Personvernnemnda (Norway) - PVN-2024-06
From GDPRhub
| Personvernnemnda (Norway) - PVN-2024-06 | |
|---|---|
 | |
| Court: | Personvernnemnda (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 57 GDPR Article 77(1) GDPR |
| Decided: | 24.09.2024 |
| Published: | |
| Parties: | |
| National Case Number/Name: | PVN-2024-06 |
| European Case Law Identifier: | |
| Appeal from: | Datatilsynet (Norway) |
| Appeal to: | Unknown |
| Original Language(s): | Norwegian |
| Original Source: | Personvernnemnda (Norway) (in Norwegian) |
| Initial Contributor: | wp |
The DPA’s Appeal Board held that a data subject’s request to investigate a suspicious data processing did not constitute a complaint under Article 77 GDPR and did not oblige the DPA to initiate an investigation.
English Summary
Facts
A data subject contacted the Norwegian DPA (Datatilsynet) asking for investigation against the Child Welfare Service in relation to its GDPR compliance. The request covered processing activities relating to data subject’s children. In response, the DPA explained that the State Administration (Statsforvalteren) was competent to hear complaints, in particular, regarding data processing of municipality bodies. Thus, the DPA closed the case.
Few months later, the data subject filed a complaint with the DPA in relation to data processing performed by the Police. Allegedly, the police breached the duty of confidentiality, disclosing a criminal report case to the Child Welfare Service. Additionally, the data subject asked the DPA to audit the municipality's data processing.
The DPA informed the data subject that it is not competent to examine the processing activity's of the police. Also, again the DPA found no reasons to conduct further investigation against the Child Welfare Service, nor to audit the municipality. Hence, the DPA close the case.
The data subject lodged an appeal with the Privacy Appeals Board (Personvernnemnda).
Holding
The Privacy Appeals Board dismissed the appeal.
According to the Privacy Appeals Board, the DPA closed the case since there was no complaint within the meaning of Article 77(1) GDPR in conjunction with Article 57 GDPR.
The Privacy Appeals Board found that the mere suspicion of unlawful data processing, not yet linked to specific processing activities, did not oblige the DPA to initiate investigation.
In the case at hand, the data subject asked the DPA to verify whether the Child Welfare Service violated GDPR in one of the mentioned cases. Nevertheless, the data subject’s claims were vague and general, expressing the data subject dissatisfaction with the Child Welfare Service conduct. Consequently, for the Privacy Appeals Board the data subject's request didn't constitute a complaint under Article 77(1) GDPR and the DPA was entitled to close the case.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
The Norwegian Privacy Board's decision on 24 September 2024 (Mats Ruland, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Malin Tønseth) The case concerns a complaint from A about the Data Protection Authority's decision on 9 October 2023, which in reality involved a rejection of her inquiry because it does not represent a complaint under the Personal Protection Regulation article 77 no. 1. Background of the case A contacted the Danish Data Protection Authority on 30 July 2022 and asked the Danish Data Protection Authority to investigate whether X child protection service had breached the personal data protection regulation in three different investigation cases concerning her children from the years 2018, 2020 and 2021, as well as in a further case established by the child protection service in autumn 2021 in connection with her not consenting for relief measures. In a letter on 1 September 2022, the Norwegian Data Protection Authority gave guidance that complaints about the municipality's handling of child protection matters must be addressed to the State Administrator. The supervisory authority pointed out that the Personal Data Protection Ordinance also draws limits on which processing of personal data is legal, but that it was not appropriate for the supervisory authority to assess what information the child welfare service was entitled to obtain and share in a specific child welfare case. The inspectorate then closed the case. On 9 December 2022, A sent a new inquiry to the Norwegian Data Protection Authority where she asked the Norwegian Data Protection Authority to investigate whether the police in Y had breached the duty of confidentiality in connection with the police's processing of a report in a criminal case and in connection with the police's disclosure of information to X's child welfare service. In the letter, she also referred to her previous inquiry, and asked that the Norwegian Data Protection Authority see this in context. A has subsequently sent several inquiries to the Norwegian Data Protection Authority, asking that the Norwegian Data Protection Authority investigate how X municipality has processed her and the children's personal data. She has also requested that the Norwegian Data Protection Authority initiate an inspection of X municipality. In an email to the Norwegian Data Protection Authority on 18 May 2023, A writes: "I have submitted a complaint about privacy and data processing in X municipality. Can you tell me when I can expect an answer to any of this?" In an e-mail to A on 23 May 2023, the Norwegian Data Protection Authority replies that it is difficult to give a concrete promise about the processing time, that a complaint can take anywhere from three to 18 months to process, and that she wants to hear from the Norwegian Authority as soon as they have done something in the matter. In a letter to A on 9 October 2023, the Data Protection Authority refers to its letter of 1 September 2022 that it is not the authority's task to assess whether the child protection service has complied with its obligations under the Child Protection Act. The Norwegian Data Protection Authority writes that the Norwegian Data Protection Authority has dealt with A's inquiry, but has not found it appropriate to carry out further investigations. The supervisory authority writes that it is unlikely that the municipality has breached the data protection regulation, and closes the case. With regard to the complaint about the police's disclosure of information, the Norwegian Data Protection Authority writes that breaches of the duty of confidentiality can be appealed to the Norwegian Police Directorate or reported to the Bureau for Police Affairs and that the Norwegian Data Protection Authority does not have the competence to assess the police's disclosure of information. A was informed in the same letter that the authority's conclusion of the case could be appealed to the Personal Data Protection Board, cf. section 22 of the Personal Data Act. A complained on 11 November 2023 about the Norwegian Data Protection Authority's decision to close the case regarding X municipality's processing of personal data. The Norwegian Data Protection Authority concluded that the complaint had been submitted within the statutory deadline. The Norwegian Data Protection Authority processed the complaint and upheld its decision not to carry out further investigations. The case was forwarded to the Personal Protection Board on 2 April 2024. A was informed about the case in a letter from the board, and was given the opportunity to make comments. The tribunal has not received any further comments. The case was dealt with in the board's meeting on 24 September 2024. The privacy board had the following composition: Mats Ruland (chairman), Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin and Malin Tønseth. Investigation leader Anette Klem Funderud was also present. Briefly about the Norwegian Data Protection Authority's decision The Danish Data Protection Authority points out that the child protection service has broad authority to obtain information that the child protection service considers necessary for the case, cf. the Child Protection Act § 13-4 et seq. (former Child Protection Act § 6-4 et seq.). It is the State Administrator and the National Health Inspectorate that supervise the child protection service, not the Data Protection Authority, cf. the Child Protection Act §§ 17-2 and 17-3. The Norwegian Data Protection Authority assumes that it falls outside the authority's competence to assess whether the child protection service has complied with its obligations under the Child Protection Act as it falls outside the authority's professional competence, cf. the Personal Protection Regulation article 57 no. 1 letter a. The Norwegian Data Protection Authority explains that in several cases the Personal Protection Board has assumed that access to the deletion of information in child welfare folders is very limited due to the child welfare service's need to document its own activities, as well as the obligation to archive according to the Archives Act with regulations. On the basis of the ban on the deletion of archival material, the complainant's right to rectification according to Article 16 of the Personal Protection Regulation will be deemed fulfilled by the complainant submitting a supplementary statement about what information the complainant believes to be incorrect/misleading. With regard to A's complaint about the police's processing of personal data, the Norwegian Data Protection Authority points out that the Norwegian Data Protection Authority does not have the authority to assess breaches of the duty of confidentiality, cf. Section 60 of the Police Registers Act. Breach of the duty of confidentiality can be appealed to the Police Directorate, cf. Section 55 of the Police Registers Act, first paragraph no. 2. or reported to the Bureau of Police Affairs. The Norwegian Data Protection Authority concludes that it is not appropriate to carry out further investigations into the case, cf. the Personal Protection Regulation article 57 no. 1 letter f, cf. also article 57 no. 1 letter a, and closes the case without taking a position on the merits. As's view of the case in brief In this child protection case, there are repeated breaches of confidentiality, the Personal Data Protection Ordinance and the right to information about what kind of information is registered about you and your children. She asks the Norwegian Data Protection Authority to investigate these matters: X municipality's breach of confidentiality by obtaining audio files from the police without her consent. X municipality's violation of the personal data protection regulation by the way information about A, her children and her family is written and used in the case documentation. ·Factual and groundless reports of concern (specified to four dates). ·X municipality's exploitation of the mother's position in the X Labor Party and the X municipal council when they go to custody proceedings and report the mother to the police. · X municipality's own gain by placing the children in foster homes with one party in a conflict, […]. ·False and incorrect testimony in court from several witnesses. Close to 200 documents are missing that have not been archived in the cases. No proper documentation has been made to treat both children as individuals. There is also no systematic and legal filing in a document journal, but internal documents with important professional assessments are entered into internal journals against better judgment. A does not agree with the Norwegian Data Protection Authority's assessment of the degree of probability that there has been an offense and refers to a number of pieces of evidence: 1. Complaint from a GP on 1 April 2022 after participation in a meeting with X child protection and false minutes. 2. Documents from X child protection with both threats against grandmother and grandfather, GP and psychologist, as well as a citizen of X municipality. 3. False certificates from X child protection in the district court and in the county board. 4. False reports of concern used in the case. 5. Child welfare professional assessments without documentation, entered in internal records, and diagnosis of mother without psychological competence. 6. Withheld documents in the child welfare case. 7. Expert report based on audio recordings that have been illegally extracted from the police without consent. 8. Incorrect and false reports in the child welfare case. 9. The judgment was given a day before to X municipality by the district court judge. A asks for quick treatment as there is an appeal in the child welfare case to the Court of Appeal and the children were placed in emergency [...]