Datatilsynets – Court Ruling (Norway, 2023)

During an ongoing dispute at a Norwegian Court of Appeal regarding the award of occupational injury insurance between a complainant and an insurance company (the data controller), the latter forwarded some of the complainant's health information to an external psychiatrist as a private expert. However, in its judgment of 7 January 2022, the Court of Appeal did not find it necessary to give decisive weight to the private expert's assessment and disregarded it. On 22 November 2021, the Norwegian DPA received an enquiry from the complainant who argued that the data controller's disclosure to the private expert resulted in a breach of the GDPR. However, on 5 September 2022, the DPA dismissed the complaint because it concerned the processing of personal data that falls outside the scope of the Norwegian Personal Data Act under section 2, second paragraph, letter b, meaning that the DPA did not have any authority on the process, pursuant to Article 55 GDPR and [https://lovdata.no/dokument/NLE/lov/2018-06-15-38 section 20 of the Personal Data Act]. On 26 September 2022, the complainant filed a timely complaint against this decision and on 30 January 2023, the case was submitted to the Norwegian Privacy Appeals Board, which, on 15 September 2023, considered whether the insurance company's transmission of the case documents containing the complainant's health information to a privately engaged expert, in connection with the processing of a civil case before the Court of Appeal, falls outside the scope of the Norwegian Personal Data Act. The Norwegian Privacy Appeals Board noted that the present case fell within an exception of the Norwegian Personal Data Act. Accordingly, the Act shall not apply to cases decided pursuant to Norwegian Administration of Justice laws, such as the Dispute Act, as they provide sufficient safeguards for privacy. Regarding the complaint, the Norwegian Privacy Appeals Board observed that the processing of the complainant's personal data during the