Court case 25/12378 – Court Ruling (Norway, 2026)

The data subject had lodged a complaint against a former employer for GDPR violations. While the DPA found an infringement and issued a reprimand against the employer, it rejected the complaint insofar as the data subject sought further corrective measures. The Data Protection Board of Appeal subsequently held that the data subject lacked a legal interest in appealing the DPA’s decision, arguing that the right to an effective remedy under Article 78 GDPR primarily protects persons on whom the decision has direct legal effects, and that national procedural law may limit who has standing to seek judicial review. The Ombudsman disagreed and challenged this restrictive interpretation, relying on CJEU case law, including Schufa cases and Land Hessen. The Ombudsman argued that Article 78(1) GDPR grants both data subjects and controllers the right to an effective remedy against supervisory authority decisions, including review of the authority’s choice of corrective measures under Article 58(2) GDPR. The Ombudsman also referred to [https://www.privacy-regulation.eu/en/recital-141-GDPR.htm Recital 141 GDPR] and [https://fra.europa.eu/en/eu-charter/article/47-right-effective-remedy-and-fair-trial Article 47 of the EU Charter], emphasizing the need for full judicial review where a supervisory authority fails to intervene adequately to protect a data subject’s rights. Restricting data subjects to cases of ongoing violations, risks undermining uniform enforcement of the GDPR and lowering the level of data protection. The data subject must have the right to an effective judicial remedy under Article 78(1) GDPR against all aspects of a supervisory authority’s decision, including the selection and adequacy of corrective measures. This right is not limited to situations where the decision has binding legal effects on the data subject, nor may it be excluded by national procedural rules.