Norwegian System of Patient Injury Compensation – Court Ruling (Norway, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A data subject requested access to her data processed by the board within the [https://www.npe.no/no/ Norwegian System of Patient Injury Compensation] (Norsk pasienterstatning), a controller. The data subject was a party to proceedings before the controller and her request covered the documents of the case, including the logs data. The data subject stood on the position that the controller’s employees didn’t check the documents in depth, while examining her case. For this reason, the data subject wanted to verify who and when accessed her documents. The controller partially answered the access request. The data subject didn’t receive the information she asked for, in particular whether printouts of the documents were done, or the documents were sent by e-mail or copied and stored elsewhere. The data subject complained with the Norwegian DPA (Datatilsynet) and notified the Ministry of Public health. The data subject claimed that the controller violated Article 32 GDPR, because they didn’t secure the data properly as there was no logs control in place. Moreover, lack of access to log data deprived the data subject from scrutinising the controller’s conduct with their case. Additionally, the data subject filed an access request with the [https://www.helseklage.no National Appeals Body for the Health Service] (Nasjonalt klageorgan for helsetjenesten), which was the body competent to deal with appeals and/or complaints against the controller's decisions. The appeal body answered the request and provided the data subject with the dates and purposes of access to the data subject’s documents. Nevertheless, in reference to the Ministry of Public health letter, the appeal body didn’t disclosed the identity of employees who accessed the documents. The DPA issued a decision, stating that access request was answered. Moreover, alleged violation of Article 32 GDPR were not found. Thus, the DPA closed the case. The data subject lodged an appeal with the Privacy Appeals Boa
GDPR Articles Cited
A data subject requested access to her data processed by the board within the [https://www.npe.no/no/ Norwegian System of Patient Injury Compensation] (Norsk pasienterstatning), a controller. The data subject was a party to proceedings before the controller and her request covered the documents of the case, including the logs data. The data subject stood on the position that the controller’s employees didn’t check the documents in depth, while examining her case. For this reason, the data subject wanted to verify who and when accessed her documents. The controller partially answered the access request. The data subject didn’t receive the information she asked for, in particular whether printouts of the documents were done, or the documents were sent by e-mail or copied and stored elsewhere. The data subject complained with the Norwegian DPA (Datatilsynet) and notified the Ministry of Public health. The data subject claimed that the controller violated Article 32 GDPR, because they didn’t secure the data properly as there was no logs control in place. Moreover, lack of access to log data deprived the data subject from scrutinising the controller’s conduct with their case. Additionally, the data subject filed an access request with the [https://www.helseklage.no National Appeals Body for the Health Service] (Nasjonalt klageorgan for helsetjenesten), which was the body competent to deal with appeals and/or complaints against the controller's decisions. The appeal body answered the request and provided the data subject with the dates and purposes of access to the data subject’s documents. Nevertheless, in reference to the Ministry of Public health letter, the appeal body didn’t disclosed the identity of employees who accessed the documents. The DPA issued a decision, stating that access request was answered. Moreover, alleged violation of Article 32 GDPR were not found. Thus, the DPA closed the case. The data subject lodged an appeal with the Privacy Appeals Boa
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Norwegian System of Patient Injury Compensation in NO
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Norwegian System of Patient Injury Compensation - Norway (2024). Retrieved from cookiefines.eu
Last updated: