The norwegian data protection authority threatens to impose legal measures against the international baccalaureate organization


The DPA considered IBO’s processing to be in violation of the fairness requirement, transparency requirement and the accuracy requirement set out in the GPDR.

The International Baccalaureate Organization (IBO) is a Swiss organization that is responsible for the International Baccalaureate (IB) educational programme, which is offered through many schools world-wide, including several schools in Norway.

The grades given to the students in the IB programme are normally determined through exams only, and not as in the Norwegian public schools, through a combination of grades set by the teachers and grades achieved in exams.

Most exams in Norway scheduled for the spring of 2020 were cancelled, due to COVID-19 restrictions. In public schools, the consequence was that the final grades given to the students were based on grades awarded by the teachers only, and the cancellation of exams therefore did not cause any major issues. For students in the IB programme, where no such grades are awarded, the schools needed to find another way to determine the grades.

The IBO decided to set the grades based on the following factors: Student coursework, teacher-delivered predicted grades and “school context”. IBO explained that “school context” is an algorithm which will determine grades, based on historical data for each subject and school, meaning that the grades of students studying a certain subject at a certain school will be determined in part on the basis of results historically achieved by students who have previously studied the same subject at the same school. Exactly how the algorithm works seems unclear, but the IBO has explained that they will consider several parameters, including “time zones”. The IBO expresses that this method is able to accurately predict the grades which would have been awarded to each student.

During the summer of 2020, there were numerous stories in the Norwegian media about IB students who, through this grading process, had received lower grades than what they had anticipated, and, as a consequence, were not admitted to study at the universities which they had planned to attend.

As the personal data processing concerns data subjects (students) in Norway, the Norwegian DPA has decided to enforce the provisions of the Norwegian Data Processing Act (which by reference includes the GDPR) against IBO. The Norwegian DPA considered IBO in Switzerland to be the data controller for the personal data processing.

The DPA considered IBO’s processing to be illegal, on the following basis:

  • The DPA considered the processing to be a form of profiling as defined in the GDPR Article 4 (4).
  • The DPA considered IBO’s processing to be in violation of the fairness requirement set out in the GDPR Article 5 (1) (a), as the awarding of grades should be based on their demonstrable academic achievements and not on historical data relating to the academic achievements of other students in the past. The use of historical data, the DPA held, also entails a potential for discrimination, based on factors outside the control of the individual student such as the general quality and history of the school itself. These factors were likely to result in undue adverse effects for the students.
  • The DPA also considered IBO’s processing to be in violation of the transparency requirement set out in the GDPR Article 5 (1) (a), i.a. as the grading process, which is likely to have a significant impact on the student’s life, is determined based on an algorithm of which the details were not publicly known.
  • The DPA further considered the processing to be in violation of the accuracy requirement set out in the GPDR Article 5 (1) (d), as the processing did not ensure that the grades given to any particular student would accurately reflect the academic achievements of that student.

The DPA issued an advance notification to IBO in August 2020 that the DPA intends to impose an obligation on IBO to rectify the grades of the students who had been subject to the processing, taking into account the fairness, transparency and accuracy principles of the GDPR, and also an obligation to refrain from using “school context” and “historical data” in any future awarding of grades to IB students.

The case is likely to result in the DPA imposing obligations on IBO in line with the above, but at the time of writing, the DPA has not yet made its final decision.

The DPA has not proposed to issue an administrative fine in this case.

The DPA’s letter to IBO from August 2020 is in English language and can be found on the DPA’s web site:



Article provided by: Øystein Flagstad (Gjessing Reimers, Norway)  



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.