Court case 2021-07 – Court Ruling (Norway, 2021)

The data subject lodged a complaint with the the Norwegian DPA (Datatilsynet) stating that they had been subject to an unauthorized credit rating. An employee of the credit rating agency has indeed triggered a credit check on the complainant to contact them in private matter. However, the data was not disclosed to other parties. Therefore, the DPA found it unlikely that data protection legislation had been violated and decided not to investigate the case further. The complainant, however, was neither informed of the closure of the case nor of their right to appeal by the DPA, but only after asking for the status of the investigation and performing own online research. The complainant therefore appealed the DPA's decision to dismiss the case, which was rejected and submitted to the Norwegian Privacy Appeal Board by the DPA. The Appeal Board decided that according to national law a party is granted the right to appeal to an individual decision. The DPAs decision to terminate the case without deciding whether the complainant's personal data has been processed unlawfully must be regarded as a decision that is decisive for the complainants individual rights, granting them the right to appeal according to [https://lovdata.no/dokument/NLE/lov/1967-02-10/KAPITTEL_6#%C2%A728 section 28(1)], [https://lovdata.no/dokument/NLE/lov/1967-02-10/KAPITTEL_1#%C2%A72 2(1)(a)(b)] [https://lovdata.no/dokument/NLE/lov/1967-02-10/ Public Administration Act]. Furthermore, the Board pointed to the data subject’s right to receive information on the outcome of the complaint under Article 77(2) GDPR and Article 57(1)(f) GDPR. The case was therefore returned to the DPA for an assessment on the merits of the case.