Legelisten.no AS – Court Ruling (Norway, 2019)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Legelisten.no, a website for anonymous reviews of healthcare workers, was told it couldn't process personal data without proper consent. The court agreed that the company must allow healthcare personnel to opt out of being listed. This ruling shows that even review sites must follow strict privacy rules.
What happened
Legelisten.no was found to lack a legal basis for processing personal data of healthcare personnel.
Who was affected
Healthcare personnel whose contact information was processed by Legelisten.no without consent.
What the authority found
The court upheld the decision that Legelisten lacked a valid legal basis for processing personal data, violating GDPR rules.
Why this matters
This ruling highlights that companies running review platforms must respect privacy rights and obtain consent. Website operators should ensure they have clear opt-out options for individuals listed on their sites.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
In 2017, the Norwegian DPA Datatilsynet found that a company "Legelisten", running an anonymous review website of healthcare personnel, lacked a legal basis for processing and instructed them to allow said personnel to opt out of being listed and reviewed, in addition to several other instructions. Both the initial complainant and Legelisten responded to the DPA's decision with complaints. The DPA considered both complaints, but did not find any grounds to change their decision. Consequently, the case was submitted to the Norwegian Privacy Appeals Board, who considered comments from the initial complainant, Legelisten, the Norwegian Consumer Council, and the DPA. The Board focused their assessment on the lawfulness of processing of personal data on the website Legelisten.no. First, they considered the applicable law, as the GDPR had entered into force since the initial complaints dating back to 2012. They found that the GDPR would indeed apply. The Board reviewed several aspects relating to the case in question, summarised below. = The Board agreed with the DPA's finding that Legelisten is the controller for all processing of personal data related to their site (as listed above), for both users and the healthcare personnel, because they in all these instances determine how the personal data will be processed (the purpose) and the means (technical platform, layout, which processors to use). = The Board agreed with the DPA's finding that there were no exemptions or derogations for processing carried out for journalistic purposes in this case. = The DPA found that Legelisten lacked a legal basis for processing contact information (email address) of users submitting reviews, because they could not rely on consent as this was not found to have been provided voluntarily. The Board agreed that email addresses will often reveal the identity of a person and is, as such, personal data, and that information related to visits to or contact with specialist healthcare pers
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (2)
Other cases involving Legelisten.no AS in NO
Court Ruling
Details
About this data
Cite as: Cookie Fines. Legelisten.no AS - Norway (2019). Retrieved from cookiefines.eu
Last updated: