Norwegian System of Patient Injury Compensation – Court Ruling (Norway, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Norwegian System of Patient Injury Compensation partially answered a person's request for access to her data but did not provide all the information she wanted. This ruling is significant because it emphasizes the need for organizations to fully comply with access requests under data protection laws.
What happened
The organization partially responded to a request for access to personal data but did not provide complete information.
Who was affected
A person involved in a case with the Norwegian System of Patient Injury Compensation was affected.
What the authority found
The Norwegian data protection authority ruled that the organization had adequately responded to the access request and found no violation of GDPR.
Why this matters
This case illustrates the challenges individuals face in accessing their data. Organizations must ensure they provide complete information to comply with data protection requirements.
View original scraped data
Original data from scraper before AI verification against source document.
A data subject requested access to her data processed by the board within the Norwegian System of Patient Injury Compensation (Norsk pasienterstatning, https://www.npe.no/no/), a controller. The data subject was a party to proceedings before the controller, and her request covered the documents of the case, including the log data. The data subject took the position that the controller's employees had not checked the documents in depth while examining her case. For this reason, she wanted to verify who had accessed her documents and when.
The controller partially answered the access request. The data subject didn't receive the information she asked for, in particular whether printouts of the documents had been made, or whether the documents had been sent by e-mail or copied and stored elsewhere.
The data subject complained to the Norwegian DPA (Datatilsynet) and notified the Ministry of Public Health. She claimed that the controller violated Article 32 GDPR because it didn't secure the data properly, as there was no log control in place. Moreover, the lack of access to log data deprived the data subject of the ability to scrutinise the controller's conduct in her case.
Additionally, the data subject filed an access request with the National Appeals Body for the Health Service (Nasjonalt klageorgan for helsetjenesten, https://www.helseklage.no), which was the body competent to deal with appeals and/or complaints against the controller's decisions. The appeal body answered the request and provided the data subject with the dates and purposes of access to her documents. Nevertheless, with reference to the Ministry of Public Health letter, the appeal body didn't disclose the identity of the employees who accessed the documents.
The DPA issued a decision stating that the access request was answered. Moreover, the alleged violation of Article 32 GDPR was not found. Thus, the DPA closed the case. The data subject lodged an appeal with the Privacy Appeals Boa
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Norwegian System of Patient Injury Compensation - Norway (2024). Retrieved from cookiefines.eu