Datatilsynet (DPA) – Court Ruling (Norway, 2024)

NAV, the Norwegian Labour and Welfare Administration, is a government agency that collaborates with local municipalities to provide a unified access to public labor and welfare services. Its primary functions include promoting employment and ensuring financial and social security. NAV administers a significant portion of the state budget and is one of the country's largest employers with about 22,000 employees. Nearly all citizens of Norway are in contact with NAV at some point of their life. NAV, in a letter to the data subject, admitted that it had unlawfully read his case files, equaling a violation of confidentiality. This formed the basis of the original complaint (Article 77 GDPR), which was declined by the DPA on the following basis: The Norwegian DPA Datatilsynet argued it is not the competent authority to assess the legality of isolated access to individual case files, and the potential violation of NAV employees' obligation to confidentiality. PVN related this appeal to a larger DPA investigation in September 2023 of NAV's insufficient logging, access and log controls. (Datatilsynet (Norway) - 23/00708). On 6 February 2024, PVN unanimously decided to uphold the DPA's decision not to further investigate this case. PVN underscored that this case does not concern the lawfulness of processing under Article 6 GDPR or the processing of special categories of personal data under Article 9 GDPR. Rather, the crux is whether one of the controller's employees had a valid reason to access a particular case file. PVN further argues that isolated incidences of "unnecessary" access to case files do not necessarily amount to a violation of Articles 24 and 25 GDPR, thereby not resulting in any corrective measures under Article 58(2) GDPR.