Datatilsynet (NO) – Court Ruling (Norway, 2025)

An employer (the controller) accessed the email address of an employee (the data subject) over suspicions of internal fraud. It was later discovered that the data subject committed no fraud. The data subject filed a complaint with the DPA. She claimed that her right to data protection was violated and request the DPA to impose a fine. The DPA held that the controller violated Articles 5, 6, 13 and 14 GDPR. On these grounds, the DPA issued a reprimand against the controller and an order to bring internal processes into compliance. The DPA did not impose a fine. The data subject filed an internal appeal before the Personvernnemnda (the Privacy Appeals Board of the DPA). In her appeal, she challenged the DPA’s decision not to fine the controller. The Board held that the data subject had no standing for appealing the decision and dismissed the appeal on procedural grounds. In this regard, The Board considered that the DPA’s decision put an end to the controller’s violation. On this basis, the Board held that the DPA’s decision not to inflict a fine, did not produce tangible and factual effects for the data subject. This, in turn, led to the conclusion that she was not a party to the decision and could not bring an appeal. The data subject further challenged the Board’s decision before the Sivilombudet (the Norwegian Parliamentary Ombud). She claimed that the Board was wrong in finding that she had no right to challenge the merits of the DPA’s decision. The Sivilombudet held that the data subject could challenge the DPA’s decision, and that she had the right to challenge both its procedure and its merits. In particular, she had the right to a review of the correctness and proportionality of the corrective measures inflicted by the DPA. On these grounds, the Sivilombudet ordered the Board to re-examine the data subject’s appeal, ensuring a full review of the DPA’s decision. = The Sivilombudet observed that the domestic rules on internal appeals against the DPA were not