Personvernnemnda (Norway) - 2018-14 (15/01355)
|PVN - 2018-14 (15/01355)|
|Relevant Law:||Article 4(11) GDPR; Article 5(1)(a) GDPR; Article 6(1) GDPR; Article 6(1)(a) GDPR; Article 6(1)(f) GDPR; Article 7 GDPR; Article 7(4) GDPR; Article 9 GDPR; Article 9(2)(a) GDPR; Article 85 GDPR; European Convention on Human Rights Article 10; European Convention on Human Rights Article 8; Grunnloven (The Constitution of the Kingdom of Norway) § 100; Personopplysningsloven (Personal Data Act) § 3|
|National Case Number/Name:||2018-14 (15/01355)|
|European Case Law Identifier:|
|Appeal from:||Datatilsynet (Norway)|
|Appeal to:||Appealed - Confirmed; Norges Høyesterett (Norway)|
|Original Source:||Personvernnemnda (Privacy Appeals Board) (in Norwegian)|
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian Privacy Appeals Board partly overturned a decision from the DPA regarding the processing of personal data on the website Legelisten. Importantly, the Board held that Legelisten had legal grounds for processing the personal data of healthcare personnel and rejected the DPA's decision to provide them with an opt-out. The decision was then taken to the lower courts in Norway, before the Supreme Court ultimately upheld the Board's decision in 2021.
English Summary
Facts
In 2017, the Norwegian DPA Datatilsynet found that a company "Legelisten", running an anonymous review website of healthcare personnel, lacked a legal basis for processing and instructed them to allow said personnel to opt out of being listed and reviewed, in addition to several other instructions.
Both the initial complainant and Legelisten responded to the DPA's decision with complaints. The DPA considered both complaints, but did not find any grounds to change their decision. Consequently, the case was submitted to the Norwegian Privacy Appeals Board, which considered comments from the initial complainant, Legelisten, the Norwegian Consumer Council, and the DPA.
The Board focused their assessment on the lawfulness of processing of personal data on the website Legelisten.no. First, they considered the applicable law, as the GDPR had entered into force since the initial complaints dating back to 2012. They found that the GDPR would indeed apply.
Holding
The Board reviewed several aspects relating to the case in question, summarised below.
Controller responsibility
The Board agreed with the DPA's finding that Legelisten is the controller for all processing of personal data related to their site (as listed above), for both users and the healthcare personnel, because they in all these instances determine how the personal data will be processed (the purpose) and the means (technical platform, layout, which processors to use).
The relationship to freedom of speech and processing for journalistic purposes
The Board agreed with the DPA's finding that there were no exemptions or derogations for processing carried out for journalistic purposes in this case.
Legal grounds for processing personal data about the users
The DPA found that Legelisten lacked a legal basis for processing contact information (email address) of users submitting reviews, because they could not rely on consent as this was not found to have been provided voluntarily.
The Board agreed that email addresses will often reveal the identity of a person and are, as such, personal data, and that information related to visits to or contact with specialist healthcare personnel will reveal special category personal data and thus requires a legal ground for processing as per Article 9(2) GDPR, in addition to Article 6(1). However, the Board were split in their view of consent being a valid legal basis for processing in this specific case. The majority disagreed with the DPA and found that Legelisten could rely on consent for processing contact information of users, because they provided sufficient information in their terms and privacy notice, and required users to provide their consent through a clear affirmative act. The Board's decision here effectively reverted the DPA's initial decision item 8.
Legal grounds for processing personal data about healthcare personnel
Processing of personal data about healthcare personnel on Legelisten relates to two categories: objective vs. subjective personal data. The Board noted that the relevant legal basis in both cases is Article 6(1)(f), legitimate interest, and made a thorough assessment relating to the three-part test (the purpose test, the necessity test and the balancing test).
The Board first assessed the legal basis relating to the users' subjective reviews of healthcare personnel. In the balancing test, the Board were split in their views. First, the majority found that the subjective expressions of the individual patient in principle are expressions protected by the right of freedom of speech, cf. the Norwegian Constitution § 100 and the European Convention on Human Rights Article 10, and that most healthcare personnel on Legelisten can be seen as public figures, cf. the Article 29 Data Protection Working Party guidelines 225, number 2: «Does the data subject play a role in public life? Is the data subject a public figure?».
Next, the majority emphasised that patients' subjective reviews of their experiences with healthcare personnel are of public interest and that Legelisten's services contribute to safeguarding important consumer interests. Hence, they concluded that a general right to opt out of being reviewed on the website would reduce the value of Legelisten as a source of information on the quality of health-related services in Norway. They pointed to the almost immediate reservation requests from about 20% of general practitioners following the DPA's decision.
In conclusion, the majority of the Board held that the various legitimate interests of Legelisten outweighed the rights and freedoms of the healthcare personnel, that the processing of their personal data is necessary for the purpose and, consequently, lawful as per Article 6(1)(f).
For the objective personal data, a unanimous Board agreed that Legelisten had a legitimate interest in processing these.
The Board's decision
- Legelisten is the controller for all personal data published on their website.
- Legelisten's publishing of reviews of healthcare personnel is not subject to the exemptions or derogations for processing carried out for journalistic purposes.
- Legelisten has legal grounds for processing user contact information, cf. Article 6(1)(a), cf. Article 9(2)(a).
- Legelisten is not instructed to publish the identity of the users submitting reviews of healthcare personnel.
- Legelisten has legal grounds for collecting and publishing subjective reviews of healthcare personnel, cf. Article 6(1)(f), and does not have to provide healthcare personnel with the right to opt out.
- Legelisten has legal grounds for collecting and publishing objective personal data of healthcare personnel, cf. Article 6(1)(f), and does not have to provide healthcare personnel with the right to opt out.
Comment
Complaints against Legelisten started in 2012 and went through several rounds both at the Norwegian DPA and the Privacy Appeals Board (Personvernnemnda), before going to the Norwegian courts and, ultimately, the Supreme Court.
The initial cases were assessed against the former Personal Data Act of 2000; however, since the case continued into 2018 (and later), after the GDPR had taken effect, everything above is referenced with GDPR Articles. Consequently, the DPA's decision item 8 was removed entirely, as the introduction of the GDPR removed the requirement for a license from the DPA to process special category personal data.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.