. This is against children's rights. The children have been moved three times, and these moves have not been reported to the population register, probably against their better judgment. The Norwegian Privacy Board's assessment The tribunal assumes that the Norwegian Data Protection Authority's decision not to carry out investigations in the case was based on the fact that the Norwegian Data Protection Authority did not regard the inquiry from A as a complaint under the Personal Protection Regulation Article 77 no. 1. This in reality implies a rejection of the case. A rejection is a single decision that can be appealed, cf. section 2 third paragraph of the Administration Act. The Norwegian Data Protection Authority's duties follow from Article 57 of the Personal Data Protection Ordinance. According to the provision, the Data Protection Authority shall process a complaint submitted by a registered person and investigate, to the extent that it is appropriate, the subject of the complaint and inform the complainant of the course and outcome of the investigation within a reasonable period, cf. the Personal Data Protection Ordinance article 57 no. 1 letter f. The question in this case is what is required for an inquiry to the Norwegian Data Protection Authority to be considered a complaint under Article 77 no. 1 which the Norwegian Data Protection Authority is obliged to process in accordance with Article 57. It follows from Article 77 of the Personal Data Protection Regulation that any data subject shall have the right to complain to a supervisory authority if the data subject considers that the processing of personal data concerning him/her is in breach of the Data Protection Regulation. It follows directly from the wording of Article 77 No. 1 that the data subject must assert that the person's personal data has been processed in a manner that is in breach of the regulation. In other words, a requirement can be derived for a certain specification of the alleged illegality, and that the alleged illegality must affect the person making the complaint. Such an interpretation also finds support in the regulation's recital 141, where it is stated, among other things, that the registered person has a right to complain to a national supervision "if the person concerned considers his rights according to this regulation to have been violated" (the board's italics). The EFTA Court bases similar considerations in section 53 in cases E-11/19 and E-12/19, which were combined for joint treatment: "Further, a complaint lodged by a data subject pursuant to Article 77 of the GDPR must be qualified in the sense that the alleged infringement of the GDPR relates to the processing of personal data of that data subject." The Court of Justice of the European Union also considers in case C-319/20 paragraph 75 that individual complaints according to Article 77 no. 1 are a legal remedy as "a single person, who is individually and concretely affected by a violation of the right to protection of the person's personal data , can bring proceedings against the person who has committed this infringement". The Norwegian Data Protection Board states the following in Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints (15 December 2020), page 4 (example 2): "[…] a complaint should not be about […] a suggestion made by a natural person that he or she thinks that a particular company is not compliant with the GDPR as long as he or she is not among the data subjects." If there were not a requirement that the complaint, in order to trigger an obligation to act on the part of the Norwegian Data Protection Authority pursuant to Article 57, must be linked to a current and concretely specified processing of the complainant's personal data, it would be random individuals and their inquiries that would control which investigation cases the Norwegian Data Protection Authority should use their resources on. Statements of more or less unfounded suspicions or allegations without this being linked to a concrete and current processing of the complainant's personal data cannot trigger an obligation for the Norwegian Data Protection Authority to initiate investigations with the aim of clarifying whether there has been processing of personal data in violation with the regulation. A's inquiries to the Norwegian Data Protection Authority, together with the submission of a number of documents from the various child protection cases, clearly express that A is critical of X's child protection service, their treatment of the various investigation cases, the treatment of the cases in the county board and in the district court. She asked the Norwegian Data Protection Authority to "investigate whether X Child Protection Service had breached the Personal Data Protection Regulation" in connection with the various investigation cases that the Child Protection Service had carried out regarding the care situation for her children. She also requested that the supervisory authority open supervisory proceedings against X municipality. The allegations that the Personal Data Protection Ordinance has been breached are very general, and are about dissatisfaction with X child protection service's handling of child protection cases. The Norwegian Data Protection Authority has correctly stated that the Norwegian Data Protection Authority does not have the competence to assess the child welfare service's case management, and that a complaint about this must be directed to the State Administrator. The Danish Data Protection Authority has further informed about how A should proceed with any requests for correction or deletion in the child protection service's records. A's general request to the Norwegian Data Protection Authority to open a supervisory case and investigate whether the child protection service in question has breached the Personal Protection Regulation in her case cannot, in the tribunal's view, be considered a complaint that obliges the Norwegian Data Protection Authority to carry out certain investigations, cf. article 57 no. 1 letter f. A's inquiry does not concern a specific and current alleged illegal processing of her personal data, and is not considered a complaint under Article 77 no. 1. The Norwegian Data Protection Authority's rejection of the case is upheld. The complaint has not been successful. The decision is unanimous. Conclusion The Norwegian Data Protection Authority's decision is upheld. Oslo, 24 September 2024 Mats Ruland Manager
