or Qwen on EU infrastructure, or your own on-premises installation. No Schrems II exposure.
We at Datafolka build and operate Private AI solutions for SMBs that want the benefits of AI without exporting customer data to the US. It is not necessary for everyone, but it is a genuine consideration when you regularly handle sensitive data.
Comparison with international SMB statistics
For perspective on the Norwegian threat landscape, Verizon Data Breach Investigations Report 2025 shows that 88 percent of SMB breaches internationally involve ransomware — compared with just 39 percent for larger organisations. The median ransomware demand was $115,000, down from $150,000 in the 2024 report. 64 percent of victims refused to pay, up from 50 percent two years earlier.
In the Norwegian context this is relevant because most of the personal data breaches notified to Datatilsynet (3,191 in 2024, up 13 percent from the previous year) are not classic hacker attacks. 37 percent were personal data sent to the wrong recipient — classic human error. But intentional attacks (hacking, phishing) increased 39 percent, and ransomware is part of that picture.
Practical implication: when a ransomware attack hits an SMB with customer data, it triggers two parallel processes. An operational one — how do you restore operations. And a privacy process — were personal data exposed, and must Datatilsynet be notified within 72 hours. The second track is often forgotten in the crisis, and that is where a privacy fine can come on top of the breach damages themselves.
Next steps
The list above is prioritised. If you only have one week to spend on privacy this month, work through the five checklist points. They cover over 80 percent of what typically triggers a case against an SMB. The rest is moving from "good" to "excellent", and can wait until next quarter.
If you want a sparring partner who has reviewed many SMB setups and can lead a privacy review in 1–2 days, we can help. It is typically a combination of IT consulting and IT security assessment where we go through the five checklist areas and set up the documentation together with you.
Send an email to Roy.Morken@Datafolka.no , and we will schedule a call.
Related reading on datafolka.no: Cybersecurity for small businesses — 8 things you actually need to do , Private AI without data leakage and IT security services .
Sources
- Datatilsynet annual report 2024 — Inspections and case handling: datatilsynet.no/arsrapport-for-2024
- Datatilsynet decisions 2024 — Enforcement register: datatilsynet.no/avgjorelser-2024
- Verizon Data Breach Investigations Report 2025: verizon.com/business/resources/reports/dbir
- GDPR regulation Articles 30, 32, 33, and 58: lovdata.no/personopplysningsloven
Roy Morken, co-founder of Datafolka. This article is built on Datatilsynet's own 2024 annual report, the public enforcement register, and Verizon DBIR 2025, and translated into practical language for Norwegian SMBs. No customer data or anonymised cases have been used. Last updated 25 May 2026.